Pittsburgh, PA
March 19, 2018
    News           Sports           Lifestyle           Classifieds           About Us
The Dining Guide
National Job Network
Place an Ad
Home >  Business >  Personal Business Printer-friendly versionE-mail this story
Personal Business
Web watchers are more prevalent than most computer users know

Here are some ways to protect your privacy

Monday, July 30, 2001

By Stephanie Franken, Post-Gazette Staff Writer

Correction/Clarification (Published Aug. 3, 2001): Business -- An article about Web privacy in Monday's Personal Business section said, erroneously, that the Internet company DoubleClick collects Web users' buying patterns and credit card information. It does not. DoubleClick does track Web users' Internet viewing habits for advertising purposes, but it does not track their online transactions.

When the Internet was brand new, it was lauded as a revolutionary mode of communication that would bring the whole world home to a personal computer user. As it has turned out, the virtual world -- like the real one -- is populated with plenty of riffraff.

Anita Dufalla, Post-Gazette illustration

Shady characters can gain access to personal information through so-called Web bugs that invade personal computers like parasites and "suck information from the users' computers," said Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Center in Washington, D.C.

Web bugs are more prevalent and much busier than many people realize. While some of the critters are fairly harmless, most experts say people need to know that their privacy can be violated through these bugs, which access information in e-mail accounts as well as on hard drives and then carry that information back out into the virtual universe, via the Internet, and into the physical one.

The stolen data then is used by marketers who develop profiles of Web users in order to personalize ads and sell goods and services -- but also by credit agencies that might sloppily piece together inaccurate financial data on John Q. Public, or by outright bandits who hijack peoples' identities and make purchases under their names.

"There are a lot of risks out there for people who use the Internet," said Hoofnagle.

A little Web savviness is in order, then, for even casual Internet users. But it shouldn't be confused with outright paranoia about using the Internet, cautioned Pradeep Khosla, head of the electrical & computer engineering program and the Robotics Institute at Carnegie Mellon University.

To Khosla, life in the Internet age simply requires understanding that the virtual universe, like the real universe, has certain risks. And there are precautions that people can take -- or choose not to take -- once they understand those dangers.

Oakland-based Web security start-up Intelytics Inc., an iVenture Lab company, has developed a list of five most common types of Web intruders and ranked them according to their potential threat.

Type 1: In this case, a third party gathers information about an individual based on his activities on the Web. While he surfs the site, an unseen information gatherer is creating a personal profile by examining the pages he visits, how long he stays, his geographic location -- and even his buying patterns and credit card information. Many commonly used Web sites, such as DoubleClick, use this type of bug to profile users.

Sometimes, these profiles merely categorize people according to their interests. But as people reveal more and more personal information through their Web behavior, Web bugs can help draw links between information gathered in various settings that "ultimately can allow Web users to be identified," said Stephen Fienberg, a professor of statistics at CMU who works on privacy issues for the U.S. Census Bureau.

And once somebody has a fully developed Web identity, complete with financial data, a birth date and a Social Security number, this information can be used for harm or for good. "The thing I worry about are credit bureaus, who collect information willy-nilly and don't verify it," said Fienberg.

Type 2: This application is downloaded on a computer unknowingly, like a Trojan horse, said Tommy Wang, director of Intelytics. It then resides on a user's computer -- even the hard drive. "A Type Two can monitor anything. For example, if you do your own taxes with financial software, it can monitor that." This type of bug often is downloaded invisibly because it has attached itself to a desired application such as an MP3 file.

Type 3: A script-based, Type Three bug enters a computer even when the user doesn't download anything at all. Wang and his colleagues used a script-based bug, for instance, during a presentation to the Congressional Privacy Caucus in Washington, D.C. The bug, specially written for the presentation, entered a committee member's personal computer and stole a copy of his private address book and calendar. While an audience watched on, the bug then transferred all of the stolen addresses to a colleague's computer.

The audience was horrified. "But the idea isn't to scare people," Wang said. "The idea is to show there is a problem -- and people need to be aware of it."

Type 4: This bug enters a computer through a Web-based application such as instant messaging or in a bulletin board. For instance, Wang said, some devious Web users recently created a Type 4 bug that infiltrated the popular Internet auction site, eBay. The bug gathered information about how much money auction participants were willing to spend for items that were up for sale on the site -- and then the bug's authors used that data to manipulate the auctions.

Type 5: This Web bug functions like an e-mail version of a wiretap. For instance, if a lawyer were to receive a message from an adversary in a lawsuit and then forward that message along with her own comments to several colleagues -- who then commented back and forth, too -- the original sender of the message could actually track the whole e-mail conversation as it progressed.

Of course, such an action is highly unethical -- but it is possible, and most people don't know it.

Fortunately, a number of options exist to prevent these privacy violations by thwarting the Web bugs that execute them. Some methods are free, and others are fairly inexpensive. Most cannot ward off the most determined and persistent hackers, but they can go far to protect an average Web user's privacy.

"One of the first and easiest thing to do is turn off one's cookies," said Hoofnagle. An invisible device that creates a profile of a user, a cookie helps Web site developers tailor information and sales pitches to a user's interest. But it also can be used to track every move a user makes on the Web and then deliver that data back to a third party -- and sometimes, that's enough to constitute a privacy violation. So turning off cookies also means turning off the ability of the Web world to understand your interests -- for better or for worse. And some sites will bar users from entry if they have turned off their cookies.

To turn off cookies in Microsoft's Internet Explorer 5, pull down from tools to Internet Options, and click on the Security tab. There, a user can make selections to turn off cookies for some or all Web sites. In Netscape 4.7, pull down from Edit to Preferences. From the menu on the left, open Roaming Access and click on Item Selection, and then click off cookies.

Another option to thwart Web bugs is to turn off scripts, in order to turn away all of the bugs that attach themselves to these files to enter home computers. But some Web sites, or portions of Web pages, will no longer be accessible if scripts have been turned off, so it's not an ideal solution.

To turn off scripts in Internet Explorer 5, go to Tools and then pull down to Internet Options. Click on Advanced. Under Java VM or Microsoft VM, uncheck "IT compiler for virtual machine enabled." In Netscape, go to Edit, and under Preferences, click on Advanced. Uncheck "Enable Java" and "Enable Javascript."

Another option is to simply minimize the amount of personal information you give out on the Web. For instance, some people create false or ever-changing Web identities when registering at various Web sites, in order to confuse and disorient Web bugs. While this approach can help protect privacy, it's important not to make up Social Security numbers: a "fake" Social Security number to one person could be somebody else's real number.

Beyond those options, there are free privacy protection packages that can be downloaded from reputable Web sites. The Electronic Privacy Information Center, for instance, offers a whole range of privacy protection software that can be found at www.epic.org/privacy/tools.html. The Privacy Foundation offers similar tools at www.bugnosis.org. And Intelytics has a free software package that can be downloaded from www.intelytics.com.Most computer stores sell privacy protection software in addition to anti-virus software.

Some of the more popular packages are sold by Norton or McAfee, and usually cost between $30 and $80. The software blocks most hackers and notifies computer users whenever a Web bug attempts to get in. While the software can't necessarily block every hacker, it works much like The Club on a car's steering wheel. "Like a car thief, a hacker's not going to go for the car with The Club on it because it's extra work," said Michael Traeger, who sells software at Best Buy in Monroeville.

CMU's Khosla doesn't use any privacy protection software for most of the data he sends and receives. However, "I keep my financial documents encrypted," he said. Encryption is a process that jumbles information so it is illegible to anyone without an "encryption key" -- and Khosla recommends that people interested in encryption visit www.verisign.com.

To put things in perspective, CMU's Fienberg said most people's correspondences over the Web are far too voluminous and mundane to attract much unwanted attention. Beyond being subjected to junk mail and unwanted sales pitches, most people's lives won't be affected much by Web bugs. "I don't spend much time worrying about it, despite the fact that it's my business," he said.

Similarly, Khosla worries that people will become paranoid about using the Web more than he worries that peoples' privacy will be violated. While computer users should have "a reasonable expectation of privacy," he adds, "I'm confident that there will be no notion of complete safety." That's because nobody gets a 100 percent guarantee of safety in real life either.

"Somebody could shoot you, somebody could run you over," Khosla said. "If I am paranoid about being shot, I'll be paranoid about my privacy on the Internet, too."

Back to top Back to top E-mail this story E-mail this story
Search | Contact Us |  Site Map | Terms of Use |  Privacy Policy |  Advertise | Help |  Corrections