Privacy Special Report: Stealth Surfing

SAN FRANCISCO (05/01/2000) - All right already, we all know there's no privacy on the Web. Online intrusion is like the proverbial weather--everybody talks about it, but nobody ever seems to do anything about it.

You can defend your online privacy, however. In fact, you must: The simple act of browsing can leave traces of you all over the place, enabling sites to gather information about you without your knowledge.

Whether the offense is spam in your mailbox, Web cookies on your hard drive, or word of your online identity becoming as widespread as ragweed pollen, you are not helpless. Fortunately, you have numerous ways to combat privacy invasions--from simple browser-setting tweaks to more robust and customizable third-party software to a Web service's solutions. You can just say no to those attacks on your anonymity.

Because Internet privacy attacks come at us from every direction, the best way to defend yourself is to take on each enemy individually. Accordingly, we'll explore, one by one, the various options available for controlling Web cookies, spam, and your online identity. Maintaining online privacy and security may be tricky, but you can do it. First, be sure to take the online privacy quiz on page 123 to see just how paranoid you should be. We've also included tips for making your America Online Inc. experience safer. And if you have a DSL or cable modem connection, pay special attention to the section on broadband security.

Before You Do Anything Else...

Your first step toward achieving security online is to make sure your browser supports the highest level of encryption.

The standard Internet Explorer and Netscape browsers use 40- or 56-bit encryption for secure socket connections--the ones whose URLs begin https:// (note the s at the end). That's weaker than it could be: The optimum legal setting is 128-bit.

To check the encryption depth of your installed version of Internet Explorer, select Help*About. You'll see the current Cipher Strength listed. If it's 40-bit, click the Update Information link for a small download that upgrades the browser to 128-bit encryption. (Unfortunately, there is no encryption upgrade patch, so you will have to install a new full version.)In Netscape Navigator, when you have an online connection, select Help*Software Updates to open a Netscape site; click the Your Installed Software link to find the Cipher Strength. If it's 56-bit, select Upgrade To Netscape Communicator to obtain 128-bit protection.

Control Cookie Intake

Web sites give you these little data tracking beacons. But you can tell them where to go.

No matter what level of encryption you have, you can maintain some degree of control over the way the browser handles cookies. At their simplest, cookies--small data files sent by a Web site and written to your hard disk--identify you when you return to a site, making your reentry quicker. Or they can be more insidious, tracking everything that you do both on the sending site's pages and wherever else you go on the Web. Don't get too excited about per-session cookies--they disappear after you leave a site, and they cannot be used to track you.

Tweak your browser: Both Netscape Navigator and Internet Explorer provide limited options for disabling cookies. If you turn off cookie acceptance altogether, you'll be stopped in your tracks online. Yahoo, Amazon.com, and the New York Times demand identity confirmation at almost every link, while Hotmail flatly refused to let us in unless we enabled cookies.

In IE 5, you can either raise the browser's security level to maximum or create a custom setting. To specify maximum security, select Tools*Internet Options*Security and move the slider to the top of its range--but bear in mind that this setting will prevent ActiveX and Java from automatically working, and it will prevent you from entering certain sites. Custom settings provide more flexibility, and they're easy to implement. Select Tools*Internet Options*Security and click the Custom Level button; scroll to the Cookies section and click Prompt under 'Allow cookies that are stored on your computer'. To turn this setting on in IE 4.0, select View*Internet Options*Advanced and check the box that says Prompt before accepting cookies.

In Netscape Communicator, select Edit*Preferences and click Advanced. Under Cookies, click either Disable Cookies, Warn me before accepting a cookie, or Accept only cookies that get sent back to the originating server (an option that prevents other sites, such as advertising partners, from viewing your cookies). Netscape's cookie-warning dialogs tell you where the cookie comes from (the site that you're visiting or its banner advertising service) and how long the cookie is scheduled to last (for example, DoubleClick, the New York Times, and Yahoo set their respective cookies to last for ten years; Amazon.com's stop working after two weeks).

In Internet Explorer you can delete the cookies already in place on your hard drive by emptying the directory (usually c:\Windows\Cookies). In Netscape, shut down the browser and then select Start*Find*Files and Folders. Enter cookies.txt in the search box and click Find Now. Select all the files listed and press the key. Once you're cookie-free, you'll be prompted each time a Web site wants to send a new cookie your way.

Cookie-free doesn't mean problem-free, however.

Cut out cookies: To enter some sites, you have to use cookies, but that doesn't mean you have to keep the cookies after you leave. Third-party software can supplement browser cookie controls. You can schedule Webroot's Window Washer, for example, to purge cookies (as well as temp files, history files, Recycle Bin files, your browser cache, and more) at regular intervals, or when you start or close Windows.

You can also have Window Washer keep some cookies if you trust the issuing site to use them wisely. Right-click the program's Tray icon; select Settings from the pop-up menu to open the main window; and in the Standard Wash Items list, click the Options button for the browser you're using. In the next dialog box, click the Cookies To Keep button to bring up a box with a list of cookies from various sites. Select one to see its contents--which may include details such as your e-mail address but usually consist of mumbo jumbo codes. Click Add to Keepers for the sites you trust, but leave out any you don't like the look of.

All cookies not specifically approved will be purged whenever you select Wash Now from the main Window or click the Tray icon.

Other downloadable shareware programs--Cookie Pal, Cookie Cutter, and Cookie Crusher, among others--use your browser's cookie settings to refuse cookie requests, add filters for accepting or declining cookies from specific sites, and alert you visually or audibly whenever a cookie arrives. Commercial packages such as ESafe Desktop and personal firewall software like Norton Internet Security 2000 ensure that cookies are accessible only to the site that issues them. They prompt you when a cookie is about to be written, allowing you to accept or refuse it permanently (this action creates a profile for the site that automatically deals with the site's cookies as you specify).

Pop Quiz: How Private Are You Online?

Feel lucky, punk? Well, maybe you shouldn't. Take our quiz to see whether you're an easy mark. Tally your points to see how hot things are for you on the Paranoid Thermometer.

Have you signed up at a free membership site?

If yes, collect 2 paranoia points. If you didn't check the privacy policy or read the text next to each check box, collect 10 more points. Many sites want your address, phone number, and income range--and share this information with other companies.

Have you used a credit card online?

If yes, assign yourself 2 points. The real danger comes from doing business with sites that don't store your credit card info behind a hack-proof firewall.

Have you used a debit card online?

If yes, 10 points. Though debit card services limit losses through theft, your checking account can be cleaned out while the service investigates fraudulent debits.

Have you sent a credit card number or other personal data via e-mail?

If yes, 10 points. E-mail is intrinsically less secure than a transaction conducted at an e-commerce site. And you never can tell who's going to forward your e-mails.

Do you use your real name and e-mail address when posting messages?

If yes, collect 10 points. Spam companies are notorious for harvesting visitors' addresses from Usenet and other forums.

Have you checked all the white-pages sites for your name?

If yes, 10 points. If no, 10 points. Online directory services cross-reference your home data with that of neighbors and local businesses, and--calling all stalkers--provide links to maps.

Have you installed Web apps that know when you're online?

If yes, 3 points. Like the Pentium III processor, Web applets may carry a unique serial number that can be used to identify a computer.

Do you open e-mail file attachments?

If yes, 5 points. Harmless though the attachment seems, it could contain Trojan-horse software that exposes your PC to attack from the Internet.

Do you use chat rooms?

If yes, 3 points. Log in to chat or IRC sites, and "script kiddies" can employ a program to gather your AOL screen ID and steal your password.

Do you use Windows networking or file-sharing software on your online PC?

If yes, 10 points. Windows 9x networking opens up the NetBIOS port to anyone who wants to access your PC. Hackers can probe systems for open ports and gain read/write access to your hard disk.

HOW TO SCORE

61 + Any secrets you had are secrets no more.

41 - 60 Pretty cocky, aren't you? Better be more circumspect.

31 - 40 You're cautious--but you could stand to be a little more so.

0 - 30 You've got nothing to worry about. You must already be paranoid.

Browse Incognito

One way to stay anonymous on the Web is to lower your browsing profile.

Think that most of your Internet activity --browsing, shopping, posting messages, sending e-mail--is private? Think again.

Give your PC a privacy test: Any time you're connected to the Net, your PC is open to the world. Gibson Research's ShieldsUp site (www.rc.com) features the 'Test My Shields' and 'Probe My Ports' links that establish a secure connection and show you a Web page with the information that a hacker could find out about your computer and LAN. You will likely see your name, your IP address, and the number of "ports" on your computer that could allow anyone who has the right software to scope out your hard disk and its contents.

Don't share your files: Hackers can gain access to your computer when your PC is set to share files and printers. Even if you aren't on a network, your PC's settings may be configured to allow file sharing--and hacker entry. To turn off access to file and printer sharing in Windows 9x, select Start*Control Panel, double-click the Networks icon, and select the Configuration tab. Click the File and Printer Sharing button, and make sure that both boxes in the dialog box are unchecked.

Study the trail you've left: The simplest way to block intruders from your PC is to install a firewall. But firewalls only defend PC ports that allow file sharing; they don't hide your browsing habits. To see what information you're giving away, check Privacy.net's Anonymizer analysis page (www.anonymizer.com), which lists the sites you've visited and any cookie-related information they deposited on your PC. For real anonymity, you need an anonymous browsing service that cloaks your identity--or lets you establish an alias that nobody can trace back to you--and routes all your activity through its own anonymous servers.

Surf anonymously for free: Anonymizer is the most venerable free anonymity service. Enter any Web address at www.anonymizer.com, and the site will take you there but conceal your IP address and other identification.

Unfortunately, the free version of the service slows the browsing process, carries ads, does not let Java or JavaScript apps execute, and more important, does not access FTP sites or secure http sites, such as Web merchants' order-taking pages.

Surf anonymously for a fee: Anonymizer's premium fee-based service works faster and lets you access secure http sites and execute "friendly" Java and JavaScript apps; it costs $15 for three months, $50 for one year.

Zero-Knowledge Systems' Freedom 1 and Privada's PrivadaProxy provide anonymity online via software/Web site combos and add other benefits. PrivadaProxy's Web Incognito service lets you set up an alias to use online and interposes a proxy server between you and any site you visit. You can set up as many online identities as you like for a monthly fee of $5 each. The software allows you to configure settings for cookies and e-mail filtering, but your browser must be set to run through a proxy server. In Internet Explorer, select Tools*Internet Options*Connections*LAN Settings. In Netscape, select Edit*Preferences*Advanced*Proxies, double-click Advanced, and select Proxies.

Freedom 1 uses a network of anonymizing servers and strong encryption on your PC to confound any site that tries to trace your connection back to your PC.

Online aliases, known as nyms, supply a browsing identity and an encrypted e-mail account (yournym@freedom.net). Five nyms with a one-year life span cost $50. Instructions are routed through one, two, or three intermediate servers, slowing browsing but simplifying mail cryptography and spam control.

How to Make Your AOL Account Private

Hackers love to target America Online. These gate-crashers can seriously compromise your account. Here are areas to patrol:

E-mail controls: Your AOL address doesn't take long to reach mass e-mailers. To control the e-mail you receive, log on with the master screen name, click the Mail Center icon, and select Mail Controls. Pick a screen name, and examine your control options: You can block all e-mail, block mail that originates outside AOL, or reject mail from specific domains or members you list; or you can filter out all e-mail addresses except those you list.

Downloads: If you try to download any program from e-mail, AOL's Download Sentry warns you that executable downloads could contain viruses or Trojan horses--but it won't stop you from downloading them. So be wary what you download from strangers--and even from friends.

E-mail links and attachments: Most people don't think twice about clicking an HTML link in an e-mail. Malicious JavaScripts can lurk on any Web page, and many of the sociopaths who code them delight in targeting AOL users. If e-mail from a stranger contains attachments or links, forward the e-mail to TOSSPAM, AOL's spam-alert address.

Instant messages: AOL Instant Messenger allows Internet users and AOL's 20 million members to communicate instantly. Control the flow of Instant Messages.

Select keyword Buddy, and click Privacy Preferences. You'll be presented with the same control options you have with e-mail in Mail Controls. You can exclude any combination of Internet and AOL users from sending IMs. Finally, click the Buddy List and Instant Message radio button to have your criteria accepted.

Chat rooms: AOL hackers have a script program that culls screen names from People Connection chat rooms and either adds them automatically to spam lists or sends unsophisticated Instant Messages asking for "password verification."

So create a dedicated screen name for chat sessions, and set up stringent mail and IM controls for that account.

Eliminate Spam

When it comes to inviting spam, you are your own worst enemy. But you can stop most of the annoying clutter.

No matter how cautiously you fill in personal information forms to register at sites you visit often, junk e-mail seems sure to follow. The two types of spam are e-mail you request ("get news of the latest airfare bargains") and annoying, unsolicited get-rich-quick, porn, and other pushy sales pitches. The former is easy to stop, but you'll need a digital machete to excise the latter.

Create an extra address: Avoid revealing your main e-mail address at Web sites and online message boards. Sign up at a free e-mail service like Excite Mail, Hotmail, or Juno and use that address when you register at sites. The free address will then become a receptacle for spam. These services let you filter out known bulk e-mailers, so you can reduce the flow further. Yahoo does this automatically; others require a little intervention. With Excite Mail, for example, click Preferences*Email, scroll to the Spam Controls, and click Refuse mail from known junk mailers. Bulk e-mailers often use software to harvest e-mail addresses from sites, so limit the use of your regular e-mail address when you post messages online or list a contact e-mail address on your own Web site.

Read before you sign: Some online merchants try to trick you into consenting to receive e-mails you have no interest in. Your defense: Carefully read the wording of any check box that refers to "news of updates" or "news from select partners." It's often hard to tell whether you need to click or unclick a check mark to opt out of the mailing list.

Unsubscribe cautiously: Once you're on a legitimate company's mailing list, it's usually not difficult to unsubscribe. Typically the unwanted message includes instructions to e-mail your request to a special address or to reply to the message with the word unsubscribe in the subject area. But be warned: If the message obviously came from a bulk e-mailer (a mail subject line with a sensational promise or lurid appeal such as "Make Big $$$" or "XXX Girls" is usually a giveaway), don't follow the unsubscribe instructions. Doing so just verifies that your e-mail address is active, which makes it more valuable for unscrupulous people to resell.

Set up filters: Blocking messages from bulk e-mailers requires a filter. In Outlook Express, select Tools*Rules Wizard and set up a folder for junk mail (such as your Deleted Items folder); then right-click any in-box message you don't like the looks of, and select Junk E-mail*Add to Junk Senders. This consigns future mail from that address to your junk mail folder. In Eudora 4.2, right-click an open message or message summary, and choose Make Filter from the menu. Use the Make Filter dialog to instruct Eudora to delete messages like the one that you've selected. In Netscape, Select Edit*Message Filters, and identify criteria that mark a message as unwanted mail. These identifying marks may include the sender's e-mail address, initials as a heading, multiple exclamation marks, or words such as "quick bucks" in the content.

Set up industrial-strength filters: If your address ends up being sold to bulk e-mailers, you need software that maintains lists to filter out bulk e-mailer addresses and message content. The shareware Spam Buster 1.8 and the trial download SpamKiller 2.77 are past PC World Best Buys, and they're available for download from FileWorld. Spam Buster intercepts more messages than SpamKiller, including some that aren't junk mail, but you can preview intercepted files before deleting them. Both programs provide a button you can click to report abuse of an e-mail account to the domain's postmaster.

Privatize E-Mail

It's a crime to open other people's mail--but not on the Web. Still, you can make your e-mail harder to open.

You've probably heard that you shouldn't put anything in an e-mail message you wouldn't put on a postcard. That's sound advice. Your boss and your IS department can lawfully read any e-mail sent to a corporate e-mail box. But since e-mail hops around in unencrypted form between servers on the Internet and ends up in online e-mail boxes that are extremely vulnerable to hacking, anyone intent on invading your privacy can read it.

Lock it up: If you have nothing to hide but occasionally send a sensitive message, you can attach the message as a password-protected Microsoft Word file (select Save As, and from the dialog box click either Tools or Options), and send the password in a separate message. Or you can use a zip compression utility (which also has a password-protection option) to compress a file in any other format. When you create a zipped file, click the Password button and enter a password. To extract that file, you must first type the password. These techniques aren't ideal--the encryption that's used in Word and WinZip isn't particularly complicated, and you have to send your password in unencrypted form.

Get all keyed up: You can achieve a more robust level of e-mail security by using key pair encryption. The sender encodes mail with one key--the recipient's "public" key--and the recipient decodes it using a unique "private" key. You never know the other party's password, and they never know yours. It's much like a bank's safe deposit box: To open, it you need your key and the bank's key. For details about practical uses of key-pair encryption, check out our March Got a Problem (www.pcworld.com/mar00/gap).

Probably the best-known encryption program is PGP (Pretty Good Privacy), which lets you pick a level of encryption from a range of 768 bits to 3072 bits--much higher than the 40- or 60-bit level of encryption in your browser. PGP is distributed in various forms, including PGP Freeware, a download for noncorporate use that integrates with Eudora and Outlook Express. If you use another e-mail client, you can copy messages to the Clipboard and then encrypt the contents of the Clipboard by using a little program in your Windows tray called PGPKey. In general, the higher the encryption level, the slower the process, so something in the middle of PGP's range--say, 1024 bits--is usually best (that is, it protects like Fort Knox and doesn't take forever to use).

Hush-hush sweet e-mail: End-to-end encryption without the hassle of separate keys is available with the free HushMail e-mail service at www.hushmail.com.

Web-based HushMail uses encryption as strong as PGP's default setting (1024 bits). Encryption and decryption take place inside your system, via a PC-based Java app, so everything on the Web remains indecipherable even to sophisticated hackers. Both sender and recipient must use HushMail accounts--a minor inconvenience.

Use a digital shredder: Register for a free secure e-mail account at www.1on1mail.com. The site's software encrypts mail up to 2048 bits and uses a virtual private network to connect your PC and the mailbox. The virtual shredder obliterates messages immediately after the reader closes them, or after a specified interval. The service is free, supported by advertising in the e-mail client software, and very secure.

Always On, Always Open To Attack

You have DSL or cable internet access--two of the biggest, baddest, broadest pipes to the Internet a consumer can have. And you don't have to wait for dial-up and disconnect dialog boxes because your Internet connection's always on. Convenient? You bet it is. But it also makes you susceptible to port-scanning scripts that probe IP addresses looking for a point of entry into your PC or home network.

Minimize risk by turning off your PC when you're not using it. If it's off 10 hours a day, your cable or DSL modem's permanent connection ceases to be a hacker's cat-flap. BlackICE Defender ($40, www.networkice.com) monitors network access to your PC. You'll probably see a dozen or more unsolicited "pings" (attempts to determine whether your IP address is active) per day from hacker scripts or other sources. Most are random attempts from hacker scripts looking for open ports on your PC.

Personal firewall software isolates your computer from its Internet connection by filtering out information, blocking open ports, and halting programs with ActiveX controls and JavaScript routines. Aladdin Knowledge Systems' ESafe Desktop 2.2 ($50, www.aks.com) one-stop firewall, virus scanner, and Web/mail-content filter puts Web pages, e-mail downloads, and floppy disks entering your system into a "sandbox" until they pass quarantine. It slows down things a little, but peace of mind is worth a lot. Other personal firewall and security systems include Norton's Internet Security 2000 and Zone Labs' ZoneAlarm 2 (a free download for personal use from www.zonelabs.com or FileWorld). The @Home network has established an Online Security center promoting McAfee's personal firewall software (a $30-per-year subscription service), based on Signal9's ConSeal Private Desktop software. WinProxy 3 proxy server software includes a firewall for sharing a broadband connection among PCs on a network. WatchGuard SOHO puts a proxy server and firewall software in a 5-mbps networking box ($449 for a ten-user license with one year of software updates, tech support, and Web-usage tracking, then $95 a year).

* WatchGuard Technologies; 800/734-9905; www3.watchguard.comPRODUCT INFO NO. 605Anonymizer PremiumList price: three months $15, one year $50; Anonymizer.com; www.anonymizer.comFreedom 1List price: five identities per year $50; Zero-Knowledge Systems; 514/286-2636; www.freedom.netPRODUCT INFO. NO. 603Norton Internet Security 2000List price: CD-ROM $60, download $5; Symantec; 800/497-6180PRODUCT INFO. NO. 604PrivadaProxyList price: $5 per identity per month; Privada; www.privada.netMake Chat SafeWhen you talk on the Web, everybody can hear. Try digital whispering.

When you participate in an online community--whether it's a chat room, a newsgroup, or an instant messaging service--you forfeit privacy. Though you choose the people you want to chat with, those you don't want to deal with can contact you or lurk and find out about you--because it's an open community. At worst, people with software that gathers e-mail addresses from Web sites or chat channels may collect your information and sell it to bulk e-mailers.

Fake your return address: When newsgroups or chat rooms demand your e-mail address, don't give them your real one. Deja.com's newsgroup service will provide you with an e-mail address you never need check. Or you can subscribe to a free e-mail service and turn on its full spam filter to prevent unwanted e-mails.

Turn IM off when you're not on: Don't run AOL Instant Messenger, ICQ, Yahoo Pager, or other instant messaging chat software all the time. With AIM, your chat name is active on the messaging server, and people can tell that you're online and how long you've been there, or that your connection has been inactive for a given period of time. Don't run the program every time Windows starts up. Select Start*Run, type MSCONFIG, and press . Under Startup, locate the offending software, click its box to remove its check mark, click OK, and then restart Windows.

Restrict access: With AIM and other chat services, casual acquaintances who know your e-mail address can easily tell when you're online and when you're away from your office. Restrict their access by not broadcasting your presence:

Select File*My Options*Edit Preferences, click Controls, and under 'Who can contact me', name only the people on your buddy list, create an even smaller list of people, or block everybody if you wish. At the bottom of the screen, select Nothing about me to prevent people who know your e-mail address from finding your screen name.

Keep it secret: These measures will not protect the privacy of your instant messages or files you exchange using AIM 3 and other chat clients. The only way to protect your conversations and exchanged files is to encrypt them. Boomerang Software's free Secure Shuttle Transport chat client uses RSA encryption and its own secure servers to shuttle the information. It doesn't share buddy lists with other chat software, so you have to convince your most confidential chatting buddies to migrate too. But for conversations you really don't want overheard, it's worth it.

Threats to privacy aren't only online. Any time you buy a house, renew your driver's license, or change long-distance carriers, someone is selling your name to telemarketers or junk snail-mailers. It's a database nation out there--you've got to be on your guard not to get sucked in.

Find files mentioned in this article at www.fileworld.com. Additional privacy and security tips can be found at www.pcworld.com/jun00/privacy. Matt Lake is a freelance writer operating behind a secure firewall somewhere in the eastern United States. He's not saying exactly where.

Join the newsletter!

Error: Please check your email address.

More about Advertising PartnersAladdinAladdin Knowledge SystemsAmazon.comAmerica OnlineAnonymizerAOLBoomerangBoomerang SoftwareDoubleClickFileWorldGibson ResearchICQIMSMcAfee AustraliaMessengerMicrosoftNetworkICEPGPPrivadaSecurity SystemsSymantecWatchguardWatchguard TechnologiesYahooZone Labs

Show Comments

Market Place