SAN FRANCISCO (05/30/2000) - Welcome to the Wired World! In a matter of hours, you book tickets for your next trip to Key West, buy a handful of travel guides from an online bookstore, and post an inquiry to the Internet newsgroup rec.travel.i-am-going-to.florida. Satisfied with all you've done so quickly and efficiently, you open your e-mail and -- surprise! You confront 45 messages promising "HOT XXXXX!!!!" "Steamy Action in the Keys," and the chance to make millions from the comfort of your own time-share. You also find five messages from people saying they read your Usenet message, went to your home page, found your home address, and have decided to visit.
As you're frantically deleting messages and wondering what you're going to do when strangers show up on your front porch, you begin mumbling to yourself:
"That's it. I'm dropping off the grid and going to live in a cave. The Internet knows too much about me."
How did this happen? The wired world has its advantages -- but easy as it is for you to find information online, it may be just as easy for others to find out about you. This is a world where hackers want to steal your credit card number, where employers can easily look up your posts to online discussion groups or monitor your surfing at work, and where advertising "profilers" can track your movements and shopping habits. All sorts of information about you may be out on the Internet, ready for someone to connect the dots.
That's why we've assembled this guide to preserving your privacy online. If you're connected, you need protection. Since some invasions happen when you're not even at your computer, we'll also show you how to safeguard a Mac that's always connected to the Internet. With a little care and some helpful utilities, you can enjoy all the conveniences of the wired world and remain hidden from prying eyes.
Your IP Is Showing
Surfing the Web seems like a blissfully anonymous experience. No nosey salesperson eyes you when you buy toiletries from Drugstore.com Inc., for instance, or winks when you buy Judy Blume's Forever from Amazon.com Inc. But in many ways you're dramatically less anonymous online.
What They Know about You
As soon as you connect to the Internet, you set up a relationship in which you both give and receive. Every time you download a Web page, your browser sends the Web server information about what Web browser and operating system you're using, the URL of the page that referred you to the site (if you simply typed the URL, the Web site gets no information about the last site you visited), and the IP address (a unique identifying number your computer uses on the Internet) of your system.
This information is usually recorded in a log, a file that details every page a Web server sends out to readers -- and tracks the IP addresses that retrieve the page. Sophisticated programs can process log files and piece together a profile of your visit: which pages you visited, how long you stayed on each one, and even what site you headed for when you left (if you clicked on a link on one of the Web site's pages).
Once someone has your IP address, he or she can also figure out generally where you're surfing from. For example, using the Lookup Domain feature in Stairways Software's (http://www.stairways.com) $35 shareware program, Anarchie 3.7, you can enter an IP address and find a person's domain.
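The log processing described above, as an added example that is not part of the original article: a short Python script that rebuilds each visitor's path, time per page, and referring site from a server log. The log lines, addresses, and host names are constructed samples, and the "combined" log layout is an assumption about how the server is configured.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the widely used "combined" access-log layout.
# IP addresses come from documentation ranges; hosts and paths are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [30/May/2000:10:00:00 -0700] "GET /index.html HTTP/1.0" 200 5120 "http://search.example/?q=key+west" "Mozilla/4.7 (Macintosh; I; PPC)"
198.51.100.7 - - [30/May/2000:10:00:20 -0700] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)"
192.0.2.10 - - [30/May/2000:10:00:45 -0700] "GET /guides/florida.html HTTP/1.0" 200 9000 "http://books.example/index.html" "Mozilla/4.7 (Macintosh; I; PPC)"
192.0.2.10 - - [30/May/2000:10:03:15 -0700] "GET /checkout.html HTTP/1.0" 200 2048 "http://books.example/guides/florida.html" "Mozilla/4.7 (Macintosh; I; PPC)"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse(log_text):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            rec = match.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def build_profiles(log_text):
    """Group hits by IP address and reconstruct each visit in time order."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        by_ip[rec["ip"]].append(rec)

    profiles = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda r: r["ts"])
        pages = []
        # Time on a page = gap until the same address requests the next one.
        # The last page has no following request, so its dwell time is unknown.
        for cur, nxt in zip(hits, hits[1:] + [None]):
            dwell = int((nxt["ts"] - cur["ts"]).total_seconds()) if nxt else None
            pages.append((cur["path"], dwell))
        first_ref = hits[0]["referer"]
        profiles[ip] = {
            "agent": hits[0]["agent"],                      # browser and OS
            "arrived_from": None if first_ref == "-" else first_ref,
            "pages": pages,
        }
    return profiles


if __name__ == "__main__":
    for ip, profile in build_profiles(SAMPLE_LOG).items():
        print(ip, profile)
```

The visitor who typed the URL directly shows "-" as the referrer, which is why the script records no arrival site for that address.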
What Cookies Tell Them
Sites can easily track what you do during one visit, but it gets more complicated when you go away and come back later. That's where cookies come in.
Cookies allow sites to keep track of who you are even if you haven't visited for a while. This is how Amazon.com recognizes you and serves up book recommendations when you return to the site, without ever asking you to log in.
This is also how your my.yahoo.com home page opens to your favorite news and stock quotes and how http://www.nytimes.com remembers your user ID so you don't have to log in each time you read the New York Times online. If you've ever registered on a site, it may have associated your name, address, and e-mail with all this other information.
Most cookies simply make surfing more convenient. The exception is when sites allow a separate company, usually an advertising service, to place its cookie on your computer from within a site and then use that cookie to track you from site to site. With this knowledge, the advertising companies -- known as profilers -- can build a comprehensive profile of your surfing habits and use it to put ads targeting you on their partner sites.
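The cross-site tracking described above, as an added example that is not part of the original article: a small Python simulation of one advertising server embedded in three unrelated sites, run once with a browser that keeps the profiler's cookie and once with a browser that refuses it. The class names, the host ads.example, and the page URLs are hypothetical.

```python
import itertools

# Constructed pages on three unrelated sites that all embed the same banner.
PAGES = [
    "http://travel.example/key-west-flights",
    "http://books.example/florida-guides",
    "http://news.example/health/article-17",
]


class Profiler:
    """Hypothetical advertising server whose banners appear on many sites."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = {}   # cookie value -> pages on which the banner loaded

    def serve_ad(self, cookie, referer):
        """Handle one banner request; return a new cookie value, or None."""
        new_cookie = None
        if cookie is None:               # browser sent no cookie: unknown visitor
            cookie = new_cookie = f"uid{next(self._ids)}"
        # The Referer header names the page that embedded the banner.
        self.profiles.setdefault(cookie, []).append(referer)
        return new_cookie


class Browser:
    """Minimal cookie jar keyed by the host that set the cookie."""

    def __init__(self, accept_third_party_cookies):
        self.accept = accept_third_party_cookies
        self.jar = {}

    def visit(self, page_url, ad_server, ad_host="ads.example"):
        # Loading the page also fetches the banner from the profiler's host,
        # sending back whatever cookie that host stored earlier.
        reply = ad_server.serve_ad(self.jar.get(ad_host), referer=page_url)
        if reply is not None and self.accept:
            self.jar[ad_host] = reply


def simulate(accept_third_party_cookies):
    """Visit every page once and return what the profiler has on file."""
    profiler = Profiler()
    browser = Browser(accept_third_party_cookies)
    for url in PAGES:
        browser.visit(url, profiler)
    return profiler.profiles


if __name__ == "__main__":
    print("cookie kept   :", simulate(True))
    print("cookie refused:", simulate(False))
```

With the cookie refused, the profiler sees three apparently different visitors with one page each; the requests still carry the browser's IP address, which this simulation does not model.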
The profilers argue that their activity is harmless and that they don't really know who you are. Besides, they say, they're basically doing you a service by tailoring ads so you see only items of interest. But take the example of the company DoubleClick Inc., a very popular profiler many companies (including Macworld) have used. It became the focus of legal and media scrutiny for privacy invasion after it bought a direct-mail database called Abacus Direct last year.
Electronic Frontier Foundation
Privacy news, voluminous resources, and discussion groups from one of the premier organizations working for online privacy rights.
Center for Democracy and Technology
Here you'll find the Operation Opt-Out tool, which helps block cookies from many major sites. This site also offers news and legislation tracking.
Electronic Privacy Information Center
This is a good source of legal information. This site also offers book recommendations.
The Federal Trade Commission
The federal government's advice on protecting yourself against scams of all types.
Social Security Administration
The first place to go if you suspect you may be the victim of "identity theft." The hotline number is 800/269-0271.
The Abacus purchase gave DoubleClick the ability to take profiles a step further. The Abacus database contains nearly 3 billion transactions made at stores such as Bloomingdale's, as well as those customers' names and addresses.
With that information, DoubleClick could connect the dots and link your surfing habits with your name, address, phone number -- and your offline shopping habits as well. That was too invasive for the Federal Trade Commission. This past February, it launched a general inquiry into DoubleClick's practices. The company responded by promising not to link the two databases -- for now.
Companies such as DoubleClick may draw heat when they track your movements online, but it's perfectly legal for your employer to do just that while you're on the job.
Keep Your Surfing to Yourself
If all this gives you the creeps, you can take a few protective measures. Most involve a trade-off between convenience and privacy.
One way to keep people from monitoring your browsing is to hide it from them.
For this, you can go to a nifty Web site called Anonymizer (http://www.anonymizer.com) and use its Anonymizer surfing service. Enter a Web address you want to visit -- the service uses its servers to mask your identity as you continue to surf. Surfing anonymously is the only way to stop transmission of your IP address when you visit a site.
Watch Your Cookies
If anonymous surfing seems extreme, your next choice is simply to accept that sites know your IP address and to get wise about cookies. (If you dial in to your ISP, it may assign you a different IP address each time anyway.)
Most of the major reputable sites offer an "opt-out," or the ability to request that the site not track you with a cookie. You'll usually find this option on a site's privacy-policy page. The Center for Democracy and Technology (CDT) offers a Web site (http://opt-out.cdt.org/online/) to help you through the process at many of the top portals, profilers, and e-commerce sites, such as DoubleClick and Yahoo. But opting out takes a bit of time and effort -- and may not actually work, since it's voluntary on the part of the companies.
Current versions of Microsoft Internet Explorer and Netscape Communicator have security features that keep sites from obtaining your e-mail address or accessing your files without your permission, and every browser offers you the ability to turn off cookies.
Turning off cookies is a great idea in theory that usually fails in practice.
First off, some e-commerce sites require cookies to keep track of what's in your shopping cart. If you turn cookies off, most browsers will beep at you repeatedly -- sometimes multiple times on a single Web page -- warning you that the site is trying to send a cookie and asking you to accept or reject the file. Needless to say, this makes browsing all but impossible.
Microsoft's new Internet Explorer 5.0 (425/882-8080, http://www.microsoft.com/mac/ie/) improves on this process significantly, allowing you to block cookies without all the beeping. If you want to know what cookies you've picked up in Internet Explorer, open Preferences and select Cookies from the commands on the left under Receiving Files. The list of cookies appears on the right. You can then select any you don't want and press Delete.
Use Cookie-Zapping Software
For Netscape users and people with older versions of Internet Explorer, a few programs can help manage cookies. Some offer other features that make them worthwhile for Explorer 5.0 users, too.
Webroot's $29.95 MacWasher (800/772-9383, http://www.webroot.com/macwasher.html) is the most thorough of the bunch. This shareware utility cleans your cookie file at selected times or during start-up or shutdown. MacWasher allows you to select cookies and files you don't want deleted so you can still log in to your favorite trusted site.
If you don't want to pony up the money for MacWasher, two freeware programs can help: 1.0 Technologies' No Cookie 2.0 (http://www.onepointoh.com/products/NoCookie/) and MagicCookie Monster (http://download.at/drjsoftware), from Dr. Jon's Software. No Cookie allows you to see what's in your cookie file, delete its contents, and disable the file so it can't save new cookies but won't cause your browser to keep beeping at you.
The only problem with No Cookie is that it basically offers an all-or-nothing approach. You may want some of your cookies that personalize certain pages.
While No Cookie uses a machete, MagicCookie Monster wields a scalpel. With this utility, you can edit your cookie file, selectively deleting any cookie you don't want. Of course, the flaw here is that you can't disable the cookie file, so those nasty cookies will return soon enough.
One solution is to use the two in tandem. Use MagicCookie Monster to delete cookies you don't want; then run No Cookie to disable the cookie file and keep new cookies out. This allows you to keep the automatic registrations at select sites of your choosing.
Another solution to aggressive advertisers is to use Override Software's $25 Lightspeed Surfer (http://www.overridesoft.com/lightspeed/), which blocks not only cookies but also advertisements. With this shareware utility running, you see a box with a plain text link in place of banner ads -- handy if the Web's commercial bent overwhelms you.
Don't Let Others Connect the Dots
We've talked about several ways people can obtain information about you on the Web, but one of the biggest dangers is how easily they can put all this information together. Take, for example, the following popular Internet legend.
As the story goes, BigHank53 sends a random e-mail to a site, calling its creators stupid. These levelheaded chaps search the Web, probably using a search engine such as AltaVista, for his Hotmail address. He's put this e-mail address on his home page, along with his resume, information about his family, and his activities with a church youth group. The site's creators then do a search of Usenet discussion groups and discover BigHank53's e-mail address somewhere else -- on postings to adult newsgroups.
After searching for the phone number of his church and employer, they have all the information they need to blackmail poor BigHank53. Their price? He must put a blinking banner that says "I am stoopit" on his home page. Is this a true story? Probably not. The scary thing is that it could be.
Discussion Groups Are Not Private
Take a lesson from BigHank53. If you post to discussion groups, know that your posting gets archived and that people can search for what you've said by typing your name on a site called Deja.com (formerly Deja News).
This site archives every posting to every Internet newsgroup in searchable form. The premise of Deja.com is that you can see people's comments about a product you may be considering buying and use the archive as a grassroots Consumer Reports.
People can use this service for different purposes, however. Anyone from crazy site creators to potential and current employers, for example, can search for your name or e-mail address. If you're making nasty remarks about your coworkers or have a penchant for violent or sexual materials, they may find that enough grounds to fire you or not to hire you. This holds true if you keep an online diary or Web log -- if it's on the Web, it's not private.
Watch Where You Post Your E-mail Address
There's another reason for wariness when you post to discussion groups.
Spammers use programs that mine these newsgroups and collect e-mail addresses, and then they flood you with spam about the latest get-rich-quick scheme or porn site.
If you want to avoid spam, or don't want your Usenet postings forever on display with your identifying e-mail address, get an anonymous Web-based e-mail address from a provider such as Yahoo Mail or Hotmail. These are also great to use for all online registrations -- the source of some spam.
To really throw the dogs off your scent, sign up for a couple different e-mail addresses and rotate them. This keeps anyone from developing a profile, even on your anonymous e-mail. If you don't like the idea of logging into all those accounts, use a secure (and free) personal information portal like Yodlee (http://www.yodlee.com) to check all your e-mail addresses at once. There's another option if you want fellow posters to be able to write you but want to outwit spammers' programs -- you can also insert a word or two into your e-mail address and include instructions for people to delete them before writing -- for example, email@example.com. Never put these camouflage e-mail addresses on a personal home page with your name on it.
The Last Word
The precautions you choose to take really depend on how much privacy you require. In all likelihood, you could surf and post freely your whole life without dire consequences -- but why take the chance? A few simple measures can put you in control of what people know about you and what they don't.
ELLIOT ZARET covers portals and e-commerce for MSNBC.com. SCHOLLE SAWYER is Macworld's executive editor.
Sidebar: Your Cubicle Is Not Your Castle
What you do at work is not your own business. It's perfectly legal for your company to monitor your surfing and rifle through your e-mail while you're on the clock. And it may do just that -- according to a 1998 study by the International Data Corp. (IDC), 45 percent of all companies and 17 percent of Fortune 1000 companies use software to monitor their employees. IDC predicts that number will jump to 80 percent by 2001.
Is the Boss Watching?
Mac network managers can use software such as Netopia's netOctopus 3.5 (800/803-8212, http://www.netopia.com) for this purpose. Network managers can also see where you surf without using any software at all -- by simply checking the logs on the corporate proxy server.
Tidy Up Your Hard Drive
But your employer doesn't have to spy on you over the network to see where you've been. Your own hard drive will quickly spill your secrets. Microsoft Internet Explorer and Netscape Communicator both keep cache files, which speed surfing by storing images and pages you have visited. These files also provide a road map of where you've been. Internet Explorer's History file keeps a detailed record of your movements as well. If you're concerned your boss might mistakenly confuse that research you did at Amazon.com or ESPN.com for pleasure surfing, you can erase your tracks.
To do this in Internet Explorer, choose Internet Preferences from the Edit menu. Click on Web Browser and then on Advanced. Click on Empty Now to clear your cache; to delete your history, ask it to remember 0 places visited. In Netscape, go to the Edit menu and select Preferences. Choose the Advanced option and select Cache. Click on the Clear Disk Cache Now button.
You can also use a program such as MacWasher to get rid of all trace of your cache file or Internet Explorer History file. This program even deletes the Recent Files folder in your Apple Menu and empties the Trash.
Use a Password
When it came out that former CIA director John Deutch had all sorts of secret intelligence files on a Mac at his house, the account also revealed that someone using the computer had been surfing porn sites. A security report said the sex surfer was most likely someone else -- possibly a housekeeper -- and Deutch was probably not home at the time.
Ignoring the obvious question of whether the sex surfer therefore had access to the classified CIA files, the former head spook could have avoided the embarrassment of sexual innuendo with OS 9. A simple step, such as using OS 9's Voiceprint feature to lock intruders out of the hard drive, could at least ensure that you don't get in trouble for what you didn't do. If you use text passwords, include capital and lowercase letters, as well as numbers and punctuation marks.
Your Own Worst Enemy
Unfortunately, you are your own biggest security risk. Any data you put in an online form, especially personal information, is fair game for advertisers or hackers.
Most information -- whether it be e-mail, a photo, or items you type into a form -- travels across the Internet in packets. These bounce from server to server until they reach the right computer. Hackers have programs that can sit on a server and read all the packets that pass by, so a hacker can intercept information at will.
A Clear Cache
Your browser's Cache file keeps a record of every Web page you've visited. To erase this trail in Netscape Navigator, go to Preferences and click on Clear Disk Cache Now.
Protect Your Passkeys
It's easy to give away information without even realizing it. The three passkeys for your credit card and bank accounts are most likely your mother's maiden name, your date of birth, and your Social Security number. You'd never tell anyone all this, right? Think again.
If you're a fan of genealogy, for example, you may have posted your mother's maiden name on your home page or on a genealogy site such as FamilyTreeMaker.com. You also may have given your date of birth in these places or when you registered for any number of sites.
Your Social Security number is probably the safest (and most crucial) of the lot, so protect it as best you can -- do not give it to companies unless you must: for example, when you deal with the DMV or a creditor. If you suspect someone has intercepted your personal information and stolen your identity, move fast.
Use Secure Sites
In some cases, however, you may feel that giving away some information in exchange for certain services is well worth it. In that case, follow some simple precautions. Require a secure site whenever you give any personal information. You have two ways to check: the key or padlock in the bottom left corner of your browser window should be locked; and the URL should begin with https:// rather than http:// (the s is for secure) if the connection is secure.
Sidebar: Make Your Mac Hacker-Proof
When you're constantly connected to the Internet through DSL, cable modem, or other high-speed technologies, the Internet is constantly connected to you.
Millions of people can probe your Macintosh over an always-on connection -- 24 hours a day, 7 days a week. Do you trust all those people? Of course not!
You use a Mac, so you're immune to many problems that plague the Windows world.
In its default configuration, the current Mac OS is not vulnerable to spammers or other miscreants. For instance, no one can hijack your computer and turn it into a "zombie attacker," as happened with many individuals' PCs in the recent denial-of-service attacks against Yahoo and other big Web sites.
Now that you're using the Internet more ambitiously, though, it's important to make sure you aren't exposing your computer -- or yourself -- to unnecessary risks. If you're running an e-mail or Web server, you'll want to protect your data as best you can from online thugs. One answer is firewall software.
Ports of Call
Internet programs communicate using ports. These aren't physical connectors on your computer, but numbered, software-based sockets on your Internet connection. Many port numbers are standardized. Port 25 sends mail; Web servers typically occupy port 80. Servers and some Internet programs listen on specific ports and respond to incoming connections: if you enable Personal Web Sharing, by default it listens for connections on port 80.
Firewalls can enable or block connections on specific ports and often for particular Internet addresses. Let's say you want to use Personal Web Sharing (or Mac OS 9's Internet-capable File Sharing) to access files on your home computer from work. In addition to password-protecting your Mac, you could configure a firewall so it only permits access to port 80 (Web Sharing) or port 548 (File Sharing) from your work computer. This way, you could access your files from work, but the firewall would deny any attempt to connect to your Mac from other computers elsewhere. (However, this would also prevent you from connecting from the cybercafe down the street.)
Options
Your always-on Internet connection may use a simple hardware router -- particularly if you have more than one static IP address. If so, that router may offer basic firewall capabilities, but you might have to configure it using a Telnet client, and it probably has little or no logging capability.
Open Door Networks (541/488-4127, http://www.opendoor.com) offers the $60 DoorStop Personal Edition, a simple firewall designed to protect the Macintosh on which you install it. DoorStop's interface is occasionally confusing, but configuration is straightforward, and DoorStop works with common services like Web Sharing, File Sharing, Timbuktu, Retrospect, and FileMaker. An enhanced $300 Server Edition offers more-flexible configuration options for Macs functioning as Internet servers.
Intego's $150 NetBarrier (305/868-7920, http://www.intego.com) also protects the computer on which you install it but offers an elaborate interface with traffic-monitoring gauges and configuration options (see Reviews, December 1999). Unlike DoorStop, NetBarrier can filter incoming and outgoing traffic, so you can prevent credit card or Social Security numbers from leaving your computer. NetBarrier protects against some denial-of-service attacks and detects port scans, which usually mean a miscreant is looking for an exploitable service. This program also overcomes a weakness in Open Transport by scrambling TCP sequences so it's tough to hijack an Internet session.
NetBarrier is overkill for most people, but it offers unique features.
If you're connecting multiple computers to the Internet, software routers such as Vicomsoft's $100 SoftRouter (800/818-4266, http://www.vicomsoft.com) and Sustainable Softworks' $90 IPNetRouter (http://www.sustworks.com) add firewall capabilities for an entire network. However, both products require more technical know-how.
There are two basic approaches to a firewall: you can selectively enable connections or selectively deny connections. The former approach is more conservative -- the firewall blocks all connections except the types you specifically permit. The latter approach is less secure, but it's also less hassle. You don't have to remember to use Passive FTP (in the Internet control panel's Advanced settings) or reconfigure your firewall if you install something like, say, America Online Instant Messenger.
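The two approaches side by side, as an added example that is not part of the original article and is not the rule syntax of any product named here: a first-match rule evaluator in Python applied to the work-computer scenario from "Ports of Call." Ports 80 and 548 come from the article; the addresses, port 8080, and port 49152 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    port: Optional[int]    # destination port on the Mac; None matches any port
    source: str            # CIDR block the connection must come from


def decide(rules, default, src_ip, dst_port):
    """First matching rule wins; otherwise the policy default applies."""
    for rule in rules:
        if rule.port in (None, dst_port) and ip_address(src_ip) in ip_network(rule.source):
            return rule.action
    return default


# Constructed addresses from documentation ranges.
WORK, CAFE, STRANGER, FTP_SERVER = "203.0.113.25", "198.51.100.44", "192.0.2.99", "192.0.2.21"

WORK_ONLY = [Rule("allow", 80, WORK + "/32"), Rule("allow", 548, WORK + "/32")]

# Selectively enable: everything is blocked except what is listed.
SELECTIVE_ENABLE = (WORK_ONLY, "deny")
# Selectively deny: everything is open except the two shared services,
# which stay reachable from work because the allow rules match first.
SELECTIVE_DENY = (
    WORK_ONLY + [Rule("deny", 80, "0.0.0.0/0"), Rule("deny", 548, "0.0.0.0/0")],
    "allow",
)

# Incoming connection attempts: (description, source address, destination port).
INCOMING = [
    ("File Sharing from work", WORK, 548),
    ("Web Sharing from the cybercafe", CAFE, 80),
    ("probe of a newly installed server on 8080", STRANGER, 8080),
    ("active-FTP data connection back to the Mac", FTP_SERVER, 49152),
]


def compare():
    """Return {description: (selective-enable verdict, selective-deny verdict)}."""
    return {
        label: (decide(*SELECTIVE_ENABLE, src, port), decide(*SELECTIVE_DENY, src, port))
        for label, src, port in INCOMING
    }


if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:45s} enable-list: {verdicts[0]:5s}  deny-list: {verdicts[1]}")
```

The last two rows are where the policies differ: the conservative policy blocks the server you forgot to add a rule for and also the data connection an FTP server opens back to you in active mode, which is why Passive FTP is needed with it.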
A firewall cannot protect you from every Internet threat -- you can still receive Trojan horse programs or virus-infected documents via e-mail, and Web sites still try to track your every move -- but it can prevent some abuses of your Mac. -- GEOFF DUNCAN