Net Threats: Privacy Matters

Your personal data has never been more vulnerable to prying eyes than it is today. Even with independent watchdogs on the case and tougher laws on the horizon, self-protection remains the best defense.

Brad Grimes

It's 10 a.m. and Richard M. Smith is ordering breakfast at a restaurant near his home in Brookline, Massachusetts. In the past several years, Smith, chief technology officer for the Denver-based Privacy Foundation and noted privacy expert, has shed light on controversial data-gathering practices at Amazon.com, Microsoft, and RealNetworks, among others. He wouldn't normally order eggs and sausage this late in the day, he says, but he's been on the road for more than two weeks on behalf of the Privacy Foundation and this was the first morning in a long time that he could sleep in.

"Our goal at the Privacy Foundation is to educate people about possible threats to their personal privacy and what tools they can use to protect themselves," he says. For advocates like Smith and others, privacy education is a full-time job.

Though most Internet users remain concerned about online privacy, many don't fully appreciate what's at stake. A research report published last August by the Pew Internet & American Life Project showed that 64 percent of Internet users have shared, or are willing to share, personal information in order to use a Web site. Moreover, 68 percent of users said they weren't worried that someone might know what Web sites they had visited.

Meanwhile, the mad scramble for online information continues. Even as users, industry groups, and policy makers come to grips with the sometimes surreptitious methods Web sites use to collect data, they are confronted with a changing landscape. New ways of gathering information come to light; major Web sites alter their privacy policies; and dot coms go out of business, leaving unprotected the data they've gathered. And new technologies such as wireless tracking and interactive television are poised to enter the picture.

Smith believes life would be better if companies treated personal information the way the American Library Association does. "Librarians have been dealing with issues of privacy for a hundred years. They decided they wouldn't give out lists of the books people took out, and once the book was returned, they'd throw away the check-out records," he says.

If only it were that easy.

The Siege Continues

What some people don't understand is that the Internet is more privacy-invasive than anything we've had to deal with before," explains Smith. "Anybody can get a name and address and put it in a little context. But the Internet lets [marketers] put it in a lot more context, with everything you've bought, everything you've read about, and everything you've looked for in a search engine.

"What's also important is what happens to the information later. After companies have collected all this data, even if it's for benign reasons, not only will third-party marketers want access to it, but the police will want it, the FBI will want it, and lawyers will want it."

"He's right," says attorney Ira Rothken when told of Smith's prediction. Rothken brought the first lawsuit against DoubleClick in January 2000 after the online advertising company said that it intended to marry information it had gathered online to personal information it had acquired by buying Abacus Direct.

The ensuing uproar forced DoubleClick to reverse its decision and prompted the Federal Trade Commission to start an investigation. In January 2001, after concluding that DoubleClick hadn't violated its privacy policy, the FTC dropped its inquiry but the lawsuits continue.

"As a lawyer in workplace litigation or another matter between companies, the first thing I do is subpoena all e-mail," says Rothken. "Now I'll find out your cookie IDs and I'll subpoena all of DoubleClick's data files to find out your surfing habits." (See "The No-Privacy Workplace" for more on workplace surveillance.)

Smith wonders whether serious online privacy laws will pass only following some high-profile case, as when Judge Robert Bork's Supreme Court nomination was derailed, in part, because investigators unearthed his video rental habits. That ruckus led to a law preventing video stores from revealing what titles people rent.

Taking Back Your Data

Even as Net users continue to give away personal information, companies track them zealously, and lawyers lick their chops, the good news is that people aren't sitting idly by.

Marius Cybulski, a programming student from Oshawa, Ontario, Canada, is one of a growing number of Net users who employ software to protect privacy online. Cybulski uses Norton Internet Security 2001 and Zone Labs' ZoneAlarm Pro firewall software to protect his system from prying eyes and rogue applications. He also strictly controls which cookies land on his hard drive.

"Unless a site specifically needs [cookies] to function, like Windows Update, I don't permit them," Cybulski explains. "Why should I? For statistical purposes? So a site can remember me and customize itself to my preferences? I hardly consider that essential in exchange for knowledge of where I've been, what I did, and where I'll be going."

New Tracking Tools

Cookies aren't the only devices that Net users have to worry about, however. Today, many companies use Web bugs to track your movements online.

A Web bug is a tiny GIF image file--just 1 pixel in size--embedded in a Web page and used to report information to the company that sends it. You can block cookies, but you can't currently block Web bugs, though companies are building filtering software.

If your browser isn't set to block cookies, the bug may tell your browser to accept a cookie from the server that delivers the image, or to send a previously stored cookie back to that server. Even if you block cookies, the bug offers another way--beyond server log files--of tracking your movements through a site.

"All of these technologies have been around for years," says Craig Nathan, chief technology officer for MEconomy, a start-up that helps Web sites develop server setups and site architecture to preserve customer privacy. "But now companies are experimenting with how they can use them. And practices that companies used to get away with are coming into the mainstream and gaining attention."

Most large sites employ Web bugs, Richard Smith says. PCWorld.com, for example, uses a bug delivered by DoubleClick, which handles our online ads. The bug was introduced in an effort to get a better count of traffic to the site after other information sources, such as server logs and syndicated research, proved contradictory or unreliable. PC World discloses the existence of the bug in its Privacy Statement; not all sites do likewise.

In many cases, moreover, the tools employed to track individuals on the Web aren't behind-the-scenes agents like cookies and Web bugs; they're programs that people use every day. Last fall, for example, Smith demonstrated how Web sites could use the "persistence" feature of Internet Explorer versions 5.0 and higher to obtain surfing information from a visitor--even one whose browser is set to block cookies. Persistence lets Web pages remember things like search queries so users don't have to reenter them.

More recently, Smith learned of a loophole in e-mail clients that allows someone to add JavaScript code to HTML-formatted messages so that person can find out where the message gets forwarded and what the forwarding comments are.

"Say I'm a marketer and I send you an e-mail about a product or service, and you send it along to someone with a comment like 'This looks interesting.' I'll know whom you sent it to and that you thought it looked interesting. Now I know to target you and your colleague," explains Smith.

Vulnerable e-mail readers include Netscape 6 Mail, Outlook, and Outlook Express. Eudora and AOL 6 e-mail readers, as well as earlier versions of Netscape and many Web-based e-mail systems, are unaffected because they don't support JavaScript fully, they turn it off by default, or they strip it out of incoming messages.

So far, no reports have surfaced of anyone exploiting this glitch. One way to fend off prying eyes is to disable JavaScript in HTML e-mail messages. You can get instructions for doing so, as well as other possible fixes, from the Privacy Foundation.

Changing the Rules

Even users who try to keep up with all the latest tracking technologies may be helpless when companies change the rules. Many dot-com companies are scrambling for profits or going out of business, and databases of personal information are a valuable commodity.

When Toysmart.com filed for Chapter 11 bankruptcy protection last June, it attempted to sell its customer database--something the site's privacy policy swore it would never do. The FTC and attorneys general from roughly 40 states filed suit against the company for violating its customers' privacy. Eventually, after receiving $50,000 from a division of Disney, a financial backer of the now-defunct retailer, Toysmart.com agreed to destroy its list.

In January, EBay users learned that they're not always in control of their own privacy preferences. At that time, the online auction site decided to fix a glitch in its registration form. Between April and October 2000, the part of the form that asked new users if they'd like to receive marketing messages, users surveys, telemarketing calls, and so forth had defaulted the answers to 'no,' whereas EBay had intended that the default answers be 'yes.'

The company finally decided to switch all the preferences to 'yes' and notified affected users by e-mail. EBay gave people two weeks to restore their old preferences before the changes went into effect.

"I don't understand why they can't just assume that right-thinking users would choose 'no' to these options, whether it was the default or not," says John Lee, an EBay user who works for a Boston insurance firm. "If the default was supposed to be 'no' and it was accidentally switched to 'yes', would EBay go through the same process or would they just assume people read the form correctly and made the selections they really wanted?"

In its defense, EBay said the same problem that flip-flopped registrants' default answers could have prevented users from getting updates about the site's privacy policy or e-mail notices that they'd been outbid in an auction. This assumes people were not reading the registration form closely and simply accepted the defaults.

The company says it ran its plan by several privacy watchdog groups before implementing it. One of the groups, Truste, later voiced concerns. "In this case [EBay] probably could have made a better call," says David Steer, a Truste spokesperson.

Fumbling the Data

Even online businesses that don't change their policies or track your whereabouts can threaten your privacy: Companies that collect information on their servers can't seem to keep a lid on the data.

Last year, hacking incidents and other security gaffes revealed customer information for the world to see at sites such as CreditCards.com, Eve.com (which later went out of business), and Amazon.com.

In January, the names, e-mail and home addresses, and phone numbers of 50,000 or so Travelocity customers were exposed to possible theft; investigators determined that the information may have been out in the open for more than a month.

Be prepared for more of the same, because Web sites clearly have not done enough to secure the information on their servers. Last year, PC World sat down with security experts from Sanctum (then called Perfecto Technologies). The company audits the security of client Web sites by trying to break in. When successful, Sanctum suggests remedies.

At the time, the company had audited 50 big-name sites and found security breaches in all of them. In eight cases, they were able to access any file they wanted--including customer data. Today, the overall situation remains unchanged.

"We wish we could say there's been progress over the past year," says Izhar Bar-Gad, Sanctum's chief technical officer. "Sites have not taken the necessary measures to protect themselves and their customers' data. We haven't found a single site that wasn't vulnerable."

During a recent audit of an airline Web site, Sanctum downloaded the entire source code and built a replica site. "It's not a matter of the bigger the bank, the better the security," says Bar-Gad. "The bigger the site, the more holes it has."

21st-Century Privacy

Soon, Web sites won't be the only entities that can gather information on their users. Wireless devices and interactive television sets will be able to communicate with company servers.

In 1996, the Federal Communications Commission launched Enhanced 911. Among other things, the E911 initiative requires cell phone companies to add features to new and existing phones that allow them to locate, within 100 feet, a wireless 911 caller. Implementation of the initiative is due by October of this year.

"It's a good idea," says Smith, noting that authorities already know where 911 calls from wired phones originate. "When I'm on a cell phone and I need to call 911, I don't want to worry about where I am--sometimes I won't know."

But setting up such a system will cost wireless companies money, and how they recoup some of the expense may cause controversy. Marketers are lining up to use this location-identification technology to aim wireless ads at customers. For example, when you stroll down the street near a McDonald's, you might get a wireless coupon for 50 cents off a Big Mac.

Industry groups and the FTC are working to establish guidelines for wireless marketing. Jules Polonetsky, chief privacy officer for DoubleClick, believes that strict rules will be in place before the debut of E911 and wireless ad serving.

"Wireless ad serving is in its infancy," says Polonetsky. "We can apply what we've learned on the Web to rules for the wireless world. Users should receive marketing information on their cell phones and handheld devices only if they ask for it."

In addition to wireless devices, interactive TV technology--such as WebTV, TiVo digital video recorders, and two-way digital cable--can send information about what you watch back to company servers. The threat here is analogous to the way Web sites track your surfing habits online.

"As on the Web, the question will be how these companies let users know they're being tracked and what they do with the information they gather," says Smith.

Big Brother Gets Bigger

Even if the prospect of being watched by fast-food companies doesn't bother you, the notion of Uncle Sam spying on you might. Perhaps the most controversial proposed surveillance system is the FBI's DCS1000. Formerly known as Carnivore, the system will be installed at ISPs to monitor e-mail messages for information about people under investigation. Think of it as an Internet wiretap.

No one disputes the need for law enforcement officials to conduct warranted searches of the electronic communications of suspected criminals, but privacy groups and some members of Congress worry that the system can be used to spy on people not under investigation.

A second government-proposed system called Public Access to Court Electronic Records also has privacy experts concerned. Under the PACER system, anyone with a Net connection and some loose change can download federal court case records for 7 cents a page.

Though the most confidential records won't be available, people will still have access to files that may include Social Security numbers, credit card numbers, and other personal information. Paper versions of these court records have long been available to the public, but privacy-rights groups contend that easy access over the Internet will encourage unscrupulous parties to go on low-cost fishing expeditions to collect personal information.

Gene Youngblood of Moses Lake, Washington, was shocked to find his name, case number, and Social Security number posted on a Washington bankruptcy court site. Youngblood, a flexographic printer operator, and his wife filed for bankruptcy in May 2000.

"I never had to give anything to receive this information," says Youngblood. "Not a log-in, a password, an identification, or a dime of money. Anyone can download the Social Security numbers of every person to file for debt relief in eastern Washington since 1997. And with a bit more diligence, they can find debtor's addresses as well as other personal information. I tried searches for people I work with and found three cases. If I were the criminal kind, I could easily steal their identities."

Laws of the Land

On the Net, government agencies are both friend and foe of privacy-conscious consumers. But almost everyone involved in the privacy debate agrees that Congress, after fits and starts over the past couple of years, will soon pass a federal law to govern how companies can collect and use information on the Internet.

The question is, will the law adopt an opt-out or an opt-in design? The former resembles the current practice of many sites: They assume that a user is willing to share information or receive marketing material unless the individual specifies otherwise. An opt-in model (which privacy advocates favor) starts with the opposite assumption, so users must specifically ask Web sites to collect data or contact them.

Most recently, Representatives Chris Cannon (R-Utah) and Anna Eshoo (D-California) introduced a bill that would require Web sites to notify people of how their personal data is used and to let them control that use. Meanwhile, Senator John Edwards (R-North Carolina) has promised to reintroduce a more stringent law that would require a site to obtain users' permission before it even begins tracking them with cookies.

According to observers, the milder opt-out bills like Cannon and Eshoo's have a better chance of passing.

"There will definitely be federal legislation this year," says Marc Rotenberg, executive director the Electronic Privacy Information Center. "We expect it to be baseline legislation that states can then build on."

Parting Shots

Clearly, the online industry is taking steps to protect users' privacy even as it looks out for its business interests.

"Since we brought the DoubleClick case, there has been some improvement in the way companies deal with personal privacy," says attorney Ira Rothken. "But the ability to retain control of one's personal information needs to be the default of any site's privacy policy."

And some consumers wish people would take privacy in their own hands. "I don't want the government writing [privacy] laws they can't or won't enforce anyway," says Deb Hooper, a freelance Web developer from Fostoria, Ohio. "The best way would be for all of us to just boycott sites that don't offer opt-in."

To users who continue to relinquish personal information without considering the effects on their privacy, MEconomy's Craig Nathan stresses, "People need to understand that the value of their personal information is greater than the discounts they're being offered. Otherwise, companies wouldn't offer those deals."

Back in Massachusetts, as he discusses why he's pursuing privacy rights, Richard Smith says, "We have rules in our society for how we interact that people don't always think about. We don't spend a lot of time thinking about saying 'hi' to people, but if someone doesn't say 'hi,' we notice and it bothers us. Privacy falls in the same category. We don't always think about it, but when it gets abused, it bothers us."

Brad Grimes, former executive editor for PC World, is vice president of Content Foundry. Michael S. Lasky is a senior editor and Dennis O'Reilly is a senior associate editor for PC World.

Protect Your Data: The Ten Commandments of Internet Privacy

Concerned about your privacy? A few changes in the way you use the Net can make all the difference. Follow these commandments.

1. Thou shalt not create easy passwords. Don't get lazy and use only one or two passwords at multiple sites just because that's easier to remember. Stay away from real words, use a combination of letters and numbers, and keep passwords at least six characters long. Don't use birth dates, names of children or pets, or simple sequences like XYZ123. Keep a record of your IDs and passwords, but not on your PC. Don't store your password to avoid entering it the next time you log on. And periodically change your passwords.

2. Thou shalt not maintain a browser cache. Browsers speed up online navigation by storing graphical and other elements of pages you visit in a cache on your hard drive. Of course, anyone with access to your PC can check where you've been and what you've seen. Regular purging is wise.

To clean out your cache in Internet Explorer 5, select Tools, Internet Options. With the General tab selected, click Delete Files in the 'Temporary Internet files' section. In Netscape 4 or higher, select Edit, Preferences. In the Category tree, double-click Advanced and then select Cache. In the Cache section, click Clear Memory Cache and OK. Then click the Clear Disk Cache button and, finally, click OK.

3. Thou shalt not enable file sharing. Your PC need not be on a network to be set to allow file and printer sharing. And if it is, you've left an open door for any knowledgeable hacker to enter through in order to snoop around and perhaps do some mischief. Lock up your PC as follows:

In Windows 9x, select Start, Control Panel, double-click the Network icon, and choose the Configuration tab. Click the File and Print Sharing button, and uncheck both boxes in the dialog box, if they aren't already unchecked.

4. Thou shalt not preserve a history. The browser keeps a history log that identifies each Web address you visit. If you're on a public machine, you might want to purge your history periodically. To clean out your history log in IE 5, select Tools, Internet Options. In the General tab, click the Clear History button and follow the prompt. In Netscape 4 or higher, select Edit, Preferences, choose Navigator in the Category window, and click Clear History.

5. Thou shalt not accept cookies from strangers. Useful cookies let Web sites recognize you on a return visit. Less-wholesome cookies follow your surfing habits and report on what you view. IE 4 and higher store cookies in the \Windows\Cookies folder. You can delete its contents by highlighting one file, then pressing Ctrl-A followed by Delete. Netscape Navigator versions 4 and higher store cookies in a file called cookies.txt. To find it, select Start, Find (or Search in Windows 2000/Me), (For) Files or Folders, and search for cookies.txt; then delete this file and its subfolders, if any.

You'll probably want to allow some cookies, so consider a cookie-management shareware program such as CookiePal or CookieCrusher.

6. Thou shalt not talk to strangers without protection. You may think you're safe when you communicate with people you know, but spammers and Web sites use harvesting software to grab e-mail addresses even when you think you haven't supplied yours.

The best way to talk safely: Don't run instant-messaging software in the background. Turn it off when you aren't using it, and configure your software to hide your presence. In AOL Instant Messenger, for example, select My Aim, Edit Options, Edit Preferences, and select the Privacy tab.

7. Surf anonymously, lest thy information be laid bare. If you wish to mask your ID when you surf, use one of the many anonymizing services available on the Web. Most of these Web-based services work the same: You log on to their site and go wherever you want on the Web from there. The services hide your actual IP address and substitute their own.

8. Thou shalt not surf without a firewall. If you have a broadband connection such as DSL or cable, you're connected to the Internet whenever your computer's turned on. And that makes you a target for hackers in search of computers to play around in. You can stop their intrusion with a firewall--an anti-intrusion program that acts as your PC's Internet gatekeeper.

9. Thou shalt not reveal information needlessly. The more personal information you supply, the less privacy you keep. Accordingly, give out the least amount of information necessary to complete any registration. Don't fill in any optional lines on profiles. Don't elect to store credit card numbers for future convenience. If a site offers to save your password for future visits, just say no.

10. Encrypt thy e-mail. Think your e-mail is private? Think again. Administrators, hackers, or anyone intent on gaining access to it can read your e-mail. For confidential correspondence, your best line of defense is encryption. Spies use it for a reason: No one but you and the intended recipient can decipher it. There are plenty of easy-to-use encryption programs available.

--Michael S. Lasky

To Tell or Not to Tell?

If you want to find out about tomorrow's weather, you'll get a more specific forecast if you provide your zip code to the weather service. But an online vitamin vendor doesn't need to know your entire medical history to sell you some echinacea.

Here's our rundown of personal information you should share only when it's absolutely necessary (Stop), the information you can share discriminately (Caution), and the information you can feel comfortable about sharing with anyone (Go). The rule of thumb: When in doubt, leave it out.

--Dennis O'Reilly

 Stop Social Security number, bank-account personal identification number (PIN), mother's maiden name, medical information, legal history, specific financial information (tax history, savings, mortgage, and so on), travel plans, employment history, and information about friends and relatives, including their home and e-mail addresses and telephone numbers.

 Caution Telephone number, street address, date of birth, marital status, employer, education, e-mail address, shopping preferences (music, books, favorite brand names, and the like), credit card number, hobbies and interests, affiliations (club memberships, political associations), and Web sites you've visited.

 Go Zip code, age, salary range, opinion surveys, and occupation. (Note: This information is safe to provide only when not transmitted along with other, more specific personal information.)

For more information on Internet privacy, visit the following sites: Privacy Foundation, Electronic Privacy Information Center, and Privacy.Org.

Future Threat: The No-Privacy Workplace

What do Xerox, Dow Chemical, and the New York Times have in common? They've all fired employees for allegedly misusing company e-mail and Internet systems to distribute pornography or other inappropriate material. How did they know it was going on? They monitored their workers' online activities.

And studies show that workplace surveillance is a growing trend. According to a 2000 report by the American Management Association, 38 percent of the organizations it polled monitor employee e-mail messages. That's up from 27 percent in 1999. A stunning 54 percent monitor workers' Internet connections, the first time the AMA has asked that question.

Too much trouble? Virtually everyone agrees that companies have the right to monitor employees' online habits to ensure they do not misuse company time and equipment--provided they disclose the practice. But as workplace surveillance becomes ubiquitous, experts say, it may prove to be more trouble than it's worth.

In 1995, e-mail messages containing inappropriate jokes were used as evidence in a sexual-harassment claim against Chevron Corporation. The case's $2.2 million settlement prompted companies to monitor e-mail to avoid similar suits. But the door swings both ways.

"Sure, you can fire someone using electronic evidence; but a fired employee can turn around and use surveillance records against the company in a wrongful termination suit," says Richard M. Smith, chief technology officer for the Privacy Foundation.

Workplace surveillance can have other downsides. Carl Botan, a professor of communication at Purdue University and a member of Purdue's Center for Education and Research in Information Assurance and Security, is studying whether employees who know they are being monitored are unhappier and less productive.

"How is [monitoring] going to impact a person's enthusiasm for coming in to work? How will it affect employee loyalty and turnover? These are issues that managers really need to think about," says Botan.

--Brad Grimes

Spam: It Happens

Looking for someone to blame for that unwanted e-mail cluttering your in-box? Start by checking the mirror. Spammers obtain our e-mail addresses in a variety of enterprising ways, but usually we inadvertently aid and abet them.

You can take a number of steps to eliminate spam from your in-box. Realistically, you can never get rid of it all. But here are some things you can do to cut out most of it.

Get an extra mailbox: Probably the simplest way to avoid all the spam rigmarole is to create a new e-mail address at one of the numerous free online services such as Hotmail or Yahoo Mail. Provide it when sites ask for an e-mail address that they obviously intend to send spam to, and the unwanted messages will go to this second address. If you're expecting to receive a legitimate e-mail message, such as an order confirmation, at that address, don't worry: It will stand out clearly among all the spam headers.

Read the fine print: It pays to scan registration forms carefully. Sites that require you to provide an e-mail address and create a password will note that you'll be getting mail from them, and in some cases from their partners (better known as advertisers), if you don't check (or uncheck) a box on the registration page. Scroll through the whole page before clicking the Submit button. Also read the statement next to the opt-out box, since some require that you check it and others that you uncheck it.

Unsubscribe at your own risk: Almost all the mailing lists you ask to be on will provide a way to unsubscribe at the end of the messages they send you. Usually it's as simple as replying with the word "unsubscribe" or "remove" in the address header. Sometimes you must go to the site, enter your ID and password, and then register your preferences.

But beware of replying to obvious bulk mailers or senders you've never heard of. They may offer you a way to opt out, but following their unsubscribe routine verifies your e-mail address, and you'll wind up with even more spam after they sell it to other spammers.

Use spam filters: Most e-mail programs support some level of filtering. For example, in Microsoft Outlook, you can select Tools, Message Wizard and create a folder for spam. Then when you get an unwanted message, right-click it, select Junk E-mail, Add to Junk Senders. Thereafter, messages from that address will go directly to the spam folder. Similar methods are possible with Outlook Express, Netscape Messenger, and Eudora 4.2.

But many spammers create new addresses with each message. To deal with them, you'll need a filter on steroids like Spam Buster or Spam Killer (both shareware programs). They intercept spam messages and cleverly detect variations in a spammer's address. Both offer a quick way to report the senders to their domain's postmaster.

Fight spammers: Help stop spam at its source with these Web sites dedicated to fighting spam: CAUCE (Coalition Against Unsolicited Commercial E-mail), Spam Cop, and JunkBusters.

--Michael S. Lasky