What can others learn about you?

©2003 by Walt Howe
(Last updated 27 August 2006)

We are in the midst of the Information Era! There has been an enormous information explosion, and the mushrooming popularity of the Internet and its World Wide Web puts huge amounts of information right at your fingertips. How much of that information is about you? Are you concerned about it?

Some of the threats to privacy have been widely publicized. The Federal Government wants the FBI to be able to access any one's PC. Amazon has been sharing customer information with others in their "purchase circles". And worst of all, a major security hole was revealed in Microsoft's Hotmail service that allowed anyone to view any hotmail member's mailbox by using a correctly configured URL that included the username, but not the password.

If you are running a business, you probably want information to be easily accessible about your products or services. You don't want potential customers to look elsewhere because they could not locate information about your business. Possibly you want your name to be readily recognizable, too. It may enhance your career standing. But what about your personal telephone number? Or your personal home address? Do you want your e-mail address to be accessible to all? Do you want just anyone to know about your personal interests? What information would you expect to remain private and unavailable to anyone with an Internet account? Are your expectations realistic, and what can you do about it? This page will give you some answers.

What information do you give away while websurfing?

When you visit a web site, some information is automatically available. Click on this link to the Center for Democracy and Technology to see the information that is available to all sites you visit. Be patient; it may take a minute to load your information. NOTE: If you have a good firewall, you may block this site from displaying your information. That does not mean it is not available, though. Read on...

If you clicked on the link above and it went through, you saw that any site you visit can tell--

• who your provider is
• where it is located
• what site you came from
• what software you are using.

The NY Times wants you to register for the privilege of reading their online newspaper. Will they misuse the information they get and sell it to spam mailers? Perhaps not! Will Joe's Awesome Cool Sites page resell the information? You decide.

If you want to prevent web sites from collecting information automatically about you and your computer, software, provider, and previous sites, visit Anonymizer.com.

What are cookies, and should you disable them?

If you clicked on the NY Times link above, and it was your first visit there, you were asked to register and provide some information. If it was not your first visit and you had already registered, you were probably not asked to register again. How could they tell that you were a repeat visitor? The answer is that they planted a cookie on your system with information about you. When you connected, your cookie files were checked to see if you were a registered user, and if you had elected to store your username and password in the cookie. This is an example of a persistent cookie, which remains on your system for a long time. Only the service that installed the cookie has access to it (besides yourself). It is either in a cookies.txt file on your browser's disk drive or in a separate file of its own. Cookies may or may not be encrypted.

Many ISPs use another type of cookie to keep track of logins. They can use a non-persistent cookie that remains in RAM, not on disk, while you are connected. If you are a registered member of an ISP, you must log in with your username and password the first time you access parts of the service that are for members-only (this page isn't one of those). Unless you have told your browser not to accept cookies, which is an option you have, you can continue to visit members-only parts of the service until you close your browser and the cookie goes away.On the other hand, if you tell Delphi to remember your password, it is stored in a persistent cookie, and you don't have to retype it each time. If you refuse cookies, every new page you visit for members only will ask you to log in again with your username and password. The cookie makes it easier for you to get around, and no one but you and the service can access the cookie.

Cookies are very common and are used to simplify navigation for you and identify you to the site you are visiting. A cookie can store quite a bit of information about you, and release it again each time you visit the site that generated it. A NOTE OF CAUTION: The site that generates the cookie isn't necessarily the site you are visiting. In some cases, cookies may be generated by another site, such as an advertising agency, that is providing services for a number of web sites. In this situation, the cookie-generating site may collect information on you any time you visit any of its sites. It won't know your identity (unless they can cajole you to fill out a form), but it will know your habits.

For a much more thorough explanation of cookies, see the Cookie FAQ at cookiecentral.com.

Should you disable cookies on your system? It is a personal judgment to make, just as it is your judgment how much information to give out about yourself as you visit web sites. Personally, I allow cookies to do their thing, but I am very careful about the information I give out and where I give it. i won't fill out a form full of personal information to get a one in a million chance of winning a prize, for example.

What information is already on the web about you?

Are your name, address, and phone number already on the web? Most people's are! Try the phone search services below for your name or whatever name your home phone is listed under:

Last name	First name	City	State

The information in printed white pages telephone books is in the public domain, and services like Switchboard have compiled the information into their databases. They will generally remove them, if you ask to be removed. There are a number of similar services. See our People and Business Finder Page for more.

That was the easy part. Is there other information about you on the web? Try searching for your name in Google. Put double-quote marks around your first and last names (for example, "Walt Howe")

Did you find anything interesting?

That is a quick look at the public sources with information about you. Whether you found anything or not, there still may be a lot more information about you that isn't as readily available. There are commercial databases available through the nets that are available for a fee to "qualified" businesses or individuals. Your social security number and credit rating are just two of the items that can be found on commercial databases.

Is e-mail secure?

The security breach at Microsoft's hotmail that we mentioned in our introduction was a worst case situation. For a few hours, anyone who learned the URL trick or accessed the hacker web site that automated it could access any hotmail account and see the contents. The security hole was plugged, but there may be others out there, and e-mail isn't very secure anyway.

Whenever you send e-mail, it is relayed through successive sites, and is theoretically accessible to a couple of dozen or so postmasters and system administrators, who have access to everything that passes through their machines. As a practical matter, so many thousands of messages pass through their machines that the chances of anyone looking at any particular message is pretty small.

If you are using an e-mail account on your employer's system, the courts have said that employers have a right to monitor e-mail on their systems. You probably run a somewhat higher risk of e-mail being read than you would with a large commercial provider.

On the other hand, suppose you have attracted the attention of an employer or law enforcement authorities for some reason. It is relatively easy to set up "sniffer" software to monitor every word of every message looking for your name or for certain keywords or combinations of words and to forward all such messages for special attention. If the organization's security isn't good and tight (many places aren't), it is also possible for hackers outside the system to set up "sniffer" software in an e-mail system, too.

What this all adds up to is that unless you have reason to be a particular target, you chances of having mail intercepted and read is very small, but still exists. As a rule, don't say anything in e-mail that you wouldn't want to see stuck up on a public bulletin board. If you can't accept that, consider encryption. It takes some extra effort to set up, but good, secure encryption is available in the United States and Canada. There is a Pretty Good Privacy (PGP) Plug-in for Eudora or Outlook E-mail software for Windows that is probably the easiest secure answer to encrypting e-mail.

Are credit cards safe to use on the net?

From the preceding discussion of e-mail vulnerability, you might not want to send credit cards numbers through e-mail. What about using credit cards with web sites? There was a news story last year about a hacker who retrieved a credit card number list from a web site's computer and sent the card numbers to the owners of the cards to show them how insecure the net is.

But you take similar risks every time you give your credit card to a stranger in a store or restaurant or over the phone? You take a risk every time you throw your credit card slips out in the trash? You risk giving away your credit card number every time you use it. The risks of using credit cards on the nets are probably less than every day usage, and the banks generally cover any losses anyway.

The public has been slow to trust credit card use online, and that is one major thing that is holding up large scale electronic commerce.

Many sites provide servers that operate in a secure mode with your browser to let you send information in safe encrypted form through the web now. The major credit card companies have recently agreed on standards for secure transmission of credit cards. Security is going to get a lot better in the times to come.

Will increased security enable the long predicted boom in electronic commerce? Not by itself. One more thing is needed, and that is a micropayment system. Many things are being offered free on the nets today with the expectation that eventually very small amounts can be charged for them--that people will pay a few cents or even fractions of cents to access information online that is free now, but costs more than a few cents offline. If micropayments were tried with today's systems, it would probably cost much more to process them than the payments themselves. These problems can be solved with good system design, the experts say, When micropayments systems succeed, perhaps then, the economic predictions can be realized.

What information do you give away with Usenet newsgroups and e-mail discussion lists?

Everything you post to Usenet newsgroups is easily read throughout the world. Furthermore, your posts are archived by search engines like DejaNews (now part of Google) and can be searched for anytime. The newsgroups you elect to post to are an expression of your interest areas. Your posts normally include your e-mail address, and this makes you a prime target for being picked up by spam e-mailers. One of the things you can do to offset this is to edit your e-mail address (if your newsreader allows it) so the robots that cruise newsgroups for e-mail addresses will not record it correctly. Another surer way is to use an anonymous remailer to send your messages. Be aware, though, that many people tend to discredit anything that is sent anonymously.

Note that everything we have said about newsgroups and privacy applies to e-mail discussion lists, too. The distribution is more restricted, but not usually more secure. Mailing list software often allows a subscriber to retrieve a complete mailing list of members. The mass marketers (spammers) see that a whole mailing list of people interested in a particular topic is particularly valuable, and you can be sure that such lists are regularly targeted. There are two things you can do to prevent your name being retrieved in this manner. One is to ask the list administrator to disable the membership list retrieval function. Many are doing that now. The other is to research the list commands to learn how to keep your name private when the list is retrieved by someone. Generally if you send the command HELP LISTNAME to the administrative address (not the address you send messages to) for the list, you can get a list of commands you can use. See our list subscription FAQ for more help with this.

Is there spyware or adware planted on your computer?.

Spyware is software planted on your computer to harvest and forward information about you to others outside your system. The information collected can range from a survey of your surfing habits passed along to advertisers and marketers to the passwords and credit card numbers you type passed along to crackers who will exploit it. The software can be planted through Trojan horses received in e-mail or even included in software you obtain and install for other purposes, such as Gator, Gozilla, products from Brilliant Digital, and freeware versions of CuteFTP. Many free game demos now include spyware embedded in them.

Spyware used to support advertising is often called adware. Another common name for these hidden programs with a hidden purpose is scumware.

To defend yourself against spyware, adware, and scumware, always maintain current anti-virus software on your system, and be very careful about installing software from unknown sources. Check out independent reviews before installing. Note that anti-virus software will not necessarily detect spyware.

Another disturbing trend in scumware is planting software that not only serves you ads, but uses your computers own unused processing power -- and that of many other unsuspecting people -- to support its own intensive processing tasks. This kind of capability has been used openly on a voluntary basis for such things as the worthwhile SETI project, but harnessing your computer deceptively for commercial purposes is about as low as you can get.

Spyware planted by advertisers is quite common. If you seem to be seeing an unusal amout of pop-up ads unrelated to the sites you visit, your system may be inviting them through spyware. Consider getting the free Ad-Aware software to check your system. I thought I protected my system well, but when I ran this software the first time, I found a dozen plants on my system from such sources as Adware, Doubleclick, and Flyswat.

Another program designed to detect and remove spyware, trojans, and hacker tools from your system is Pest Patrol. It is available for a free download and a 30-day free trial.

Webroot Spysweeper is another good program that I am currently using.

HijackThis is another powerful program for removing scumware, but use it with extreme caution. It can indiscriminately remove good software, too.

Suggested Readings

See my companion Security Guide for information on how to protect yourself better.

If you want to explore this subject further, there is lots of material on the nets. Here are a few starting points:

• Delphi Forum's Privacy Statement.
• Electronic Privacy Information Center.
• Privacy Rights Clearinghouse, established by the State of California.
• Electronic Frontier Foundation Privacy Page.
• Electronic Frontier Foundation Encryption Page
• Spywareinfo

Do you have any questions, comments, corrections or suggestions for improvement? Post a message in the Navigating the Net Message Base or use the form below, and we will give your ideas prompt consideration.

SUGGESTION FORM