WWW Security - Privacy in the Internet

Every time we use the Internet, either for surfing the World Wide Web or sending E-Mails, we leave our traces behind.  These traces can be analyzed, and a lot of information can be taken from them. 

How your personal information Gets collected

Whenever you connect to a web server, view a web site, or send an E-Mail, The servers along the way log these activities. The information can be collected in two ways : 

  • Direct disclosure of information : Many sites, make you register them before you can enter. Even if the registration is free, you are needed to give your information. Your name, E-mail, address, and whatever they site wants. The server remembers these pieces of information. You can never be sure as to what will be done with that information. But at least you're aware of that information collection, and if you wish to, you can simply choose not to give the info, and not to enter the site.
  • Passive recording of information : When you visit a site, the server logs your entry. It can know all sorts of things about you, just from looking at your messages, even if they are encrypted! the message headers cannot be encrypted, as they need to be routed through the internet. Your mailing address, and IP can always be extracted. Your own server can also record stuff you might not with him too (Your boss might look at that log, or your spouse might...). It knows where you surf, what you look at, and whom you E-mail. The Web browser you use can also know a great deal about you : And that information can sometimes be extracted from the browser...

What information can be revealed about you

A web site with the right equipment, can know a great deal. The information that can be revealed includes your E-mail address, your IP address, the files you viewed, and the pages you visited. 

When you send E-mail, you're actually getting quite exposed. You can encrypt the message body, but you can't hide the headers, if you want the message to travel through the net. 
Let's look at an example E-Mail header, taken from a Netscape Mailer : 

    Return-Path: <yogevm@math.tau.ac.il> 
    Received: from bfmail4 ([206.156.198.174]) 
     by e4000.artaxia.com (8.8.5/8.8.5) with SMTP id TAA08477 
     for <mertero@artaxia.com>; Thu, 5 Jun 1997 19:28:01 -0200 (GMT) 
    Received: from taurus.math.tau.ac.il (132.67.64.4) by bfmail4.bigfoot.com with SMTP ( Bigfoot SMTP Server May  8 1997 15:22:04 ); Thu, 05 Jun 1997 12:25:22 -400 (Eastern Standard Time) 
    Received: from lune.math.tau.ac.il (yogevm@lune.math.tau.ac.il [132.67.96.11]) by taurus.math.tau.ac.il (8.8.3/8.8.3) with SMTP id TAA23843; Thu, 5 Jun 1997 19:22:21 +0300 (GMT+0300) 
    Date: Thu, 5 Jun 1997 19:22:20 +0300 (GMT+0300) 
    From: Mashiach Yogev <yogevm@math.tau.ac.il> 
    To: Mertens Ron <mertero@bigfoot.com> 
    Subject: Re: [Fwd: Re: "Operating Systems" - The Exam] 
    In-Reply-To: <3396C160.7745@netvision.net.il> 
    Message-ID: <Pine.SUN.3.95.970605192120.27235C-100000@lune.math.tau.ac.il> 
    MIME-Version: 1.0 
    Content-Type: TEXT/PLAIN; charset=US-ASCII 
    X-UIDL: 011a6057e9a080092d8d36ce7f0fd9e8 
    Status: U 
    X-PMFLAGS: 36176000 0

We can see who sent this message (Mashiach Yogev) and we could also find his Email address. The message was sent to Ron Mertens. We can see the subject (an Exam in Operation Systems), the Date it was sent, and even the path the message went through to get to it's destination. 

When you connect to a web server, things are much worse than that. 
Let's take a look at the NCSA server (it's quite popular). It includes a program called httpd. It maintains 3 log files : 

  • access_log : it logs every access to the server. The name of the accessing site, the requested file name, time of access and some more info
  • error_log : Files that were requested, that doesn't exist
  • refer_log : The links that point to the links on the server
  • agent_log : A list of the programs that have contacted the server.

The 'problem' lies within the HTTP protocol. It has some features that allow all that data to be collected. The TCP/IP protocol, has a sort of caller-ID build in. When you connect, you send your computer's name, and the IP address. 
The refer_log is also a problem. It is used mainly for advertisement : for companies to be able to focus the advertisement more correctly, but it can be used for other means! 

A newer source of trouble, are the 'Cookies'.  Cookies are client side persistent information. Almost all of the new browsers have this facility : It allows web sites to store information about your visit, in your own hard disk. When you enter the site again, it will read your cookie, and thus now that you've been there already. It is used for nice tricks such as a personalized web page, and so on, but it can a serious privacy breach. 

If you're connected to the internet through  a Proxy, you have still another problem. The proxy server logs every access to the outside web, by every member of the organization. Your IP address, and your host computer are written down as well. 

Why should I care about all that?

well, you Should. Your privacy is your Right, as a human. If your privacy is violated, other freedoms (like the freedom of expression, or religion) might get threatened. Even if you have nothing to hide (like most people think), your privacy right must be important to you! 
Of course, it seems safe to surf the internet, but be warned that your are watched. Your privacy is not guaranteed, and that's a problem. Most of the information that can be collected is never used, but it can be. And there's not much you can do about it. A detailed profile of yourself can be created, and your tastes and preferences can be learned. Just by recording your message, and links, and web activity. This information can fall to the wrong hands (marketers and governments, for example) and be used against your interests. 

How can I assure my privacy?

You can wait for your country to legislate a law about privacy, although these things take time, and most likely will never happen. 
In the meantime, you can use several offered utilities to ensure your privacy : 

  • Anonymous Remailers : remailers are program that route E-mail (or Usenet message, for that matter) and posts them anonymously. The recipient cannot determine who sent the E-mail. There are different classes of these program, but most of them do the same things. Some of these programs also combine the privacy with encryption (using PGP) and so they are very useful, if you find your privacy or security shattered.
  • Cookies Clearers : Because the cookies are saved on your local Disk, it's actually quite easy to delete them if you feel they are a threat to your privacy! there are programs that do that in a safe and clean way.
  • The Anonymizer : This is a web site, created by Community ConneXion for those who are really worried. It is a web site, that shields your information from other sites. When you visit the Anonymizer, you are given an anonymous identity, and when you access other sites, they receive that identity and not your true one. It works even if you follow links to other sites, and it is a good privacy provider!
  • Anonymous Shell Accounts : Your Internet Provider knows a great deal about you. Every action you perform while you're on-line is known to your ISP.  Several providers allow you to open an anonymous account, and thus be protected (from themselves...).
  • Electronic-Cash : In order to secure your privacy when buying on-line, the idea of electronic cash came to life. The basic idea is having your money in your computer : You'll withdraw money from your account, and then you can spend it on line. With the E-cash system, when you buy, your identity is not revealed automatically. If you wish to protect your privacy, you can remain anonymous. It's good for on-line services, which don't really require your name.

Problems with privacy control

The main problem is that the internet is a world-wide network. People from all around the world visit it, and so it's hard to enforce laws on it. In the US, for example there is no comprehensive law that protects people's privacy. There are several guidelines that protect some areas of your privacy, but it's not enough. And most countries are falling behind the US in that area. 
Another problem is that the web browsers, are usually made by the same companies that make the web servers. The ability to collect information about the site visitors is a major selling points, and your privacy can be endangered by this fact. 

Some links to interesting places

Share this article

Receive all the latest articles by email!

Get all articles delivered directly to your mailbox as and when they are released on WindowSecurity.com! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update.



Receive all the latest articles by email!

Receive Real-Time & Monthly WindowSecurity.com article updates in your mailbox. Enter your email below!
Click for Real-Time sample & Monthly sample

Become a WindowSecurity.com member!

Discuss your security issues with thousands of other network security experts. Click here to join!

Community Area

Log in | Register

Solution Center

Readers' Choice

Which is your preferred network auditing solution?