Articles‎ > ‎Data Security‎ > ‎

Internet Privacy is an Oxymoron

Note: This article was originally publish on my blog back on 10/4/06

Sun Microsystems Inc. Chairman of the Board of Directors Scott McNealy once said, "You have no privacy, get over it." That statement is more true today, then when it was originally said. Everyday, we are losing more of our ability and rights to protect our privacy.

Did you know that there is no such thing as true anonymity or privacy on the Internet? All you can do is mask your identity, and make it difficult for someone to know who you are. Although, in most cases its still possible for someone to track and identify you with enough work.

There is a lot of information about you that is leaked by your own personal Internet activities (such as surfing a web site, posting on forums, etc.). Then your computer and its applications (such as your browser, IM client, etc.) are doing their own fair share to help leak more information.

Anything that contains your name, address, etc. Is known as 'personally-identifiable information' (PII), because it can personally identify you directly. This information is generally provided by you to some web site or service (such as Amazon, eBay, etc.) that you may use regularly.

Any of the information (PII or not) is used to profile how you surf the web, what you buy, and other types of demographic analysis. All most all of this tracking is perfectly legal, and you even grant companies permission to do this when you agree to use a web site through its 'terms of service' or 'privacy policy' that you don't read.

Information Leaked by your Applications
As I said earlier, when you visit a web site there is certain types of information about you that is revealed by your computers applications. A lot of this information (such as your browser cookies) are needed by web-based applications to be able to customize your experience.

Below is a brief list of some of the information a web site can know about you, just by visiting it with a regular browser and Internet connection:
  • The type of browser you're using, a long with information about its features. For example: what version of: Java, JavaScript, Flash and other applications you have installed (see: BroswerSpy).
    • This doesn't include the information in the HTTP header, which includes information about your browser and the web page you requested from a web site (see the following article for more information).
    • There is information in the HTTP header called the 'referer', that also gives the web site your visiting, the last URL of the web site you're coming from. Here is an example, of some of the information a site can see about you.
  • Browser cookies and web beacons (an invisible 1x1 graphic on a web page with a unique id embedded in to its name), which can be used identify your computer across different web sites. This technology is generally used by advertising and marketing companies to track and profile your browsing activity to better serve you ads.
    • As more web sites become interactive, browser cookies are used to track your web site session information. If you turn off the cookie feature, you can prevent certain web sites from working properly for you.
    • Web beacons have been used by spammers to track if you open up an email message, and to see if a email address is valid. Although, most modern email clients prevent images from being downloaded automatically which help prevent information about you from being leaked.
  • Your browser keeps local copies of all the web pages you visited in its cache, along with a history of all the URLs you visited. Some browser's like Firefox keep track of the files you downloaded, and the keywords you typed into the search toolbar. Then there is the saved forms information (known as AutoComplete in IE), and saved password feature. This information is used to improve the broswer's user experience, but also can become a privacy issue in some cases.
Then there is all your other Internet applications such as your e-mail client, instant message client, VoIP client, etc. Each of these programs have their own type of logging or privacy issues, that you might be or might not be aware of.

For example, your instant message client may keep logs of all your conversations. Your e-mail client, keeps all the messages that you received and sent. Your VoIP client keeps a log of all the calls that you make.

Even if you clean all this information off your local computer, your application's service provider has logs and/or copies of it in their servers and databases. Its not uncommon for them to use this information to profile usage habits of their users. All this information is also available to local and federal law enforcement generally with the use of a search warrant.

Generally, no matter what network enabled application your using, the following information is always going to be left about you on some server somewhere.
  • Once someone knows your computer's IP address, its possible to isolate the ISP, and therefore the city, state/province, and country your computer's from (see: IP Address Locator).
    • Local and federal law enforcement with the use of a search warrant can force the ISP to release your identity, based on your computer's IP address.
  • When you visit a web site, information is stored in the web server logs of the time you visited the site, your IP address, which pages you viewed, and sometimes what you searched for on that site (see: Omniture).
    • Think about this, all your favorite search engines keep all the information that you searched. If you have a personal account on a site like Google, Yahoo, etc., they can directly tie this information back to you.
    • For example: "On August 4, 2006, AOL released three months of search history for 650,000 users to the public. Although the searchers were only identified by a numeric ID, the New York Times discovered the identity of several searchers." (excerpt from the Wikipedia)
  • Anytime you visit a web site using it's domain name your computer needs to lookup the IP address of the remote server through some DNS server request. This information is then logged on that computer.
  • When you're at work, and you search the Internet your companies web proxies and firewall can track all types of Internet activity. Plus in the U.S.A. any information on your computer, or in your e-mail is property of the company.
Digital Forensics
With all the data stored on computers these days, a new area of computer criminal science has been created called 'digital forensics'. These are law enforcement personnel specially trained to find and retrieve specific information off a computer.

The tools that these people use are good at extracting the data they want. Generally the programs we use everyday are really good at leaving digital bread crumbs all over your computer's hard drive about everything that you do. These digital forensics tools are designed to leverage this information

On a side note, about digital forensics tools. Did you know that by using a pattern analysis program you can predict if something was written by a man or a women with almost 70% accuracy.

The way this technology works is by analyzing the words used in a message and assigns different values to them to determine if the text was written by a man or women. More information can also be determined by your writing style beside gender, such as your nationality based on the words that you use.

To see this tool in action, check out Gender Guesser or Gender Genie. With technology like this, it means that any of those anonymous posting or e-mail you might have created are becoming a lot less anonymous.
Note: This technology was created by Dr. Neal Krawetz of Hacker Factor Solutions.