How secret is my surfing?

from the December 2006 Actrix Newsletter
by Rob Zorn

You've probably heard a number of times by now that you're not nearly as anonymous as you think you are online. Even if your computer is completely free of spyware, information about you tags along and gets handed over to various servers in exchange for the web pages and other files you download.

This isn't necessarily a bad thing. If your computer wasn't identifiable to some extent, there would be no way to get web pages, movies, podcasts or e-mails to you. It's often a good thing, too, that some sites recognise your computer and are able to tailor what they display especially for you. Shopping sites you regularly visit, and sites that you have some sort of membership at, are good examples.

But there can be a fine line between what's necessary for a site to know and invasion of your privacy. In the worst case, it could be possible for a site to compile quite a profile of you and your habits over time (possibly even including your name, location and e-mail address).

There exist companies such as DoubleClick that have as their mission constructing a massive database full of megatrillions of bits of information about surfers that have been gleaned over the years. DoubleClick consistently denies that it wants to identify individuals, but there is little doubt that it could know a lot of specific information about a lot of specific individuals if it wanted to. And DoubleClick is just one of the more well-known of many.

There are two main ways that information about you or your computer travels around with you. The first is your IP address, and the second is by means of "cookies".

Your IP Address

An IP address is a unique set of four numbers allocated to your computer by your ISP, and used to identify it online. The Actrix mail and web servers use your IP address to get the pages you request back to you. Broadband connections are "always on". This means you have the same IP address all the time. If you use dialup, Actrix will allocate you a different IP address each time you connect, unless you have a special arrangement to always have the same one.

Every web server will keep records of which IP addresses it sends pages to, and ISPs like Actrix will keep records about which IP addresses were allocated to any customer at any given time. This is how the police and Internal Affairs are often able to catch people that visit illegal sites. They obtain warrants and then match our server's records about which IP addresses it sent pages to with the records of who had the offending IP address at the time. Hey-presto, you're busted!

Every time you visit a site, your IP address is recorded. If you provide any personal details, it is quite possible for site owners to keep a record of the personal details that go with your IP address. If you have broadband, and therefore a fixed IP address, it is even easier to record identifiable data about you.
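The record matching described above can be sketched in a few lines. This is an added example, not part of the original newsletter: the log lines, IP addresses (documentation ranges), lease times and account names are all constructed, and the lease table format is an assumption about how an ISP might store its allocation records.

```python
import re
from datetime import datetime

# Constructed sample: web-server access log in Common Log Format.
ACCESS_LOG = """\
203.0.113.7 - - [04/Dec/2006:20:15:02 +1300] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [05/Dec/2006:09:41:30 +1300] "GET /members/ HTTP/1.1" 200 2048
198.51.100.23 - - [05/Dec/2006:09:45:10 +1300] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [05/Dec/2006:23:10:00 +1300] "GET /index.html HTTP/1.1" 200 5120
"""

# Constructed ISP allocation records: (ip, lease start, lease end, account).
# The dial-up address is reused by two customers; the broadband one is fixed.
LEASES = [
    ("203.0.113.7", "2006-12-04T19:50:00+1300", "2006-12-04T21:05:00+1300", "dialup-user-a"),
    ("203.0.113.7", "2006-12-05T09:30:00+1300", "2006-12-05T10:00:00+1300", "dialup-user-b"),
    ("198.51.100.23", "2006-01-01T00:00:00+1300", "2007-01-01T00:00:00+1300", "broadband-user-c"),
]

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
LEASE_FMT = "%Y-%m-%dT%H:%M:%S%z"
LOG_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_leases(rows):
    """Convert lease timestamps to timezone-aware datetimes."""
    return [(ip, datetime.strptime(s, LEASE_FMT), datetime.strptime(e, LEASE_FMT), acct)
            for ip, s, e, acct in rows]


def attribute(log_text, lease_rows):
    """Match each request to the account holding that IP at that moment."""
    leases = parse_leases(lease_rows)
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, path = m.groups()
        when = datetime.strptime(stamp, LOG_FMT)
        # Both the IP and the time window must match; None means no lease on record.
        account = next((a for lip, s, e, a in leases
                        if lip == ip and s <= when < e), None)
        results.append((ip, when.isoformat(), path, account))
    return results


if __name__ == "__main__":
    for row in attribute(ACCESS_LOG, LEASES):
        print(row)
```

The same dial-up address resolves to two different customers depending on the time of the request, which is why the timestamp matters as much as the IP address; the fixed broadband address resolves to one customer for the whole year.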

Cookies

The second way tabs are kept on you is via cookies. These are little text files that many sites write to your hard drive. The next time you come to the site, it can read the cookie it left last time and tell such things as how long it has been since your last visit. Cookies can also record, for example, what ads you were shown last time, so that you can be shown something new this time. Cookies are text files only, so they can't do any harm to your computer, but they can be a privacy risk.

Cookies are not supposed to be able to be read by any site or domain other than the ones that set them. However, there are various ways web programmers can get around this, which is concerning. Some web sites with log ins, for example, use cookies to store your user name and password. Anyone able to steal your cookie could theoretically pose as you, or log in as you and see whatever else was stored about you at the site in question.
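To make the cookie-theft risk concrete, here is a small audit of what a site sends in its Set-Cookie headers. This is an added example, not from the original newsletter: the header values are constructed, the list of credential-like name fragments is an assumption, and the Secure and HttpOnly flags it checks are standard cookie attributes that the article itself does not discuss.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values, one cookie per header.
HEADERS = [
    "username=alice; Path=/",
    "password=hunter2; Path=/",
    "session=9f2c1e7ab34d; Path=/; Secure; HttpOnly",
    "lastvisit=2006-12-01; Max-Age=31536000; Path=/",
]

# Assumed name fragments that suggest the cookie holds credentials.
SENSITIVE = ("pass", "pwd", "user", "login")


def audit(header):
    """Return a list of privacy findings for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if any(token in name.lower() for token in SENSITIVE):
            # Anyone who copies this cookie gets the credential itself,
            # not just a token the site can expire.
            findings.append(f"{name}: stores credentials in the cookie itself")
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag, also sent over unencrypted HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, readable by scripts in the page")
    return findings


def audit_all(headers):
    """Map each header to its findings; an empty list means nothing flagged."""
    return {header: audit(header) for header in headers}


if __name__ == "__main__":
    for header, findings in audit_all(HEADERS).items():
        print(header)
        for finding in findings or ["ok"]:
            print("   ", finding)
```

A random session identifier with both flags set passes cleanly, while the cookies that carry the user name and password are flagged on every check.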

Modern browsers allow you to refuse cookies or be warned before they are written to your hard drive. Look under Tools and then (Internet) Options and check the security category. Browsing can become a nuisance with cookies turned off, though. Many sites won't let you in, or will repetitively ask you to accept their cookie first. The best practice is to allow cookies, but to be mindful about what information you hand over online. Don't create password protected accounts at sites other than those whose reputation rests on how well they protect your private data. Banking sites, Trade Me, eBay, PayPal and My Actrix, for example, should all be okay.

Cookies can also be flushed or deleted. Your browser will have a Delete cookies button somewhere under Tools/Options/Security, and you can delete them as often as you like without doing any real harm.

The most recent versions of Firefox and Opera come with a "Delete private data" feature under the Tools menu. Whenever you've finished a surfing session you can use this to delete your cookies, History and Temporary Internet files with a single mouse-click.

More about cookies: http://computer.howstuffworks.com/cookie.htm.

Proxy servers

Some proxy servers can be used to help guard your anonymity online. Instead of connecting directly to a web site, you connect to the proxy server and it then connects to the web site on your behalf. The web site only sees the proxy server and doesn't know who the page or file it is handing over is going back to. Consequently it can't give you cookies. Proxies aren't a complete guarantee of privacy, of course. They too keep records, so if you're not sure you can trust whoever is running the proxy server, you haven't really gained much in terms of assured privacy, and their administrators are still subject to demands from legal authorities.

You can easily Google lists of free anonymous proxy servers to connect to as well as information about how to configure your browser to use them.

The-cloak (www.the-cloak.com)

The-Cloak gives you the functionality of an anonymous proxy server without having to change browser settings. Enter the desired web address into their interface and the-Cloak will sit between your computer and the page, preventing anyone (except for The-cloak, of course) knowing anything about you. You will find that the free service slows your browsing down a little due to bandwidth restrictions. The paid service is faster and costs about 2.5 cents per megabyte, though you have to purchase blocks of at least a Gigabyte (1024Mb) at a time.

Torpark (www.torrify.com)

Torpark is a modified version of Firefox developed by Hacktivismo, an international group of computer security experts and human rights workers. It enables its users to browse the web anonymously by connecting only to the TOR network, which encrypts all data between itself and your browser. This means not even an ISP can see what's passing through its servers on the way to you. Torpark also causes the IP address seen by any website to randomly change every few minutes.

Torpark takes no special installation and can be run from a flash USB memory stick. This means you can effectively remove it completely from your machine, and use it to keep yourself anonymous wherever you go. There are some drawbacks to its use including a slower browsing speed and individual websites not being able to store customised settings.

Mute anonymous file-sharing (http://mute-net.sourceforge.net)

Normal file-sharing services such as Kazaa and Limewire work by setting up a direct connection between your computer and someone else's so that files such as mp3s or movies can be exchanged. In order for this to occur, your IP address needs to be known to the other computer. The RIAA in America has been able to catch so many file-sharers by posing as a song swapper and legally forcing ISPs to give them the personal details for the IP addresses they connect to.

Not that Actrix encourages illegal file-sharing, but if you're concerned about anonymity while swapping legal files, this may be a service you want to consider.

Mute avoids direct connections by using the computers of others joined to its network as part of the route a file will take to get to you. You can see the computer you're connected to, but you can't see the one that it is connected to. The IP addresses where files are located are also replaced with randomly generated virtual addresses, so nobody can really tell who is sharing what or from where.

Google anonymiser

Google uses a cookie to save your personal settings such as what language you want documents in, how many results you like displayed on the page and what level of filtering on content you think appropriate. This cookie allows Google to recognise you each time you come back.

Google is therefore able to keep a record of every request its users make, and over the years admits to having built up a formidable database of typical user behaviour of its search engine, including their likely names if they've googled themselves (and who hasn't?).

Whether or not they have something to hide, a lot of people are concerned about handing over their search habits. The Google Anonymiser can be used to reset the part of the Google cookie that identifies you to a string of zeroes. At http://www.imilly.com/google-cookie.htm you can save a "bookmarklet" that you can click each time you visit Google to reset your cookie. After you've done so, you can enter your search term and Google won't know anything about who's making the request.