Reclaim your online privacy

Do you remember a time before everyone knew your every move?

Maybe it's our own fault. We live in an age where microblogs and social networks are all about keeping in touch—to the extreme. It's fun to follow friends, so we forget that posting pictures of that drunken frat party or naked mosh pit might not bode well for future relationships with employers, friends, or even the law. We forget that, sometimes, giving just a little tells a lot. You can't do anything online without signing up for an account, typically supplying your e-mail, at minimum.

End-user license agreements (EULAs) are more invasive than ever. Disney put one out that's over 50 pages long—for a DVD of Sleeping Beauty. Even "don't be evil" Google took flack for the Chrome browser EULA, which proclaimed the corporation owned whatever you might post through it. Google changed that policy—eventually. But it still hangs on to plenty of information about its users, all the better to sell you stuff. All that sounds innocuous compared with full-blown identity theft, but identity theft wouldn't be a plague if our personal data weren't out there for the taking. And make no mistake: It's out there. Companies like PallTech—an online service for investigators and collection agencies—have databases with just about every American's name, address, date of birth, and Social Security number.

Have we as a culture abandoned our right to privacy? Absolutely not. While it's easy to give up, it's also easier than ever to take back your privacy. The new generation of Web browsers takes the possibility of your being snooped on seriously—and that's just the beginning. We'll show you how to go online and remain as stealthy as can be, so the chances of you being ID'd without your consent, or having your ID stolen, are slim to none.

Secretive Surfing

All the major browsers for Windows—Internet Explorer 8, Firefox 3, Chrome 0.2, Opera 9.6, and Safari 3.1.2—offer some kind of security and privacy settings, at the very least to give you control over cookies, cached files, and your stored surfing history. How it's done is a little different in each browser.

Cookies 
Cookies are little strings of text that Web sites store on your computer as a means to identify you to that site later. This is handy, as it means not entering your passwords for sites over and over again. However, you may not want all the cookies that sites want to place with you on the Internet tracking you. Cookies won't store anything personal unless you hand the info over via a Web form; however, just visiting a Web site allows it to put a cookie that stores your browser type and IP address onto your computer, assuming your browser is set to allow that.

Why is that a big deal? Maybe it isn't. Cookies are neither good nor evil. They're a convenience, and like most conveniences, they come at a price. Consider this: Your e-mail program, even Gmail, suppresses the images in your messages by default. The reason is that spammers and marketers put special images containing URLs into those messages. Each URL is specific to just the message sent to each recipient. These are called Web bugs or Web beacons. If the image loads, even if it's an invisible, single-pixel picture, the server that supplies the image may also look for cookies it can read, associating your IP address with that URL, and for other images (advertisements) you may have seen. The marketers will know plenty about your browsing history in an instant. Browser preferences/options let you opt to accept all cookies, accept only those from sites you visit (eliminating those from third-party advertisers, for example), or never accept them at all. The latter is a shoot-yourself-in-the-foot move; go for the "from sites I visit" option and, if you're paranoid, check the box to be asked for permission before the browser allows the installation of cookies. But even that gets old fast. A button reading "manage" or "show" cookies will provide some granular control of cookies on a site-by-site basis.

Private data 
The information your browser terms "private" encompasses a lot—everything from your browsing history to download history, the cache of Web page files on your hard drive (aka temporary Internet files), cookies, and even saved passwords. All major browsers can clear all of the above with a button click, and most can be set to delete history whenever the software is closed or by some other time increment. Both are very important steps on a shared computer, even more so if the PC in question is a public computer. Clear your tracks when you're done.

The latest versions of some of these browsers take an extra, much-needed step, letting you invoke a privacy mode—some call it "porn mode" for obvious reasons—that prevents cookies and private data from being recorded in the first place. Your history of sites visited and searched for is not kept. This doesn't affect bookmarks you save or files you download, just your history. Chrome calls this mode incognito; in IE8 beta it's called InPrivate Browsingand accessed from the Safety menu; Safari and Firefox call it simply private browsing. Safari has had this feature since Version 2 in 2005.

The current Firefox 3.1 beta has not yet integrated the feature, but it's coming soon. In the meantime, those with the current or older Firefox can get the same feature using the Stealther extension.

You can tell you're in the privacy mode in different ways for each browser. IE8 puts a button in the address bar that reads InPrivate. Chrome's incognito mode puts an icon of a guy in sunglasses, trench coat, and fedora in the upper right corner by the tabs. In Safari, look for a check mark next to "Private Browsing" on the Edit menu. If you began a session without enabling private browsing, you can still "stealth up": Turn private browsing on, then selectReset Safari on the Edit menu to reset all your current pages to stealth mode.

In all cases, privacy mode is not on by default when you start browsing. You need to activate it when you launch the browser.

IE8's InPrivate Blocking goes a step farther than the others, not only not storing info from sites you browse, but also blocking third-party content providers—like advertisers—known for collecting data about you. Even without looking at your cookies. InPrivate Blocking will obstruct the most frequently encountered third-party content providers first. You can subscribe to lists of sites to block on a regular basis; and once you've blocked a few, you can publish a list of your own to share.

Personal Proxies

It doesn't take much to figure out such details about a person as address orphone number. With a partial name and location, you can find plenty for free on sites like pipl.com or ZabaSearch or even Google. People who are willing to pay get a lot more.

Your broadband modem typically has a unique IP address, and it's easy for any Web site or other snooper to see; the IP address is usually included in the headers sent with e-mail, too. An IP address alone can easily give an approximation of your location, based on where your ISP is located. VisitWhatIsMyIPAddress.com and it will reveal your IP address—plus a Google Map that will probably pinpoint the town you're in.

What's needed is a way to surf anonymously that goes beyond browser privacy modes for protection. Luckily, they exist. The fundamental stealth method is an anonymous proxy server. Plug settings from a proxy server into your Internet software (browser and e-mail) and all requests sent to the Internet from that software will be relayed through the proxy. This is also an effective method of making yourself appear to be in another location; the only problem is that you may also find yourself looking at foreign versions of sites like Google, which load languages based on a user's location. Using a proxy carries the bonus of making your PC less susceptible to outside attacks, but that's only a problem if you're not using a router and a software firewall (which you are, right?). Not all proxy servers guarantee anonymity, so choose accordingly.

Setting up proxy servers should be simple: You get an IP address and a port number to plug into fields in the options for your browser, e-mail client, and other Internet software. Sites like Proxy4Free.com, publicproxyservers.com, and more list some you can try. You can try skipping the entry, too: Get-Proxy.com lets you click a link to a proxy server and start surfing to sites immediately as if you're not yourself. These usually add an unsightly extra address bar at the top of the page to use for browsing anonymously.

A more advanced method is to install a proxy server/service of your own. Tor, short for "The Onion Router," is one that's free. Install the Tor Vidalia software bundle for Windows, Mac, or Linux and then set up your software to use it for anonymous surfing. Tor recommends using Firefox with an extension called Torbutton to automate the proxy server. Of course, not everyone thinks Tor is very secure, because it doesn't tell you which servers your traffic goes though. IronKey, maker of a super-secure USB thumb drive, offers Secure Sessions mode for browsing through its own Tor servers, which it claims are more reliable and faster because they're controlled.

Paying for anonymous proxies is also an option. Anonymizer ($29.99 for one year) is probably the best known, and GhostSurf ($29.95 per year) is another anonymous proxy. Both pledge to make you completely invisible when surfing the Web. ZoneAlarm ForceField ($29.95) takes a different tack: It's a virtualized "bubble of security" that separates the browsing from the operating system, keeping your computer safe from browser exploits. It doesn't anonymize, though it does offer a private browser mode.

Encrypted E-mails

Using cryptography to ensure that messages can be read only by intended recipients goes back to a time long before e-mail. It's just easier to implement electronically.

Programs like Pretty Good Privacy (PGP) use algorithms to encrypt and decrypt your messages. PGP, created back in 1991, isn't just pretty good—the encryption it applies is so good that its author, Phil Zimmermann, was targeted for criminal investigation. When sent overseas, cryptography that effective was considered munitions by the U.S. government. Zimmermann got around the charges by publishing the PGP source code in a book, protected by the First Amendment.

Here's the gist of how public key cryptography like PGP works. You create both a public key and a private key. The former you can tell the world. The latter you tell no one. Ever. All your friends do the same. You use their public key to encrypt things sent to them, they use your public key to send to you. Only your individual private keys can decrypt the messages received, because the public and private keys were created to work hand in hand. Keep things even more on the down-low by creating a "web of trust" between friends, and share your keys only with those in the circle. For more details on using encryption, read "Secure Your E-Mail and IM Communications".

PGP now comes in commercial products from PGP Corp. (including top-ratedPGP Desktop Pro). Products such as Voltage Security Network and eCipher Prohave similar public key cryptography. All do the job and work with just about any e-mail client, but will set you back around $80.

You can get open-source (free) encryption via a package called GnuPG. It works with front-end applications that interact directly with your e-mail. For example, EnigMail is an extension for Mozilla Thunderbird that uses GnuPG on Windows, Mac, or Linux to get you started with message encryption.

There are even ways to secure Web-based Gmail. The simplest thing you can do is to make sure the URL to access Web mail starts with https://. The "s" indicates that the page is encrypted using a Secure Sockets Layer (SSL) connection from you to the server. The Firefox extension Better Gmail can force Gmail to sign on with SSL. This isn't the same as encryption, but it is the same technology that protects your credit card info when sending it to servers like Amazon's. However, once that message leaves the server to go to a POP3 e-mail, it's no longer secure.

If you use Gmail's IMAP feature to access messages via Thunderbird, you can continue to use EnigMail and GnuPG and just send messages that way. Of course, the person on the other end needs to have both installed for decryption.

If you want to go entirely stealth-mail all the time, Hushmail.com claims that its free accounts are always secure and private, with all messages and attachments encrypted using open PGP. A Premium version offers more storage and IMAP-based e-mail access from desktop e-mail clients. The site even lets you send messages as if they're from your own e-mail, complete with a decrypter question you must include, something that only you and the recipient can answer. Once answered, the e-mail message is displayed on the Web.

Anonymizer Nyms is a program you can subscribe to for $19.99 a year. It creates temporary, disposable e-mail addresses (called DEAs, or "nyms") you can check with your regular e-mail client—perfect for all those online sign-ups. Nyms also prevents spam and malware. You can also get DEAs free at Mailinator.com, GuerrillaMail.com, and many, many others.

Intimate IMs

Instant messages go out over many networks using different protocols, but almost all are sent in cleartext. That means they're easy to read by the recipient with no extra processing by the software, which makes good sense when you're doing real-time chats. That also means they're easy to read if intercepted. Most IM clients can also send file attachments, which can include malware.

It should go without saying, then, that you should accept IMs only from people you know. But how do you ensure that sensitive messages sent and received are as secure as can be in transit?

Zone Labs had a product for a while called IMSecure, but the company discontinued it in the summer of 2008, removing all IM protections built into the ZoneAlarm Internet Security Suite. Why get rid of it? Zone Labs says several of the dominant IM services—AIM, Yahoo!, Microsoft—now offer features like encryption, IM spam blocking, and more, either integrated or through third-party add-ons.

Older versions of the AIM client allowed the use of a personal digital certificate for encrypting, just in case someone out there is packet-sniffing your network. You can still get older AIM versions (5.9, for example), and then a free certificate from Comodo.com, or AIMencrypt.com. The current versions of AIM and the business-oriented AIM Pro automatically use SSL when transporting messages, but don't do certificate encryption anymore. Even Trillian, the multiprotocol IM client, supports this for AIM and ICQ. Yahoo! Messenger has its own stealth and privacy settings, so you can sign on as invisible or ignore people, but it has no encryption of IMs. I found one other untested product, SimpPro ($25, www.secway.fr), which promises to encrypt all traffic on MSN, Yahoo!, ICQ, AIM, Jabber, and GoogleTalk, plus all their respective client apps.

Of course, no two IM systems offer the same security features, as they're all proprietary. Web-based IM front ends, such as AIM Express or the multiprotocol Meebo.com, won't support any of these security extras yet.

Thwarting ID Theft

Overall, identity theft is down since 2002. That's the good news.

In 2007, 1.6 million people claimed they were victims of identity theft; but fewer than 2,000 people were tried and convicted of the crime, according to September 2008's "The President's Identity Theft Task Force Report" (opens PDF). That means it's up to you to protect yourself—the cops aren't up to it. Always keep in mind the social engineering that grifters use to get your important digits, specifically your Social Security number. The number one recommendation in the report is to reduce or eliminate the unnecessary use of SSNs in the public sector. It would be smart to start now, because another recommendation is that victims of ID theft get another piece of ID to carry, specific to them. Ugh.

Our own Matthew D. Sarrel has covered the topic of stolen identity and how to prevent "losing" your identity in great detail. Follow his advice and add it to your everyday way of working, both online and off. If you want a high-tech approach for your online protection, check out Identity Finder Professional Edition 3.4 or MyTruston. Both keep an eye on your PC for information that should be secure—such as your address, phone numbers, credit card numbers, and birthdays—and either warn, delete, or encrypt the data before it goes out the tubes to the rest of the world. A number of security suites offer this feature as well.

Further Reading