
Your Browser is Selling You Out

You may feel completely anonymous when you sit in front of your PC surfing the Web, but with every click you risk leaving tracks that clearly identify you to total strangers. Even if you're scrupulous about safeguarding your name and e-mail address, a single slip can give away details to a company whose name you don't recognize. And seemingly innocuous software programs can surreptitiously connect to the Internet and transmit personal data without your knowledge. Alarmed? You should be.

Surprisingly, the most insidious threats to personal privacy come from sources that were until recently considered mostly harmless. In and of themselves, browser cookies can't do much. They can't collect personal information unless you enter it, and each cookie's data is hardwired to a single site.

With the rise of Internet ad agencies, however, cookies have become far more dangerous. By placing ads from a single server on a variety of pages, these agencies can create detailed profiles of Internet use from a single computer. If the agency can convince you to enter your name and e-mail address, it can begin to connect the dots into a surprisingly complete picture. The Internet ad giants have an insatiable appetite for data; DoubleClick, for instance, recently spent $1.7 billion to acquire market research firm Abacus Direct and its treasure trove of 88 million personalized records of consumer activity. Don't recognize the name? If you've ever used the Alta Vista search engine or read the Wall Street Journal online, you're in DoubleClick's database.

The Ad Game

And what if you run a Web site that includes online advertising or e-commerce capabilities? If you let an Internet ad agency place ads on your Web server, be sure you understand fully how its information collection policies sync with yours. You owe it to your customers to collect only information you truly need to run your business. We strongly recommend that you publish a detailed privacy policy that clearly states what type of information you collect, why you need it, and what you do with it.

TRUSTe offers a clever fill-in-the-blanks wizard you can use to write a decent first draft of a privacy policy. Of course, the results are pure vanilla, as befits an organization whose primary purpose is to defuse calls for government regulation of the Internet. For a much more detailed look at the subject, read "Surfer Beware III: Privacy Policies Without Privacy Protection" (www.epic.org/reports/surfer-beware3.html). This report by the Electronic Privacy Information Center (EPIC) is a no-punches-pulled review of how the 100 top e-tailers handle personal data. For consumers it offers an excellent primer on how to decipher the legalese in a typical privacy statement; for businesses it provides detailed instructions on how to create a meaningful privacy policy.

The results of EPIC's study are depressing: All 100 sites collect personal information, such as names, addresses (snail mail and e-mail), and phone numbers, and 86 sites use cookies. Only 21 of the top 100 sites appeared to limit the uses of personal information to that required for the transaction, and more than one-third include profile-based advertising without any warning to customers.

Internet ad agencies rationalize profiling by explaining that it lets them personalize the browsing experience. They claim that by knowing your preferences, they can serve up banner ads that are more likely to appeal to you than randomly selected ads. Maybe so, but most Internet analysts see a more logical explanation: Click-through rates on banner ads are shockingly low; the best way for ad agencies to make money fast is to mine their data and deliver targeted lists of prospective buyers to their clients.

Of course, cookies aren't the only way to siphon data from your computer to a far-off server. With the explosion in popularity of always-on Internet connections, it's trivially easy for software developers to write Internet connection code into their releases. That's the time-honored principle behind Trojan horse programs like Back Orifice—if a company can convince you to install the program in the first place, it has free rein to snoop through your data and transmit at will.

So what happens when the Trojan horse comes in the form of trusted software? Just last year three popular programs were discovered to be making surreptitious Net transmissions. Real Networks' RealJukebox transmitted statistics about music files to the mothership. Comet Cursors, a browser add-in that transforms the ordinary mouse pointer into a custom image at partner sites, sent serial numbers (stored in a cookie, naturally) back to a central server to track its product's usage. And a silly holiday-themed computer game called Elf Bowling wasn't infected with a virus, as persistent Web rumors insisted; it did, however, open an Internet connection capable of transmitting data.

In all three cases, the impact on consumers was minimal. The real damage to the companies was measured in PR terms, as each one had to apologize to its users and somehow convince skeptical observers that its failure to disclose the hidden communications channel was an innocent oversight. Sooner or later—probably sooner—an unscrupulous developer will use this capability to really steal data. Don't let it be yours.

Be Prepared

Online advertisers will do nearly anything to seduce you into revealing personal details about yourself. Guard your name, e-mail address, and other details and never give them away without good reason. Set up a throwaway mail account at a free Web service and use it, plus an assumed name, whenever you're required to fill out a survey to gain access to a Web site. And don't install new software unless you're certain it's safe.

For extra protection, monitor your cookie collection and weed out any whose purpose you don't clearly understand. (Netscape Navigator users can search for a file called Cookies.txt; Microsoft Internet Explorer users can look in the Temporary Internet Files folder for text files that begin with the word Cookie.) Follow the instructions in "How to Disappear" on page 92 to stop the top Internet ad agencies from collecting personal information about you.

For the strongest protection, use commercial blocking software to hide your identity when browsing the Web. Go to www.anonymizer.com to surf from an anonymous server. For more elaborate protection, download Freedom 1.0 from Zero-Knowledge (www.freedom.net). This compact program lets you create multiple identities, or pseudonyms, and then route your Internet traffic through a series of servers that keep your true identity completely secret.


How to Disappear

A handful of Internet advertising agencies are responsible for virtually all the banner ads you see on the Web. Through sweepstakes, surveys, and other come-ons, they try to entice you to provide personal information; most let you stop the data collection by "opting out." Here's a list of links that let you do just that.

Flycast www.flycast.com/about_us/index.cfm?sub=pri&content=privacy#optout

Features privacy policy and opt-out instructions.

24/7 Media www.247media.com/privacy.htm

You'll find privacy policy and opt-out instructions. Ironically, you must send an e-mail with personal information to have it removed from the database.

Adsmart Network

Sister company of Engage Technologies; see instructions under Engage Technologies.

MatchLogic www.matchlogic.com/privacy/policy.htm

For detailed opt-out instructions go to www.delivere.preferences.com/OptOut.

Engage Technologies www.engage.com/privacy/koptout.htm

Just click on its opt-out link.

NetGravity www.netgravity.com

A division of DoubleClick; see DoubleClick for opt-out instructions.

AdForce www.adforce.com/home/comp3_priv.html

Claims not to store personal information; privacy policy does not include opt-out instructions.

Real Media www.real.com

No published privacy policy or opt-out instructions; claims its Privacy Proxy software prevents collection of personal data.

DoubleClick www.doubleclick.net/company_info/about_doubleclick/privacy/privacy2.htm#optout

Includes details for removing the cookie-based tag that identifies your computer.
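
The cookie check recommended under "Be Prepared" can be automated for Netscape's Cookies.txt, which stores one cookie per line as seven tab-separated fields (domain, subdomain flag, path, secure flag, expiry in Unix seconds, name, value). The script below is an added example, not part of the original article: the domain set is taken from the ad-agency hosts in the list above, the sample file is constructed, and the function names are this example's own.

```python
import time

# Ad-network domains taken from the hosts listed in "How to Disappear".
AD_DOMAINS = {
    "flycast.com", "247media.com", "matchlogic.com", "preferences.com",
    "engage.com", "netgravity.com", "adforce.com", "doubleclick.net",
}

# Constructed sample in Netscape Cookies.txt layout (not real cookie data).
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    ".doubleclick.net\tTRUE\t/\tFALSE\t1315360000\tid\tA1B2C3D4\n"
    "www.example.com\tFALSE\t/\tFALSE\t946684799\tsession\txyz\n"
    "ad.preferences.com\tFALSE\t/\tFALSE\t1002592000\tPreferencesID\t0042\n"
    "notdoubleclick.net\tFALSE\t/\tFALSE\t1002592000\tu\t1\n"
    "truncated line without tabs\n"
)

def parse_cookies(text):
    """Yield a dict per well-formed cookie line; skip comments and junk."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # damaged or truncated entry
        domain, _sub, path, secure, expires, name, value = fields
        yield {"domain": domain.lower(), "path": path,
               "secure": secure == "TRUE", "expires": int(expires),
               "name": name, "value": value}

def ad_network_for(domain):
    """Return the matching ad domain, or None. Matches on a label boundary
    so 'notdoubleclick.net' is not mistaken for 'doubleclick.net'."""
    host = domain.lstrip(".")
    for ad in AD_DOMAINS:
        if host == ad or host.endswith("." + ad):
            return ad
    return None

def audit(text, now=None):
    """List (ad_domain, cookie_name, days_until_expiry) for ad-network cookies."""
    now = time.time() if now is None else now
    findings = []
    for cookie in parse_cookies(text):
        ad = ad_network_for(cookie["domain"])
        if ad:
            days = max(0, int((cookie["expires"] - now) // 86400))
            findings.append((ad, cookie["name"], days))
    return sorted(findings)

if __name__ == "__main__":
    for ad, name, days in audit(SAMPLE, now=1_000_000_000):
        print(f"{ad}: cookie '{name}' persists for {days} more days")
```

A long remaining lifetime on an ad-network cookie is the signal to look for: it is what lets one server recognize the same browser across many unrelated sites over time.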