Home & Office

Online anonymity hard to achieve but not impossible

Tough to trust Web sites with personal data amid reports of data leaks and privacy infringements even from major brands, but online anonymity still possible if users and organizations do the necessary checks, say security players.
Written by Ellyne Phneah, Contributor

It is difficult to trust Web sites to protect personal information, especially amid reports of data leaks and privacy breaches, but online anonymity may still be possible if consumers are aware of what they're sharing online and organizations observe best practices.

A recent study by Stanford University's Computer Security Laboratory which assessed 185 high-traffic Web sites found that more than half shared a consumer's username or user ID with another site. Among these top recipients of the user information were Google, Facebook, ComScore and Quantcast.

Information leakage is a pervasive concern, said Jonathan Mayer, a Stanford graduate and the study's author, noting that 61 percent of Web sites he interacted with leaked a username or user ID.

"Many times, developers are not thinking about privacy issues and it's a fact of life that information is going to leak to third parties. I think we have to recognize that's just the way the Web works," Mayer said in a Reuters report.

According to Stephen Cobb, security evangelist at ESET Security, trust is difficult to evaluate online as consumers tend to trust well-known brand names, but many big brands have at times failed to keep promises about security and privacy.

Cobb told ZDNet Asia that Microsoft, for instance, was taken to court by the American Federal Trade Commission (FTC) when the software giant's claims about privacy and the security of its Passport online authentication were challenged by consumer groups.

Many consumers are happy to share information about their personal preferences in order to receive relevant information, promotion and offers, or for popular online activities such as banking and shopping, Cobb noted.

However, he said it was disturbing the Stanford research revealed that personal information was being shared "without the conscious knowledge" of consumers.

"Web sites will eventually lose the trust of consumers, and their online business, if they cannot control the type and amount of personal information that is being shared, and limit the number of parties with whom it is shared," he cautioned.

Joseph Steinberg, CEO of Green Armor Solutions Information, added that data leakage is also made worse by hackers who can also attempt to undermine the policies of companies and Web sites.

Craig Spiezle, chairman of the Online Trust Alliance (OTA), noted that incidents of data loss occur every day, and while the majority of Web sites adhere to best practices, there is still no guarantee user information will not be leaked. If cybercriminals are willing to spend the time and CPU resources, they can compromise most sites via exploits or social engineering, Spiezle explained in an e-mail interview

"[Consumers] must understand that any data they post online can ultimately leak to the public," he said. "Do not rely on Web sites to be totally secure. If they are breached, you and your data leaks will not be safe."

Online anonymity difficult, but still possible
Remaining anonymous online is getting harder every day, Spiezle noted.

"Think of it as millions of individual pixels of information. By themselves or with a limited amount of data, they are abstract," he said. "Altogether or combined, they provide a mosaic of who you are."

Paul Ducklin, Asia-Pacific head of technology at Sophos, explained that even anonymized data can sometimes be "mined" to be traced back to a group, or even individuals. He noted that a few years ago, AOL published several months' worth of anonymized search data whereby each subscriber's name was replaced with a random number which gave no hint of the user's identity. Yet, searching the number can provide sufficient details about the users that a U.S. journalist was able to quickly identify, contact and interview one of these names.

However, Green Armor's Steinberg concurred that online anonymity and privacy are still possible to a large extent in terms of browsing.

Most Internet services providers including Google do not release usage information, so anonymity is ensured based on policies rather than technical systems, he explained.

For absolute anonymity, more must be done, he said, but noted that most people will not bother with the inconvenience and cost necessary to achieve this. For instance, there are people who are willing to dedicate computers for use solely on public Wi-Fi networks and who use anti-tracking software on these computers so they can browse with greater anonymity so that even the service providers do not know who they are, he explained.

There are also tools for browsing anonymously from home, Steinberg added, but their anonymity is ensured by the policies of the underlying technology, not by technical limitations.

Companies check policies, users beware
Keeping information secure often boils down to the fundamentals comprising a number of well-established security best practices, ESET's Cobb said. There are technical practices such as hardening the servers, reducing the attack surface, patching fast and often, and "application whitelisting", he noted.

Data leakage also occurs sometimes due to "overly aggressive" marketing programs that are conducted without sufficient oversight, he said. Business practices should be reviewed periodically to ensure what the marketing department and site developers are doing with the data is consistent with the company's stated privacy policies, Cobb said.

There are also best practices in policy and procedure such as background screening and security training for all employees who handle personal data, he said. Companies need to back their publicly stated commitment to privacy with policies that are strictly enforced in the workplace and their online activities, he added.

Failure to do so can lead to data leakage and regulatory scrutiny, Cobb warned, both of which can be very costly to the company's brand image and bottomline.

Companies and Web sites should also move to a design culture that favors security and privacy, Spiezle added, noting that they should work to minimize data collection, reduce retention periods and continually monitor systems and data flow.

As for users, Ducklin of Sophos remarked that consumers "love" social networking to the point that many of them give away too much information about themselves, their lives and lifestyle "far too frequently".

"A good starting point to boosting your privacy online is to think twice before you give out anything," he advised. "If in doubt, don't give out. You can have plenty of fun on the Internet without telling the world everything about yourself."

If the data is not there, it cannot be lost or stolen, he said. Ducklin added that celebrities can prevent their nude photos from being stolen if they stopped taking nude photos of themselves on their mobile phones.

Editorial standards