• PC World
• » Security

Taking Back Your Data

Even as Net users continue to give away personal information, companies track them zealously, and lawyers lick their chops, the good news is that people aren't sitting idly by.

Marius Cybulski, a programming student from Oshawa, Ontario, Canada, is one of a growing number of Net users who employ software to protect privacy online. Cybulski uses Norton Internet Security 2001 and Zone Labs' ZoneAlarm Pro firewall software to protect his system from prying eyes and rogue applications. He also strictly controls which cookies land on his hard drive.

"Unless a site specifically needs [cookies] to function, like Windows Update, I don't permit them," Cybulski explains. "Why should I? For statistical purposes? So a site can remember me and customize itself to my preferences? I hardly consider that essential in exchange for knowledge of where I've been, what I did, and where I'll be going."

New Tracking Tools

Cookies aren't the only devices that Net users have to worry about, however. Today, many companies use Web bugs to track your movements online.

A Web bug is a tiny GIF image file--just 1 pixel in size--embedded in a Web page and used to report information to the company that sends it. You can block cookies, but you can't currently block Web bugs, though companies are building filtering software.

If your browser isn't set to block cookies, the bug may tell your browser to accept a cookie from the server that delivers the image, or to send a previously stored cookie back to that server. Even if you block cookies, the bug offers another way--beyond server log files--of tracking your movements through a site.

"All of these technologies have been around for years," says Craig Nathan, chief technology officer for MEconomy, a start-up that helps Web sites develop server setups and site architecture to preserve customer privacy. "But now companies are experimenting with how they can use them. And practices that companies used to get away with are coming into the mainstream and gaining attention."

Most large sites employ Web bugs, Richard Smith says. PCWorld.com, for example, uses a bug delivered by DoubleClick, which handles our online ads. The bug was introduced in an effort to get a better count of traffic to the site after other information sources, such as server logs and syndicated research, proved contradictory or unreliable. PC World discloses the existence of the bug in its Privacy Statement; not all sites do likewise.

In many cases, moreover, the tools employed to track individuals on the Web aren't behind-the-scenes agents like cookies and Web bugs; they're programs that people use every day. Last fall, for example, Smith demonstrated how Web sites could use the "persistence" feature of Internet Explorer versions 5.0 and higher to obtain surfing information from a visitor--even one whose browser is set to block cookies. Persistence lets Web pages remember things like search queries so users don't have to reenter them.

More recently, Smith learned of a loophole in e-mail clients that allows someone to add JavaScript code to HTML-formatted messages so that person can find out where the message gets forwarded and what the forwarding comments are.

"Say I'm a marketer and I send you an e-mail about a product or service, and you send it along to someone with a comment like 'This looks interesting.' I'll know whom you sent it to and that you thought it looked interesting. Now I know to target you and your colleague," explains Smith.

Vulnerable e-mail readers include Netscape 6 Mail, Outlook, and Outlook Express. Eudora and AOL 6 e-mail readers, as well as earlier versions of Netscape and many Web-based e-mail systems, are unaffected because they don't support JavaScript fully, they turn it off by default, or they strip it out of incoming messages.

So far, no reports have surfaced of anyone exploiting this glitch. One way to fend off prying eyes is to disable JavaScript in HTML e-mail messages. You can get instructions for doing so, as well as other possible fixes, from the Privacy Foundation.

Changing the Rules

Even users who try to keep up with all the latest tracking technologies may be helpless when companies change the rules. Many dot-com companies are scrambling for profits or going out of business, and databases of personal information are a valuable commodity.

When Toysmart.com filed for Chapter 11 bankruptcy protection last June, it attempted to sell its customer database--something the site's privacy policy swore it would never do. The FTC and attorneys general from roughly 40 states filed suit against the company for violating its customers' privacy. Eventually, after receiving $50,000 from a division of Disney, a financial backer of the now-defunct retailer, Toysmart.com agreed to destroy its list.

In January, EBay users learned that they're not always in control of their own privacy preferences. At that time, the online auction site decided to fix a glitch in its registration form. Between April and October 2000, the part of the form that asked new users if they'd like to receive marketing messages, users surveys, telemarketing calls, and so forth had defaulted the answers to 'no,' whereas EBay had intended that the default answers be 'yes.'

The company finally decided to switch all the preferences to 'yes' and notified affected users by e-mail. EBay gave people two weeks to restore their old preferences before the changes went into effect.

"I don't understand why they can't just assume that right-thinking users would choose 'no' to these options, whether it was the default or not," says John Lee, an EBay user who works for a Boston insurance firm. "If the default was supposed to be 'no' and it was accidentally switched to 'yes', would EBay go through the same process or would they just assume people read the form correctly and made the selections they really wanted?"

In its defense, EBay said the same problem that flip-flopped registrants' default answers could have prevented users from getting updates about the site's privacy policy or e-mail notices that they'd been outbid in an auction. This assumes people were not reading the registration form closely and simply accepted the defaults.

The company says it ran its plan by several privacy watchdog groups before implementing it. One of the groups, Truste, later voiced concerns. "In this case [EBay] probably could have made a better call," says David Steer, a Truste spokesperson.

• See more like this:
• privacy,
• information,
• personal,
• invasion,
• surveillance,
• marketing