CDT’s Guide to Online Privacy: Tips

October 27, 2009

Fourteen Ways to Protect Your Privacy Online

1. Learn how to read online privacy policies

On the Web, as you shop, read information, view videos, use social networking sites, or engage in other activity, the sites you visit record what you are doing. Even if you don’t log-in or intentionally disclose any identifying information, Web sites can collect information without your knowledge — what computer hardware and software you use, what site you last visited, and what address your ISP has assigned to you. Web sites will often plant a "cookie" on your computer to identify your computer and keep track of your activity.

Most Web sites now have privacy policies that describe what kind of information the site collects from you, how it is stored and used, and who it is shared with. However, just because a site has something called a "Privacy Policy" does not mean that the site protects your privacy. On the contrary, often buried in the dense language of "privacy policies" are broad statements that your information will be disclosed to third parties and used for a variety of purposes. See our Web Site Privacy Policies page for more information about what to look for in a privacy policy.

2. Opt-out and use any other privacy options offered

As you sign-up for accounts with online merchants and social networking sites, pay particular attention to the various privacy settings and privacy options offered to you. For example, many online companies provide you with the option to get off or "opt-out" of the lists that share your information. A number of companies go a step further and ask your permission ("opt-in") before sharing personal information that they collect. Brand name companies will respect your choices. Too often, however, companies make opting out difficult, so you may have to dig through their privacy policy to find where to opt-out.

Companies such as Pro-Quo have created services to make opting-out easier for you. Several years ago, CDT created Operation Opt-Out to help you control how your personal data is collected and distributed; it is a little outdated, but still has useful links and information.

3. Get a separate account for your personal e-mail

If you are assigned an e-mail address in connection with your job, your boss probably has a legal right to read any and all correspondence in this account (and maybe any information stored on your work computer). In fact, you may have agreed to such monitoring when you took the job or first logged on to the corporate system.

Using a separate e-mail account (such as the free accounts available from Google or Hotmail) for personal communications helps protect your privacy at work. Some private accounts, such as those offered by Web-based email services, enable you to check your personal mail from work without downloading it to your company computer.

4. Teach your kids not to give out personal information online without your permission

In 1998, a federal law was passed requiring companies to gain parental consent before collecting personal information from children under 13 years old. However, there may be some sites that violate or skirt the law. Teach your younger children that they need your permission before they can give out their name, address or other information about themselves or the family.

Older children need to be reminded of the privacy pitfalls online too, especially as they use social networking sites. Be sure that any children who use social networking sites pay attention to the privacy settings and set them so that only the real friends they approve of can see their information.

The FTC has more information about the law protecting children under 13 and about kids privacy in general.

5. Be careful when using social networking sites and picture/video sharing sites

If you use a social networking site, be careful about who can see your information. If you use a picture or video sharing sites to share photos with friends and relatives, be careful how you set the settings that are offered, to be sure you are not sharing your pictures with strangers. Be especially careful with pictures of your kids. If the site allows you to do so, check every once in a while to see if anyone you don’t know is looking at pictures you did not want to share publicly.

6. Learn about – and use – the privacy features in your browser

The software you use to surf the Web – whether Internet Explorer, Safari, Camino, Firefox, or Chrome – has built into it a variety of tools (or plug-ins are available) that can help you protect the privacy and security of your information as you use the Internet. Take some time to read about the privacy and security features in the browser you use. They can help you control the planting of "cookies" on your computer (see Tip #9 for more on cookies), identify insecure or fraudulent sites before you visit them (see Tips #7 and #8 for more on spotting fraudulent sites), block viruses and other malicious software from being downloaded, and enhance your privacy and security in other ways. CDT’s report on browser privacy features has more information about these features, compared across the major browsers.

For example, if you use a computer in a library or other place where someone will use the computer after you, use the tools that allow you to clear your browser history and memory cache after browsing. This can be important because, as you use the Web, the browser software saves a history of the sites you visit. In addition, copies of all the pages you visit are saved in the computer’s memory (known as the "cache"), in order to help the site load faster when it is visited a second time. Also, the search bar on the browser may store past searches. All of these features have their benefits, but these browsing records can compromise your privacy, particularly if you use a computer at the library or in another context where someone else will use it after you do. Depending on the specific browser, you can delete cached images from the "Preferences" menu or the "Tools" menu. You may have to use three separate controls to delete all three sets of history – cache, the list of sites visited, and the search history.

7. Make sure that online transactions are secure

While interception of Internet communications in transit is rare, it is worth taking precautions, especially when sending credit card numbers or other financial information. Most e-commerce Web sites have a secure mode that encrypts sensitive transactions while they pass over the Internet, and all the major browsers indicate whether a transaction with a particular Web site is encrypted. In most cases, the address for a secure Web site will start with "https" – the "s" indicating secure. In addition, all of the common browsers use a small picture of a lock to indicate that a site is secure. The symbol appears either in a corner of the browser screen or right in the address bar; clicking on the lock will give you additional security information about the page.

It is VERY important, however, to recognize that the use of https and the appearance of the lock do not prove that the Web site you are visiting is legitimate or that your information will be used properly once it reaches the Web site. The company running the Web site may be fraudulent; or the Web site may be a fake, made to look like a legitimate, well-known brand but in fact it may be a spoof. Increasingly, browsers have features that will warn you if something doesn’t add up. Read up on the browser you use, so you know whether and how it warns you when you are about to visit a site that may be fraudulent. But the fraudsters are always trying to keep ahead of these security measures, so use common sense and check out Tip #8 to learn for yourself how to spot a fraud.

8. Learn how to spot phishing and other scams

Before giving out personal information online, know who you’re dealing with. You have to be especially careful because fraudsters are creating websites that look like those of legitimate businesses, trying to get you to enter information.

"Phishing" is a scam designed to steal your personal information under false pretenses. The scam works by tricking users into disclosing personal information, such as credit card numbers, social security numbers, and account passwords. The fraudsters pretend to be a well-known source, such as your bank, a brand-name e-commerce site, or popular social networking site. The fraudsters lure you in with an email, a pop-up ad, or an instant message that has a link to the fraudulent website where you are asked to enter their sensitive information.

One way to spot a phishing email is to examine the sender’s email address. For example, if the email purports to be from a bank or other business headquartered in the U.S., but the email address ends with .cn or some other country code, you can be sure it is not legitimate. Also, if you scroll your cursor over any link in the email (being careful not to click on it), your browser may show the actual address – if it is a string of numbers or is otherwise different from the address of the legitimate business, then the link will take you to a scam site.

Messages marked "Urgent" are usually frauds.

To be safe, it is best that you don’t click on any links in an email purporting to be from a bank or financial institution – chances are it is a fraud. If you want to go to the website of your bank, type the address into your browser.

Fraudulent websites generally have deceptive URLs. Look carefully at the address of a website – if it is not in the normal business.com format, it may be fraudulent. Many fake sites will place a picture of a fake lock icon on their site. Make sure the secure lock icon is in the browser frame, not inside the browser window.

Never click on an email attachment from someone you don’t know.

The Anti-Phishing Working Group has more advice about avoiding scams. If you have been the subject of a scam, you can file a complaint with the Federal Trade Commission and learn more at their Identity Theft website. Microsoft and eBay have good advice on how to recognize and avoid phishing scams.

9. Reject or delete unnecessary cookies

Cookies are small bits of computer code planted on your computer by most of the Web sites you visit. They enable the Web sites to collect and store information about your online activity and to recognize your computer when you return again or visit an affiliated site. If you signed up to a Web site and obtained a username and password, cookies remember that information for you. Some sites use cookies to deliver content targeted to your express or inferred interests; sites often use these preferences to target advertisements to you. Cookies can be used to track you across Web sites online, enabling creation of a profile without you even realizing it.

All of the major browsers allow you to reject cookies outright (although that may interfere with the functioning of various Web sites you want to use regularly) and to view and delete the cookies that have been put on your computer. You may have to dig around in the Help section or on the Browser Web site to find the cookie controls, since they vary from browser to browser and even between different versions of the same browser. In Safari, for example, you will find cookie controls under Safari > Preferences > Security. In Internet Explorer 6, you can find the options for controlling cookies by clicking "Internet Options" on the "Tools" menu, and then clicking the "Privacy" tab. To delete cookies already on your computer will require a separate set of steps; again, you may have to dig though the Help section or search online for instructions.

One point of caution: Some privacy opt-out systems rely on a cookie. If you delete the cookie, your opt-out is canceled. For this reason and others, it is probably best to delete your cookies selectively, not wholesale.

10. Use security software and promptly install security upgrades

If you go online, your computer could be infected by various kinds of malicious software, ranging from viruses to spyware. "Spyware" is used to deliver unwanted pop-up ads or to steal sensitive information. These programs create privacy problems, open security holes, and otherwise degrade the performance of your computer. Worse, you often can’t tell what’s wrong with your computer and even if you knew what you were dealing with, it can be very hard to uninstall spyware.

The best solution is to keep nasty software off your computer in the first place. Fortunately, there is a thriving market for security software that you can use to protect your computer. Anti-virus and anti-spyware software takes many forms, but if you use a reputable product, your computer will be protected from most (although not all) security threats. Check the reviews online at CNET or in Consumer Reports or use sites like GetNetWise.org for a list of good choices. Just make sure you get your security software from a reliable vendor; often, spyware masquerades as software to protect your computer!

The vulnerabilities in your computer software that viruses and spyware take advantage of are most likely being fixed or "patched" constantly by the developers of the basic software you use. Microsoft, for example, issues patches for their products once a month, on the second Tuesday (and more often if needed). You can set up your computer to automatically check for upgrades, and most security updates are free. When an application that you installed asks whether to update itself, you almost always want to do so promptly in order to ensure that you have the most up-to-date security in that application or on your operating system. Likewise, new security features are often incorporated into new software upgrades, so new versions of software you already own may be worth the upgrade. Check out what the reviewers have to say and see if the upgrade will protect you online.

And remember, don’t click on links or attachments in emails even if they promise security upgrades. Recently, an email purporting to be from Microsoft had a virus. If you are looking for a security upgrade, it is best to type the address of the company into your browser address bar – such as "http://www.microsoft.com/downloads/".

11. Safeguard important files and communications

Secure your laptop, your phone and other portable devices with a strong password. Keep your important files out of any shared or public folders. In situations where there is a particular need for security, you should use encryption. You can encrypt your e-mail and you can encrypt files stored on your personal computer. However, in order to encrypt your e-mail, both sender and recipient must use the same program. This is fairly common within closed systems (such as for communications among the employees of a government agency or within a corporation and between the corporation and its suppliers), but relatively few individuals use encryption for their daily email with people outside their own institution. The major e-mail programs (i.e., Internet Explorer Outlook) have encryption built in. Pretty Good Privacy (PGP), a popular encryption software, is free for non-commercial use. PGP can also be used to encrypt files on your computer.

12. Use anonymizer tools, but cautiously

While many people assume that they are anonymous on the Internet, the reality is much more complicated. It is best to think of the Internet as offering varying degrees of anonymity. For example, a digital cash system like PayPal offers good privacy and security protection for most purposes, in which you do not have to reveal your identity to the other party to a transaction. Likewise, for a variety of purposes, a pseudonymous e-mail address registered with a free service offers a form of anonymity. However, a law enforcement agent or a private individual or corporation armed with a civil subpoena could, with a couple of steps, unmask the identity of the average person who uses these services and others.

For especially sensitive matters, certain browsing tools can help increase your anonymity by hiding your computer’s identifying information. Anonymous browsing tools are readily available on the Net. Visit http://www.torproject.org and http://www.anonymizer.com

"Anonymous remailers" can allow you to send anonymous email messages. However, different anonymizers use different methods, in ways that may crucially affect their effectiveness. Despite the fact that the name "anonymizer" implies that you are completely anonymous from all parties, this is rarely the case. Therefore, it is important to closely study what the anonymizer does when deciding which tool to use for which purpose. At this time, CDT is not recommending any particular anonymous remailer.

13. Use strong passwords and protect them

Do not use passwords that can be easily guessed by someone who knows your name. Especially do not use your children’s or spouse’s names, your date of birth, current or old addresses, phone numbers, or Social Security number — it is just too easy for someone to find out these things about you. Do not use the same password across sensitive sites. Change your passwords occasionally.

14. Use common sense

Reading our Top Ten list and seeing frequent news stories about identity theft online is enough to make any Web user paranoid. However, a bit of common sense can go a long way. Online, ask yourself the same questions you would ask and use the same kinds of tools you would use when you are in the "real" world: If a Web site is not a brand name you recognize, do some consumer research; see if there are any complaints online about the company. If a deal seems too good to be true, it probably IS too good to be true.

For more tips and information, check out OnGuard Online, a fantastic resource maintained by the Federal Trade Commission. The FTC has a great list of privacy and security tips.