CDT's Guide to Online Privacy: Tips
Fourteen Ways to Protect Your Privacy Online
1. Learn how to read online privacy policies
2. Opt-out and use any other privacy options offered
3. Get a separate account for your personal e-mail
4. Teach your kids not to give out personal information online without permission
5. Be careful when using social networking sites and picture/video sharing sites
6. Learn about - and use - the privacy features in your browser
7. Make sure that online transactions are secure
8. Learn how to spot phishing and other scams
9. Reject or delete unnecessary cookies
10. Use security software and promptly install security upgrades
11. Safeguard important files and communications
12. Use anonymizer tools, but cautiously
13. Use strong passwords and protect them
14. Use common sense
On the Web, as you shop, read information, view videos, use social networking sites, or engage in other activity, the sites you visit record what you are doing. Even if you don't log in or intentionally disclose any identifying information, Web sites can collect information without your knowledge -- what computer hardware and software you use, what site you last visited, and what address your ISP has assigned to you. Web sites will often plant a "cookie" on your computer to identify your computer and keep track of your activity.
Companies such as Pro-Quo have created services to make opting-out easier for you. Several years ago, CDT created Operation Opt-Out to help you control how your personal data is collected and distributed; it is a little outdated, but still has useful links and information.
If you are assigned an e-mail address in connection with your job, your boss probably has a legal right to read any and all correspondence in this account (and maybe any information stored on your work computer). In fact, you may have agreed to such monitoring when you took the job or first logged on to the corporate system.
Using a separate e-mail account (such as the free accounts available from Google or Hotmail) for personal communications helps protect your privacy at work. Some private accounts, such as those offered by Web-based email services, enable you to check your personal mail from work without downloading it to your company computer.
In 1998, a federal law was passed requiring companies to gain parental consent before collecting personal information from children under 13 years old. However, there may be some sites that violate or skirt the law. Teach your younger children that they need your permission before they can give out their name, address or other information about themselves or the family.
Older children need to be reminded of the privacy pitfalls online too, especially as they use social networking sites. Be sure that any children who use social networking sites pay attention to the privacy settings and set them so that only the real friends they approve of can see their information.
If you use a social networking site, be careful about who can see your information. If you use a picture or video sharing site to share photos with friends and relatives, be careful how you configure the settings that are offered, to be sure you are not sharing your pictures with strangers. Be especially careful with pictures of your kids. If the site allows you to do so, check every once in a while to see if anyone you don't know is looking at pictures you did not want to share publicly.
The software you use to surf the Web - whether Internet Explorer, Safari, Camino, Firefox, or Chrome - has built into it a variety of tools (or plug-ins are available) that can help you protect the privacy and security of your information as you use the Internet. Take some time to read about the privacy and security features in the browser you use. They can help you control the planting of "cookies" on your computer (see Tip #9 for more on cookies), identify insecure or fraudulent sites before you visit them (see Tips #7 and #8 for more on spotting fraudulent sites), block viruses and other malicious software from being downloaded, and enhance your privacy and security in other ways. CDT's report on browser privacy features has more information about these features, compared across the major browsers.
For example, if you use a computer in a library or other place where someone will use the computer after you, use the tools that allow you to clear your browser history and memory cache after browsing. This can be important because, as you use the Web, the browser software saves a history of the sites you visit. In addition, copies of all the pages you visit are saved in the computer's memory (known as the "cache"), in order to help the site load faster when it is visited a second time. Also, the search bar on the browser may store past searches. All of these features have their benefits, but these browsing records can compromise your privacy, particularly if you use a computer at the library or in another context where someone else will use it after you do. Depending on the specific browser, you can delete cached images from the "Preferences" menu or the "Tools" menu. You may have to use three separate controls to delete all three sets of history - cache, the list of sites visited, and the search history.
While interception of Internet communications in transit is rare, it is worth taking precautions, especially when sending credit card numbers or other financial information. Most e-commerce Web sites have a secure mode that encrypts sensitive transactions while they pass over the Internet, and all the major browsers indicate whether a transaction with a particular Web site is encrypted. In most cases, the address for a secure Web site will start with "https" - the "s" indicating secure. In addition, all of the common browsers use a small picture of a lock to indicate that a site is secure. The symbol appears either in a corner of the browser screen or right in the address bar; clicking on the lock will give you additional security information about the page.
It is VERY important, however, to recognize that the use of https and the appearance of the lock do not prove that the Web site you are visiting is legitimate or that your information will be used properly once it reaches the Web site. The company running the Web site may be fraudulent; or the Web site may be a fake, made to look like a legitimate, well-known brand but in fact it may be a spoof. Increasingly, browsers have features that will warn you if something doesn't add up. Read up on the browser you use, so you know whether and how it warns you when you are about to visit a site that may be fraudulent. But the fraudsters are always trying to keep ahead of these security measures, so use common sense and check out Tip #8 to learn for yourself how to spot a fraud.
Before giving out personal information online, know who you're dealing with. You have to be especially careful because fraudsters are creating websites that look like those of legitimate businesses, trying to get you to enter information.
"Phishing" is a scam designed to steal your personal information under false pretenses. The scam works by tricking users into disclosing personal information, such as credit card numbers, social security numbers, and account passwords. The fraudsters pretend to be a well-known source, such as your bank, a brand-name e-commerce site, or popular social networking site. The fraudsters lure you in with an email, a pop-up ad, or an instant message that has a link to the fraudulent website, where you are asked to enter your sensitive information.
One way to spot a phishing email is to examine the sender's email address. For example, if the email purports to be from a bank or other business headquartered in the U.S., but the email address ends with .cn or some other country code, you can be sure it is not legitimate. Also, if you move your cursor over any link in the email (being careful not to click on it), your browser may show the actual address - if it is a string of numbers or is otherwise different from the address of the legitimate business, then the link will take you to a scam site.
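The two checks described above (the sender's address and the real address behind each link), written out as an added Python example that is not part of CDT's guide. The domain `bank.example` and the sample message are constructed, and the message is assumed to be a single-part HTML email.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect each link's real target (href): what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def belongs_to(host, legit_domain):
    """True only for the legitimate domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == legit_domain or host.endswith("." + legit_domain)

def phishing_signals(raw_email, legit_domain):
    """Return the reasons a message looks like phishing (empty list if none)."""
    msg = message_from_string(raw_email)
    signals = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not belongs_to(sender_domain, legit_domain):
        signals.append(f"sender domain {sender_domain} is not {legit_domain}")
    links = LinkCollector()
    links.feed(msg.get_payload())
    for href in links.hrefs:
        host = urlsplit(href).hostname or ""
        if host.replace(".", "").isdigit():  # "a string of numbers"
            signals.append(f"link goes to a numeric address: {host}")
        elif not belongs_to(host, legit_domain):
            signals.append(f"link host {host} is not {legit_domain}")
    return signals

# Constructed sample message; every name and address in it is made up.
SAMPLE = """\
From: "Example Bank" <alerts@bank.example.cn>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please <a href="http://192.0.2.10/login">sign in to www.bank.example</a> or
<a href="http://bank.example.verify.test/">confirm here</a>.
<a href="https://www.bank.example/help">Help</a></p>
"""
if __name__ == "__main__":
    print("\n".join(phishing_signals(SAMPLE, "bank.example")))
```

The comparison is made on the end of the host name, so an address that merely begins with the real name (`bank.example.cn`, `bank.example.verify.test`) is still flagged, while `www.bank.example` is not.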
Messages marked "Urgent" are usually frauds.
To be safe, it is best that you don't click on any links in an email purporting to be from a bank or financial institution - chances are it is a fraud. If you want to go to the website of your bank, type the address into your browser.
Fraudulent websites generally have deceptive URLs. Look carefully at the address of a website - if it is not in the normal business.com format, it may be fraudulent. Many fake sites will place a picture of a fake lock icon on their site. Make sure the secure lock icon is in the browser frame, not inside the browser window.
Never click on an email attachment from someone you don't know.
The Anti-Phishing Working Group has more advice about avoiding scams. If you have been the subject of a scam, you can file a complaint with the Federal Trade Commission and learn more at their Identity Theft website. Microsoft and eBay have good advice on how to recognize and avoid phishing scams.
All of the major browsers allow you to reject cookies outright (although that may interfere with the functioning of various Web sites you want to use regularly) and to view and delete the cookies that have been put on your computer. You may have to dig around in the Help section or on the browser's Web site to find the cookie controls, since they vary from browser to browser and even between different versions of the same browser. In Safari, for example, you will find cookie controls under Safari > Preferences > Security. In Internet Explorer 6, you can find the options for controlling cookies by clicking "Internet Options" on the "Tools" menu, and then clicking the "Privacy" tab. Deleting cookies already on your computer will require a separate set of steps; again, you may have to dig through the Help section or search online for instructions.
One point of caution: Some privacy opt-out systems rely on a cookie. If you delete the cookie, your opt-out is canceled. For this reason and others, it is probably best to delete your cookies selectively, not wholesale.
If you go online, your computer could be infected by various kinds of malicious software, ranging from viruses to spyware. "Spyware" is used to deliver unwanted pop-up ads or to steal sensitive information. These programs create privacy problems, open security holes, and otherwise degrade the performance of your computer. Worse, you often can't tell what's wrong with your computer and even if you knew what you were dealing with, it can be very hard to uninstall spyware.
The best solution is to keep nasty software off your computer in the first place. Fortunately, there is a thriving market for security software that you can use to protect your computer. Anti-virus and anti-spyware software takes many forms, but if you use a reputable product, your computer will be protected from most (although not all) security threats. Check the reviews online at CNET or in Consumer Reports or use sites like GetNetWise.org for a list of good choices. Just make sure you get your security software from a reliable vendor; often, spyware masquerades as software to protect your computer!
The vulnerabilities in your computer software that viruses and spyware take advantage of are most likely being fixed or "patched" constantly by the developers of the basic software you use. Microsoft, for example, issues patches for their products once a month, on the second Tuesday (and more often if needed). You can set up your computer to automatically check for upgrades, and most security updates are free. When an application that you installed asks whether to update itself, you almost always want to do so promptly in order to ensure that you have the most up-to-date security in that application or on your operating system. Likewise, new security features are often incorporated into new software upgrades, so new versions of software you already own may be worth the upgrade. Check out what the reviewers have to say and see if the upgrade will protect you online.
And remember, don't click on links or attachments in emails even if they promise security upgrades. Recently, an email purporting to be from Microsoft had a virus. If you are looking for a security upgrade, it is best to type the address of the company into your browser address bar - such as "http://www.microsoft.com/downloads/".
Secure your laptop, your phone and other portable devices with a strong password. Keep your important files out of any shared or public folders. In situations where there is a particular need for security, you should use encryption. You can encrypt your e-mail and you can encrypt files stored on your personal computer. However, in order to encrypt your e-mail, both sender and recipient must use the same program. This is fairly common within closed systems (such as for communications among the employees of a government agency or within a corporation and between the corporation and its suppliers), but relatively few individuals use encryption for their daily email with people outside their own institution. The major e-mail programs (i.e., Internet Explorer Outlook) have encryption built in. Pretty Good Privacy (PGP), a popular encryption program, is free for non-commercial use. PGP can also be used to encrypt files on your computer.
While many people assume that they are anonymous on the Internet, the reality is much more complicated. It is best to think of the Internet as offering varying degrees of anonymity. For example, a digital cash system like PayPal offers good privacy and security protection for most purposes, in which you do not have to reveal your identity to the other party to a transaction. Likewise, for a variety of purposes, a pseudonymous e-mail address registered with a free service offers a form of anonymity. However, a law enforcement agent or a private individual or corporation armed with a civil subpoena could, with a couple of steps, unmask the identity of the average person who uses these services and others.
For especially sensitive matters, certain browsing tools can help increase your anonymity by hiding your computer's identifying information. Anonymous browsing tools are readily available on the Net. Visit http://www.torproject.org and http://www.anonymizer.com.
"Anonymous remailers" can allow you to send anonymous email messages. However, different anonymizers use different methods, in ways that may crucially affect their effectiveness. Despite the fact that the name "anonymizer" implies that you are completely anonymous from all parties, this is rarely the case. Therefore, it is important to closely study what the anonymizer does when deciding which tool to use for which purpose. At this time, CDT is not recommending any particular anonymous remailer.
Do not use passwords that can be easily guessed by someone who knows your name. Especially do not use your children's or spouse's names, your date of birth, current or old addresses, phone numbers, or Social Security number -- it is just too easy for someone to find out these things about you. Do not use the same password across sensitive sites. Change your passwords occasionally.
Reading our Top Ten list and seeing frequent news stories about identity theft online is enough to make any Web user paranoid. However, a bit of common sense can go a long way. Online, ask yourself the same questions you would ask and use the same kinds of tools you would use when you are in the "real" world: If a Web site is not a brand name you recognize, do some consumer research; see if there are any complaints online about the company. If a deal seems too good to be true, it probably IS too good to be true.