Personal Privacy for Computer Users
This article is a copyrighted work of PestPatrol.
Introduction
Computer users all over the world have consistently indicated that
privacy is one of the key elements in their willingness or reluctance to
use information technology. Collecting information about users has
become a lucrative business, with some companies funding their
activities primarily through the sale of marketing data or lists of
potential customers with details that allow targeted contacts.
Unsolicited commercial e-mail, or spam, has become a daily annoyance for
millions of e-mail users. Telemarketing phone calls generate enormous
resistance, especially when unscrupulous businesspeople call your home
during the dinner hour or refuse to take victims off their calling
lists. Grocery store loyalty cards not only provide discounts, they also
track individual purchases; in some stores, customers' information
allows specialized, targeted coupons to be printed at the cash register
so that a competitor's product can be purchased at a discount on the
next shopping trip.
On the interpersonal level, some people use Web-based services to
look into the personal background of individuals on the Internet;
employers use search engines and archives to read public postings by
potential employees; and criminals sift through personal details to
construct forged identities in the furtherance of identity theft. All
these activities are possible without the use of computers, but they are
greatly facilitated by the availability of large-scale databases online
and of efficient search engines for collating data from different
sources. Research that might have taken months of legwork, perhaps
requiring personal visits to government offices to copy data laboriously
by hand, can now be completed in minutes. As a result, finding out about
people's lives has changed from one-by-one investigation into massive
collation of data about millions of people at a time.
Personal computers have provided fertile ground for data collection
about individuals. Many Web sites store information about individual
users' browsing patterns in files called cookies, which reside on the
user's hard disk. Cookies allow personalized views of a Web site; for
example, an online bookstore can keep track of all the books that a user
has searched for or requested additional information on. This
information then allows the bookstore software to suggest additional
titles that might interest that specific user. On a less friendly note,
some users of particular software programs have been surprised to
discover that their programs are placing unauthorized calls to data
collection sites on the Internet to upload information about their
systems or system usage.
All of these phenomena raise issues of privacy in the age of
cyberspace. In this short paper, ordinary, non-technical users can get a
sense of the fundamental issues that face all of us as we try to strike
a balance between efficient commerce and our concerns about personal
privacy.
Concepts of Privacy
Privacy can be thought of as the power to hide parts of the truth
about oneself, or sometimes the power to control the use of truths about
one that other people know. For example, many people would consider that
the books they read or what they say in private to each other ought to
remain private. In addition, the concept of informational privacy covers
truths they may have revealed to others for specific purposes but that
ought nonetheless to be controlled. Medical records, for instance, would
seem to be semi-private under this view; a patient could reasonably
approve having her gynecological data shared with doctors and nurses
without wanting the details to be published in a newspaper or on the
Web. Simson Garfinkel eloquently addresses the fluidity of privacy as
follows: "Privacy isn’t just about hiding things. It’s about
self-possession, autonomy, and integrity . . . . It’s the right of
people to control what details about their lives stay inside their own
houses and what leaks to the outside."
In United States legal theory, a statement by Justice Louis Brandeis
sums up the American attitude towards privacy:
"The makers of our Constitution . . . sought to protect Americans
in their beliefs, their thoughts, their emotions and their sensations.
They conferred as against the Government, the right to be let
alone—the most comprehensive of the rights of man and the right most
valued by civilized men."
Under common law, invasion of privacy can consist of
- Intrusion upon a person’s seclusion in a substantial manner that
would offend a reasonable person, such as pointing telephoto lenses at
a bedroom window;
- Appropriation of a person’s name or likeness – of concern
primarily to celebrities who object to unauthorized use of their name
or image in advertising campaigns;
- Publicity given to someone’s private life such as details of
sexual conduct, medical or psychiatric history; and
- Publicity placing a person in a false light, such as insinuating
that individuals support a particular political view when they don’t.
One of the best definitions is as follows:
"Privacy:
- The right of an entity (normally a person), acting in its own
behalf, to determine the degree to which it will interact with its
environment, including the degree to which the entity is willing to
share information about itself with others . . . .
- The right of individuals to control or influence what
information related to them may be collected and stored and by whom
and to whom that information may be disclosed . . . . ."
Another key concept is that "There are two kinds of truth that the
law might try to protect:
- Truths about you that you have revealed to the public, either by
giving some information over to someone else, or by being observed in
public; or
- Truths about you that you have kept private."
Prof. Lawrence Lessig analyzes conceptions of privacy into three
major concerns: minimizing intrusion, maintaining human dignity and
constraining the power of the state (what he calls the substantive
conception).
Cryptographer and security theorist Bruce Schneier makes an
interesting point about the fundamental types of privacy violations:
"There are two types of privacy violations—targeted attacks and data
harvesting—and they are fundamentally different. In a targeted attack,
an attacker wants to know everything about Alice. If ‘Alice’ is a
person, it’s called stalking. If ‘Alice’ is a company, it’s called
industrial espionage. If ‘Alice’ is a government, it’s called national
intelligence or spying . . . ." In contrast, writes Schneier, data
harvesting uses inference to sift through different lists of data about
large numbers of data subjects and allows the attacker to generate a
list of people who fit specific selection criteria.
The US Constitution does not specifically mention privacy, but the
Fourth Amendment is usually applied when discussing government intrusion
on people’s lives. The Amendment specifically forbids unreasonable
search and seizure by government and law enforcement agents.
The distinction between government intrusion and intrusion by private
commerce is important, because in the US, there are fewer privacy
restrictions on private industry than on government. For example, buying
a book, ordering a video, seeing a movie in a theater and eating in a
restaurant have traditionally been seen as public activities; US law has
said little about limiting observations of these kinds. Certainly
financial information about consumers has been widely shared among
lending institutions (including such unexpected entities as auto
dealerships and appliance stores) and among credit agencies. The most
important difference between government and private intrusions is that
consumers can (often unknowingly) sign away their privacy rights by
agreeing to contracts. End-user license agreements often contain
language that specifically reduces a member’s or a user’s privacy
rights.
In contrast, the European Union has promulgated much more stringent
regulations – primarily the Data Protection Directive – on the sharing
of private information – to the point of causing friction with US-based
firms doing business in Europe. Until 1998, there were serious
limitations to how European countries could transfer personal data to
firms doing business in the USA; however, the "Safe Harbor" agreement
provided a framework that gave credibility to the non-governmental,
self-regulatory strategies favored in the US.
The US government has also progressed in national legislation to
protect privacy. The two most important measures are the Health
Insurance Portability and Accountability Act (HIPAA) that governs
privacy of medical records and the Gramm-Leach-Bliley (GLB) Act that
protects financial records about individuals.
In daily life, many people also have concerns about their privacy at
work. In general, in the USA, the reasonable expectation of privacy
governs to what extent employers may monitor electronic communications
except personal phone calls. Because organizations own or control their
e-mail, voice-mail and Internet-access systems, managers do have the
right to monitor or intercept communications made via those media.
However, it is generally accepted that employees be allowed to make
personal phone calls from work; indeed, according to the Electronic
Communications Privacy Act (ECPA), any manager monitoring a live phone
call is supposed to stop listening as soon as it is clear that the call
is a personal one. All of this monitoring supposes that employees are
aware of the likelihood of monitoring and that monitoring is carried out
in a fair, unbiased way that cannot be construed as harassment or
persecution of individual employees. Normally, employees must sign
waivers (in many places every year) stating that they understand that
the communications channels provided by their employer are the property
of and under the control of the employer and may be monitored or
intercepted at any time. A good rule of thumb is that no one should be
doing anything on employer-supplied equipment that they would be
embarrassed to discuss with their manager. Certainly writing extensive
personal e-mail messages at work or spending hours on the Web in
searches that are unrelated to one’s job will result in questions about
an employee’s level of productivity.
In Europe, in contrast to the US situation, all personal
communications by employees, including telephone, e-mail and via the
Internet, are considered private and therefore subject to the Data
Protection Directive restrictions.
Technological Threats
Office software
Modern computer technology offers many avenues for violating users’
privacy. For example, few users realize that if they allow Microsoft
Office products to use "fast saves," they silently keep a full record of
all the changes that they have made in a document. The same principle
applies to changes made with "track changes" enabled. When such
documents are sent to others, much more information may be revealed than
expected; examples include comments from editors, reconsidered phrases,
and even factual information that was supposed to be suppressed. Even
the seemingly inoffensive Properties sheet may carry more freight than a
user wants; many documents show the names of previous employers, details
of managers' names and positions, and even comments that should not be
made public. Before sending any MS-Office products to anyone else, all
users should check to see that
- The properties sheet has no more information than they wish to
reveal;
- They have unchecked "fast save" in the TOOLS | OPTIONS | SAVE
menu;
- They have turned off TRACK CHANGES by using the TOOLS | TRACK
CHANGES | ACCEPT OR REJECT CHANGES menu and converting all changes
into decisions on the final copy to be released.
Malware and spyware
Malicious software such as viruses (programs that reproduce by
inserting themselves into other programs) and worms (self-reproducing
programs that propagate through networks) sometimes carry victims’
documents with them. Recent examples of such privacy-busting malware
include the Sircam worm and the Nimda virus-worm.
Spyware is software that covertly transfers information about an
unsuspecting user to a corporate site where the information can be
collated and used for marketing or as material to be sold for a profit.
Spyware often enters a system through freeware or shareware, especially
those that are ad-supported. Some browser plug-ins that offer new
functions may contain spyware. Even HTML-enabled e-mail sometimes
contains tiny one-pixel graphics images (Web bugs) that reside on
undocumented Web sites; reading such e-mail causes a hit on the data
collection site, thus confirming that the message has been opened and
allowing an advertiser to be charged for the potential exposure to
another victim of covert monitoring.
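The Web-bug mechanism described above can be checked for in a saved message. The following is an added example, not part of the original article: it parses an HTML e-mail and lists remote images declared as one pixel or smaller. The sample message and every host name in it are constructed placeholders.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (all hosts are placeholders under .example).
SAMPLE_EML = """\
From: newsletter@shop.example
To: user@mail.example
Subject: Weekly offers
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Weekly offers inside.</p>
<img src="https://shop.example/banner.png" width="600" height="120">
<img src="http://track.adnet.example/o.gif?uid=8841" width="1" height="1">
<img src="cid:logo@shop.example" width="1" height="1">
<img src="https://stats.adnet.example/p.gif?m=42" style="width:1px; height:1px">
</body></html>
"""

# width/height declarations inside a style attribute (not max-width, not 1%).
STYLE_DIM = re.compile(r"(?<![-\w])(width|height)\s*:\s*(\d+)(?![\d.%])", re.I)


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def dimensions(img):
    """Return (width, height) in pixels, or None where a size is not given."""
    dims = {}
    for name, value in STYLE_DIM.findall(img.get("style", "")):
        dims[name.lower()] = int(value)
    for name in ("width", "height"):
        value = img.get(name, "").strip().lower()
        if value.endswith("px"):
            value = value[:-2]
        if value.isdigit():
            dims[name] = int(value)
    return dims.get("width"), dims.get("height")


def find_web_bugs(raw_message):
    """List (host, url) for remote images that are at most 1x1 pixel."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            url = urlparse(img.get("src", ""))
            if url.scheme not in ("http", "https"):
                continue  # cid:/data: images are embedded; reading causes no remote hit
            width, height = dimensions(img)
            if width is not None and height is not None and max(width, height) <= 1:
                findings.append((url.hostname, img["src"]))
    return findings


if __name__ == "__main__":
    for host, url in find_web_bugs(SAMPLE_EML):
        print(f"possible web bug -> {host}: {url}")
```

The embedded `cid:` image is skipped even though it is 1x1, because it travels inside the message and opening it contacts no server.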
Many spyware products allow uncontrolled downloading of arbitrary
code, thus threatening the integrity of the operating system; for
example, the update-dll.exe file has already been found in three
different versions in the wild, some of which may be transformed to
download unauthorized code. This file is installed by the Aureate /
Radiate toolkit, which is used in programs that currently reside on over
30 million computers today.
Spyware programs have also been demonstrated to cause browser and
operating system crashes. For example, one of the files associated with
the Aureate/Radiate toolkit is advert.dll, which is routinely removed by
technical support personnel to stop repeated system crashes.
One way of discovering that a computer is infested with spyware is to
set a personal firewall to alert the user whenever a new request for an
outbound connection is made. Tools such as BlackIce, Norton Personal
Firewall, and ZoneAlarm provide such functions. In addition, a
spyware-blocking tool called Silencer can block all messages from being
returned to spyware "mother ships." Steve Gibson, a highly-respected
programmer, makes a free utility called LeakTest that checks your
firewall or spyware-blocker to be sure that unauthorized messages are in
fact being blocked.
Many spyware programs resist uninstallation; even after going through
the uninstall routines, functional programs may persist and continue to
communicate with their host systems (this is known as "phoning home" in
a reference to the movie "E.T."). It can be frustrating and
time-consuming to remove all vestiges of unwanted spyware, and most
users lack the technical ability to ferret through the system registry
and file system looking for unauthorized entries.
Another category of threats to privacy is the remote-administration
trojan, sometimes called RAT. These tools masquerade as legitimate
programs for administrators to use when providing technical support;
however, products such as BackOrifice, NetBus, and SubSeven are trojan
horses which include undocumented functions that allow unauthorized
individuals to gain complete control over the compromised systems.
Infested systems can show bizarre behavior, such as repeated opening and
closing of the CD-ROM tray, disabled keyboards, and pop-up messages.
Worse still, the remote attackers can extract all kinds of information,
including screen snapshots, lists of files, copies of private files, and
even keyboard logs showing the keys pressed while entering passwords.
Any online activity, including instant messaging, is vulnerable to
invasion by these stealthy invaders.
A number of products are available to address the removal of some or
all of these types of malware. Aureate/Radiate DLL Remover and AdAware
from Lavasoft specifically address certain types of spyware; PestPatrol,
from the company that commissioned this paper, addresses the removal
of trojans, hacker tools and denial-of-service attack agents in addition
to spyware and adware.
Ten Tips for Increasing Online Privacy
Check out these practical tips to improve your privacy protection
while you're online.
- Look for privacy policies on web sites:
Web sites can collect a lot of information about your visit - what
computer you use, what type of hardware and software you have, what
web sites you have visited. Web sites that ask you to provide even a
small amount of personal information can tie the data you provide to
your browsing habits. When you go to a web site that has no privacy
policy, write and tell the company that you are a user of their site,
your privacy is important to you and you would like to see them post a
policy. An increasing number of web sites have begun to provide privacy
policies that detail the sites' information practices. Look for these
policies and read them carefully. While privacy statements are not the
only answer to online privacy risks, the effort should be encouraged
and commended.
- Use a separate account for your personal e-mail:
Often, online users do not realize that e-mail sent from their work
accounts is likely to be an open book to their employers. Even if you
send an e-mail from your home, a copy is often stored on your
employer's main computer server. Your boss has a legal right to read
any and all correspondence in this account or on your work computer at
any time. Getting a separate account for home allows you to check your
personal messages without using your workplace e-mail server.
- Teach your kids that giving out personal information online
means giving it to strangers:
Teach your children that they need your permission before they can
give out their name, address or other information about themselves or
the family. Several years ago, a number of web sites encouraged
children to give information about themselves or their family; some
enticed kids with games and free gifts. In 1998, a law was passed
requiring companies to gain parental consent before collecting
personal information from children under 13 years old. If you are
concerned about a web site collecting information from children
without consent, you should communicate your concern to the Federal
Trade Commission at
kidsprivacy@ftc.gov.
- Clear your browser cache after browsing:
After you browse the web, copies of all accessed pages and images are
saved in your computer's memory. While these copies make subsequent
visits to the same sites faster, the browsing record has grave
implications for personal privacy, particularly if you share a
computer or browse at work. You can delete most of your online trail
by simply going to the "Preferences" folder in your browser and
clicking on the "Empty Cache" button. Sometimes this option is in the
"Advanced" menu of the browser preferences. In Internet Explorer, go
to "Internet Options" from the "Tools" menu and click on "Clear
History".
- Make sure that online forms are secure:
Online forms may be digitally transported in ways that leave them
vulnerable to undesired access. Alternatively, online forms may be
encrypted so that only the intended recipients can readily translate
the information. Ensuring that your information is stored and
transferred in secure ways is one of the keys to protecting your
privacy online. Fortunately, browser companies have realized the
importance of data security; newer browsers are designed to indicate
whether the accessed page allows encrypted transfers. The commonly
used graphics are a key, which is broken if the page is insecure, and
a lock—locked is secure and unlocked is not secure. The graphic
appears in the corner of the browser screen; clicking on the lock or
the key will inform you of additional security information about the
page. You should not input sensitive personal information about
yourself (such as financial or medical data) on web pages that are not
secure.
- Reject unnecessary cookies:
Cookies enable web sites to store information about your visit on your
own hard drive. Cookies inform site operators if you have visited the
site and, if you have obtained a username and password, cookies
remember that information for you. Many of the "personalized" search
engines use cookies to deliver news topics that users select; sites
often use these same preferences to target advertisements. Cookies can
also be used to track you online and enable the creation of a profile
without your realizing it. You can search your hard drive for a file
with the word "cookie" in it (e.g., cookies.txt or MagicCookie) to
view the cookies that have been attached to your computer. Newer
browsers allow you to recognize sites that send you cookies and reject
them outright by accessing the "Advanced" screen of the "Preferences"
menu. In Internet Explorer, delete cookies by clicking on the "Delete
Files" button in the "General" icon of "Tools" "Internet Options"
menu.
- Use anonymous remailers:
Anonymity is essential to privacy and free speech. It protects whistle
blowers and writers of controversial material; most simply, it may
enable one to publish without a forwarding address. The e-mail
technology creates problems for the right to anonymous communication
since the sender of a message can be traced back through digital
paths. Created to address privacy risks and concerns, "anonymous
remailers" presently allow you to send anonymous e-mail messages. One
very good remailer was created as a joint project of the George Mason
Society and the Global Internet Liberty Campaign and is available on
the web at
http://www.gilc.org/speech/anonymous/remailer.html.
- Use encryption to keep your e-mail private:
E-mail is not as secure as many believe. E-mail can be easily rerouted
and read by unintended third parties; messages are often saved for
indefinite periods of time. Presently, there exist technologies that
allow you to encrypt your messages in order to protect their privacy.
Some e-mail programs (e.g., Internet Explorer Outlook and Netscape
Messenger) have encryption. Pretty Good Privacy (PGP), popular
encryption software, is free for non-commercial use. Read more on PGP
and download the encryption software at
http://web.mit.edu/network/pgp.html.
- Use anonymizers while browsing:
From the moment you type in a web address, a log is kept with
information about your visit. Every day, most of us walk down the
street without being recognized or tracked. While anonymity is often
taken for granted in the physical world, such luxury is not available
online. Tools that strip out user information, thus preserving
anonymity, have been created; a few are readily available on the net.
Visit http://www.freedom.net and
http://www.anonymizer.com.
- Opt out of third-party information sharing:
Many online companies provide you with the option to get off (or
"opt-out" of) the lists that share your information. Some companies
enable users to easily opt out—users are often able to do so online. A
number of companies go a step further and ask your permission (opt-in)
before sharing personal information that they have collected. Often,
however, companies make opting out difficult or virtually impossible:
addresses are buried, one cannot opt-out online, etc. Don't be afraid
to contact the sending company if you want to be removed.
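For the "Reject unnecessary cookies" tip above, the following added example (not part of the original article) reads a `cookies.txt` file in the tab-separated Netscape layout and lists persistent cookies that will outlive one year, the kind most useful for building a long-term profile. The sample file, its domains and the fixed clock value are constructed for illustration.

```python
from collections import namedtuple

Cookie = namedtuple("Cookie", "domain path secure expires name value http_only")

# Constructed sample in the tab-separated Netscape cookies.txt layout
# (domains are placeholders; expiry is seconds since 1970, 0 = session cookie).
SAMPLE_COOKIES = (
    "# Netscape HTTP Cookie File\n"
    ".bookstore.example\tTRUE\t/\tFALSE\t0\tsession\tabc123\n"
    ".adnet.example\tTRUE\t/\tFALSE\t1893456000\tuid\t8841f0c2\n"
    "#HttpOnly_.bookstore.example\tTRUE\t/\tTRUE\t1706745600\tlogin\tuser42\n"
    "this line is damaged\n"
)

NOW = 1704067200  # fixed "current time" (2024-01-01 UTC) so results are repeatable


def parse_cookies_txt(text):
    """Parse cookies.txt content into Cookie records, skipping bad lines."""
    cookies = []
    for line in text.splitlines():
        # Some tools (curl, for example) mark HttpOnly cookies with this
        # prefix; it looks like a comment but carries a real cookie.
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # damaged or foreign line
        domain, _subdomains, path, secure, expires, name, value = fields
        cookies.append(
            Cookie(domain, path, secure == "TRUE", int(expires), name, value, http_only)
        )
    return cookies


def long_lived_cookies(text, now=NOW, max_days=365):
    """Return sorted (domain, name, days_left) for cookies outliving max_days."""
    flagged = []
    for cookie in parse_cookies_txt(text):
        if cookie.expires == 0:
            continue  # session cookie: discarded when the browser closes
        days_left = (cookie.expires - now) // 86400
        if days_left > max_days:
            flagged.append((cookie.domain, cookie.name, days_left))
    return sorted(flagged)


if __name__ == "__main__":
    for domain, name, days in long_lived_cookies(SAMPLE_COOKIES):
        print(f"{domain}: cookie '{name}' persists for {days} more days")
```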
Summary
There are many threats to privacy in this age of increasing
connectivity. You can prevent compromise by criminals and by
privacy-invading pest infestations by following these simple rules:
- Read the fine print before installing any software, and especially
adware that is supported by channeling ads to your computer;
- Install and configure a personal firewall on your computer to
identify and block unauthorized outbound connections as well as
unauthorized inbound connections;
- Always run an antivirus program that updates itself automatically
to counter new threats;
- Scan your system regularly with a tool like PestPatrol, which
identifies and removes not only spyware but also many thousands of
other pests that can hurt your computer and your privacy.
About PestPatrol
PestPatrol, Inc. is a Carlisle, PA-based developer of anti-hacker
tools founded in May 2000 by a team of security software professionals
to counter the growing threat of malicious non-viral software. The
company's founders, Robert C Bales and Dr David Stang, were the original
founders of the National Computer Security Association (NCSA), later the
ICSA and now known as TruSecure Corporation. The company's flagship
product, PestPatrol™, detects and removes hacker, remote administration
and distributed denial-of-service attack creation tools, trojans,
spyware and adware. Further details about the company and a free
evaluation version of the software may be downloaded at
http://www.pestpatrol.com/downloads/eval/download.asp.