privacy enhancing technologies: protecting information online

FEATURE

Browsing the Internet results in the creationof information about a user’s browsinghabits and preferences that Web sites cancapture. Web sites may obtain informationthrough a variety of mechanisms, all ofwhich raise issues about privacy of personalinformation. Privacy enhancing tech-nologies can be utilized by users to restrictor limit the information made availableonline.

Anonymous surfingCookies are small packets of informationcreated by the servers of Web sites visited byusers. The cookie is automatically stored onthe user’s hard drive without theirknowledge (unless the user’s browser hasbeen set to reject them), and may beaccessed by the server when the user revisitsthe particular site. The information storedon a cookie can include header data (e.g. IPaddress, browser information and time/dateof visit) and click-stream data (i.e. a list ofsites last browsed by the user) as well as anyinformation which is voluntarily disclosedto a site, for example, for registrationpurposes.

The cookie sends the information storedon it to the Web site which can use it to‘personalize’ a page. For example, if a user haspreviously searched for information on‘travel insurance’, a banner advert containinga related product such as ‘cheap flights’ willappear. Cookies can also save a user time bylimiting the need for re-registering or re-entering a password to gain site access.

Cookies provide a source of valuablemarketing information. Popular links and

features can be identified and, particularly ifa user has registered with a site andtherefore disclosed personal data, a valuablecustomer profile may be built. Thisprofiling enables Web sites to builddatabases and carry out data mining,information from which can be used to planfuture marketing strategies.

Although cookies can be considereduseful, saving users time and personalizingtheir online experience, many still objectto the fact that unbeknown to them, Websites store personal information aboutthem for use, for example, for marketingpurposes.

In response to this objection,technologies have been developed toprevent cookies from being stored, or togive users options on which cookies theywish to accept. The simplest way a user cantake control of their cookies is by pre-setting their browser to notify them when aWeb site tries to store a new cookie.Internet Explorer and Netscape browsersboth provide a facility which notifies usersbefore cookies are set, and offers them theoption to reject them.

However, pre-setting your browser in thisway can soon become an annoyance,requiring a user to take action to actively

reject each cookie. A better method oferadicating cookies is by use of softwaresuch as the Cookie Crusher, CookieCrumbler or Cookie Monster which can bepre-set to remove all cookies from user’shard drives without prompting. Furtherinformation about these technologies, andcookies generally, is available fromwww.cookiecentral.com.

AnonymizerAnonymizer.com offers a service that doesmore than simply ensure that cookies arerejected or deleted. To prevent informationof any kind being made available to a Website or listed in the history folder of a user’sbrowser, users can visit the AnonymizerWeb page (www.anonymizer.com) and viewother Web addresses through theAnonymizer site. In this way theAnonymizer site acts as a kind ofintermediary barrier between the user andthe Web site preventing information aboutthe user being made available to Web siteswhich are viewed through it.

Anonymous messagingAnonymizer E-mail is a service that enablesindividuals to send messages that do notidentify the sender of the message (availablethrough www.anonymizer.com). Thissystem has the advantage of enablingindividuals to freely post messages voicingtheir opinions without fear that expressingtheir views will be unfairly damaging tothemselves. Using re-mailers can also limitspamming since spammers have lessopportunity to obtain a user’s E-mailaddress.

CryptographyIn 1990 a counter terrorism Bill wasproposed in the US which stated“manufacturers of electronic comm-unications service equipment shall ensurethat communications systems permit theGovernment to obtain the plain textcontents of voice, data and othercommunications when appropriatelyauthorized by law.”

In effect, the proposal meant thatmanufacturers of encryption technologies

Privacy EnhancingTechnologies: ProtectingInformation OnlineRacheal Ott

Use of the Internet around the globe is on the increase. An estimated 40 million usersin the UK alone, now have access to the Internet either at home or at work. However,despite the increase in awareness about the Internet as an information source, peoplewho make use of the Internet for personal or business purposes are generally unawarethat whilst browsing the Web they may make their personal information available tothe Web sites that they visit.

“Although cookies can beconsidered useful ... manystill object to the fact that... Web sites store personalinformation about them”

11

FEATURE

would have to insert ‘back doors’ in theirproducts, to enable the Government to readanyone’s encrypted information. Althoughthe Bill failed to become law, it was inresponse to this threat that PhilZimmerman decided to develop a strongencryption tool, for use by the general E-mail sending public, which was capable ofpreventing Government access.

‘Pretty Good Privacy’ (known as PGP) wastherefore born, combining features ofconventional and public key cryptography,the PGP system has become the conventionalmeans by which users world wide send secureencrypted E-mail messages. The maindrawback of the system however, is that it canonly be used to communicate between partiesthat use PGP. Without the PGP system thereceiver of PGP encrypted cipher-text willnot be able to decrypt it.

PGP is freely available for download onthe Web; users outside the US can visit theInternational PGP site at www.pgpi.org forfurther information.

Recent developments

Internet Engineering Task Force

The Internet Engineering Task Force(IETF) recently proposed a new InternetProtocol (IP) address scheme, which wouldinclude a serial number, unique to eachcomputer. Privacy advocates have voicedconcerns over these proposed IP addresses,which enable information sent over theInternet to be traced to a particularcomputer. The serial number could also bematched with cookies stored on a users harddrive to create a profile of the user of aparticular computer. The IETF have soughtto reassure those with privacy concerns bytaking steps to identify a method toconfigure the proposed IP addresses toavoid inclusion of the unique identifyingnumber. It remains to be seen whether this

scheme will be a cause of concern to privacyadvocates, however….

Enonymous.com

Enonymous.com, a US-based Internetcompany has developed a software toolaimed at enabling users to protect theirpersonal data online whilst makingavailable selected anonymous informationwhich can then be utilized by Web sites tocreate a personalized shopping experience.

Users who wish to take advantage of thissystem can download the software from thewww.enonymous.com site. The softwareinitially asks the user to enter their personaldata (e.g. name, address and telephonenumber) which is then securely coded andstored. Users can then choose to join the‘enonymous community’ by disclosing theirpersonal characteristics (e.g. likes, dislikes,age and profession). The characteristicinformation and identifying data are neverlinked, enabling users to have the benefit ofcustomized browsing without concerns overprivacy.

The enonymous software additionallyoffers a privacy seal and awareness service.The four-star scheme has rated 10 000 Websites on the strength of their privacy policies.When a user visits a rated site, the softwareautomatically informs the user of theexistence and extent of the site’s policy. Thesoftware also automatically recognizes Webpages which feature online forms. Users canchoose to allow the software to automaticallycomplete the form using an anonymousprofile which combines fictitious identifyingdata with the user’s own characteristics. Thisoption again enables users to protect theirprivacy whilst benefiting from a personalizedbrowsing experience.

Novell digitalme

Novell recently launched a new, free serviceaimed at allowing Web users to controltheir personal information online. Thedigitalme technology (www.digitalme.com)enables users to create a variety of digitalcalling cards containing different, specifiedamounts of their personal information oftheir choice, depending on to whom theinformation is to be disclosed. For example,a card that can be used for online shoppingmay be created which contacts only thatpersonal information which a user is

prepared to disclose to the E-retailer. Amore detailed card could be created forsending to friends and family. A card couldalso be created for use in work situations, atype of digital business card.

The cards can only be accessed andaltered by their creator; protected by strongencryption technology, the database wherethe cards are stored does not even permitNovell to gain access to a user’s mecards.

Those who sign up can build a digitalmeaddress book when they exchange cardswith other users. The advantage of thisaddress book is that it is always current. If auser, for example, updates their addressdetails, the change will automatically benotified to those users with whom they havealready exchanged details. The technology

used enables users to manage and tracktheir personal information, a crucial featurefor those with privacy concerns.

The Internet has sparked an informationrevolution. Users world wide now have instantaccess to information previously beyond theirreach. Many users however, fail to recognizethat their own personal information, disclosedvoluntarily online, obtained through the useof cookies or available through unsecuremessaging services, has become part of thisnew information source.

Whilst some users may feel happy abouttrading their personal information in returnfor a more tailored service or incentivessuch as free access to an online newspaper,others feel anxious about the effect thesetechnologies have on their ability to controltheir personal privacy. The market hasresponded to the needs of users who havesuch concerns by developing a variety oftechnological tools that can be employed tosafeguard their personal information online.

About the author

Rachael Ott works at Masons Leeds office.Specializing in Information and Technologylaw, Rachael is currently seconded to theInformation Computer and CommunicationsPolicy Division of the OECD in Paris.

12

“...the softwareautomatically informs theuser of the existence andextent of the site’s policy”

“the proposal meant thatmanufacturers of

encryption technologieswould have to insert ‘backdoors’ in their products”