Protect your identity as you surf

By Neal Brandstetter
(8/14/01)

The Internet is a dangerous place, full of profiteers who sell your personal data to information brokers and cunning criminals who have nothing better to do than steal your Social Security number, obtain credit cards in your name, go on spending sprees, and ruin your credit rating. So whether you're shopping at Macys.com or chatting with your buddies over ICQ, you'll need to take certain precautions to keep your personal info from falling into the wrong hands.

Fortunately, there's no need to get paranoid. To protect yourself, you simply need to understand potential dangers and know how to defend yourself. So get ready, because we're going to give you a whirlwind course on how to stay safe and keep your information private.

(Note: Because the majority of CNET's readers are running some flavor of Microsoft Windows, this article assumes that you do, too. However, many of our tips also apply to the Mac OS, Linux, or any other operating system that connects to the Internet.)

Hide your identity
Before you venture online, keep the following facts in mind:

• Someone on the Net can make money by selling your personal data.
• Every time you go online, you give someone new information--however small a piece it may be--about your preferences.
• Some data collectors are not content to wait for you to come to them and may try to trick or steal more information from you.

We can call these the Basic Rules of Personal Information, and they hold true for everyone who uses the Internet, from your Uncle Sid to Larry Ellison. Your good name and every iota of data about you is for sale. Since you're not getting a cut of the profits (at least, most people aren't), it's best to keep your private information to yourself. After all, once it's out of your hands, you have no control over who gets it and how they use it.

Protect your IP address
Like the number and street name of your real-world address, a computer's IP address tells others where and how to find the computer online. This identifier is composed of four numbers, each between 0 and 255, separated by periods (for example, 123.123.23.2). Every Web site and electronic device connected to the Internet must possess a unique IP address; that is, no two devices can have the same IP address at the same time.

If spammers or hackers manager to get your IP address, they can assault your PC with viruses or even hack directly into it to steal your personal data. You can put up dedicated hardware or software firewalls and install antivirus programs on every node in your network, but, given enough time and resources, a determined hacker can break into almost any computer.

You should guard your IP address as carefully as you would your full name and street address. Neither your browser nor Windows itself allows you to hide your IP address from the outside world, but some third-party software takes care of this problem. For $5 per month, Freedom , from Zero-Knowledge Systems, masks your true IP address from the real world by routing all your Internet data through the Zero-Knowledge network. This program can stump even Web bugs (see below).

If you use a dial-up connection, you're less at risk because your IP address changes with every session. But if you have an always-on connection, such as DSL or cable, you probably have a static or unchanging IP address. A static IP can leave you vulnerable to repeated scans and attacks. On the other hand, if you get a different IP address each time you connect to the Internet--a dynamic IP address --you can present a moving target for the hackers. If you're privacy conscious, ask your ISP for a dynamic IP address. Intruders will have a much harder time finding your computer time and time again if your address isn't constant.

Cookies keep track
But Web sites also use other technologies to track you down and trace your movement online. Cookies are small data files that the Web sites you visit can store in your browser's cookie file to track your path across the Web or record your user preferences. Most cookies have useful purposes. For example, if you register to view a specific Web site (such as the New York Times on the Web), the site can plant a cookie on your computer so that, thereafter, you won't need to enter your username and password to access the site. There are two kinds of cookies: persistent cookies, which remain on your computer even if you shut it down, and per-session cookies, which are often used to store the contents of a shopping cart and won't be saved once you power off your PC.

The threat cookies present isn't from the depth of the information they can reveal; cookies don't permit hackers unfettered access to your private files, for instance. The threat is a small but long-term erosion of your privacy. Most sites record cookies every time you click a new link within the site and can later find out which pages you read and how long you lingered. Such information may be very useful to marketers who mine it for details on your habits and likes or dislikes. Over time, these minute data fragments can help companies build a profile of you, which they could sell to yet more aggressive marketers.

Bugs do it better
If you delete the cookies regularly or configure your browser not to accept them (see Stop hostile apps for instructions), snoopy sites can't collect enough data to profile you. That's why some companies use Web bugs as a user-tracking backup if cookies don't work. Here's how Web bugs work: These tiny graphics, sometimes just a pixel high and a pixel wide, are the same color as a Web page's background. Any time you visit a site, the site must have your IP address before it can load any Web graphic file (including a Web bug), and, with your IP address in hand, the machine that hosts the Web bug can log your address for the duration of your session. Even with cookies blocked, bugs let sites track users surreptitiously. In many cases, the tracking may be benign--a site monitoring how popular a particular page is--but it isn't always just the site that uses a Web bug. Commercial sites with banner ads have discovered that ad banner companies themselves, such as DoubleClick, may use Web bugs to track the traffic on the sites that host their ads. So Web bugs can open you up to unwanted profiling, and (if the Web bug loads after a user fills in a Web order form, for example), possible junk mailing.

Stop hostile apps
Cookies aren't inherently malicious, but the ubiquitous little files inhabit your hard drive (if you use Internet Explorer, for instance, the cookies reside inside your C:\Windows\Cookies folder) and identify you via a string of numbers and letters (called a unique identifier) to the Web site or company that placed the cookie there. For instance, companies such as DoubleClick, Adbureau.net, or LinkExchange that provide advertising to Web sites can plant a cookie on your hard drive when you are reading one site (for example, Amazon.com) and then read that same cookie when you surf to a different DoubleClick-served site (for instance, CNN.com). That's how the company tracks you across multiple sites.

Take a bite out of cookies
Fortunately, your browser makes it easy to disable cookies: In Internet Explorer 5.x, click Tools > Internet Options, then choose the Security tab. Click the Earth icon labeled Internet, then click the Custom Level button near the bottom of the window. In the Security Settings window that opens, scroll down to the section labeled Cookies. To keep your browser from automatically planting cookies on your PC, select the Disable or Prompt option next to "Allow cookies that are stored on your computer" (in other words, the persistent cookies we mentioned earlier). It's generally OK to leave the per-session cookies enabled; these are the cookies that remember what's in your shopping cart when you use a Web store.

In Netscape, click Edit > Preferences and select the Advanced item in the left pane. Here, you can opt to block all cookies or to decide on a site-by-site basis. We recommend that you pick the second option and allow your browser to use cookies for some sites. That way, you can exercise a measure of control over your information and still take advantage of the cookie conveniences. If you're truly paranoid, however, you may want to disable all cookies even if it prevents you from, say, shopping efficiently online.

If you're curious about how many sites set cookies, check the "Warn me before accepting a cookie" box, and Navigator will pop up a dialog box each time a site tries to set a cookie. (Internet Explorer still lacks such an option.) We recommend that you try this for only a short time; the sheer volume of cookie request dialogs will likely drive you batty.

Be selective
Simply disabling cookies may not work for you, however. Internet Explorer doesn't let you block cookies sent to advertising companies while permitting cookies from the site you're visiting; it's all or nothing. Blocking all cookies eliminates the timesaving benefit of user preferences on free customizable news sites such as My Yahoo . If you use IE and want to pick and choose which sites are allowed to plant cookies on your hard drive, try the handy freeware CookieWall from AnalogX . CookieWall runs in your System Tray, silently monitoring your Internet Explorer cookie file every minute or so and allowing you to pick and choose which cookies to permit. When the program encounters a cookie that it hasn't seen before, a dialog box pops up to ask you what to do with cookies from this site--handy if, say, you register to use My Yahoo and don't want to have to enter your username every time you load the page.

Antiviral warfare
If you don't have antivirus software on your computer, get with the program! Every day your PC goes without proper protection is another day it risks infection --and infecting others. Viruses don't just wipe out your hard drive; some can steal your entire e-mail address book or implant programs on your hard drive (such as SubSeven or BackOrifice) that hackers can later use to break in to your computer. For $20, eTrust Antivirus software provides virus protection nearly as good as the big guns from Symantec or McAfee. Best of all, you can try it free for two months. For a more comprehensive antivirus program, however, you may want to shell out a few bucks for Norton AntiVirus .

Connection protection
If you use a high-speed connection such as DSL or cable, consider downloading ZoneAlarm, CNET's favorite free personal firewall . Firewalls not only keep hostile apps from entering your PC from the outside, they also block hidden or unknown software on your PC (the sort a virus could install) from connecting to the Internet without your knowledge and giving away your valuable information.

To find out how secure your connection is, go to Steve Gibson's Shields Up site and get a free test of your security. Shields Up performs many of the same tests hackers use to probe your computer for vulnerabilities and provides you with a summary assessment of your PC's security and what you need to do (if anything) to make yourself less vulnerable. Gibson's scan can tell you if the back door program is running but not if it has been (or is being) used. But a little information goes a long way. If you know the Trojan is there, you can work to get rid of it. Again, the price is right, so what are you waiting for?

Block spammers and scammers
Nearly everyone who uses the Internet lists e-mail as a primary reason for getting online, but when it comes to junk mail, electronic spam is more intrusive than the flyers that come rubber-banded to your doorknobs. That's because you, the Internet user, must pay for the bandwidth and disk space that spam takes up. Gobs of spam can also slow down your mail downloads. Even worse: once spammers know your e-mail address, they can sell it to dozens more spammers. One of the most irritating spam letters we've ever seen is the message offering to sell us the names and e-mail addresses of 5 million of our fellow spam victims for only $40.

The spam scam
How do the spammers get your address in the first place? Most of them acquire their stock of addresses through harvesting, a process that uses software to scan Web sites for any text with an @ symbol, recording the addresses in databases. Then they send their own spam to these addresses and/or sell or trade the addresses to other spammers.

What's one of the best ways to keep spammers from tracking you down? Avoid using your primary address; instead, sign up for a free e-mail account at a site such as Hotmail or Yahoo, then use these alternate addresses every time you post messages publicly or order products from Web stores. (For more antispam tips, check out our " Take back the Net " and " The great CNET spam-off " features.)

Spammers also harvest e-mail addresses from posts you make to Usenet newsgroups (for instance, news://rec.travel.europe) and online archives of mailing lists you might subscribe to. Never enter your e-mail address into your newsreader program's settings. It's easy for spammers to skim message boards for e-mail addresses, so use a free e-mail account to sign up for and reply to these. On those rare occasions when viruses send the contents of your address book to spammers, there's nothing you can do, so it's best to have antivirus software running all the time.

Keep a low profile
Of course, the easiest way to keep spam out of your in-box is to keep your e-mail address private in the first place. Give it only to trusted friends, family, and colleagues. Don't enter your primary address into Web forms or shopping order pages, and don't enter your address into your Web or Usenet browser's preferences; some sites can read your e-mail address or real name straight from the preferences. In general, when a Web browser or a Usenet newsreader asks you to enter your real name and/or e-mail address in a settings dialog, just leave the fields blank and move on.

Once spammers get ahold of your e-mail address, they can use HTML e-mail messages to acquire additional addresses from you. HTML e-mail looks different from plain-text e-mail in that it can be formatted with different type sizes and live Web links right in the body of the message. Unfortunately, these messages not only take a long time to load, they can also contain hidden scripts that send the list of addresses in your address book to the composers of the messages. It's fairly easy to disable HTML e-mail messages: simply go into your e-mail program's preferences dialog and deselect the preference to view mail as HTML. (In later versions of Eudora, for example, you click Tools > Options, then select Viewing Mail in the left pane and uncheck the box labeled Use Microsoft's Viewer.)

Other tools, including AnalogX's free Script Defender can stop malicious code in your e-mail before it activates. Script Defender, like CookieWall, runs in the background, waiting until it detects a malicious script. Then it stops the script from activating and lets you know what happened.

Encryption protection
Of course, even if you stick to all of these rules, e-mail messages themselves aren't safe from prying eyes; anyone who intercepts messages between your PC and their destination can read them. Unless, that is, you encrypt, or scramble, the contents of the messages so that only you and the intended recipient can read them. You can use a free programs such as PGPfreeware to encrypt your mail, but both you and the recipient have to install and configure it ahead of time. Some e-mail clients offer encryption options, but they require that you acquire a digital ID from a third party. To encrypt messages within Outlook, for example, you must first subscribe to a company such as VeriSign for a yearly fee for an ID.

Deter IM invaders
E-mail is no longer the fastest way to communicate over the Internet. Free instant messengers such as ICQ , AOL Instant Messenger , and MSN Messenger are extremely popular. You do pay a price for IM ease: spam, spam, and more spam, unless you're diligent.

The problem: IP address exposed!
The most serious instant-messaging security threat: ICQ allows your IM correspondents to discover your IP address. Many instant-messaging programs work by connecting two computers directly to one another, and, as a result, each computer can determine the other's IP address, but ICQ uses direct connections for nearly everything. Though an inexperienced hacker may have trouble figuring out your IP address on his own, many free tools make it easy to ferret out your address. Such tools monitor Windows' network connections to get a list of all the IP addresses the computer connects to. (Even DOS commands such as netstat can display the addresses of other computers when they're connected.)

Once malicious surfers know your IP address, they can launch attacks against your machine to crash the system or slow your Internet service to a crawl. Using free, easy-to-obtain programs, these unfriendly folks can also flood your PC with so much data that the Internet connection can't get a message out; occasionally these programs exploit a weakness inherent in Windows and make the operating system freeze up.

The solution: protect your IP address

• In ICQ 2000 - Click the ICQ button and pick Security and Privacy. Choose the General tab and make sure the Web Aware check box is unchecked. Choose the Direct Connection tab and select the radio button labeled "Allow direct connection with any user upon your authorization." ICQ lists the parts of its program that could allow others to see your IP address.
• In AOL Instant Messenger - In the AIM Preferences window, select the Privacy tab. Uncheck the box labeled "Allow users to see how long I've been idle" and select the radio button labeled "Nothing about me" in the section titled "Allow users who know my email address to find..."
• In MSN Messenger - In the Options dialog under the Preferences tab, uncheck the three options that appear under the General header.

The problem: log files on display
All instant-messaging programs let you log the conversations you have with others; in fact, ICQ logs your conversations by default. Just in case hackers ever break in to your PC, you may not want to keep records of your conversations, and you may want to eliminate the logs you already have.

The solution: delete your log files

• In ICQ 2000 - When you install ICQ, it brings along a second program called dbconvert.exe, which is stored in the same folder as ICQ itself (the Windows default is C:\Program files\ICQ). To eliminate your existing log files, close ICQ and run dbconvert. Pick your ICQ account from the top drop-down list, choose "No history (contact list only)" from the bottom drop-down, and click Next. When the program clears the ICQ database of logs, click Next one more time, then Done to close the program. You can also prevent ICQ from logging conversations with specific individuals on your contact list: right-click the name in the contact list, choose Alert/Accept Modes, open the Accept tab, and check the box labeled "Do not log event history." To stop logging altogether, click the ICQ button and choose Preferences, pick the Events item from the left pane, and fill in the check box next to "Do not log event history," then click Apply.
• In AOL Instant Messenger - All of AIM's logs reside in the folder located in C:\Windows\AIM95\your username . While the program doesn't log conversations (unless you choose File > Save in the message window), it does keep a log of your buddy list and any file transfers you may have made using AIM. Delete the contents of that folder to eliminate the logs.
• In MSN Messenger - MSN Messenger doesn't log chats automatically, although you can save individual threads by clicking File > Save in the chat message window. You can later delete any conversation logs you save by dropping the icon in the Recycle Bin.

The problem: instant spam
Instant messengers sometimes deliver a flood of spam in the form of annoying "forward me to everyone you know" chain messages or links to pornographic Web sites. Instant-messenger spam is often even more annoying than its e-mail cousin because most programs by default alert you with a flashing icon or a sound the second you receive any messages, even the unwanted ones.

The solution: block spam

• In ICQ 2000 - Click the ICQ button and pick Security And Privacy. In the resulting dialog box, select the Ignore tab and fill in all the check boxes. Select the "Users not on my contact list" option from the drop-down menu. Next, choose the General tab, select the radio button marked "My authorization is required before users add me to their contact list," and click Save.
• In AOL Instant Messenger - To tell the AOL Instant Messenger client to block messages from people not on your buddy list, click My AIM > Edit Options> Edit Preferences. Select the Privacy tab, then select "Allow only users on my Buddy list."
• In MSN Messenger - Click the Tools menu and select Options. Select the Privacy tab, then add the usernames you would like to be able to receive messages from or block certain people by moving their usernames between the two fields using the arrow buttons (located in the center of the dialog box).

Secure your financial transactions
Whether you're shopping at online auctions or checking a bank balance, you can keep your financial data out of the public eye.

Attention, E-mart shoppers
For the most part, shopping online is a low-risk activity, privacy-wise. That's because most shopping sites use a method of scrambling your credit card number and other information while it travels between your PC and the Web server called SSL (or Secure Sockets Layer); SSL makes it more difficult for someone "listening in" to the data flowing on the wire to intercept these sensitive numbers.

Shopping with a credit card is probably safest. When you use a credit card, you have the legal right to dispute any charge "if the product or service is misrepresented or never delivered," according to a MasterCard International online shopping guide . "If you pay by check or money order, by the time you realize there is a problem, your money will probably be gone."

Still, shopping online isn't completely risk-free. Criminals do indeed troll the Net for unprotected credit card info, addresses, and Social Security numbers. Fortunately, forewarned is forearmed.

Browser encryption
Your credit card info is most vulnerable as it travels across the Net from your computer to an online store. Hackers can intercept your credit card numbers en route by running sniffer software on Web routers that act as traffic signals on the Internet. The sniffers can see all the bytes inside a packet and look for keywords such as password inside. Fortunately, most modern browsers support Web sites that encrypt, or scramble, data in transit. Before you shop, look for sites that say they use SSL encryption (a common standard among reputable e-tailers). When you enter a secure area of a Web site, you should see a small, locked padlock icon at the bottom of your browser window; always check for this when using an online shopping cart. And if at checkout an e-tailer offers to store your credit card information on its servers, just say no. Occasionally, hackers break into store computers and steal that sensitive customer information.

Get the toughest encryption available
Netscape browsers since Navigator 4.61 (the browser portion of Netscape Communicator) ship with 128-bit SSL encryption support (the toughest available). Determine which Netscape version you're currently running by clicking the Help menu in Netscape Navigator and choosing About.

If you use any version of Internet Explorer earlier than 5.5, you'll need to download the 128-bit SSL High Encryption Pack from Microsoft. Internet Explorer 5.5 or later doesn't require this download; all new browsers now ship with 128-bit encryption. You can determine your version by clicking the Help menu in IE and choosing About.

Know your store's reputation
If you're considering shopping from an online retailer for the first time, search the Better Business Bureau's BBBOnLine site first to see if other consumers have reported problems with the company. Also, read the store's shipping, privacy, and return policies to be sure that the site clearly lists the street address and telephone number of its corporate headquarters. (An e-mail address alone isn't sufficient; a real street address can help ensure you're not dealing with a fly-by-night operation.) Sites that claim positive ratings from consumer-friendly organizations such as BBBOnLine or TRUSTe should provide links back to the organization's own site where you can verify the records yourself.

Use a credit card (not a debit card) for purchases
Most banks now offer account holders ATM debit cards that sport a Visa or MasterCard logo. Since these cards function like credit cards, you can use them for most online credit card purchases. However, if someone were to steal your debit card number, he or she wouldn't merely run up a huge credit card debt; the criminal could conceivably drain your entire checking or savings account before you could say "Stop, thief!" By virtue of the Visa logo on your debit card, banks provide a fraud-protection refund policy (with a $50 deductible) for all cardholders, but it can take several months to get your money back, so it's best to avoid the risk altogether.

Try disposable income
Recently, the members of the credit industry (including American Express and Discover ) devised a new tactic to prevent credit card fraud: the disposable credit card number. To get a disposable number, you simply register with your credit card company. Then, whenever you want to make an Internet purchase, you return to your credit company's site and enter the amount of the purchase into a form. The credit card company then provides you with a one-time-only number that you can use for that specific purchase.

Bank safe
If you're considering banking online, you face many of the same issues that online shoppers do. To keep your account information safe as you send it back and forth between your PC and your bank, make sure your bank's Web site uses 128-bit SSL encryption for all transactions. Look for the telltale locked padlock icon; then, before you start using your online account, be sure you're running a browser version that supports SSL (see recommendations above).

You'll also want to make sure that your bank doesn't sell customers' names, addresses, phone numbers, or other sensitive personal information to marketers. This practice exposes you to junk mail and spam. Read your online bank's privacy policy carefully to see who the bank shares information with and ask them to opt you out of any information-sharing programs at the time you sign up for an account. A federal law known as the Gramm-Leach-Bliley act requires financial service companies to provide a way for customers to choose not to let banks sell their customer profiles or to use them for marketing campaigns. If your bank's privacy policy provides Web-based forms that let you opt out of its marketing programs, use them. This may be the only time that filling out a Web form is likely to stop spam from entering your in-box! If your bank doesn't give you an opt-out option, you may want to find another bank.