Privacy Policies
The Washington Post, on 7-1-03, had an
interesting article
about online privacy. The article explains a number of sneaky methods that websites can use to collect personal
information without being honest about it. (Unfortunately, you may not be able to read that article now
unless you share personal information with the Washington Post!) Also mentioned was a study that found the majority of
people online think that the presence of a website privacy policy means their personal information is safe. That was, indeed, the
intention with privacy policies - to make people think that their personal information is safe. In actual fact, however, a privacy
policy means virtually nothing. First, since most privacy policies are written in long-winded, abstruse language,
it's likely that few people have even read them. Second, a privacy policy does not necessarily say that your privacy
will be respected. At best it just details what is done with information you provide to a website. Third, and most importantly,
nearly all online privacy policies contain a clause saying that the policy may change at any time without notice. Such a policy
is worse than meaningless - it's deliberately misleading.
So privacy policies are meaningless, but they have had the intended public relations effect: The presence on websites of
privacy statements and logos from corporate public relations fronts such as Truste has led people to think that their privacy
is protected by some kind of system of regulation. There is no such system. Organizations like Truste were created
to head off government action regarding online privacy. If a corporate website is asking for personal information then it's reasonable
to assume that your personal information, and the record of your activities at that website, will be sold to advertisers.
Indeed, some privacy policies even admit to such things. The policy of
BuyMusic.com, for example, clearly states:
"we reserve the right to use or disclose your personally identifiable information for business reasons in whatever manner desired".
Further down the page it explains that you will receive spam from buymusic.com
unless you opt out after every purchase.
That is a clear example of a company that uses their privacy policy specifically to block privacy. How many people, after all,
will go to the trouble of opting out of spam every time they make a purchase?
Cookies
Cookies are encoded text files that are stored on your computer
by websites that you visit. You are usually not informed of this happening.
You can choose (in your browser settings) whether to accept cookies
coming in. None of the major browsers will inform you or give you a choice
about cookies being called back to the server. If you have cookies they can be called back.
How cookies function :
Cookies are an easy, low-tech means for websites to keep a record of visitors.
When you arrive at a website that uses cookies, the cookie is created or "set".
With Internet Explorer it will be an individual file in the Windows\Cookies folder. With
Netscape/Mozilla/Firefox the cookie will be a single line in the file "cookies.txt", in the program folder
or in a Windows\App Data subfolder.
The cookie generally records the current time and a code number.
When you go to another page at the same website, the cookie can be called back. By referencing the code number,
the website can keep track of what happened on the last page....whether you ordered a product, etc.
If a cookie is used for this purpose it will usually "expire" after you leave the website.
Persistent cookies :
In some cases cookies will be "persistent", meaning that they stay on your computer....
They become a way to identify you on your next visit to a website. Persistent cookies
can be used to make a website password possible, for example, or to allow customization of the webpage that you see.
Using the cookie's code number, a website can reference its record of your prior visits.
Third party cookies :
Cookies can only be read by the domain from whence they came. In the past this aspect
has provided a measure of privacy. For instance, a Yahoo cookie
is only read by a website in the Yahoo.com domain. With new advances in commercial exploitation of the Internet, however,
this limitation has been circumvented. Through the use of third-party cookies it's possible for one cookie to be read from
many websites. The way it works:
An advertising company, such as Doubleclick,
maintains the ad banners on a large number of websites. When your browser loads any webpage with one of these ads, it allows
the ad company to "set" a cookie on your computer. ( Even though you're not browsing in the DoubleClick domain, the ad is being loaded from
their domain. )
The result of this is that the ad company can collect information about your browsing habits on any of the
numerous websites that host their ads. Third-party cookies allow one website to have access to all the information
you've shared across many websites. If you allow cookies then you almost certainly have at least one DoubleClick cookie
on your computer right now.
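The mechanism described above can be modelled in a few lines. This is an added example, not code from the original article: the host names are constructed, and the model assumes the ad server learns the embedding site from the request (for instance via the referrer field) and that "third party" simply means the ad host differs from the site being viewed.

```python
import itertools


class AdServer:
    """Toy ad server: hands out an ID cookie and logs where each ID was seen."""

    def __init__(self, host):
        self.host = host
        self._next_id = itertools.count(1)
        self.profiles = {}  # cookie value -> list of sites that showed the ad

    def serve_ad(self, cookie, page_site):
        # No cookie came back with the request: issue a fresh ID.
        if cookie is None:
            cookie = f"uid-{next(self._next_id)}"
        self.profiles.setdefault(cookie, []).append(page_site)
        return cookie  # value the server would put in its Set-Cookie header


class Browser:
    """Toy browser with a cookie jar keyed by the host that set the cookie."""

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}  # host -> cookie; a cookie is only returned to its own host

    def visit(self, site, ad_server):
        # The page at `site` embeds a banner loaded from ad_server.host.
        third_party = ad_server.host != site
        allowed = not (third_party and self.block_third_party)
        sent = self.jar.get(ad_server.host) if allowed else None
        issued = ad_server.serve_ad(sent, page_site=site)
        if allowed:
            self.jar[ad_server.host] = issued


# Constructed sample: three unrelated sites that all carry the same ad network.
SITES = ["news.example", "shop.example", "forum.example"]


def browse(sites, block_third_party):
    """Visit each site once and return (ad server profiles, browser cookie jar)."""
    ads = AdServer("ads.adnetwork.example")
    browser = Browser(block_third_party)
    for site in sites:
        browser.visit(site, ads)
    return ads.profiles, browser.jar


if __name__ == "__main__":
    for blocking in (False, True):
        profiles, jar = browse(SITES, blocking)
        print("block third-party cookies:", blocking)
        print("  ad server profiles:", profiles)
        print("  cookie jar:", jar)
```

With third-party cookies accepted, the ad server ends up with one ID linked to all three sites; with them blocked, each request looks like a new visitor, although the request itself still reaches the ad server.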
UPDATE WARNING: Blocking 3rd-party cookies in
Firefox or K-Meleon may not work! Even the custom "pref" settings are ineffective. If you think
that you have disabled 3rd-party cookies,
visit this page to test your browser.
Cookies and Universal User IDs :
A more recent development is the user ID in cookies. See the section below,
Referrer Fields And User IDs,
for details about that.
What does all of this mean? :
Some sites offer a free service in exchange for marketing information. For example, the New York Times
website requires that you fill out a questionnaire and accept cookies in exchange for freely reading their articles. That allows them
to keep a record of which articles you read at their website. You simply
have to choose whether you want to pay that price, allowing the NYTimes to sell information to advertisers about the
articles that you read.
To be realistic, if you have any persistent cookies you should not count on privacy.
With current technology, keeping even one cookie might allow any website to obtain an exhaustive dossier on you ( see next topic ).
Super Cookies: Adobe Flash is Trojan Horse Spyware ...or... Cookies are the Least of Your Worries
A little-known and little-publicized fact is that there are a number of ways to
store tracking information on your PC without cookies. And the situation is getting worse.
As of this writing, you will need to avoid Internet Explorer, avoid javascript, and disable
Flash in order to achieve the level of privacy that you
probably think you get from
deleting cookies. (It goes without saying that you also need to avoid installing the various
toolbars and plugins available.)
Privacy problems getting out of hand
Unfortunately, the privacy/security issues described here are simply too much for the average
person to deal with, and privacy laws are far behind the technology. While the Internet of just a few
years ago was a passive medium of print and pictures, that situation has changed
and a feeding frenzy has developed as various entities plot to cash in on an interactive Web.
There's a feeling of lawlessness to the whole thing, as software companies like Microsoft increasingly justify
spyware and trespass onto the private property of the PC, redefining the PC as a service
appliance, while Internet companies like Google/Doubleclick justify mass-scale snooping and tracking.
They all want to find as many ways as possible to collect money from everything done online.
Companies like Microsoft and Adobe are even vying to usurp the Internet itself, creating
closed, proprietary products (Silverlight, Flash, etc.) to replace the open, public standard of
HTML webpages. In connection with those changes, the basic, reasonable level of privacy that
most people
think they have online is quickly becoming unrealistic.
Flash - trojan horse spyware
Many people do not realize that Adobe Flash is actually software embedded in
a webpage. A webpage is composed of HTML - text code that tells the browser how to display
a webpage. If you visit a webpage you can view the HTML code. Not so with Adobe Flash. A
Flash file, used to stream media, embed animations, etc. is a compiled program. When you allow
Flash to run you are allowing a small software program to download onto your system. That is
significant because Flash is actually running independently of the browser. In addition to security
risks from Flash itself, Adobe's Flash allows websites to store and retrieve data on your computer.
This data has been described as "Flash cookies", but it is not cookies. Flash can store significantly more
data than cookies can store. Flash stored data is not controllable through the browser. And Flash stored
data can be accessed by websites other than the originating one.
If you simply disable Flash you can avoid security risks, annoying, frivolous animations, and unseen,
personally identifiable, data storage by websites. But there are some websites which simply will not
work without Flash. (Most notable among them is YouTube. To download local copies of videos from YouTube
in Firefox without needing either Flash or javascript, install the
DownloadHelper extension.)
For more details about Flash data storage, see these links:
http://epic.org/privacy/cookies/flash.html
http://www.informationweek.com/news/showArticle.jhtml?articleID=160901743
Browsers - little-known data storage problems
As explained above, cookies are not the only way for websites to
track you by storing data on
your computer. Flash can also be used for that
purpose. And there are also other methods being built into browsers. Internet Explorer
has the little-known
userData object that allows a website to store large amounts
of data on your PC. In Firefox there is the scripting property
window.globalStorage.
Like IE's userData,
this is an invisible, uncontrollable way for websites to store data on your PC without permission.
And the HTML5 specification includes a similar item,
local storage.
This notion of "storage" represents a change in the commercial exploitation
of the Internet, with companies increasingly thinking in terms of providing "services" through
the browser. For that they want maximum interactiveness and maximum access/control of
the client PC. There is a gradual transition being attempted by online companies such as
Google/Doubleclick, Facebook, MySpace, Microsoft, etc. That development is not unlike the
scenario where a shopping mall replaces Main St., moving the public conversation to a private
retail establishment.
If you're content to let Facebook manage your friendships, while Google/Doubleclick provides
your software, then you will probably want to enable those companies to track you and store
their files on your PC in order to enjoy the full extent of their services.
If you find it a bit creepy that large corporations are taking the liberty
of storing data on your PC clandestinely, then
disable script in your
browser. That can't be stressed too strongly. Script is implicated in the vast
majority of online risks, and it's also used in most of the ways that secret data can be stored on your PC.
There is an extensive detailing of the various data storage problems here:
http://packetstormsecurity.org/papers/general/html5whitepaper.pdf
If you would like to eliminate any currently stored tracking data on your PC, you
can download a cleanup script here. This script comes with an information file and
the ability to delete hidden files from Adobe Flash, Internet Explorer and Firefox.
Download cleardat.zip (5 KB. Updated 2/09)
Anti-Phishing Protection: An Intrusive Gimmick
Risks from Phishing:
Phishing is the name given to a particular kind of scam, typically perpetrated through email.
The way it works is that a scam email is sent that appears to be from your bank, credit card
company, etc. The email typically requests that you visit a website to verify information.
The trick is that the URL (Internet address) given may appear to be valid, but is not. For example,
if you bank at FirstNational.com you might get an email that asks you to visit something like
www.FirstNational.com.somewhereElse.com/login/etc. That website
is actually at somewhereElse.com, not at FirstNational.com, but the URL might fool some people
who are not expecting it.
Phishing is not difficult to avoid if you are careful: First, no company you do business
with should be sending you requests for online information in the first place. If you
think a request
may be valid then inspect the URL before proceeding. The last part before
the first forward slash ( "/" ) is the actual domain, the real address. Examples:
www.FirstNational.com.somewhereElse.com/login/etc.
Real address: somewhereElse.com
100.100.100.100/www.FirstNational.com/login/etc.
Real address: 100.100.100.100 (In this example the IP address is not translated to a URL.)
URLs can sometimes also be further disguised by substituting ASCII
codes for characters. Some websites do that with links when they don't want you to
know where the link goes. A browser will look for an ASCII code (in this case a hexadecimal number
representing a character) after any
% sign. For example, a forward slash
has the ASCII code number of 47, which is 2F in hexadecimal notation. So
www.FirstNational.com.somewhereElse.com/login/etc.
is the same as
www.FirstNational.com.somewhereElse.com%2Flogin%2Fetc.
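The inspection steps above can be automated. This is an added example, not part of the original article: it decodes % escapes as the article describes, then reports the host a link really points to. The function names are hypothetical, and taking the last two labels of the host as the "real address" is a simplification that is wrong for suffixes such as co.uk.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def decode_escapes(url, max_rounds=3):
    """Undo %XX escapes (a few rounds, in case they are nested) so nothing stays hidden."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def real_host(url):
    """Host the request goes to: everything before the first '/' of the path."""
    url = decode_escapes(url.strip())
    if not SCHEME.match(url):
        url = "http://" + url  # links quoted in mail often omit the scheme
    return urlsplit(url).hostname or ""  # lower-cased, without any port


def is_ip_literal(host):
    """True when the host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def real_address(host):
    """The article's 'real address': the IP itself, or the last two labels of the name."""
    if is_ip_literal(host):
        return host
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])  # simplification: ignores multi-part public suffixes


def inspect_link(url, expected_domain):
    """Compare where a link really goes with the domain the reader expects."""
    host = real_host(url)
    address = real_address(host)
    expected = expected_domain.lower()
    matches = address == expected
    return {
        "host": host,
        "real_address": address,
        "is_ip": is_ip_literal(host),
        "matches_expected": matches,
        # The expected name appears somewhere in the URL, but not as the real address.
        "disguised": (not matches) and expected in decode_escapes(url).lower(),
    }


if __name__ == "__main__":
    # The article's own example links, plus one genuine link for comparison.
    for link in (
        "www.FirstNational.com.somewhereElse.com/login/etc.",
        "100.100.100.100/www.FirstNational.com/login/etc.",
        "www.FirstNational.com.somewhereElse.com%2Flogin%2Fetc.",
        "https://www.FirstNational.com/login",
    ):
        print(link, "->", inspect_link(link, "FirstNational.com"))
```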
The Gimmick of Phishing Protection:
Both Internet Explorer 7 and Firefox 2 have introduced what is claimed to be
a built-in anti-phishing filter. Both browsers use a "blacklist" of known phishing sites.
IE also uses a locally-stored "white list". When you visit a website, the URL is checked and a warning is
issued if the site is a known phishing site. At the full functionality
setting,
both filters check with Microsoft or Google, respectively,
every time that you visit a webpage. (The only exception would be with IE when
the URL appears in the locally-stored "white list" of sites considered safe.)
There are a number of problems with these phishing filters. First, the basic concept
is hare-brained. Phishing sites typically move around with great frequency, closing down
one URL to open another. So blacklisting is of limited value. Second, only the fully-functioning version of the
filter, which checks each website against a list at Microsoft or Google/Doubleclick as you browse, has any chance at all of being
even slightly useful.
But that constitutes a radical intrusion of privacy in the guise of protection.
It means that you will be reporting all the details of your Internet browsing
to a corporation that can then keep a long-term record about you, personally.
Google/Doubleclick sets and retrieves cookies when the Firefox 2 anti-phishing filter is working.
Presumably Microsoft does the same in Internet Explorer 7. There is absolutely no
conceivable reason for these cookies other than as a tracking method to identify you and
compile a history of your activity, probably for the purpose of targeted ads. (Cookies are used to
store information between visits to a webpage, or to store information when moving
between webpages. But the websites that you need to check against the phishing blacklist have no
particular connection to each other, so there is no legitimate purpose in
using cookies with a phishing filter.)
Shocking Implications:
The introduction of these fashionable phishing filters by Microsoft and
Google/Firefox may be of little real value to the web browsing public, but the gimmick holds great promise
for the browser makers.
If Microsoft and Google/Doubleclick can get people to
use their phishing filter tools in full-function mode, it could be almost as profitable for them as if they had turned
the Internet into TV, with each person online being exposed to increasingly targeted
ads as they travel from one website to the next, closely watched the entire time
by the company that gave them their browser. Yet few, if any, online analysts
seem to have considered that point. Like the famous "war on terror", everyone just
jumps on the bandwagon of alleged security improvements.
Internet Explorer 7:
The reasons not to use Internet Explorer are many, even without the problems
of IE7. Fortunately, Internet Explorer 7 is a limited version that
will only run on Windows XP with Service Pack 2. But if you are using WinXP SP2, and you want to use IE7,
be aware of what you are agreeing to when you see the
"Microsoft Phishing Filter" dialogue,
which asks near the top, "Do you want to automatically check the websites you visit?"
If you click
Yes you are agreeing to report all of your browsing activity to Microsoft.
Firefox:
The phishing filter problem with Firefox arises only if you use Firefox 2
or the "Google Safe Browsing" Firefox extension. Firefox 1.5 is clean.
Note that Firefox 2 has a number of problems, and the combination is more
insidious than the sum of the problems taken alone: In Firefox 2 the option to block 3rd-party cookies
has been removed. Blocking 3rd-party cookies is common sense. They are
by definition spyware. Even Internet Explorer allows the blocking of 3rd-party cookies.
But there is a method to this madness. It so happens that enabling 3rd-party cookies
allows Google/Doubleclick to continuously track anyone
who fully enables the Firefox 2 phishing filter. (The phishing filter uses a Google/Doubleclick
cookie.) Unfortunately,
Google and Mozilla.org
have developed a strong financial connection between them, and the latest developments with
Firefox 2 do not bode well. Consider the following: Mozilla.org (the makers of Firefox) receives
money for Google/Doubleclick searches done through Firefox. Google/Doubleclick maximizes their profit on ads
by targeting those ads to people who are likely to be interested. The Firefox 2 phishing filter,
using a Google/Doubleclick cookie, opens up the possibility that all Firefox users could eventually
be fully identified and documented by Google/Doubleclick, allowing Google/Doubleclick to show them precisely targeted
ads on webpages that they view.
Firefox 1.5 is clearly a better choice than Firefox 2, but if
you want to use Firefox 2, be aware of the implications when choosing
settings for cookies and the phishing filter.
Email - Spying, Spam and "web bugs"
Some new services have appeared that claim to offer the possibility of monitoring
your email: knowing when and if your email recipients have read your message. These services
include
DidTheyReadIt and
ReadNotify.
If you are not familiar with how such a service works then it may seem like a very clever thing to
accomplish, but actually it's just an old spammer's trick known as a "web bug". When email is sent
as "HTML email" it can have images included. The images can be attached as files, they can be embedded into the email, or
they can be linked. When an image is linked it is loaded from a remote location when the
email is opened, just as images in a webpage may be opened from a remote location when you
"navigate" to that webpage. HTML email is, essentially, a webpage.
Spammers often exploit the ability to link images as a way to track their spam email.
Each email will include a link to a tiny picture, just 1 x 1 pixel, using a unique ID number.
When you read your email it retrieves the picture, sending the ID number at the same time.
This allows the spammer to confirm that your email address is valid and to know that
you opened the email. Email tracking services work in precisely the same way.
The solution to web bugs is to prevent them from being loaded.
If you read your email
as plain text, or if you read it offline, or if you block images in your email, the web bug
image will never be loaded, so
that spammers and email snoops will have no way of
knowing whether you read the email.
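To see which images an HTML email would fetch when opened, the message can be scanned before it is rendered. This is an added example, not part of the original article: the sample message, host names and ID value are constructed, and the "1 x 1 pixel with an ID in the query string" test is only a heuristic for the web bugs described above.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample message: one embedded image (cid:), one web bug, one ordinary linked image.
SAMPLE_EMAIL = """\
From: news@example.com
To: reader@example.org
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, this is the plain-text part.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello</p>
<img src="cid:logo123" width="120" height="40">
<img src="http://tracker.example.net/open.gif?id=8f3a21c7" width="1" height="1">
<img src="https://static.example.com/banner.png" width="468" height="60">
</body></html>
--b1--
"""


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def linked_images(raw_email):
    """Images that would be fetched from a remote server when the mail is displayed."""
    msg = message_from_string(raw_email, policy=default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # the plain-text part cannot load anything
        collector = ImgCollector()
        collector.feed(part.get_content())
        for attrs in collector.images:
            src = (attrs.get("src") or "").strip()
            parts = urlsplit(src)
            if parts.scheme not in ("http", "https"):
                continue  # cid: and data: images travel inside the message itself
            tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
            found.append({
                "url": src,
                "host": parts.hostname,
                "tiny": tiny,
                "params": dict(parse_qsl(parts.query)),
            })
    return found


def likely_web_bugs(images):
    """Heuristic: an invisible image whose URL carries a per-message identifier."""
    return [img for img in images if img["tiny"] and img["params"]]


if __name__ == "__main__":
    images = linked_images(SAMPLE_EMAIL)
    print("hosts contacted if images load:", [img["host"] for img in images])
    print("likely web bugs:", likely_web_bugs(images))
```

Any linked image tells the remote server that the message was opened, which is why blocking all linked images, not only the tiny ones, is the setting to look for.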
Many email readers can be configured to block linked images from loading.
The following links lead to directions for blocking web bugs in various
email programs:
Yahoo
Hotmail
Mozilla/Netscape7.1/Thunderbird
An increasing number of email programs are including the
ability to block linked images. Many also have the option to read all email
as plain text because HTML email can be a security risk (especially in the
MS Outlook and Outlook Express products where the HTML email viewer is
actually a high-risk Internet Explorer window).
If you are considering the option of paying a snoop service to track your email
recipients, note that your email can only be tracked if the recipient:
1) reads their email while online and
2) has HTML email capability, but
3) has not disabled linked images and does not read
their email as plain text, and
4) does not have a firewall that might warn them that their
email program is attempting an unauthorized online connection.
Beware of Web-based Email and Online Services
Beware: You may give up rights to your own private property if you use web-based services.
An increasing number of companies are trying to find a way to make money by providing
online services. Web-based email (Yahoo, Hotmail, GMail, etc.) has been available for
some time, and other services are gradually showing up: Microsoft is planning some form
of MS Office online subscription. Google/Doubleclick is introducing online, searchable storage. Etc.
There are unique privacy and security issues with online services. Who owns your online email
and files? Who can read them? You may not mind having tacky Yahoo ads in your email -
and your friends may put up with it - but that's only the most obvious cost of "free" online services.
There are two basic problems with online services that have not yet been dealt with,
and those problems are only beginning to become evident:
1) When you store private files on a commercial server, the legal status of those
files is surprisingly unclear.
2) Many companies providing online services - most of which are free - take
the rather startling position that they are co-owners of any files that you store on their servers.
That claim is not usually made overtly, but is typically written into the user agreement.
You may feel that your Hotmail or your files stored on X-Drive or your photos hosted
on a photo album website are your private property. But that is turning out not to be the case.
You may have no control over files that you put into the hands of online service companies.
For example, Microsoft at one point claimed co-copyright and co-ownership of
all
content passing through Hotmail. That means they were claiming the right, for example, to use
your private email or family photo in their advertising. (Microsoft did reword the Hotmail user agreement after
complaints brought the issue to public attention.)
More recently, a US judge
ordered
that all email from a specific GMail account be handed over to the court,
including all previously deleted email. As it turned out,
Google/Doubleclick's user agreement states that they reserve the right to keep your email, even when you have
told them to delete it. This disturbing court case highlights both of the problems noted above: Google/Doubleclick is
claiming co-ownership of GMail users' email, and a government entity is regarding your email as Google/Doubleclick's property. The judge
was not issuing a warrant to search an individual's computer. Rather, the judge issued a subpoena to Google/Doubleclick
demanding the email of a private individual. The presumed owner of the email turns out to apparently have no property rights
where their own web-based email is concerned.
Google had been a well-regarded company in the past, but their pattern of storing private data
(from searches and GMail) is disturbing. And one of Google/Doubleclick's newer products is a search function
that combines online storage with the ability to search your computer. Again, that seems like a clever
and useful idea at first glance. But if you accept Google/Doubleclick's
search toolbar you could end up losing all rights of privacy to all of your own files! That's a high
price to pay, especially when you consider that fast and sophisticated search functionality is already built into
Windows, accessible from the Start Menu.
Maintaining Privacy While Avoiding Web-based Email
Most ISPs provide the option to create more than one email account. If you use
your ISP's email you get more functionality than is available through web-based email.
(You can create storage folders, have multiple accounts, use filtering rules, and read newsgroups
from most email programs, such as Thunderbird or Outlook Express. And all of your past email
is stored on your computer - private as well as searchable.)
In order to maintain privacy and avoid spam, avoid using your primary email address
for any but personal correspondence. Then create two other email addresses: one
for commercial purposes where you are required to submit an email address, and one for
junk - situations where you need to submit an email address but have no intention
of ever accepting email from that source. When your second or third email address
starts to get too much spam you can just drop it and create a new email address.
Example: You might create
yourname@YourISP.com,
shopping@YourISP.com
and
junk@YourISP.com. When your "shopping" or your "junk" email address gets filled
with spam, just drop that address and create
shopping2@YourISP.com
or
junkB@YourISP.com.
Referrer Fields And User IDs
The "referrer field" is information sent by the browser when you arrive at a website.
Any website you visit normally receives your IP address, the name and version of your browser,
the page you're loading and referrer information. The referrer information
tells where you just came from. In general this is benign. It provides a way for website
operators to get information such as the URLs of other websites linking to them and how many
people are arriving from those links.
With the growing awareness of cookies, more people are blocking or deleting cookies from third party
sites, making it more difficult to track online activity between sites.
To get around that, the referrer field is sometimes exploited to track people. Some websites may tack on extra
text to the referrer string, in order to relay information to the next website you visit.
Microsoft, for example, has done that with their Passport system, creating a way to track people moving between
all Passport-enabled websites. (See details here:
PC-Help.org and here:
Securityfocus.com)
Blocking transmission of referrer fields:
Referrer information can be blocked by using a firewall program.
Regarding specific browsers:
Internet Explorer: IE does not have a means to block referrer fields.
Firefox: Firefox (and Netscape) has an obscure setting that will stop referrer fields
from being transmitted. See the
SurfSet page for software that
can adjust that and other obscure settings. Or see the
Firefox tips page
if you want to do it yourself by hand.
Opera: Opera has this setting, but Opera can also be rather quirky
in the way it renders webpages, and the free version is adware.
Online Ads - Easily Block Ads and Tracking with a HOSTS File
The Intrusion of Online Ads
Online ads provide a means for advertising companies to track your online activity,
identify you, and then sell that information to other marketing and product
companies. That is possible because many commercial sites now have their banner ads supplied
by ad-company servers. Doubleclick, for example, is one of the biggest ad servers.
If you read the HTML code in nearly any major commercial
webpage you will find links to ad images coming from Doubleclick.
If you allow cookies then you almost certainly have at least
one Doubleclick cookie right now.
Through the use of cookies, advertising images, and web bugs (invisible 1x1 pixel images),
advertising companies can follow you around the Internet, creating a composite chart of
your activities. When an ad image loads, your browser sends a request
for the image file, which allows the ad server to record your IP address. By combining that
information with information that you may share with various
websites, you can potentially be identified and a marketing profile may be created for you.
The reason for all of this spying is that targeted ads are worth more money. A golf ball company
would like to only pay for ads shown to golfers. Likewise, diaper ads, car ads, etc. all have a
"target" audience. If an advertising company knows who you are and what you buy they can make
more money by showing you targeted ads as you browse online. This is also the reason that
websites such as the New York Times want you to "register" and fill out a survey: They can
then use a cookie to watch which articles you read and show you ads targeted at your
demographic and personal interests. For example, a golf ball company might contract to show
their ads only to suburban people between 30 and 65, who make over $40,000 per year, thus raising the odds
that each ad they pay for will result in a sale. This approach allows websites to charge more
for advertising space while simultaneously costing less for advertisers to reach their audience.
Further, it provides important information that can be used in the actual sale: The golf ball
company can adjust their webpages and prices based on your profile. For example, when you click on their ad they
might show you a page where their golf balls are on sale if they know that you have bought
golf balls from another company recently....or wealthy people may see a display of, say,
the "executive platinum series" golf ball while people on more meager incomes may see the
same golf ball advertised as the lower-priced "pro series".
(This is just an example to illustrate the possibilities. It is not intended to imply
anything about particular companies or products.)
Targeted ads have become big business, as explained
in
this CNet article.
Distasteful hype terms such as "behaviorally targeted advertising" and "audience management"
are used to describe this attempt to glean and consolidate as much information about website visitors as possible,
from numerous online and offline sources, in order to "monetize audience members". (Goodness knows what that is supposed to
mean. Literally it simply means "turn people into money"!) To read an entire "audience management" sales pitch
full of similarly crass, barely coherent hype, see
the Tacoda website
that was mentioned in the CNet article.
This spying is not just an intrusion of privacy. It's also being done secretly, for the most part. People are rarely
aware of being tracked online. The good news: It is easy to block most tracking, and many ads, by creating a HOSTS file on your computer.
About the HOSTS File
When you go to a website the address must be resolved to a numerical version in order
to make contact. For example, if you go to www.somewhere.com, your browser
will look up that address to get the IP address (like a telephone number) which is the real address for the website. This number
might be something like: 25.201.1.244. It is composed of 4 numbers from 0 to 255. The
address of where you are coming from (for the purposes here) is always 127.0.0.1.
The HOSTS file dates back to a time when an index of Web addresses was kept on each machine. It is a simple
text file that can be used on all operating systems to pre-assign addresses to URLs.
It's your personal phone book, so to speak. (You do not need to change any settings in order to use a HOSTS file.)
A URL pre-assigned in the HOSTS file will not be looked up by the browser. This means that if you
assign www.somewhere.com to 127.0.0.1 in your HOSTS file then your browser will never load any files
from www.somewhere.com because it will be told that www.somewhere.com is your
own computer!
So the HOSTS file can be used to prevent loading 3rd-party ads, images, web bugs, etc. from
the websites that you visit. Moreover, the 3rd-party ad server will never be contacted so
it will not log your identifying IP address.
HOSTS files, Windows XP and Microsoft: On WinXP there is one notable issue with
the functionality of the HOSTS file.
Microsoft has used an especially sleazy trick,
subverting the HOSTS file, to ensure that their own spyware is not blocked. This is a brazen show of disrespect
on the part of Microsoft. Their bypassing of the HOSTS file can only have been done specifically to trick
experienced Windows users who do not want Media Player and other Microsoft spyware calling "home". Given that
Microsoft is refusing to recognize the privacy and property rights of their customers, the role of the HOSTS file in Windows Vista bears scrutiny. For instance,
there's no reason to assume that Microsoft will not sell backdoor HOSTS file access to your computer to companies
such as Doubleclick.
Ad Blocking and IFrames: There is a clever method that many advertisers now use in order to
attempt a bypass of image blocking in Firefox: A 3rd-party ad will sometimes be put inside an IFRAME tag.
An IFRAME ("inline frame"), for those unfamiliar with HTML, is a webpage embedded in a webpage, like a viewport
from one webpage onto another. When an ad is put inside
an IFRAME, the IFRAME is actually a 3rd-party webpage inserted into the page you are viewing. So the ad
still looks the same, but technically it is no longer a 3rd-party image and Firefox will not block it. That points
out another advantage of using a HOSTS file: If you have blocked an advertising URL in your HOSTS file
then neither IFRAMES nor images will be loaded from that source.
If you block 3rd-party ads and use Firefox, see the
Firefox Tips page for
further information and an explanation of how to remove IFRAMES from webpages that you visit. Or see
the
SurfSet page for software that will do the job for you.
Creating a HOSTS File
You may or may not already have a HOSTS file on your computer. To set up a HOSTS file for ad blocking
and web bug blocking:
1) If your system does not show file extensions, go to
Control Panel -> Folder Options -> View or
Start -> Settings -> Folder Options -> View
and uncheck "Hide File Extensions for Known File Types".
2) Locate or create a HOSTS file in the following location:
Win95/98/ME - C:\Windows\HOSTS.
WinNT4/2000 - C:\WINNT\System32\Drivers\Etc\HOSTS.
WinXP - C:\Windows\System32\Drivers\Etc\HOSTS.
(Adjust the path if Windows is not on C drive.)
Note that the file has no extension. It is named simply "HOSTS",
not "Hosts.txt", etc. Nevertheless, HOSTS is a simple text file that can be written in Notepad.
3) Add this line to your HOSTS file:
127.0.0.1 localhost
Then add any known ad server or web bug URLs to your HOSTS file like the following, adding one URL per line,
with a space between "127.0.0.1" and the server URL:
127.0.0.1 ad.doubleclick.net
127.0.0.1 ads.atdmt.com
127.0.0.1 server.somewhere.com
Each line defines a particular Internet address as being on
your computer (127.0.0.1). If you add only "ad.doubleclick.net" to your HOSTS file you should
see a greatly reduced number of ads (which means a greatly reduced incidence of tracking,
provided that you do not accept cookies).
Note that each server URL is unique. If you block "ad.doubleclick.net" that will not
block files coming from "ads.doubleclick.net" or "ad.doubleclick.com".
Improving and Updating the HOSTS File
Once you start using a HOSTS file you need to add the URLs that you want to block,
and those URLs can also change occasionally. The more ad-server and tracking URLs you
put in your HOSTS file, the better it will work. To help with that process you can
download a HOSTS file "kit". The kit includes information and a script file that will collect
URLs for you. You just download a webpage that you are viewing and drop it on the
script file. The script then extracts URLs from the webpage code and optionally adds them
to your HOSTS file. If you use Internet Explorer this kit can also put a button on the
IE toolbar to automate the whole process. The download, hosts.zip, contains the scripts, further explanation
and a sample HOSTS file.
Download HOSTS File Kit (38 KB)
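The collection step described above, as an added example in Python (it is not the script from the kit): it reads a saved page, pulls the server names out of IMG, IFRAME and similar tags, and lists the ones the HOSTS file does not yet block. The function names and the sample page are constructed for illustration. Matching is by exact name, which is why ads.doubleclick.net is reported even though ad.doubleclick.net is already blocked.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def blocked_hosts(hosts_text):
    """Return the set of names a HOSTS file assigns to 127.0.0.1."""
    blocked = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on spaces/tabs
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            blocked.update(name.lower() for name in fields[1:])
    return blocked

class SrcCollector(HTMLParser):
    """Collect server names from tags that make the browser fetch a file."""
    TAGS = {"img", "iframe", "frame", "script", "embed"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag in self.TAGS and name == "src" and value:
                host = urlsplit(value).hostname  # None for relative paths
                if host:
                    self.hosts.add(host.lower())

def unblocked_third_parties(html, page_host, hosts_text):
    """Servers the page loads from, other than page_host, not yet in HOSTS."""
    collector = SrcCollector()
    collector.feed(html)
    return sorted(collector.hosts - {page_host.lower()} - blocked_hosts(hosts_text))

# Constructed sample input (not taken from a real page or a real HOSTS file).
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net   # exact name only
"""
SAMPLE_PAGE = """<img src="http://www.somewhere.com/logo.gif">
<img src="http://ad.doubleclick.net/banner.gif">
<iframe src="http://ads.doubleclick.net/frame.html"></iframe>
<img src="http://ads.atdmt.com/bug.gif" width=1 height=1>
<img src="/local/pic.gif">"""

if __name__ == "__main__":
    # Print candidate lines in HOSTS format for review before adding them.
    for host in unblocked_third_parties(SAMPLE_PAGE, "www.somewhere.com", SAMPLE_HOSTS):
        print("127.0.0.1", host)
```

Review the printed lines before pasting them into HOSTS; a page can also load files you want from a third-party server.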
Other Privacy Issues
Download "accelerators" and similar software of dubious benefit
Most programs and services that promise faster browsing or downloads are provided
for the purpose of online tracking. Some are spyware. Others require that you allow all online activity to be tracked.
Some people may not be bothered by that. If you are, and you use these kinds of programs/services, you should
read the privacy agreement and license. (Be aware, too, that most privacy agreements contain disclaimers
saying the agreement can be changed at any time without notification. Such a privacy agreement is meaningless.) There is an
interesting article on CNET if you want to know more.
In some cases, clicking a link in email to go to a website will send your email address to that site.
A solution to that is to copy and paste the URL into your browser.
Some ISPs have begun selling tracking information to marketers. Check your ISP's privacy
statement if you're concerned about that.
If you're using the AOL browser:
Your browser is actually Internet Explorer but the settings relating to privacy and security
may have been hidden. To see the differences open the Windows version of Internet Explorer from
the Start menu and find 'Internet Options' in the toolbar dropdowns. Compare that to your
AOL "www" preferences settings. You'll probably see that 2 of the
settings tabs are missing from the AOL browser settings window. In effect, you've been locked out
of your browser settings relating to security, cookies, etc.!
If you enable Javascript and ActiveX controls in Internet Explorer you allow for the possibility
of websites browsing through your computer; if your browser settings are connected to
your email, such as Internet Explorer and Outlook Express, you'll also leave yourself open to
HTML email viruses.
See the "Online Security Tips" page for further information about these issues.
The 'Free' Dilemma
Another situation that's arisen: a trend toward free software that hosts
advertising. There are now several hundred ad-supported programs that install special software on your
computer, allowing for clandestine contact with an advertising company through your internet connection.
This contact is said to be for the purpose of periodically replacing the ads with new ones.
There's been a lot of talk about whether new ads are ALL that's being communicated, but that seems to
be missing the point.... An advertising company has installed hidden 2-way communication between
YOUR private computer and THEIR office. A visit to Webster's dictionary yields
this tidbit:
" wiretap - to tap (a telephone wire, etc.) to get information secretly or underhandedly."
A wiretap is a wiretap! How it's currently being used is hardly the relevant issue.
On the other hand, the programs referred to here are free for the taking. What is that
all about......
In many cases, clearly, the free giveaway is a mutual con-game. The marketer holds out a free
trinket, hoping to lure a passerby. The marketer's plan is to pickpocket while the
passerby is busy grabbing the trinket. The strategy of the passerby is to grab the
trinket while keeping his wallet intact. ....So who's cheating who?!
Interestingly, the word 'free' has become ubiquitous in newspapers, in magazines,
on TV, on the web and in stores. It would seem that we all hope to get something
for nothing, rather than strike a fair deal.
Apropos of that, there's an old saying that you can't cheat an honest man....

Get info. about adware and a download to clean it out:
OptOut - GRC.com
To get an ad company's side of the story:
www.aureate.com
To read more from an anti-ad site:
Beating Adware
Interesting related information and research from Ben Edelman:
http://www.benedelman.org/
To find out more about privacy in respect to Internet technology:
www.junkbusters.com
Electronic Privacy Information Center
For information about firewall software see the "Home Handyman" page.