The Illusion of Web Privacy
Nowadays, on the Internet, everyone knows if you're a dog
People complain about anonymity online. Increasingly, it gets in the way of efforts to clean up spam and fraud. Yet there are all sorts of situations where we need Internet communications to be anonymous--whistle-blowing, the confidentiality of medical and legal records, human rights activism, and political dissent [see "The Whistle-blower's Dilemma" in this issue].
But there are also more mundane, yet important, reasons to hide one's identity online. According to Lance Cottrell, president of Anonymizer Inc., a San Diego company that provides software for anonymous Web surfing, the purchasers of cloaking software increasingly are large corporations--especially from the financial and legal realms. They wish to avoid the fate that befell one investment bank during the dot-com bubble: a high-tech firm noticed an influx of visitors to its Web site, all coming from a single group of Internet protocol (IP) addresses. The source, easily traced, turned out to be an investment bank. A client of the bank eventually acquired the firm that was the object of all the attention, but, having lost the element of surprise, paid US $15 million more than it had planned.
There are ways to mask one's identity online, but they generally involve hijacking servers, registering fraudulent domains, or identity theft--the tricks of spammers and virus writers, not ordinary netizens. For us, it's surprisingly hard not to broadcast who we are online.
Webmasters generally know where one is surfing from, often down to the city and company address, even the department, because IP addresses are recorded by Web servers and frequently can be correlated with physical locations.
Sites can also detect return visitors, by means of identifiers known as cookies, unique numbers stored on the surfer's computer on the first visit. Cookies are convenient--they're the reason you don't have to log in every time you visit a favorite site, for example--but they can also provide a great deal of marketing information. If you fill out a Web form, for a contest, a job site, or an e-purchase, your IP address can be associated with the name, phone number, social security number, or any other data you provide. This pairing of your IP address and personal information can then be sold to other companies, including those whose Web sites you wish to visit anonymously. A partial solution is to set your browser to make cookies expire after a few days or to ask before accepting them.
Worse, advertising companies can identify you across different Web sites by means of some crafty code they place in their online ads. Known as "Web bugs," they report back information about you, such as your IP address and the date and time of your visit. Because ads often appear on multiple sites, information about you from around the Web can be collated, so that deeper patterns of Web browsing can be discerned. What sites did you visit earlier in the day? What sites after? Which parts of the sites seemed to interest you the most?
Controlling cookies can also help here, as can automatically blocking images from ad companies known to use Web bugs. More information about bugs and who uses them is available on the Electronic Frontier Foundation's Web site at http://www.eff.org/Privacy/Marketing/web_bug.html.