Guest Commentary by
Wes Miller, VP at Directions on Microsoft
But what, exactly, is online privacy?
Ignoring, for the moment, the recent moves by the US Dept. of Justice to force ISP’s to retain customer activity logs, I believe that online privacy means giving the user of any Internet-connected application, on any device, the ability to know:
- How they are being identified,
- Whether their activity may be logged,
- Who will be logging it, and
- How that logged information will be used, monetized and shared.
There are really as many as three parties involved in every conversation that happens online:
- The information consumer: you, in addition to any other individuals allowed to view information you contribute, if a site is public.
- The communication provider: any Internet service providers/network providers between you and the host.
- The information provider: the host company / server you connect to.
Information providers may also work in concert with ad providers, analytics providers who track the activities of information consumers, external content providers, and other third parties.
A New Kind of Product
A 1993 cartoon by Peter Steiner ran in the New Yorker, with one dog using a computer proclaiming to another, “On the Internet, nobody knows you’re a dog.”
Eighteen years later that’s no longer true; a 2010 quote that became an Internet meme proclaims, “If you are not paying for it, you’re not the customer; you’re the product being sold.”
Innumerable websites provide services that rely on the consumption and contribution by information consumers in order to function. For example:
Google searches lead to ads, which lead to revenue from advertisers; at its heart Google is a search provider, but advertising pays the bills.
Facebook aims to foster a growth in individuals’ relationships, online contributions, and, in time, click-through on advertisements to keep it all working.
Twitter relies on ongoing user contributions, and without fresh, user-supplied content has little to differentiate itself.
If you’re accessing these or other online services for free you’re likely paying through “contextual contributions.” For example, when you search on Amazon you’re providing information about your product interests and allowing the company to build your profile.
When you search on Google the same thing happens. As a search engine, advertising media, and analytics provider the more Google can know about you the better the company and its advertisers can target their advertising – and the more revenue they can earn. And it isn’t just Google; Microsoft and many others provide ad services, plus analytics that might be free for basic capabilities but can become quite expensive for “private” versions.
Websites Know More Than You Think
As you access a website you can pass a surprising amount of information to its remote servers. The website operators know your ISP, your IP address (either the unique address of your computer or the home router in front of it), and as a result your approximate geographic location. And by storing a cookie – a small file with a unique identifier – your behavior and the content accessed by your system can be tied to you as well. That is the essence of how all Internet analytics and advertising software works.
Even if you turn off cookies, Adobe Flash can create its own tracking cookies called Local Shared Objects (LSOs) which can be very difficult to disable. A 2009 Wired.com article claimed that more than half the Web’s top sites use Flash cookies to track users and even re-spawn conventional cookies that users may delete.
Don’t believe me? Try Panopticlick from the Electronic Frontier Foundation.
On my own computer, instances of Google Chrome and Microsoft Internet Explorer provide all the information needed to make my system uniquely identifiable to the websites that I visit. And since the identifiers shown in Panopticlick together with other externally identifiable information such as IP address seldom change, websites that I visit are able to tie my online activity – all of it – together in their databases.
Perhaps even more surprising, HTTP status codes enable websites to know whether you’re currently logged into other sites like Gmail, Facebook, Twitter, and undoubtedly thousands of others; while history hijacking can provide websites with a comprehensive list of the other sites that you have visited.
Few browsers can protect against these tactics, and the corporate mainstream has already begun to take advantage. For example, a 2010 University of California at San Diego study identifies sites operated by ESPN, Morningstar, and numerous others as using history hijacking to extract visitors’ online history.
Through use of these exploits it’s also possible for websites to derive a visitor’s gender, age, cultural background, political affiliations, social tendencies, and numerous other details – both public and very private – with a precision that few could believe possible.
Protecting Your Privacy
I argue that it’s just too simplistic to say that anyone should be able to “opt out” of providing identifying information to online providers as some have suggested. How exactly is the checkout process supposed to work at any ecommerce site if no identifying information can be transmitted or stored? How can you identify yourself to Gmail without Google credentials?
The reality is that the transmission of personally identifying information is a fact of life for those of us using the Internet. But as an information consumer it’s critical to make informed choices, beyond just “not using any computer connected to the Internet.”
To safeguard your online privacy, I encourage you to treat every website you visit as though it’s interested in knowing your most intimate details – but do you care?
Read my next post to find out why you should definitely care.
And, to protect yourself I encourage you to treat all information that you access, write or share online, including web-based email, as publicly visible – as though your spouse, children, boss and worst enemy can see all of it today – and at any time in the future.
Perhaps Google’s outgoing chief executive Eric Schmidt put it most pointedly: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
It may sound menacing, but when it comes to the Internet it’s certainly true.
In part 2 of this article we’ll explore why pundits are so interested in online privacy, why so few Americans seem to care, and why we should all be concerned.
Wes Miller is a Research Vice President at Directions on Microsoft in Kirkland, Washington. Wes previously served as a product manager at several Austin, TX, Internet and security software companies, including Winternals Software, and spent seven years at Microsoft working in the MSN and the Windows Core OS divisions as a Program Manager. Wes has also contributed numerous articles to TechNet Magazine.