2. Online Tracking
3. Mobile Apps
4. Privacy Policies
5. Accessing the Internet
Wireless Networks and Wi-Fi
8. Additional Privacy Issues
This guide explains how your online activities may compromise your privacy and describes some of the steps you can take to protect yourself. Our separate consumer guide Securing Your Computer to Maintain Your Privacy explains how you can be proactive about your privacy by addressing computer security vulnerabilities.
you are online, you provide information about yourself almost every step of the
way. Often this information is like a puzzle with pieces that need to be
connected before the full picture is revealed. Information you provide to
one person or company may be combined with information you have provided to
another person or company to complete the puzzle. This information can be collected through your browser while visiting websites or by the mobile apps that you use on your phone.
2. Online Tracking
You probably have noticed that many advertisements that you see online are targeted to your
tastes and interests. That’s because almost every major website you visit tracks your online activity. Tracking technology can follow you from site to site,
track and compile your activity, and compile all of this into a database. Generally, tracking utilizes a numerical identifier, rather than your real name. This information is used to personalize the content that you see online.
The good news is that almost all browsers give you some control over how much information
is revealed, kept and stored. Generally, you can change the settings to
restrict cookies and enhance your privacy. Most major browsers now offer a
“Private Browsing” tool to increase your privacy. However, researchers
have found that “Private Browsing” may fail to purge all traces of
Some of the tools that are used to track you online include cookies, flash cookies, and fingerprinting.
Cookies. When you visit
different websites, many of the sites deposit data about your visit, called
“cookies,” on your hard drive. Cookies are pieces of information sent
by a web server to a user’s browser. Cookies may include information such as
login or registration identification, user preferences, online “shopping
cart” information, and so on. The browser saves the information, and sends
it back to the web server whenever the browser returns to the website. The web
server may use the cookie to customize the display it sends to the user, or it
may keep track of the different pages within the site that the user accesses.
example, if you use the internet to complete the registration card for a
product, such as a computer or television, you generally provide your name and
address, which then may be stored in a cookie. Legitimate websites use
cookies to make special offers to returning users and to track the results of
their advertising. These cookies are called first-party cookies. However,
there are some cookies, called third-party cookies, which communicate
data about you to an advertising clearinghouse which in turn shares that data
with other online marketers. These third-party cookies include “tracking
cookies” which use your online history to deliver other ads. Your
browser and some software products enable you to detect and delete cookies,
including third-party cookies.
Disconnect is a browser extension
that stops major third parties from tracking the webpages you go to.
Every time you visit a site, Disconnect automatically detects when your browser
tries to make a connection to anything other than the site you are
can also opt-out of the sharing of cookie data with members of the Network Advertising
Flash cookies. Many websites utilize
a type of cookie called a “flash cookie” (sometimes also called a
“supercookie”) that is more persistent than a regular cookie.
Normal procedures for erasing standard cookies, clearing history, erasing the
cache, or choosing a delete private data option within the browser will not
affect flash cookies. Flash cookies thus may persist despite user efforts
to delete all cookies. They cannot be deleted by any commercially
available anti-spyware or adware removal program. However, if you use the
Firefox browser, there is an add-on called Better Privacy
that can assist in deleting flash cookies.
Fingerprinting. A device
fingerprint (or machine fingerprint) is a summary of the software and hardware
settings collected from a computer or other device. Each device has a different
clock setting, fonts, software and other characteristics that make it unique.
When you go online, your device broadcasts these details, which can can be
collected and pieced together to form a unique “fingerprint” for that
particular device. That fingerprint can then be assigned an identifying number,
and used for similar purposes as a cookie.
is rapidly replacing cookies as a means of tracking. Tracking companies are
embracing fingerprinting because it is tougher to block than cookies. Cookies
are subject to deletion and expiration, and are rendered useless if a user
decides to switch to a new browser. Some browsers block third-party
cookies by default and certain browser add-ons enable blocking or removal of
cookies and flash cookies, fingerprints leave no evidence on a user’s
computer. Therefore, it is impossible for you to know when you are being
tracked by fingerprinting.
can test your browser to see how unique it is based on the information that it
will share with the sites that you visit. Panopticlick will give you a
uniqueness score, letting you see how easily identifiable you might be as you
surf the web.
fingerprinting is generally invisible, difficult to prevent, and
semi-permanent. There’s no easy way to delete fingerprints that have been
collected. Computer users determined to prevent fingerprinting can block
video and interactive graphics) may not load, resulting in a blank space on the
called NoScript. The combination of
detecting plugins and fonts, which are necessary to effectively fingerprint a
A company called BlueCava takes
device fingerprinting one step further. BlueCava
is able to identify and track users online across multiple devices, a practice referred to as householding. They can associate multiple devices to
the same person or household, by attaching an IP address to a BlueCava
identifier and by recognizing and collecting information about the various
computers, smartphones, and tablets that people use to connect the
internet. Thus, your behavior on one device can be associated with other
devices from both your home and office. This information can be very
valuable for marketing purposes.
BlueCava’s technology enables them
to recognize computers and devices by collecting information about your
screen type, IP address, browser version, time zone, fonts installed, browser
plug-ins and various other properties of your screen and browser. This
information is put into a “snapshot” and is sent to their servers to create a
unique ID for every browser and to “match” the snapshot to the snapshots they
receive from their marketing partners. When they use snapshots to create
a unique ID, they are also able to group related screens into “households”
based on common characteristics among the snapshots, such as IP addresses. BlueCava allows you to opt out of tracking.
3. Mobile Apps
If you use a smartphone or other mobile device to access the Internet, chances
are that you may be using mobile applications (apps) rather than an Internet
browser for many online activities. An app is a program you can download and
access directly using your mobile device. There are hundreds of thousands of
apps available, including numerous free or low-priced choices. Unfortunately,
apps can collect all sorts of data and transmit it to the app-maker and/or
third-party advertisers. This data may then be shared or sold.
Some of the data points that an app
may access from your smartphone or mobile device include:
your phone and email contactscall logsinternet datacalendar datadata about the device’s locationthe device’s unique IDsinformation about how you use the app itself
Many apps track your location. There
are location-based services like Yelp and Foursquare that may need your location in
order to function properly. However, there are also apps (such as a
simple flashlight) that do not need your location to function and yet still
Smartphones and other mobile devices
may ask you for specific permissions when you install an app. Read these and
think about what the app is asking for permission to access. Ask
yourself, “Is this app requesting access to only the data it needs to
function?” If the answer is no, don’t download it. Learn where to go on your
particular phone to determine what you will allow the app to access, and if you
are at all suspicious do more research on the app before you download.
Mobile apps generally do not
provide ad networks with the ability to set a cookie to track users.
Instead, ad networks may use your smartphone’s device identifier. To opt out of
targeting that relies on your smartphone’s device identifier, you must provide
the ad networks with your identifier to be kept on their “do not target” list.
4. Privacy Policies
One way to protect your privacy online
is to understand how a site or app will use and share your personal
information. Websites and apps generally provide this information in
California’s Online Privacy Protection Act
(CalOPPA) requires commercial websites or mobile apps that collect
personal information on California consumers to conspicuously post a
the categories of personally identifiable information collected about
site visitors and the categories of third parties with whom the operator
information on the operator’s online tracking practices. CalOPPA is the
in the United States to impose disclosure requirements on website
that track consumers’ online behavior. As a practical matter, CalOPPA
applies nationwide as long as the site operator collects personal
information from California consumers.
According to the California Attorney General, a website, app, or other online service may violate this law if:
The California Attorney General operates an online complaint form that consumers may use to report violations.
5. Accessing the Internet
are likely to access the internet using one or more of these services:
Service Provider (ISP)A Mobile
(Cellular) Phone CarrierA Wi-Fi Hotspot
you use a computer to access the internet and pay for the service
yourself, you signed up with an Internet Service Provider (ISP). Your
ISP provides the mechanism for connecting to the internet.
computer connected to the internet, including yours, has a unique address,
known as an IP address (Internet Protocol address). It takes the form of four sets
of numbers separated by dots, for example: 220.127.116.110. It’s that number that
actually allows you to send and receive information over the internet.
upon your type of service, your IP address may be “dynamic”,
that is, one that changes periodically, or “static”, one that
is permanently assigned to you for as long as you maintain your service.
IP address by itself doesn’t provide personally identifiable information.
However, because your ISP knows your IP address, it is a possible weak link
when it comes to protecting your privacy. ISPs have widely varying
policies for how long they store IP addresses. Unfortunately, many ISPs
do not disclose their data retention policies. This can make it difficult
to shop for a “privacy-friendly” ISP.
you visit a website, the site can see your IP address. Your IP address can
let a site know your geographical region. The level of accuracy depends upon
how your ISP assigns IP addresses.
can block your IP address by utilizing a service such as Tor which effectively
blocks this information. Another alternative is to use a Virtual Private
Network (VPN). A VPN replaces your IP address with one from the VPN provider. A
VPN subscriber can obtain an IP address from any gateway city the VPN service
you access the internet with a phone or other mobile device, you may
access the internet using a data plan tied to your cellular phone
service. If you have a data plan, your service provider (such as
AT&T, Sprint, Verizon, and T-Mobile) collects data about your usage.
Whenever you have an opportunity to create and use a
password to protect your information, make sure that you use a strong password.
Passwords are the first line of defense against the
compromise of your digital information. Revealing
the data on your phone, your banking information, your email, your medical
records, or other personal information could be devastating. Yet many people fail to follow proper
practices when selecting the passwords to protect this important
information. Many websites that store your personal information (for example
web mail, photo or document storage sites, and money management sites) require
a password for protection. However, password-protected websites are becoming
more vulnerable because often people use the same passwords on numerous sites.
Strong passwords can help individuals protect themselves against hackers,
identity theft and other privacy invasions.
Here are some password
“dos” and “don’ts” that can help you to maintain the security of your personal
Do use longer
passwords. Passwords become harder to
crack with each character that you add, so longer passwords are better than
shorter ones. A brute-force
attack can easily defeat a short password. Do use special
characters, such as $, #, and &.
Most passwords are case sensitive, so use a mixture of upper case and
lower case letters, as well as numbers.
An online password checker
can help you determine the strength of your password.Don’t “recycle”
a password. Password-protected sites are
often vulnerable because people often use the same passwords on numerous
sites. If your password is breached,
your other accounts could be put at risk if you use the same passwords.Don’t use
personal information (your name, birthday, Social Security number, pet’s name,
etc.), common sequences, such as numbers or letters in sequential order or
repetitive numbers or letters, dictionary words, or “popular“
obligated to change your passwords frequently, unless you believe that your
password has been stolen or breached. Conventional
wisdom considered changing passwords to be an important security practice. Recent research
suggests that people who change their passwords frequently select weaker
passwords to begin with, and then change them in predictable ways. Of
course, if you believe that your password has been breached or compromised, it
is essential to change it immediately.Don’t share your
passwords with others. One study found that more than one-third (36%) of people who share passwords in the
United States have shared the password to their banking account.Do
enable two-factor authentication
(when available) for your online accounts. Typically, you will enter
your password and then a code will be sent to your phone. You will need
to enter the code in addition to your password before you can access the
account. Twofactorauth.org has an
extensive list of sites and information about whether and how they support
two-factor authentication. Don’t write down
your passwords or save them in a computer file or email. Consider a password manager
program if you can’t remember your passwords.
Alternatively, keep a list of passwords in a locked and secure location,
such as a safe deposit box.
Password recovery methods are
frequently the “weakest link”, enabling a hacker to reset your
password and lock you out of your account. Be sure that you don’t pick
a question which can be answered by others. Many times, answers to these
questions (such as a pet’s name or where you went to high school) can be
ascertained by others through social networking or other simple research tools. It’s also a good idea to have your password
resets go to a separate email account designed for resets only.
7. Wireless Networks and Wi-Fi
and businesses establish wireless networks to link multiple computers, printers, and
other devices and may provide public access to their networks by establishing
Wi-Fi hotspots. A wireless network offers the significant advantage of enabling
you to build a computer network without stringing wires. Unfortunately, these
systems usually come out of the box with the security features turned off. This
makes the network easy to set up, but also easy to break into.
Most home wireless access points, routers, and gateways are shipped with a default network
name (known as an SSID) and default administrative credentials (username and password)
to make setup as simple as possible. These default settings should be changed
as soon as you set up your Wi-Fi network. In addition, some routers are
equipped by default with “Guest” accounts that can be accessed
without a password. “Guest” accounts should be disabled or
typical automated installation process disables many security features to
simplify the installation. Not only can data be stolen, altered, or
destroyed, but programs and even extra computers can be added to the unsecured
network without your knowledge. This risk is highest in densely populated
neighborhoods and office building complexes.
Home networks should be secured with a minimum of WPA2 (Wi-Fi Protected Access
version 2) encryption. You may have to specifically turn on WPA2 to use
it. The older WEP encryption has become an easy target for hackers. Also, do
not name your home network using a name that reveals your identity. Setting up
your home Wi-Fi access point can be a complex process and is well beyond the
scope of this fact sheet. To ensure that your system is secure, review your
user’s manuals and web resources for information on security.
of Wi-Fi hotspot locations has grown dramatically and includes schools,
libraries, cafes, airports, and hotels. With a Wi-Fi connection you can
be connected to the Internet almost anywhere. You can conduct the same
online activities over Wi-Fi as you would be able to at home or work, such as
checking email and surfing the web. However,
you must consider the risks to your privacy and the security of your device when using a Wi-Fi hotspot. Most Wi-Fi hotspots are unsecured and
Even the expensive pay Wi-Fi service available in many airplanes may be as
insecure as the free Wi-Fi offered at your corner coffee house. Therefore,
you must take additional steps to protect your privacy.
the network at a Wi-Fi hotspot is unsecured, Internet connections remain open
to intrusion. Hackers can intercept network traffic to steal your information. There are
3 major privacy threats in a Wi-Fi hotspot:
Attack refers to the act of intercepting the connection between your
computer and the wireless router that is providing the connection. In a
successful attack, the hacker can collect all the information transferred and
replay them on his computer. Eavesdropping
refers to the act of using sniffer software to steal data that is being
transmitted over the network. A sniffer is an application or device that can
read, monitor, and capture network data. This is particularly dangerous when
conducting transactions over the internet since sniffers can retrieve logon
details as well as important information such as credit card numbers. Looking
over the shoulder is the simple act of others looking over your shoulder
to see your activities.
are various ways to help protect your privacy when using Wi-Fi. Begin
with basic common sense. Look around to see if anyone is surreptitiously
trying to look at your computer. Do not leave your computer
unattended. Never conduct unsecured transactions over unsecured Wi-Fi.
When entering sensitive information (such as your Social Security number,
password, or credit card number), ensure that either the webpage encrypts the
information or that your Wi-Fi connection is encrypted. Disable your wireless
adapter if you are not using the Internet. Otherwise, you leave your
computer open to vulnerabilities if it accidentally connects to the first
(Virtual Private Network).
This is the first line of defense against vulnerabilities created by Wi-Fi. A
VPN provides encryption over an unencrypted Wi-Fi connection. This will help
ensure that all web pages visited, log-on details, and contents of email
messages remain encrypted. This renders intercepted traffic useless to the
hacker. You can obtain software to set up a VPN through your office or home
computer, or you can use a commercial provider’s hosted VPN service.
checking your email or conducting any important transaction, adding an “s”
after “http” may give you a secured connection to the webpage. Many
webmail services provide this feature. This ensures that your login details are
encrypted thereby rendering it useless to hackers. Although your email login
may be encrypted, some webmail providers may not encrypt your Inbox and
SSL (Secure Sockets Layer) certificates on all websites on which you conduct
sensitive transaction. SSL creates a secure connection between a client
and a server, over which any amount of data can be sent securely.
that your computer is not set to automatically connect to the nearest available
Wi-Fi access point. This may not necessarily be a legitimate connection point
but instead an access point on a hacker’s computer.
that file sharing is disabled on your computer to ensure that intruders cannot
access your private files through the network.
firewall on your computer and keep it enabled at all times when using Wi-Fi.
This should prevent intrusion through the ports on the computer.
your computer’s software and operating system up-to-date. This will help
plug security holes in the software or operating system.
8. Additional Privacy Issues
Using Search Engines
engines have the ability to track each one of your searches. They can record
your IP address, the search terms you used, the time of your search, and other
information. Startpage, a search engine operated by
Ixquick, based in The Netherlands, does not record users’ IP addresses at all.
company retained the information, it would eventually be misused. The company
concluded, “If the data is not stored, users privacy can’t be breached.”
Startpage will remove all identifying information from your query and submit it
anonymously to Google. Startpage uses advanced encryption technology for your
search queries. DuckDuckGo is another search engine that,
It’s a good idea to avoid using the same website for both your web-based email
and as your search engine. Web email accounts will always require some
type of a login, so if you use the same site as your search engine, your
searches can be connected to your email account. By using different
websites for different needs — perhaps Yahoo for your email and Google for
your searches — you can help limit the total amount of information retained by
any one site. Alternatively, log out of your email and clear your browser’s
cookies before going to other sites, so that your searches and browsing are not
connected to your email address. Another method for preventing a search
engine from associating your searches and web browsing with your web mail
account is to use a different browser for your email account than for your
searches and web browsing.
Avoid downloading search engine toolbars (for example, the Google toolbar or
Yahoo toolbar). Toolbars may permit the collection of information about your
web surfing habits. Watch out that you do not inadvertently download a
toolbar when downloading software, particularly free software.
you correspond through email you are no doubt aware that you are giving
information to the recipient. You might also be giving information to
any number of people, including your employer, the government, your email
provider, and anybody that the recipient passes your message to. An
unencrypted email message can potentially be seen by anyone while in
transit. If sent from an employer-owned device, it could be read by your
you use a webmail service such as Gmail or Yahoo, your emails could be scanned
by the webmail provider, both to detect spam and to deliver advertising content.
Gmail scans incoming emails and places relevant advertisements next to the email.
Yahoo Mail says that it performs “automated content scanning and analyzing
of your communications content.” If your recipient uses Gmail, Google will scan
your message and provide advertisements to the recipient even if you, the
sender, do not use Gmail.
website or app can determine the approximate location of your computer or
device by using one of several technologies. If you are using a computer,
your IP address can identify your approximate location. Most IP addresses
can identify you by your city or metropolitan area. Some can identify a
more specific location.
can block your IP address by utilizing a service such as Tor which effectively blocks this
information. Another alternative is to use a Virtual Private Network
(VPN). A VPN replaces your IP address with one from the VPN provider. A VPN
subscriber can obtain an IP address from any gateway city the VPN service
you are using a wireless connection, Wi-Fi triangulation can determine your
location by surveying nearby wireless networks. Similarly, GPS
triangulation can determine your location from a network of satellites.
GPS triangulation is more accurate than Wi-Fi triangulation. Finally,
cell phone tower identification can determine the location of a smartphone.
Your location information might be used for a useful purpose, for example,
providing accurate travel directions. However, it may also be stored and
combined with other information about you and used for behavioral marketing and
information can pose a significant privacy risk, particularly when it is stored
or combined with other information about you. It can reveal your
whereabouts at any given time, including your presence at sensitive
locations. It can be dangerous for individuals who are stalking or
domestic violence victims.
is very easy to get duped into clicking on a malicious link. If you click on a
malicious link, you will most likely be taken to a site that tricks you into
providing personal information that can then be used to steal your money, or
even worse, your identity. Clicking on a dangerous link could also cause
malware to automatically download onto your computer.
links may look like they were sent by someone you trust, such as:
A friend or
someone who you know. A
legitimate-looking company selling a product or service. A bank or other
business that you have an existing account with.
people think that malicious links arrive by email. But, criminals are finding
even sneakier ways to trick you into clicking on a dangerous link. You could
receive the malicious link in an instant message, a text message, or on a
social networking site like Facebook or Twitter.
links are hard to spot. They often:
misspelled versions of well-known URLs. Use popular URL
shortener sites to hide the real
Use simple HTML
formatting to hide the real URL. This is the most common method for
emailed dangerous links. You think you’re clicking on a trustworthy link,
but you are redirected to a dangerous link.
protect yourself from malicious links, consider the following tips:
Do not click on
a link that appears to be randomly sent by someone you know, especially if
there is no explanation for why the link was sent, or if the explanation
is out of character for the sender (i.e. horribly misspelled or talking
about what a great deal they discovered). Do not click on
a link that was sent to you by a business you don’t know that is
advertising a great deal. Instead, perform an online search for the
business, make sure it’s legitimate, and go directly to the business’
website to find the deal yourself. Do not click on
a link that was sent to you by a business you have an existing account
with. Either go to the business’ site yourself, or call up the business
and confirm the legitimacy of the link. Note that some
businesses may require that you verify your email address as part of a
registration process, which requires you to click on a link contained in
an email. Typically, the link will be emailed to you immediately after you
register online with the business. It’s a good idea to check your email
right after you register with a business.
Federal Trade Commission (FTC) is the federal government’s primary agency for online
privacy oversight. The FTC’s Onguard Online website offers tips
for avoiding internet fraud, securing your computer and ways to protect your
U.S. Computer Emergency
offers numerous computer security tips.