Chapter 8

Chapter 8. Hiding One's Identity

IN THIS CHAPTER

        Degrees of Exposure

        Web Browsing and Invasion of Privacy

        Browser Security

        Your Email Address and Usenet

        A Warning

If you are looking to protect your data, there are many tools available to you. The list is almost endless: digital certificates, packet filters, strong encryption, firewalls, virus utilities, virtual private networks, network appliances, and a dozen other tools. Each can offer some assurance that your Internet site and network is safe. What about more basic issues? For example, what steps can you take to secure your privacy while surfing online? As with data protection, there are also several methods available for protecting your personal privacy on the Internet. This chapter looks at these methods.

Degrees of Exposure

Unless you take steps to prevent it, your identity will eventually be exposed if you surf the Internet. That exposure will manifest in different forms and degrees, depending on many factors, including

        Your network connection

        Your browser

        Your public traffic

        The plug-ins and applications you support

These variables expose you to two different types of intelligence:

        Human intelligence

        Network intelligence

Let's examine each in turn.

Human Intelligence

Human beings spy on you. Through such spying, they can discover your identity, track your movements, or even catch you in a criminal act. Of all forms of intelligence, human intelligence is the oldest. (In fact, spies often muse that human intelligence is the world's oldest profession.)

Human intelligence comes in two flavors, collective and penetrative:

        Collective intelligence has as its chief objective to collect information without necessarily establishing direct contact.

        Penetrative intelligence has as its chief objective to establish direct contact, gain the contacted person's trust, and obtain information on an ongoing basis.

The Internet is a superb tool for collective intelligence. For example, consider your posts to Usenet. These are available to the public, to persons known and unknown. Others can track your messages closely and can learn a great deal about you by doing so. Naturally, this presents law enforcement agencies with a unique opportunity. Simply by using search engines, they can conduct collective intelligence at a whim.

This is completely different from the situation 25 years ago. To illustrate how different, let me take you back to the early 1970s. Here in America, the '70s were filled with political turmoil. Many radical organizations emerged, and some advocated violent overthrow of the government. U.S. intelligence agencies responded by conducting collective and penetrative operations. These operations were carried out by human beings. For example, to identify supporters of the Students for a Democratic Society, the FBI would send agents on foot. (These agents might have been employed by the FBI, or they might have been civilian informers. It didn't really matter which.) Such agents would mix with the crowds at political rallies and record license plate numbers, or gather names. Later, field agents would connect faces, fingerprints, and addresses to those names by running license plate files, retrieving criminal records, or questioning still other informants.

Those methods are no longer necessary. Instead, the Internet enables intelligence agencies to monitor public sentiment from the comfort of their own offices. Furthermore, they can do this without violating any law. No search warrant is required to study someone's activity on the Internet. This means that any agency can freely utilize tools and software available on the Internet to collect data on anyone. Likewise, no warrant is required before using the Internet to compile lists of people who might be involved in illegal or seditious activity. A warrant is only required when the data needed resides on private systems, such as an ISP. Obtaining a subpoena, an intelligence agency can then gain access to ISP log files, any e-mail traffic (if available), and any other digital data pertaining to the individual.

If you harbor radical political views, you should keep them to yourself. (Either that or gain a decent education in cryptography.) Here's why: Today's search engines can be used to isolate all Usenet traffic between a particular class of individuals (militia members, for example). You can bet your last dollar that Kirk Lyons (a white supremacist lawyer whose clients have been a "Who's Who" of the radical right) has been monitored closely by the FBI.

Be forewarned: Usenet is not a forum to exercise your right to free speech. Instead, it's a place where you are exposed, naked to the world. Usenet is just the beginning. Six out of every ten Web sites you visit track your movements. (Probably eight out of ten big commercial sites try to.) Advances in digital snooping make it possible for nearly anyone with a computer to become an electronic Peeping Tom.

Recently, the FBI introduced DCS1000, a system that, when plugged into a computer network, captures and tracks all network communication through that system. DCS1000 has created a large controversy with privacy advocates. One of the biggest reasons for this is simply that DCS1000 is not designed to monitor just a single individual (or select individuals) whom the FBI might be legally wiretapping. It captures all communications on the systems that the investigators plug it into. Recently, with the help of the Freedom of Information Act, about 600 documents relating to DCS1000 were released. From this information, SecurityFocus.com has put together an interesting overview:

Newly declassified documents obtained by Electronic Privacy Information Center (EPIC) under the Freedom of Information Act reveal that DCS1000 can monitor all of a target user's Internet traffic, and, in conjunction with other FBI tools, can reconstruct web pages exactly as a surveillance target saw them while surfing the web.

This is fine for tracking and monitoring illegal activities of people suspected of criminal activ ity, but what about all the innocent users that have unknowingly had their privacy violated? The FBI doesn't let the public know what it does with that data gathered from DCS1000.

Note

DCS1000 is the most recent name for the program formerly known as Carnivore.

Web Browsing and Invasion of Privacy

Before Web browsers existed, you could only access the Internet from a command-line interface. This interface was bare bones and intimidating to most people. Browsers changed that by turning the Internet into a point-and-click paradise; anyone with a mouse could easily navigate the World Wide Web. The results were phenomenal. Indeed, practically overnight, millions of users flocked to the Web.

When humanity rushed to the Web, marketing agencies took notice. This question was immediately posed: How can we use the Internet to make a buck? Companies came up with various answers, including electronic commerce. (In electronic commerce, consumers buy products or services over the Web, right from their own homes.)

From the start, there was a strong drive to develop methods of tracking not only consumer purchases but also consumer interests. Many such methods emerged by 1993, and today there are more than a dozen. In the following pages, you learn how your identity is ferreted out, bit by bit, by persons known and unknown.

Internet Architecture and Privacy

I'll begin by making a blanket statement and one you should never forget: The Internet's architecture was not designed with personal privacy in mind. In fact, there are many standard Internet utilities designed specifically for tracing and identifying users.

In a moment we'll examine some and how they work. First, however, we need to cover how user information is stored on servers.

How User Information Is Stored on Servers

There are two universal forms of identification on the Internet: your email address and your IP address. Both reveal your identity. At a minimum, both serve as good starting places for a spy.

Your email address in particular can reveal your real name. Here's why: Even if your Internet service provider uses Windows NT to host a few Web sites, almost all ISPs use UNIX as their base platform. That's because UNIX (coupled with a protocol called RADIUS) makes management of dial-up accounts very easy. (It also provides better mail support than Windows NT if you are dealing with hundreds or even thousands of accounts.)

On the UNIX system, user information is stored in a file called passwd, which is located in the /etc directory. This file contains user login names, usernames, and occasionally, user passwords (although only in encrypted form). An entry from the passwd file looks like this:

jdoe:x:65536:1:John Doe:/export/home/jdoe:/sbin/sh

If you examine the entry closely, you'll see that the fields are colon-delimited. Here you should be concerned with fields 1, 5, and 6. Using the entry as an example, those fields are as follows:

        jdoe Your username

        John Doe Your real name

        /export/home/jdoe Your home directory

This information is vital, and UNIX uses it for many tasks. For example, this information is double-checked each time you log in, each time you receive mail, and each time you log out. Unfortunately, the information is also usually available to the general public through a utility called finger.

Finger

Finger is a service common to UNIX systems. Its purpose is to provide user information to remote hosts, and, like all TCP/IP services, finger is based on the client/server model.

When a UNIX system first boots, it loads nearly a dozen remote services (for example, a Web server, an FTP server, a Telnet server, and so forth). The finger server is called fingerd, and is commonly referred to as the finger daemon.

The finger daemon listens for local or remote requests for user information. When it receives such a request, it forwards whatever information is currently available on the target. (The target in this case is you.)

On UNIX, a finger request can be issued from a command prompt. The results from the finger server are then printed to the local terminal. Here's what a command-prompt finger request looks like:

$finger -l jdoe@john-doe.com

The command translates into plain English like this: "Look up jdoe and tell me everything you can about him." When a user issues such a request, the finger daemon at john-doe.com is contacted. It searches through the system for jdoe and ultimately, it returns this information:

Login name: jdoe  In real life: John Doe

Directory: /  Shell: /sbin/sh

Last login Tue May 18 19:53 on pts/22

New mail received Mon May 18 04:05:58 1997;

  unread since Mon May 18 03:20:43 1997

No Plan.

For years, this information was available only to UNIX and VAX/VMS users. Not any more. Today, there are finger clients (programs that perform finger lookups) for all platforms. Table 8.1 lists a few.

Note

Windows NT now has integrated finger support, so a third-party client is not required. To finger someone from an NT box, simply open a command prompt window and type finger_target@host.com.

These days, most system administrators deny remote finger requests to their networks, even internally. When network finger requests are allowed, they are often unrestricted and unregulated. This permits remote users to identify not only you, but everyone on the system. To do so, remote users issue the following command:

finger @my_target_host.com

The @ symbol works precisely as an asterisk does in regular expression searches. In plain English, the command says this: "Tell me about all users currently logged on."

When writing this chapter, I wanted to give you an example, so, I fingered all users at Reed College in Portland, Oregon. Here is the result from that query:

finger @reed.edu

[reed.edu]

Login  Name  TTY Idle  When  Office

copeland D. Jeremy Copeland  *p1  12 Tue 19:24  Box 169  775 6945

boothbyl Lawrence E. Boothby  p3 121d Sun 09:05

mab  Mark Bedau  p4  Tue 19:32

copeland D. Jeremy Copeland  p6  4 Tue 19:29  Box 169  775 6945

slam  Greg (don't call me  p7  13d Wed 08:36  Box 470  or Coleman

slam  Greg (don't call me  p8  18d Fri 07:29  Box 470  or Coleman

mayer  Ray Mayer  *p9  2d Mon 16:59  (fac)  

mcclellj Joshua J McClellan  pf  4d Fri 14:45  (813)  

slam  Greg (don't call me  pe  6d Wed 08:19  Box 470  or Coleman

mcclellj Joshua J McClellan  q0  4d Fri 16:12  (813)  

moored  Dustin B Moore  q2 6:32 Tue 13:05  (1172)  

obonfim  Osiel Bonfim  q3 3:02 Mon 16:07

rahkolar Rahua Rahkola  q6  46 Tue 18:34

obonfim  Osiel Bonfim  q9 2:59 Tue 09:45

mcclellj Joshua J McClellan  qb  4d Fri 15:00  (813)  

jwitte  John Witte  *qc 4:00 Tue 15:14

lillieb  Ben Lillie  r3  58 Tue 13:11  P04  

szutst  Tobi A. Szuts  *r7  5 Tue 14:51  (819)  

mcclard  Ron McClard  *re 1:22 Mon 10:55  (x218)  

queue  Print Queue Display  qd  8d Mon 15:42

jimfix  James D. Fix  *qf  32 Tue 13:04

mcclellj Joshua J McClellan  r6 3:50 Mon 10:47  (813)

It doesn't look like these folks have much privacy, does it? Well, here's a fact: 99% of listings I checked around the Internet revealed the users'real names. If you think that listing only your company name will hide your identity, think again. Take a look at the first line of the preceding output:

copeland D. Jeremy Copeland  *p1  12 Tue 19:24  Box 169  775 6945

Here, as you can see, we already have this person's full name, his login name and email address (Copeland@reed.edu), and a phone number. Using Google (http://www.google.com), I found his personal Web site at Reed College. I can also safely assume from the location of the college that he is in Portland, Oregon. A search on Worldpages (http://www.worldpages.com) gave me four individuals matching this person, all with home phone numbers and personal addresses. Not a lot of personal privacy here, is it?

In many cases, by starting with finger and ending with WorldPages, you can find someone's home address (along with a map for directions) in fewer than 30 seconds. If someone tells you that finger doesn't present a privacy issue, give them a copy of this book. Finger can bring a total stranger right to your doorstep.

Solutions for the Finger Problem

There are solutions for the finger problem. However, before you bother, you should check to see whether you are a viable target.

Note

If you use America Online, know that AOL does not allow finger requests on their users.

There are two ways to determine whether you are a viable finger target:

        Perform a finger query on yourself.

        Check the /etc/passwd file on your ISP's server.

To check from a shell prompt, issue either of the following commands:

grep your_username /etc/passwd

ypcat passwd || cat /etc/passwd | grep your_username

These commands will print the information in the server's /etc/passwd file. The output will look like this:

jdoe:x:65536:1:John Doe:/export/home/jdoe:/sbin/sh

If you are a viable finger target, there are several things you can do to minimize your exposure:

        Use the utility chfn to alter the finger information available to outsiders.

        If chfn is not available, request that the system administrator change your information.

        Cancel your current account and start a new one.

Note

You might be puzzled why I suggest canceling your account. Here's why: It was you who provided the information in the /etc/passwd account. You provided that information when you signed up. If you can't access chfn and your SA refuses to change this information, it will remain there until you cancel your account. If you cancel your account and create a new one, you can dictate what information the server has on you.

On the other hand, if you don't care about getting fingered but you simply want to know who's doing it, you need MasterPlan.

MasterPlan

MasterPlan (written by Laurion Burchall) takes a more aggressive approach by identifying who is trying to finger you. Each time a finger query is detected, MasterPlan captures the hostname and user ID of the fingering party. This information is stored in a file called finger_log. MasterPlan will also determine how often you are fingered, so you can detect whether someone is trying to clock you. (In clocking, user A attempts to discern the habits of user B via various network utilities, including finger and the r commands.)

Tip

The r commands consist of a suite of network utilities that can glean information about users on remote hosts.

In clocking, the snooping party uses an automated script to finger his target every X number of minutes or hours. Reasons for such probing can be diverse. One is to build a profile of the target: When does the user log in? How often does the user check mail? From where does the user usually log in? From these queries, a nosy party can determine other possible points on the network where you can be found.

Here's an example: A cracker I know wanted to intercept the email of a nationally renowned female journalist who covers hacking stories. This journalist had several accounts and frequently logged in to one from another. (In other words, she chained her connections. In this way, she was trying to keep her private email address a secret.)

By running a clocking script on the journalist, the cracker was able to identify her private, unpublished email address. He was also able to compromise her network and ultimately capture her mail. The mail consisted of discussions between the journalist and a software engineer in England. The subject matter concerned a high-profile cracking case in the news. (That mail was later distributed to crackers'groups across the Internet.)

MasterPlan can identify clocking patterns, at least with respect to finger queries. The utility is small and easy to configure. The C source is included, and the distribution is known to compile cleanly on most UNIX systems. (The exceptions are Ultrix and NeXT.) One nice amenity for Linux users is that a precompiled binary comes with most distributions. The standard distribution of MasterPlan is available at the following address:

    ftp://ftp.netspace.org/pub/Software/Unix/masterplan.tar.Z

The Linux-compiled version is available at this address:

    ftp://ftp.netspace.org/pub/Software/Unix/masterplan-linux.tar.Z

Note

MasterPlan does not prevent others from fingering you; it simply identifies those parties and how often they finger you. Unfortunately, as of this date, MasterPlan is only available for UNIX and is no longer maintained.

After you shield yourself against finger queries, you might feel that your name is safe from prying eyes. Wrong again. Finger is just the beginning. There are a dozen other ways your email address and your name reveal information about you.

Beyond Finger

Even if your provider forbids finger requests, your name is still easy to obtain. When snoops try to finger you and discover finger isn't running, they turn to your mail server. In most cases, servers accept Telnet connections to port 25 (the port that sendmail runs on). Such a connection looks like this:

220 shell. Sendmail SMI-8.6/SMI-SVR4 ready at Wed, 19 Feb 1997 07:17:18 -0800

If outsiders can reach the prompt, they can quickly obtain your name by issuing the following command:

expn username

The expn command expands usernames into email addresses and real names. The response will typically look like this:

username <username@target_of_probe.com> Real Name

The first field will report your username or user ID, followed by your email address, and finally, your "real" name.

System administrators can disable the expn function, but few actually do. In any event, if the expn function is operable, nosy individuals can still get your real name, if it is available. Again, the best policy is to remove your real name from the passwd file.

Note

Unfortunately, even if the expn function has been disabled, the snooping party can sometimes still verify the existence of your account using the vrfy function (if your server supports it).

As you can see, finger poses a unique privacy problem but that's just the beginning.

Browser Security

With the rise of electronic commerce, various methods to track your movements have been developed. Three key methods are implemented through your Web browser:

        IP address and cache snooping

        Cookies

        Banner ads and Web bugs

By themselves, these techniques seem harmless enough. However, if you want to remain anonymous, you must take steps to safeguard yourself against them. Let's examine each in turn.

IP Address and Cache Snooping

Each time you visit a Web server, you leave behind a trail. This trail is recorded in different ways on different servers, but it is always recorded. A typical log entry on UNIX (running Apache) looks like this:

153.35.38.245 [01/May/1998:18:12:10 -0700] "GET / HTTP/1.1" 401 362

Note the first entry (the IP address). All Web server packages are capable of recording visitor IP addresses. However, most Web servers can also record other information, including your hostname and even your username. To see what a Web server can tell about you, visit this site:

http://www.agentz.com/browsers/cgitest.cgi

I had a friend at JetLink Internet services visit that site. Here is the information that server returned on him:

[View full width]

The host SERVER_NAME, DNS alias, or IP address is: "www.ixd.com"

The name and revision of the SERVER_SOFTWARE is: "Netscape-Enterprise/2.0a"

The name and revision of the SERVER_PROTOCOL is: "HTTP/1.0"

The SERVER_PORT number for this server is: "80"

The SERVER_ADMINistrator e-mail address is: ""

The name and revision of cgi GATEWAY_INTERFACE is: "CGI/1.1"

The extra PATH_INFO included on the URL is: ""

The actual extra PATH_TRANSLATED is: ""

The server DOCUMENT_ROOT directory is: ""

The cgi SCRIPT_NAME is: "/cgi-bin/cgi-test.cgi"

The query REQUEST_METHOD is: "GET"

The QUERY_STRING from Form GET is: ""

The CONTENT_TYPE of the Form POST data is: ""

The CONTENT_LENGTH of the Form POST data is: ""

The name of the REMOTE_HOST making the request is: "ppp-208-19-49- 216.isdn.jetlink.net"

The IP REMOTE_ADDRress of the remote host is: "208.19.49.216"

The authentication (AUTH_TYPE) method is: ""

The authenticated REMOTE_USER is: ""

The remote user (REMOTE_IDENT) for (rfc 931) is: ""

The MIME types that the client will (HTTP_ACCEPT): "image/gif, image/x-xbitmap, image/

jpeg, image/pjpeg, image/png, */*"

The client's browser type (HTTP_USER_AGENT) is: "Mozilla/4.04  (Win95; U)"

The page (HTTP_REFERER) that client came from:

"http://altavista.digital.com/cgi-bin/query?pg=q&text=yes&q= %22test%2ecgi%22&stq=10"

The e-mail address (HTTP_FROM) of the client is: ""

Note that in addition to grabbing the IP address, the server also grabbed the dial-up line my friend was using:

The name of the REMOTE_HOST making the request is: "ppp-208-19-49- 216.isdn.jetlink.net"

However, even more importantly, the server identified the last site my friend visited:

The page (HTTP_REFERER) that client came from:

"http://altavista.digital.com/cgi-

bin/query?pg=q&text=yes&q=%22test%2ecgi%22&stq=10"

The script that captured that information is called test-cgi. It is used to capture basic environment variables, both on the server and client sides. (As it happens, test-cgi can also be a tremendous security hole, and most ISPs remove it from their servers.)

Using these logs and scripts, Webmasters can precisely pinpoint where you are, what your network address is, and where you've been. Are you uncomfortable yet? Now quickly examine cookies.

Cookies

Cookies. The word might sound inviting to you, but not to me I very much value my privacy. In the past, many reporters have written articles about cookies, attempting to allay the public's fears. In such articles, they minimize the influence of cookies, dismissing them as harmless. Are cookies harmless? Not in my opinion.

Cookies (which Netscape calls Persistent Client State HTTP Cookies) are used to store information about you as you browse a Web page. The folks at Netscape explain it this way:

This simple mechanism provides a powerful new tool that enables a host of new types of applications to be written for Web-based environments. Shopping applications can now store information about the currently selected items, for fee services can send back registration information and free the client from retyping a user-id on next connection, sites can store per-user preferences on the client, and have the client supply those preferences every time that site is connected to.

The article from which the previous quote is excerpted, Persistent Client State HTTP Cookies, can be found at http://home.netscape.com/newsref/std/cookie_spec.html.

The cookie concept is like getting your hand stamped at a dance club that serves cocktails. You can roam the club, have some drinks, dance the floor, and even go outside for a few minutes. As long as the stamp is on your hand, you will not have to pay again, nor will your access be restricted. Similarly, cookies enable Web servers to "remember" you, your password, your interests, and so on. That way, when you return, this information is automatically retrieved. The issue concerning cookies, though, isn't that the information is retrieved. The controversy is about where the information is retrieved from your hard disk drive.

The process works like this: When you visit a Web page, the server writes a cookie to your hard disk drive. This cookie is stored in a special file.

Note

Windows users can find the cookies file in varying places, depending on their browser type and their version of Windows. Cookies in older distributions are kept in a file called cookies.txt. In newer distributions (and with Microsoft Internet Explorer), cookies are stored individually in the directory C:\WINDOWS\COOKIES. (On Macintosh systems, the file is called MagicCookie.)

Here are some typical entries from a cookie file:

[View full width]

www.webspan.net  FALSE  /~frys  FALSE  859881600  worldohackf  2.netscape.com 

 TRUE  /  FALSE  946684799 NETSCAPE_ID

1000e010,107ea15f.adobe.com  TRUE  /  FALSE  946684799  INTERSE 207.171.18.182 

6852855142083822www.ictnet.com  FALSE  /  FALSE 946684799  Apache  

pm3a-4326561855491810745.microsoft.com  TRUE  /  FALSE  937422000  MC1 

GUID=260218f482a111d0889e08002bb74f65.msn.com  TRUE  /  FALSE 937396800  MC1  

ID=260218f482a111d0889e08002bb74f65comsecltd.com FALSE  /  FALSE  1293753600  

EGSOFT_ID 207.171.18.176-3577227984.29104071

.amazon.com  TRUE  /  FALSE  858672000  session-id-time 855894626.amazon.com  

TRUE  /  FALSE  858672000  session-id  0738-6510633-772498

This cookie file is a real one, pulled from an associate's hard disk drive. You will see that under the GUID (field number 6), the leading numbers are an IP address. (I have added a space between the IP address and the remaining portion of the string so that you can easily identify the IP. In practice, however, the string is unbroken.) From this, you can see that setting a cookie generally involves recording your IP address.

Advocates of cookies insist that they are harmless, cannot assist in identifying the user, and are therefore benign. That is not true, as explained by D. Kristol and L. Montulli in RFC 2109:

An origin server could create a Set-Cookie header to track the path of a user through the server. Users may object to this behavior as an intrusive accumulation of information, even if their identity is not evident. (Identity might become evident if a user subsequently fills out a form that contains identifying information.)

Today, cookies are routinely used for user authentication. This is disturbing and was immedi ately recognized as a problem. As expressed in RFC 2109:

User agents should allow the user to control cookie destruction. An infrequently-used cookie may function as a "preferences file" for network applications, and a user may wish to keep it even if it is the least-recently-used cookie. One possible implementation would be an interface that allows the permanent storage of a cookie through a checkbox (or, conversely, its immediate destruction).

Despite these early warnings about cookies, mainstream Web browsers still ship with the Accept Cookies option enabled. Worse still, although most browsers have an option that warns you before accepting a cookie, this option is also disabled by default. Netscape Communicator, for example, ships this way. If you use Netscape Communicator, take a moment to go to the Edit menu and choose Preferences. After you have the Preference option window open, click Advanced.

Microsoft Internet Explorer ships in basically the same state. Think about that for a moment: How many new computer owners are aware that cookies exist? Shouldn't they at least be informed that such intelligence gathering is going on? I think so.

Tip

To disable cookies in Internet Explorer, click on Tools, and then select Internet Options from the list. A new window will open. Click the Security tab. You can change the security level to High, or click Custom Level. There you will find the options to disable cookies in Internet Explorer.

Combating Cookies

Cookies can easily be managed and defeated using cookie cutters. These are programs that give you control over cookies (such as viewing them, deleting them, or conditionally refusing them). Table 8.2 provides names and locations of several cookie cutters.

Note

Windows and MacOS users can also make the cookies file or directory read-only. This will prevent any cookies from being written to the drive. UNIX users should delete the cookies.txt file and place a symbolic link there that points to /dev/null.

If you want to learn more about cookies, check out some of the following articles:

        A Cookies Monster? Stephen T. Maher, Law Products Magazine. http://www.usual.com/article6.htm

        Cookies and Privacy FAQ. http://www.cookiecentral.com/n_cookie_faq.htm

        Are Cookie Files Public Record? Dan Goodin, CNET. http://www.news.com/News/Item/0,4,17170,00.html

        How Web Servers' Cookies Threaten Your Privacy. Junkbusters. http://www.junkbusters.com/ht/en/cookies.html

        HTTP State Management Mechanism (RFC 2109, a document discussing the technical aspects of the cookie mechanism.) http://www.ics.uci.edu/pub/ietf/http/rfc2109.txt

You should also know this: Cookies and the test-cgi script are not the only ways that Webmasters grab information about you. Other, less conspicuous techniques exist. Many JavaScript and Perl scripts can "get" your IP address. This type of code also can get your browser type, your operating system, and so forth. Following is an example in JavaScript:

 <script language=javascript>

  function Get_Browser() {

  var appName = navigator.appName;

  var appVersion = navigator.appVersion;

  document.write(appName + " " + appVersion.substring (0,appVersion.indexOf(" ")));

   }

</script>

JavaScript will get the browser and its version. Scripts like this are used at thousands of sites across the Internet. A very popular one is the "Book 'em, Dan-O" script. This script (written in the Perl programming language) will get the time you accessed the page, your browser type and version, and your IP address.

The "Book 'em, Dan-O" script was written by an individual named Spider. It is currently available for download at Matt's Script Archive at http://worldwidemart.com/scripts/dano.shtml.

Similar programs are available in a wide range of programming languages, including Java. You will find a Java program designed specifically for this purpose here:

http://www.teklasoft.com/java/applets/connect/socket.html

Banner Ads and Web Bugs

You've no doubt visited plenty of Web sites with banner advertisements. The Internet has become a marketing executive's dream come true, with nearly unlimited methods of tracking and recording information on consumers. Today, nearly every popular Web site is littered with annoying banner ads, Web bugs, and targeted marketing. The only cost is your own personal privacy. Banner ads are a necessary evil of the new Internet economy, but did you know that these innocent images can also be used to track users and transmit demographics back to the advertising companies responsible for them?

The methods vary, but it generally works like this: A user visits a popular Web site with a banner ad that has the capability to track. As the page loads, it will grab the required banner image directly off of a Web server run by the advertising company. Every time this happens, the ad server has the capability to log a great deal of information on who is loading that image. Using cookies, sophisticated JavaScript, and CGI, the unwitting visitor might be sending nothing more that her IP, or every piece of personal information she might have submitted to another Web site previously. It is also possible for the remote ad server to set a cookie on the user's computer to help it track that person in better detail.

The latest trend in violating your Web surfing privacy comes from Web bugs. A Web bug is usually a small, transparent gif, 1x1 pixels in size, that works in a similar manner to a tracking banner ad. When the page loads, the invisible Web bug loads also, triggering the same transfer of information that the banner ads can send. The biggest difference is simply stealth. You can't see or detect a Web bug, unless you look at the source for that particular Web page. Take a look at this example from the ZDNet Web site:

<img src="http://ads3.zdnet.com/i/g=r001&c=a56998&idx=2001.01.04.21.48.58/

http://images.zdnet.com/adverts/imp/dotclear.gif">

This is the HTML code to display an image on the ZDNet Web page. This, however, is no ordinary image. It's a Web bug used to track people visiting the Web site. Notice the height and width parameters, and the lack of a border or an ALT entry. This invisible image, when loaded, triggers the ad server at ZDNet to record whatever information they programmed it to retrieve. ZDNet is not alone in this behavior. I simply loaded the first Web site that came to mind, and found this Web bug.

There are several good articles online about the proliferation of Web bugs and banner ads with tracking capabilities. Be sure to check out this article: Nearly Undetectable Tracking Device Raises Concerns by Stefanie Olsen at http://news.cnet.com/news//0-1007-200-2247960.html.

What do these companies need this information for? Why do they violate your privacy, without your permission or consent? Marketing. Marketing and selling products to consumers requires detailed demographics and statistics. With this information, the advertising companies are better able to target a specific group in order to sell them something. If you visit a lot of Web sites related to computers, for instance, you will notice that the ads you see will be designed to get you to buy computer-related products and services. Also, a high traffic Web site can make a good sum of money by enabling advertisers to post banner ads and Web bugs on their pages.

Protecting Yourself from Banner Ads and Web Bugs

Thankfully, there are many solutions for combating intrusive cookies, banner ads, and Web bugs. Today, there are several software programs that you can proxy your Web browser traffic through to block this material. A proxy is a type of software that acts as a sort of middle man between you and the Internet. Your Internet traffic flows through it, and depending on the proxy's functionality, it is sped up, filtered, or redirected. My personal favorite is the Internet Junkbuster. Junkbuster's developers have also recently released a consumer version of Junkbuster called Guidescope, which is aimed at the general public and is easy to install and use. Guidescope offers the same level of protection as Junkbuster, but it is designed to be a lot more user friendly and easier to install and maintain.

Internet Junkbuster acts as a proxy server for all your Web surfing traffic. As you load Web pages, it inspects the incoming code for common patterns used by banner ads and Web bugs. Before this code ever reaches your Web browser, it is stripped from the HTML, effectively sterilizing the privacy-invading banners and bugs. Not only does this help safeguard your privacy, but blocking banner advertisements significantly speeds up Web browsing, and you will find it is a lot easier to concentrate on the information you came to see, rather than flashy obnoxious Web advertising. Internet Junkbuster and Guidescope can also be configured to block cookies.

Note

If your privacy is important, you should take a few minutes to take a look at the Junkbuster Web site. They provide a great deal of information on proactively protecting yourself from invasive advertising in email, postal mail, telemarketing, and other means.

More information on Internet Junkbuster and Guidescope can be found at

  http://www.junkbusters.com

    http://www.guidescope.com

Your Email Address and Usenet

Earlier in this chapter, I claimed that your email address could expose you to spying on Usenet. In this section, I will prove it.

Your email address is like any other text string. If it appears on (or within the source of) a Web page, it is reachable by search engines. When a spy has your email address, it's all over but the screaming. In fact, perhaps most disturbing of all, your email address and name (after they are paired) can reveal other accounts that you might have.

To provide you with a practical example, I pondered a possible target. I was looking for someone who changed email addresses frequently and routinely used others as fronts. Fronts are third parties who post information for you. By using a front, you avoid being pinned down because it's the front's email address that appears, not your own.

I decided to do a bit of research on a controversial person, Kirk D. Lyons of the Southern Legal Resource Center (SLRC). This name might not be too familiar to many people right away. Mr. Lyons is an outspoken attorney with a history of defending right-wing and extremist groups. He has also been a prominent voice and an active participant in several newsworthy incidents, especially in the last 10 years. Mr. Lyons has been directly involved with issues relating to the Oklahoma Federal Building bombing and Timothy McVeigh, the Ruby Ridge incident with Randy Weaver, and the Waco stand-off, to name a few.

Note

The following exercise is not an invasion of Mr. Lyons'privacy. All information was obtained from publicly available databases on the Internet. Instead, this exercise is very similar to the results of an article in a June 1997 Time magazine about Internet privacy. In that article, a Time reporter tracked California Senator Dianne Feinstein. The reporter did an extraordinary job, and even managed to ascertain Senator Feinstein's Social Security number. The article, "My Week as an Internet Gumshoe," is by Noah Robischon. At the time of this writing, it is available online here: http://www.pathfinder.com/time/magazine/1997/dom/970602/technology.my_wek.html.

The first step in tracking an individual is to capture his or her email addresses. To find Kirk D. Lyons's email address, any garden-variety search engine will do, although http://www.altavista.com and http://www.google.com have the most malleable designs. That's where I started. (Remember that I have never met Mr. Lyons and know very little about him.)

I began my search with AltaVista (http://www.altavista.com). AltaVista is one of the most powerful search engines available on the Internet and is provided as a public service by CMGI, Inc. It accepts various types of queries that can be directed toward WWW pages (HTML), images and video, and other forms of digital media. I followed up using Google (http://www.google.com), a newer but amazingly powerful search engine. Don't let the clean, simple interface fool you. Google quickly grew out of obscurity into one of the best search engines available.

I chose AltaVista for one reason: It performs case-sensitive, exact-match regular expression searches. That means that it will match precisely what you search for. (In other words, there are no "close" matches when you request such a search. This feature enables you to narrow your results to a single page out of millions.)

In order to force such a precise search, you must enclose your search string in double-quotation marks. I began by searching the Web for this string:

"Kirk D. Lyons"

This search returned nearly 200 matches, and I started sorting them looking for anything interesting. Most of what I found were various articles and publications either about Mr. Lyons or written by him. I was able to discover an older, shared email address used by Mr. Lyons and one of his colleagues, unreconfed@cheta.net. Searching for just this email address yielded very little, so I turned to Usenet postings. Using http://www.deja.com/usenet/, I was able to search thousands of postings. I came across some by Kirk himself using the email address above. What was interesting here is that the email header information was left intact, which gives quite a bit of information:

Return-Path: unreconfed@cheta.net

Received: from lexington.ioa.net

  (IDENT:root@lexington.ioa.net [208.131.128.7])

  by mail.hal-pc.org (8.9.1/8.9.0) with ESMTP id DAA09388

for <abnrngrs@hal-pc.org>; Thu, 4 Nov 1999 03:23:08 -0559 (CST)

  Received: from 1861 (ppp227.arden.dialup.ioa.com [205.138.38.236])

  by lexington.ioa.net (8.9.3/8.9.3) with SMTP id EAA29654;

Thu, 4 Nov 1999 04:19:27 -0500

Message-ID: <1bed01bf26a5$a5ea0560$cb268acd@1861>

To: <Undisclosed.Recipients@lexington.ioa.net>

From: "Kirk D. Lyons or Dr. Neill H. Payne" <unreconfed@cheta.net> Subject:

HELP

From this, it is possible to determine who is using this address, and where they were connecting from and which service provider they were using to send the message. I can also determine that this is a dial-up account, possibly a home user account in Arden, North Carolina. Further investigation helped me discover that this individual is heavily involved in Civil War re-enactment. This led me to discover Mr. Lyons's sideline business, Different Drummer, including more detailed information including the address, phone number, fax number and email for this business.

Note

Google acquired Deja's Usenet archive as this book went to press. The Deja URLs redirect to http://groups.google.com/, however, Google has yet to make available the entire archive, as Deja had done. Check in often with the Google site to check the progress of that endeavor.

This may not seem like much information, but, in reality, it is enough that I could easily start pulling up business and tax records, property information, and other public data on Mr. Lyons. There is very little limit on how far this investigation could be taken. In just a few minutes using freely available Internet Web site based searching, I was able to gather a considerable amount of information about Mr. Lyons.

That might not initially seem very important. You are probably thinking, "So what?" However, think back to what I wrote at the beginning of this chapter. Twenty years ago, the FBI would have spent thousands of dollars (and secured a dozen wiretaps) to discover the same information.

Usenet is a superb tool for building models of human networks. (These are groups of people that think alike.) If you belong to such a group (and maintain controversial or unpopular views), do not post those views to Usenet.

Even though you can prevent your Usenet posts from being archived by making x-no-archive: yes the first line of your post, you cannot prevent others from copying the post and storing it on a Web server. By posting unpopular political views to Usenet (and inviting others of like mind to respond), you are inadvertently revealing your associations to the world.

DejaNews

As previously noted in this chapter, Google bought the Usenet archives from Deja. At press time, the entire archive was not online as it had been with Deja. However, it's quite likely that the archives will be back online eventually. Check in with http://groups.google.com/ for the status. So do not assume that your postings cannot be found one day!

To recap, assume that although your real name does not appear on Usenet postings, it does appear in the /etc/passwd file on the UNIX server that you use as a gateway to the Internet. Here are the steps someone must take to find you:

1.       The snooping party sees your post to Usenet. Your email address is in plain view, but your name is not.

2.       The snooping party tries to finger your address, but, as it happens, your provider pro hibits finger requests.

3.       The snooping party telnets to port 25 of your server. There, he issues the expn command and obtains your real name.

Having gotten that information, the snooping party next needs to find the state you live in. For this, he turns to the WHOIS service.

The WHOIS Service

The WHOIS service (centrally located at rs.internic.net) contains domain registration records of all American, non-military Internet sites. This registration database contains detailed information on each Internet site, including domain name, server addresses, technical contacts, the telephone number, and the address. Here is a WHOIS request result on the provider Netcom, a popular Northern California Internet service provider:

NETCOM On-Line Communication Services, Inc (NETCOM-DOM)

  3031 Tisch Way, Lobby Level

  San Jose, California 95128

  US

  Domain Name: NETCOM.COM

  Administrative Contact:

  NETCOM Network Management  (NETCOM-NM)  dns-mgr@NETCOM.COM

   (408) 983-5970

  Technical Contact, Zone Contact:

  NETCOM DNS Administration  (NETCOM-DNS)  dns-tech@NETCOM.COM

  (408) 983-5970

  Record last updated on 03-Jan-97.

  Record created on 01-Feb-91.

  Domain servers in listed order:

  NETCOMSV.NETCOM.COM  192.100.81.101

  NS.NETCOM.COM  192.100.81.105

  AS3.NETCOM.COM  199.183.9.4

Take a good look at the Netcom WHOIS information. From this, the snooping party discovers that Netcom is in California. (Note the location at the top of the WHOIS return listing, as well as the telephone points of contact for the technical personnel.)

Armed with this information, the snooping party proceeds to http://www.worldpages.com/. WorldPages is a massive database that houses the names, email addresses, and telephone numbers of several million Internet users.

At WorldPages, the snooping party uses your real name as a search string, specifying California as your state. Instantly, he is confronted with several matches that provide name, address, and telephone number. Here, he might run into some trouble, depending on how common your name is. If your name is John Smith, the snooping party will have to do further research. However, assume that your name is not John Smith that your name is common, but not that common. The snooping party uncovers three addresses, each in a different California city: One is in Sacramento, one is in Los Angeles, and one is in San Diego. How does he determine which one is really you? He proceeds to the host utility.

The host utility will list all machines on a given network and their relative locations. With large networks, it is common for a provider to have machines sprinkled at various locations throughout a state. The host command can identify which workstations are located where. In other words, it is generally trivial to obtain a listing of workstations by city. These workstations are sometimes even named for the cities in which they are deposited. Therefore, you might see an entry such as the following:

chatsworth1.target_provider.com

Chatsworth is a city in southern California. From this entry, we can assume that chatsworth1.target_provider.com is located within the city of Chatsworth. What remains for the snooper is to reexamine your Usenet post.

By examining the source code of your Usenet post, he can view the path the message took. That path will look something like this:

[View full width]

news2.cais.com!in1.nntp.cais.net!feed1.news.erols.com!howland.erols.net! 

ix.netcom.com!news

By examining this path, the snooping party can now determine which server was used to post the article. This information is then coupled with the value for the NNTP posting host:

grc-ny4-20.ix.netcom.com

The snooping party extracts the name of the posting server (the first entry along the path). This is almost always expressed in its name state and not by its IP address. For the snooping party to complete the process, the IP address is needed. Therefore, he telnets to the posting host. When the Telnet session is initiated, the hard, numeric IP is retrieved from DNS and printed to STDOUT. The snooping party now has the IP address of the machine that accepted the original posting. This IP address is then run against the outfile obtained by the host query. This operation reveals the city in which the machine resides.

Tip

If this information does not exactly match, the snooping party can employ other methods. One technique is to issue a traceroute request. When tracing the route to a machine that exists in another city, the route must invariably take a path through certain gateways. These are main switching points through which all traffic passes when going in or out of a city. Usually, these are high-level points, operated by telecommunication companies such as MCI, Sprint, and so forth. Most have city names within their addresses. Bloomington and Los Angeles are two well-known points. Thus, even if the reconciliation of the posting machine's name fails against the host outfile, a traceroute will reveal the approximate location of the machine.

Having obtained this information (and having now differentiated you from the other names), the snooping party returns to WorldPages and chooses your name. Within seconds, a graphical map of your neighborhood appears. The exact location of your home is marked on the map by a circle. The snooping party now knows exactly where you live and how to get there. From this point, he can begin to gather more interesting information about you. For example:

        The snooping party can determine your status as a registered voter and your political affiliations. He obtains this information at http://www.wdia.com/lycos/voter-records.htm.

        From federal election records online, he can determine which candidates you support and how much you have contributed. He gets this information from http://www.tray.com/fecinfo/zip.htm.

        He can also get your Social Security number and date of birth. This information is available at http://kadima.com/.

Many people minimize the seriousness of this. Their prevailing attitude is that all such information is available through other sources anyway. The problem is that the Internet brings these sources of information together. Integration of such information allows this activity to be conducted on a wholesale basis, and that's where the trouble begins.

As a side note, complete anonymity on the Internet is possible, but usually not achievable by legal means. Given enough time, for example, authorities could trace a message posted via anonymous remailer. (Although, if that message were chained through several remailers, the task would be far more complex.) The problem is in the design of the Internet itself. As Ralf Hauser and Gene Tsudik note in their article On Shopping Incognito:

From the outset the nature of current network protocols and applications runs counter to privacy. The vast majority have one thing in common: they faithfully communicate end-point identification information. "End-point" in this context can denote a user (with a unique ID), a network address or an organization name. For example, electronic mail routinely communicates sender's [sic] address in the header. File transfer (e.g., FTP), remote login (e.g., Telnet), and hypertext browsers (e.g., WWW) expose addresses, host names and IDs of their users.

Then there is the question of whether users are entitled to anonymity. I believe they are. Certainly, there are plenty of legitimate reasons for allowing anonymity on the Internet. The following is excerpted from Anonymity for Fun and Deception: The Other Side of "Community" by Richard Seltzer:

Some communities require anonymity for them to be effective, because without it members would not participate. This the case with Alcoholics Anonymous, AIDS support groups, drug addiction support and other mutual help organizations, particularly when there is some risk of social ostracism or even legal consequences should the identity of the members be revealed.

This is a recurring theme in the now-heated battle over Internet anonymity. Even many members of the "establishment" recognize that anonymity is an important element that might preserve free speech on the Internet not just here, but abroad. This issue has received increased attention in legal circles. An excellent paper on the subject was written by A. Michael Froomkin, a lawyer and prominent professor. In Anonymity and Its Enmities, Froomkin writes

Persons who wish to criticize a repressive government or foment a revolution against it may find remailers invaluable. Indeed, given the ability to broadcast messages widely using the Internet, anonymous email may become the modern replacement of the anonymous handbill. Other examples include corporate whistle-blowers, people criticizing a religious cult or other movement from which they might fear retaliation, and persons posting requests for information to a public bulletin board about matters too personal to discuss if there were any chance that the message might be traced back to its origin.

Anonymity and Its Enmities by Professor Froomkin is an excellent source for links to legal analysis of Internet anonymity. The paper is an incredible resource, especially for journalists. It can be found on the Web at http://warthog.cc.wm.edu/law/publications/jol/froomkin.html.

However, not everyone feels that anonymity is a good thing. Some people believe that if anonymity is available on the Internet, it amounts to nothing but anarchy. A rather ironic quote, considering the source, is found in Computer Anarchy: A Plea for Internet Laws to Protect the Innocent, by Martha Seigel:

People need safety and order in cyberspace just as they do in their homes and on the streets. The current state of the Internet makes it abundantly clear that general anarchy isn't working. If recognized governments don't find a way to bring order to the growing and changing Internet, chaos may soon dictate that the party is over.

You might or might not know why this quote is so incredibly ironic. The author, Martha Seigel, is no stranger to "computer anarchy." In her time, she has been placed on the Internet Blacklist of Advertisers for violating network policies against spamming the Usenet news network. The Inter net Blacklist of Advertisers is intended to curb inappropriate advertising on Usenet newsgroups and via junk e-mail. It works by describing offenders and their offensive behavior, ex pecting that people who read it will punish the offenders in one way or another. The following is quoted from the docket listing on that Blacklist in regards to Cantor & Seigel, Ms. Seigel's law firm:

The famous greencard lawyers. In 1994, they repeatedly sent out a message offering their services in helping to enter the U.S. greencard lottery to almost all Usenet newsgroups. (Note in passing: they charged $100 for their service, while participating in the greencard lottery is free and consists merely of sending a letter with your personal information at the right time to the right place.) When the incoming mail bombs forced their access provider to terminate their account, they threatened to sue him until he finally agreed to forward all responses to them.

The Internet Blacklist can be found on the Web at http://math-www.uni-paderborn.de/~axel/BL/blacklist.html.

However, all this is academic. As we move toward a cashless society, anonymity might be built in to the process. In this respect, at least, list brokers (and other unsavory information collectors) had better do all their collecting now. Analysis of consumer-buying habits will likely become a thing of the past, at least with relation to the Internet. The majority of electronic payment services being developed (or already available) on the Internet include anonymity as an inherent part of their design.

Several digital electronic payment systems exist today. A lot of research has been done in this area. Several companies currently developing systems are

        eCash Technologies

        Zero-Knowledge Systems

        CyberCash

        Millicent

What I have a hard time understanding is how these systems can provide anonymous transactions. The reason I bring this up is simply that records must be maintained, log files generated, transactions authorized, and people involved to ensure the system works. Therefore, these "anonymous" transactions really aren't and that brings you to my warning.

A Warning

Technology is rapidly changing our society, and personal privacy is disappearing in the process. The Internet will only further facilitate that process.

Already, many banks are using biometrics for customer identification. The process is bone chilling. In order to withdraw your money, you must surrender your retina or thumbprint to a scanner that authenticates you. This technology is already being marketing for personal computers, and the sales pitch sounds enticing. After all, aren't you tired of having to enter a pass word every time you boot your machine or log on to the Net?

Soon, biometric authentication will be used in online electronic commerce. Before you close this book, I ask you to consider this very carefully: Imagine the climate a decade from now. Each user will have a unique, digital ID based on a cryptographic value. That value will be a 32-bit or 64-bit number derived from the physical characteristics of your face or your right hand. Without that number, you will not be able to buy or sell anything. When that time comes, remember that you read it here first.

Internet Resources

Finally, here are some good sources concerning privacy on the Internet.

Privacy & Anonymity on the Internet FAQ

Author: L. Detweiler

Content: Many sources on privacy and anonymity on the Internet; a must for users new to identity issues on the Net.

URL: http://www.prz.tu-berlin.de/~derek/internet/sources/privacy.faq.02.html

Anonymous Remailer FAQ

Author: Andre Bacard

Content: A not-too-technical description of anonymous remailers, how they work, and where they can be found. Bacard is also the author of Computer Privacy Handbook ("The Scariest Computer Book of the Year").

URL: http://www.andrebacard.com/remail.html

Anonymous Remailers

Author: Francis Litterio

Content: Locations of anonymous remailers on the Internet.

URL: http://world.std.com/~franl/crypto/remailers.html

How-To Chain Remailers with PGP Encryption

Author: Anonymous

Content: A no-nonsense tutorial on how to chain remailers, and, in doing so, send a totally anonymous message with encryption.

URL: http://www.email.about.com/internet/email/library/weekly/aa042400a.htm

Privacy on the Internet

Authors: David M. Goldschlag, Michael G. Reed, and Paul F. Syverson, Naval Research Laboratory Center for High Assurance Computer Systems

Content: A good primer that covers all the aspects discussed in this chapter.

URL: http://www.itd.nrl.navy.mil/ITD/5540/projects/onion-routing/inet97/index.htm

Anonymous Connections and Onion Routing

Author: David M. Goldschlag, Michael G. Reed, and Paul F. Syverson, Naval Research Laboratory Center For High Assurance Computer Systems

Content: PostScript presented in the proceedings of the Symposium on Security and Privacy in Oakland, CA, May 1997. A detailed analysis of anonymous connections and their resistance to tracing and traffic analysis. (Also discusses vulnerabilities of such systems; a must read.)

URL: http://www.itd.nrl.navy.mil/ITD/5540/projects/onion-routing/OAKLAND_97.ps

Special Report: Privacy in the Digital Age

Author: Susan Stellin

Content: CNET article containing resources on privacy on the Internet.

URL: http://www.cnet.com/Content/Features/Dlife/Privacy/

The Electronic Frontier Foundation

Author: N/A

Content: Comprehensive sources on electronic privacy.

Location: http://www.eff.org/

The Electronic Privacy Information Center (EPIC)

Author: N/A

Content: Civil liberties issues; this site is indispensable in getting legal information on privacy and anonymity on the Internet and elsewhere.

URL: http://epic.org/

Computer Professionals for Social Responsibility (CPSR)

Author: N/A

Content: A group devoted to discussion about ethics in computer use.

URL: http://www.cpsr.org/

The Anonymizer

Author: N/A

Content: A site that offers free anonymous surfing. The application acts as a middleman between you and the sites you surf. Basically, it is a more complex proxying service. It allows chaining as well, and your IP is stripped from their logs.

URL: http://www.anonymizer.com/

Articles and Papers and Related Web Sites

Data Spills in Banner Ads. Richard M. Smith. February 14, 2000. http://users.rcn.com/rms2000/privacy/banads.htm

Nameless in Cyberspace: Anonymity on the Internet. Jonathan D. Wallace, 1996. http://www.cato.org/pubs/briefs/bp-054es.html

On Shopping Incognito. R.Hauser and G. Tsudik. Second USENIX Workshop on Electronic Commerce, November 1996. http://www.isi.edu/~gts/paps/hats96.ps.gz

The Anonymous E-mail Conversation. Ceki Gulcu. Technical Report, Eurecom Institute. June 1995.

Control of Information Distribution and Access. Ralf C. Hauser. Technical Report, Department of Computer Science, University of Zurich. September 1995.

Internet Privacy Enhanced Mail. Stephen T. Kent. Communications of the ACM, Vol. 36, No. 8. August 1993.

Certified Electronic Mail. Alireza Bahreman J. D. Tygar. 1994. ftp://ftp.cert.dfn.de/pub/pem/docs/CEM.ps.gz

E-Mail Security. Dr. John A. Line. UKERNA Computer Security Workshop, 15/16. November 1994. ftp://ftp.cert.dfn.de/pub/pem/docs/UKERNA-email-security.ps.gz

How Companies Track Your Movements on the Internet. http://www.privacy.net/track/ provided by privacy.net

Electronic Fingerprints: Computer Evidence Comes of Age. M. R. Anderson, Government Technology Magazine. November 1996.

Achieving Electronic Privacy. David Chaum. Scientific American, pp. 96-101. August 1992.

Erased Files Often Aren't. M.R. Anderson, Government Technology Magazine. January 1997.

FBI Seeks Right to Tap All Net Services. M. Betts. ComputerWorld, Vol. XXVI, No. 23. June 8, 1992.