Part 2
Pushing Back
If you don't push back against those who want to know
more about you all the time, you'll end up as transparent to them as if they
lived with you. This is not a joke!
The first thing to do is decide whether you need or want
to bother worrying about all this data out there on you. Some people actually
like the fact that when they go to their favourite news site it shows them the
baseball scores first and never shows them news about foreign countries at
all. In this case you have "paid" for your "free lunch" and are happy about
it.
This may be fine for one or two sites. It even may be
fine for all the sites you normally visit - but you should still be on guard
whenever you visit a new site or get sent something by a "friend" to try or
see. You should also be aware that not all your "friends" may appreciate your
giving their e-mail addresses out to your favourite site so you can send them
something interesting (as David did in the case that sparked this article) You
have to learn to practice safe Internetting at least enough to not annoy
others you deal with.
On the other hand, if you are uncomfortable with "them"
knowing all about you, including your underwear size, eye prescriptions, age,
occupation, sex, address, place of birth, etc. then you need to do more than
just be watchful.
The major thing to recognize is that, as noted above,
most of the time your information is dealt with only by computer programs -
and computer programs are still not truly "intelligent". Today's "data mining"
techniques look for statistical patterns within numbers of records. They look
for viewing or purchasing patterns with enough people following them that it
makes sense to craft a marketing strategy that matches the pattern and take
advantage of it. To do this they apply mathematics that, amongst other things,
throws out "bad" or inconsistent data.
Hmmm... maybe there's a way to get our records thrown
out - or at least confuse them as to which patterns we really fall into.
To do this we must inject some randomness and/or
misleading data into our travels. Not enough that we can't get the services we
want, and certainly not enough that we fall afoul of fraud laws or such. Just
enough to maintain at least a bit of a curtain of privacy and cast uncertainty
on the data.
This can be done in non-Internet activities as well. I
have several credit cards but use them in a fairly random fashion. Some months
I'll use one for gas and another for miscellaneous purchases and not use
another one at all - even for months at a stretch. Same thing with the mix of
credit and debit card use. I also use cash in many situations even though I
could (and sometimes do) use credit in the same situation. Thus, there are
holes in "their" data - no obvious patterns in general.
The same things can be done when giving information to
Internet (and software) companies.
Many of these practices are "passive" push-backs. I also
actively push back in some cases by letting the organization know my views on
their "policies" and letting them know my own policies if necessary and why I
have them. The rest of this section deals with some of the details of this
pushing back.
Affinity Cards
A good friend of mine makes his money solely as a
computer security expert. He's paranoid - a good thing in his industry. One of
the things he has found out is that some stores will actually allow you to
register anonymously for an affinity card. No personal information on record,
but you get the discount and the store can track that "anonymous cardholder
12345... has this purchasing habit" which seems fine with them. So far he's
received such cards from a couple of food chain stores and a book chain.
A suggestion he has made to me that I have yet to do
anything about is that people register in some fashion to get a card then drop
them into a box at the door for later use by anyone else who needs one. In
some stores the cardholder earns "instant" rebates over time and the random
cards might act almost as a lottery. I'm not sure how the stores would like it
but it's a thought.
On the other hand, I have noted above that I actually
get a sore back (from the thickness of my wallet - carried in a back pocket
and causing me to sit funny in my car - requires a "walletectomy" every few
months) if I carry all the cards the various stores want me to use. It used to
be that other than the credit cards, I only needed my "Air Miles" card since
it crossed many stores. The problem is that for whatever reason, many stores
are no longer part of this umbrella and instead run their own card.
My push back to them is to ask if just having the number
is enough - in which case I'll enter it into my cell phone or PDA, both of
which I have with me at all times anyway. This has worked fairly well for some
stores. A couple didn't like the idea and I've run across individual clerks
who don't quite understand, but that's their problem and I let them know it.
On the other hand, there are a number of shops I won't
deal with any more than I absolutely have to because they require that I
present the whole card, and in one case the card itself is thicker than most
credit cards are. The manager there just didn't understand when I told him why
I wouldn't be back until they changed the policy. The store offers quite a
healthy discount for cardholders but their competition does the same and only
requires the number.
Other stores are getting the message and creating cards
that are very thin, and in once case 1/4 the size of a credit card and
designed to hang on your keychain. The push back seems to be working.
Places that use the old "stamp" card (card of empty
squares stamped each time you purchase something) will mostly keep the card in
their store for you. If they don't, I tell them why I won't be back.
E-mail Software
Solutions
The original subject of this discussion is an e-mail
sent to me by David. If you don't want the sender or other nefarious web site
to know the fact that you've received (and opened) any particular e-mail, you
may have to change your software. At minimum you'll have to get into its
options and change how it deals with external links from HTML mail.
| I'll first of all say
that I don't use Windows for my day to day Internet access. I have a Linux
box in front of me, the details of which are on my home-office page. About the only
thing different from the picture at the moment is the second monitor I
mentioned above - beside the one you can seen in the center of the main
picture. As you'll note I also have both a separate machine with Windows
2000 on it and a session of Windows 2000 running in a "cage" (VmWare)
on my Linux box, so I do have access to the facilities if I can't do things
any other way. I'm in fact writing this article using FrontPage 2002 in
Windows under VmWare on the main machine.
My E-mail program is Evolution - a
Linux-based Outlook look-alike. I've used Outlook in the past as well as
Eudora and many other Windows based programs, but I no longer do so, so am
a bit rusty on their setup and daily use. |
The things I've found out indicate that versions of
Outlook older than 2002 and all versions of Outlook Express up to very
recently cannot be told not to load images from the outside when e-mail is
shown in the preview pane or opened up. Outlook 2002 can be set this way (see
link below) and Outlook 2003 comes with this feature set on (don't load
external links). Personally I like Evolution's way of doing it at this point -
load external links only if the From: address is in my Contacts folder;
although the fact that Yahoo spoofed this is disconcerting. I may suggest to
the team that is doing the Evolution programming that it also take a look at
the Return-path: address (which in this case showed nobody @ Yahoo-inc.com)
If you can't update to a newer Outlook you might want to
get Mozilla/Netscape and use It's mail
reader instead. Many people like it and there are new features coming all the
time. Blocking images is a selection on the "Privacy & Security" menu under
"images" where you can select specific sites you'll allow images from or turn
their download off completely. Again, no selection for only allowing them in
mail from people you know. I use Mozilla 1.5 as my main browser on both
Windows and Linux - works fine for most sites now.
If nothing here applies to your situation; you can't
change (company policy or financial reasons) or simply don't want to, you
should at least understand that you are letting the other end know that their
message was received. If you don't like it - push back by telling your vendor
and/or company MIS/IP people.
E-mail Source
Code Discovery
You can see the "nasty" URLs in e-mail you've received
by setting your program to "show e-mail source" and looking for the "img"
(upper or lower case) tags. The following one is from my Christmas Greeting,
sent out with the pictures included in the e-mail as attachments. This type of
IMG is just fine - the whole thing is included in the e-mail and no external
reference is needed to view it. The "cid:" portion of the tag string means it
is referencing an internal (to the e-mail message) attachment.
|
<IMG SRC="cid:1071083508.9622.19.camel@pacdat.pacdat.net"
ALIGN="bottom" ALT="" BORDER="5"> |
The following HTML IMG tag came from David's e-mail to
me (slightly obfuscated). Note that the tag in this one contains a full URL to
an image file, plus the extra ? and database key.
| <img src="http://us.f1.yahoofs.com/
xxx/ 3f808b6z_c5e5/
bc/ Yahoo!+Photo+Album
/__tn_pers27903z7040.jpg
?BCmegAABvemnfj9H" width="61" height="90" border="0"/> |
In most of the e-mail programs in use today, receiving
this e-mail would tell Yahoo that you existed, and they already know your
e-mail address since your friend gave it to them.
| "Yahoo!'s
practice is to include web beacons in HTML-formatted email messages
(messages that include graphics) that Yahoo!, or its agents, sends in order
to determine which email messages were opened and to note whether a message
was acted upon." abstract from
Yahoo's privacy pages. |
So, through no fault of my own, Yahoo now knows that my
e-mail address exists and I've seen a picture from their site. Their policy
states that they collect personal information "when you visit Yahoo! pages..."
which now I have done. Now they seem to think they have implicit permission to
pass my e-mail address around their company and associated companies, business
partners and other companies. But I didn't knowingly visit their page - I
only viewed an e-mail I thought had come from a friend of mine!
Greeting Cards Too
The same thing happens when a friend of yours sends you
some electronic greeting cards - you know, the ones that they can have sent
out to their whole mailing list on major holidays and to individuals on
birthdays and anniversaries. I even sent out a special
missive to my own Christmas list this year imploring them not to follow
this practice as I would not likely see their card since my system is set not
to download the external links.
The point with this and the previous section is that
regardless of whether you have decided you don't care about your personal
information, decisions you make can affect others you count as friends or
associates. I'm not talking about a virus using your contact list to send
itself - that you may not have been able to stop, although I can make a case
there too.
I'm talking about your use of "free" services that you
put information of any kind into that ends up with the service discovering
information about your friends and associates despite the fact that they have
not been given the opportunity to say no.
Browser Software
Solutions
To minimize sites tracking you, you can limit your
browser's cookie storage abilities. Interestingly enough, most browsers today
allow far more flexibility in these settings than your e-mail programs allow
in theirs.
In general, there are two types of cookies - those that
last only for a "session" - meaning until you close your browser window (and
any clones you have of it) or until you reboot your computer - and those that
last between sessions.
In addition there are "first party" cookies and "third
party" (you, the viewer being the missing "second" party). Some web sites (and
Yahoo says they do this) may set a cookie for one of their advertisers which
comes from a completely different web site. This is a third party cookie.
First party cookies are from the site you think you're viewing. Some people
turn off third party cookies and leave first ones on. Others only allow
session cookies.
Some browsers allow you to treat session cookies
separately from others. Some don't. Some don't tell you what they're actually
doing (MS IE is one unless you go into the "advanced" settings) so you may
have to dig a bit on your favourite search engine.
Even if you turn off cookies other than session cookies,
some browsers allow you to add a list of sites you'll accept them from in any
case. This allows you for instance to allow Google or Yahoo to recognize you
when you come back (and track your travels through their pages) but not allow
3rd party cookies (unless Yahoo sets one for Google) - the best of both
privacy and utility worlds but sometimes a pain to administer.
On the other hand, nobody said that "Free" didn't come
with some pain did they?
Previous
- Next "Legislation and a Personal Privacy
Policy"
