Worried about snoops watching as you work the computer keyboard? Stephen H. Wildstrom, Business Week's Technology & You columnist, devoted his Nov. 11 offering to this subject, and he was the Nov. 3 guest of BW Online to discuss issues of online privacy.
OnlineHost: Copyright 1996 America Online, Inc.
OnlineHost: Material entered into AOL by persons other than those identified as Business Week's employees or authorized representatives, acting on behalf of Business Week, is material for which Business Week assumes no responsibility.
OnlineHost: Welcome to Business Week Online! Tonight the topic is computer privacy (is anyone snooping on you?), and the guest is BW's Stephen H. Wildstrom (SWildBW). Steve devoted his Technology & You column in the Nov. 11 issue to new worries about online privacy, and he's ready for questions on this and other computer subjects. The moderator is Bob Arnold (BobABW), editor of BW Online.
BobABW: Hi everyone, and thanks for joining us tonight. Welcome, Steve. Let me start things off, if that's O.K.
SWildBW: Hello.
BobABW: Privacy has been a big concern online for quite a while, but there seems to be a resurgence of that concern just now. What's behind that?
SWildBW: I think the main thing that focused attention on the issue was the flap this summer over the Nexis/Lexis P-trak database -- a huge collection of personal information on most of the population of the U.S. A lot of what appeared in print and especially online about P-trak was wrong or exaggerated, but it did shine a spotlight on the issue.
BobABW: Here's a question that gets right to the point.
Question: Steve, what about companies (I-Pro?) that are trying to set themselves up as login/password clearinghouses for other Web sites, so that you don't have to remember your password at 25 different sites? Are these password registries safe?
SWildBW: Well, first of all, I'm not sure they are necessary, at least for users of Windows 95 and Internet Explorer 3. Win95 maintains its own password cache. But in general, they are as trustworthy as the people running them. That's a big issue in Net security in general -- you have to trust the people who hold the security information.
BobABW: BillSVa is next, with the bottom-line question of the evening.
Question: How private are we on the Web? What sort of information do search engines like Yahoo, Excite, etc., typically obtain when we visit their sites?
SWildBW: Anytime you visit any Web site, you automatically present at least two pieces of information: what browser you are using -- type, system, and version -- and what page you visited last. If the site deposited a cookie -- we'll talk more about that later -- you'll present other information. But generally, unless you have registered at a site, it won't have access to personal information.
BobABW: Steve, how do you answer Jis5?
Question: Just read your article an hour ago. But you fail to mention the government's antiprivacy stance vis-a-vis encryption.
SWildBW: We have a fascinating paradox here. Some people are demanding that the government defend our privacy from nosy corporations. Others worry that the government itself is the real threat to privacy. For the most part, I'm with the second group. Now, for the specifics: The Administration has retreated significantly from its original encryption position as embodied in the Clipper/Skipjack/Capstone proposal. I have some problems remaining with the latest "key recovery" plan, but on the whole, I think it's a big step in the right direction.
BobABW: Elite BB is next with a basic, but often overlooked, question.
Question: What are some suggestions for choosing a password for anything?
SWildBW: The main things are that it not be a word that could be looked up in a dictionary, and it not be anything easily associated with you, like a birthday or phone number. The ideal password would be a random string of letters, numbers, and punctuation. Trouble is, people can't remember those, so they write them down, sometimes on PostIts on the monitor. So that's not good. The best way I know to get a password that's both reasonably safe and easy to remember is to take two short words and string them together with a number of other nonalphabetic characters in the middle, like pass26word (but don't use that one.)
BobABW: While we're on fundamental questions: Try this important one from RBoyle859.
Question: Can anyone read your E-mail?
SWildBW: Do you mean are they able to or are they allowed to? Taking the second part first, in general, no, according to the Electronic Communications Privacy Act [ECPA]. The important exception is that a number of courts have ruled that E-mail written on company computers on company time is the property of the employer. Now for the "able to" part. When you send a mail message, it gets broken up into small packets that travel through the Internet. In theory, these packets can be read at any host they pass through. In practice, the sheer volume of data moving across the Net makes this very difficult, so someone would have to really, really be interested. The practical result: E-mail is generally safe on the Net, but you'll need to take additional steps, particularly encryption, to protect anything really sensitive.
BobABW: TAltvalja has a comment next. Any reaction, Steve?
Comment: The only way to ensure privacy is to have members of the various Web nets or groups encrypt their data to each other (impractical).
SWildBW: Strong encryption is the only way to be really sure that communications remain private. For regular correspondents, it's not all that impractical with a program like PGP. And there are commercial programs, like Lotus Notes, that have a built-in encryption option for E-mail.
BobABW: SRodrig18 has a question we've all wondered about. And while you're at it, Steve, maybe this is the place to explain cookies.
Question: How do advertisers get your name on their list? Is it from a registered site?
SWildBW: There seem to be two main sources for names or, more to the point, E-mail addresses. The first is from filling out registration forms. The second is from posting to Usenet newsgroups. Now about cookies: A cookie is just a unique identifying string that a Web site you visit leaves in a file maintained by your browser. If you haven't given your name or E-mail address, all the Web site knows is that the person who visited last Thursday and checked out the New Widgets page is here again. But if the site can associate a name with the cookie, then it knows who you are and what you do each time you visit.
BobABW: Here's a question dear to the hearts of us workaholics, from MikeMerc.
Question: I do a lot of work from home. Is the E-mail I send and receive in the course of my work (which is often mixed with personal mail) stil subject to review by my employer? Or is that limited to mail sent on the company network?
SWildBW: This is a really murky area of law. The law in this area is being made case by case, judge by judge, so the answer may well depend on what state or federal judicial district you live in. In general, it's safest to assume that your employer can legally read any mail that is sent to you from the company system.
BobABW: C105012 (love that name) wants to know about credit-card safety.
Question: Has the ability to use the credit card over the Internet become safe?
SWildBW: I've always believed that if it was safe enough for the banks (and Visa, MasterCard, etc.) to allow it, it was safe enough for me. Here's the logic: Your liability for fraudulent use of your credit card is limited under U.S. law to $50. The banks' liability is unlimited, so they have a much greater stake in maintaining security. I have no qualms about using a credit card on any secure site using a browser that supports secure transactions.
BobABW: Next: Zhimdelah.
Question: Do local ISPs have access to your E-mail? In other words, if you are dealing with a small ISP, do you have to worry about some bored sysop [system operator] reading your personal mail?
SWildBW: The sysops can get into the mail files, but they're violating ECPA if they read them. It's like postal workers: They could steam open your letters, too. The difference is that with E-mail, it leaves no physical evidence. Like I said, if it's really sensitive, don't send it with open E-mail.
BobABW: Here's the start of another question from BillsVA. (Let me see if I can find the rest).
Question: I've noticed that E-mail from some major corporations contains standard header messages stating that the message was sent through the Net and may have been tampered with. Is there a real threat of this? Is info we send over the Net any more susceptible to theft or manipulation than, say, a thief stealing a credit-card receipt out of the trash?
SWildBW: Some lawyer must have told the corporation to put that stupid disclaimer in the header. There is a good technology for assuring that mail is not tampered with in transmission and that, at the same time, guarantees that it was really sent by the person who signed it. It's called a digital signature, and I expect the technology to become very widespread in the next year or so.
BobABW: O.K., Steve. Fill us in on this one, from Zhimdelah, once more.
Question: How do Internet "sniffers" work, and are they a concern to businesses and/or private individuals?
SWildBW: A network sniffer can easily be set up to anyone who has physical access to the network wire, usually a local network at a company or an ISP. In simplest terms, it's just a program that looks at every packet moving across the Net and opens those that it wants to look at. The main purpose is stealing passwords. On most networks, you can't get local login passwords this way because they are encrypted. But you can grab any password sent using a Telnet prorgram or sent to an insecure Web server.
BobABW: Here's another good question from MikeMerc.
Question: Steve, what kinds of specific proposals are bouncing around Washington regarding restrictions on data collection on the Net? Any with a strong chance of becoming law?
SWildBW: I think what's likeliest is that Congress will ask the Federal Trade Commission and the Federal Communications Commission to study the question. Representative Markey introduced a bill to that effect last year. There may be strong legislation protecting children from the collection of personal information. And it would be nice, but maybe unlikely, if the privacy status of E-mail were clarified.
BobABW: I think SRodrig18 wants to know about firewalls.
Question: Can someone gain access to other info (info other than Internet mail, etc.) on your computer through the Internet?
SWildBW: It's hard to give a categorical answer to that question, but in general you're vulnerable if three conditions have be met: You have a persistent (not dial-up) connection to the Net. You're not behind a properly set-up firewall. And your computer has been configured to share files with others.
BobABW: Yupitz is a little off the subject of privacy, but what do you think, Steve Wildstrom?
Question: I think that the government should take proper actions for Internet censorship on any sites that receive government money.
SWildBW: I'm not sure what's meant by Internet censorship here. In general, believe it or not, the government is real fussy about how its money is spent. But it can't usually place a lot of conditions on money that isn't directly related to the grant.
BobABW: Schnutz2 doesn't seem to be in the habit of sugar-coating things.
Question: So how safe do you think our identity is from some sue-happy sleazeball who is looking to take a person to court for anything he or she might say on the Web?
SWildBW: The laws of libel and slander apply as surely online as they do in any other medium. Now I'm going to say something that will make me real unpopular with some privacy advocates. I believe fervently that anyone who is willing to stand up and say something has the right to do so. But I don't believe there is any particular right to anonymous free speech except under very special circumstances. In other words, you're free to say whatever you want, but you'd better be prepared to take responsibility for your words.
BobABW: KeWLnCRaZ -- that's a screen name. Now for the question.
Question: Is it actually possible to send an anonymous, "encrypted" message via the Internet to which the recipient and sender would only have access? Disregarding any laws that are on the books forbidding it?
SWildBW: There are no laws limiting the use of encryption within the the United States. It is illegal to send most encryption technology -- but not encrypted messages -- outside of North America (we trust the Canadians). Some countries, most notably France, do restrict the use of encryption by their citizens.
BobABW: TotlzBack is asking about something of which I have no personal knowledge. But generally, how would something like this work?
Question: How does the government -- i.e., military or DEA -- get permission from AOL to search our paths taken on here?
SWildBW: If the government wanted, say, the Web logs from AOL, they would have to subpoena them. I'm honestly not sure if this is covered by ECPA, in which case it would require a court order. And I guess you'd have to ask AOL what they'd do if they got a request for "voluntary" compliance. There are many well-documented cases of the government obtaining phone-company records without proper court orders, although in general, these involved claims of national security.
BobABW: Everyone wants to know the answer to this question from RGBYSHEAS.
Question: How can I stop this large amount of junk E-mail from my system?
SWildBW: I wish I knew. I keep it out of my main mail system at work with some filters, but the mailers are always a step ahead of me. I don't want to offend our hosts here, but the AOL system is just plain hopeless. Three-quarters of the mail coming into my AOL mailbox is unsolicited junk, mostly get-rich-quick schemes. If they can't block it, they have to help users control it.
BobABW: Steve, what are remailers? This question's from Zhimdelah. And by the way, I think I read (via E-mail) that AOL is taking steps to block junk mail.
Question: Do you personally advocate the use of remailers? Are there any legal battles over this issue at the present time?
SWildBW: I assume you mean anonymous remailers. These are computers that take mail you send them and resend it in a way that the message cannot be traced back to you. The most widely used one, a site in Finland, shut down a few months ago under pressure from the European Union. I don't use them, and, as I said earlier, I don't have a whole lot of sympathy for anonymous mail.
BobABW: Only American Express may really know the answer, but any help for Robin IV?
Question: If I give my credit-card number to American Express so I can check my status, can people get my credit-card number?
SWildBW: If you send it in an E-mail message, maybe. If you send it to a secure transaction server (one that shows a solid key on Netscape or a closed lock on Internet Explorer), almost certainly not.
BobABW: Try this next, from CardCheat.
Question: Is it true that someone can send a virus into your PC just from your being on the Internet, even if you don't download files?
SWildBW: Yes and no. Microsoft Internet Explorer 3.0 uses a new technology called ActiveX that downloads executable files in a way that isn't always obvious. But unless you have turned all security off, it will always ask your permission before opening one of these "controls." And any decent virus checker should catch a rogue control.
BobABW: I'm pretty sure that Web logs only show AOL as the origination point of a visit, not who the person is. Steve, do you know? The question's from Totzlback.
Question: Does AOL give Web page creators information about what sign-on names have visited their page? I keep getting E-mail from people/companies that either saw me in there, or they must get a list. What's the deal?
SWildBW: Not for sure. I doubt that AOL has that information.
BobABW: And one more question on E-mail, grom KNorris96.
Question: Once my E-mail has made it to its destination, is it O.K.? Can people only read it in transit?
SWildBW: Depends on the destination mail system. On some systems, system administrators can read any file on the system. On others, the post office files are encrypted and can only be read by the recipient. But once again, since you have no way of being sure, it's best to be careful.
BobABW: Steve, a final question: What's the best advice you can give people for protecting their privacy online?
SWildBW: If you register at a commercial Web site, somebody will be collecting and very likely selling the information. If this bothers you -- and it may or may not -- just don't do it.
BobABW: Thanks to Steve Wildstrom, Business Week's Technology & You columnist, for an informative evening on this important subject. Thanks, too, to all of you in the audience for your questions. Transcripts of all BW conferences are available soon after each program under the Talk & Conferences button on our opening screen. And check our Conference Calendar, also in Talk & Conferences, for notices of upcoming events. Thanks again, and goodnight.
Copyright 1996 by The McGraw-Hill Companies, Inc. All rights reserved.
