Your Connection > How They Track You
Website monitoring is a legitimate technique companies, organizations and individuals use to measure how their website is doing. It gives useful, anonymous statistics on who the ISP is (not individuals), where the ISP is located, what content people are viewing, when the high traffic periods occur and how long people are staying on the website. It doesn’t target individuals per se. It’s the same as a brick-and-mortar store keeping track of how many customers enter the store, what they’re browsing for, what they’re buying, whether they’re locals or tourists and peak times when there are the most customers. It makes smart business sense to have a demographic profile of their customer base so the store can adjust its inventory, its displays and arrangement of merchandise accordingly to give the customer what he wants and increase the store’s sales, thus keeping employees employed and the store in business. Used in this sense, everybody wins.
It’s when the monitoring becomes tracking that your invasion of privacy comes into play.
Tracking, although not as sneaky and devious as hacking, is no less an invasion of your privacy. While you might not mind Amazon.com knowing your buying preferences, because it makes shopping more convenient when you’re being presented with items you’re interested in, knowing that every move you make on the Internet is being tracked, is downright creepy. And getting reassurance that all this tracking is anonymous doesn’t really wash after learning how the government just finished building a one million square foot facility in Utah to store all the data they are accumulating on everyone. Anonymous data collecting and analyzing might make sense if the facility were for a retailer looking to see where markets were trending. However, when the government is doing this kind of tracking, analyzing and storing of your data, we call this being “power drunk”. And like any drunk on a bender, it doesn’t look like there’s any end in sight to this information grab.
Securing Your Connection provides ways you can make yourself virtually invisible to the following tracking and spying techniques:
- Using your IP (Internet Protocol Address): like a street address, everything on the Internet is identified by an IP address. Even a website address is just a name associated with the underlying IP address. When you connect to the Internet, your ISP assigns you an IP address. Every website you visit has its own IP address. Knowing your IP address and those of the websites you visit, your ISP can log (record) and track your activities. Currently, in the US, there are no mandatory ISP data retention laws. However, this does not mean that your ISP does not voluntarily store logs of its users’ online activities and that you will soon be losing your expectation of privacy (if you haven’t lost it already) from your own ISP.
- Deep Packet Inspection (DPI): the information stream you send and receive during your Internet activities are composed by what are called, “data packets”. The web pages you read, the photos you upload, the email you send and receive, the Voip phone calls you make, all are sent and received as a stream of data packets. Each packet contains sender/receiver information so the packet can arrive at the correct destination, as well as content information, or what the data actually is, like part of an email or Voip conversation. Deep Packet Inspection scans Internet traffic to determine who the packet’s from, what it contains and where it’s going. This is necessary, for example, for your router because it has to know who on your network to send the data packet to. It’s also part of your firewall, because it needs to know what to filter in and out of your network. It’s also great when your ISP is using Deep Packet Inspection to scan and block malware. It’s not so great if your ISP is scanning and logging the content of your data packets. Your Internet activities can be tracked and used by your ISP for targeted advertising, “lawful” interception of your communications, even censorship by blocking you from certain websites like those that engage in file sharing, for example.
- Man-in-the-middle attack: is when a sender and receiver are communicating and a third party (the man-in-the-middle) intercepts the messages and becomes the go-between, thereby reading the contents of the message from the sender then sending the message along to the receiver.
As an example using SSL/TLS encryption, the sender goes to a trusted store to get an encryption key and the receiver does the same. If they both trust the store, each receive an encryption key that is used to encrypt their communication and connect. Prior to sending or receiving data, they encrypt the message with the key. In a man-in-the-middle attack, the attacker replaces the address of the trusted store with the attacker’s address. The sender and receiver get the key the attacker provides, and instead of passing the sender’s address to the receiver and the receiver’s address to the sender, the attacker passes his own. Now every piece of information that is sent between the sender and receiver goes through the attacker. The attacker decrypts the data with the key he gave the parties, and can see every bit of information as if he were sitting at the sender or receiver’s computer. And the sender and the receiver have no idea it’s happening.
- Cookies: when you go to a website, like Amazon.com, information about you is stored in your browser. This information is sent back to the originating server and may contain for example, what’s in your shopping cart, or on your wish list, what web pages you visited, what buttons you pushed, etc. Cookies are intended to provide the you with a better browsing experience by remembering your preferences. Cookies cannot install malware on your computer.
- Web site statistics: are used by website managers to track where you’re from, what content you’re viewing , how long you stay, what browser you’re using, etc. An example would be a merchant who may want to know what products potential customers are viewing, peak customer viewing times, customers’ location and search words or phrases used to find the website.
Next: Securing Your Connection describes how to protect yourself from being unwanted tracking techniques.