How you get tracked on the 'Net: Part Two

Jim Reavis
Network World on Security, 11/08/99

Last week we talked about the growing concerns over privacy on the Internet. Through the combination of how TCP/IP works, common Domain Name System naming conventions, and the log files kept by ISPs and Web site operators, it is quite possible for someone to shatter your illusions of anonymity. Several organizations are trying to solve this problem and clean up the privacy "slime trail" you leave. We will look at a few solutions here.

What if you are behind a corporate firewall or proxy server? These servers will hide your personal IP address. A proxy will initiate requests on your behalf, so an Internet Web server's log file will show all the connections from you and your co-workers as originating from the proxy or the firewall. Some proxies will also rewrite your browser version and operating system information; most pass it along. Remember that a firewall or proxy server will log all of your connections, so a Web site operator working with your firewall administrator could track you down. Also, Web sites that use cookies will be able to retrieve, through a firewall, private information that you may have divulged for a feature such as personalization. Although a corporate firewall can shield you from the outside world, the great depth of information contained within it points out how important it is that the firewall administrators be privacy zealots. I can clearly recall several administrators, from my days implementing firewalls, who would love to monitor the surfing habits of their co-workers and bosses.
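What the destination site's log shows in the proxy case described above, as an added example that is not part of the original column. The log layout, addresses, and cookie values are constructed for illustration; the point is that one proxy address covers several people, while the cookie value still separates them.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed layout (not a real server's log):
# client_ip [time] "request" "user-agent" "cookie"
SAMPLE_LOG = """\
192.0.2.10 [08/Nov/1999:09:01:12 -0500] "GET /news HTTP/1.0" "Mozilla/4.7 [en] (WinNT; U)" "uid=7f3a91"
192.0.2.10 [08/Nov/1999:09:01:40 -0500] "GET /sports HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" "uid=19c2d4"
192.0.2.10 [08/Nov/1999:09:03:05 -0500] "GET /news/2 HTTP/1.0" "Mozilla/4.7 [en] (WinNT; U)" "uid=7f3a91"
192.0.2.10 [08/Nov/1999:09:04:51 -0500] "GET /jobs HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" "-"
198.51.100.23 [08/Nov/1999:09:05:30 -0500] "GET /news HTTP/1.0" "Mozilla/4.61 [en] (X11; U; Linux)" "uid=e04477"
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" "([^"]*)" "([^"]*)"$')

def parse(log_text):
    """Yield (ip, request, user_agent, cookie) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, _time, request, agent, cookie = m.groups()
            yield ip, request, agent, None if cookie == "-" else cookie

def summarize(log_text):
    """Per source address: request count, distinct user agents, distinct cookies."""
    stats = defaultdict(lambda: {"requests": 0, "agents": set(), "cookies": set()})
    for ip, _req, agent, cookie in parse(log_text):
        entry = stats[ip]
        entry["requests"] += 1
        entry["agents"].add(agent)   # passed along unless the proxy rewrites it
        if cookie:
            entry["cookies"].add(cookie)
    return dict(stats)

def pages_by_cookie(log_text):
    """Pages requested per cookie value, regardless of source address."""
    trail = defaultdict(list)
    for _ip, request, _agent, cookie in parse(log_text):
        if cookie:
            trail[cookie].append(request.split()[1])
    return dict(trail)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["requests"], "requests,", len(s["agents"]), "agents,", len(s["cookies"]), "cookies")
    print(pages_by_cookie(SAMPLE_LOG))
```

The request without a cookie is attributable only to the proxy address, which is why the proxy's own log is the remaining link back to an individual.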

Anonymizer is the most widely known provider of anonymous Internet access. Anonymizer provides a wide variety of services for private surfing, remailing and encryption. Essentially, Anonymizer acts as a value-add ISP for providing anonymity. Anonymizer.com functions as a proxy: it hides your presence from the Web sites you connect to. More than being providers of anonymous services and technologies, the people at Anonymizer are also activists on the issue of privacy. Anonymizer offered Web surfing and e-mail services to the Kosovars who were caught in the middle of the Serbian conflict. These services let users freely express their opinions without fear of being tracked down by the Yugoslavian government.

ProxyMate, like Anonymizer, is another Internet privacy system with a decent track record. Originally called the Lucent Personal Web Assistant, ProxyMate was developed by Bell Labs at Lucent. ProxyMate provides anonymous surfing, an "autofill" function for Web site logons, as well as a spam filter. When a Web site requests an e-mail address, ProxyMate will assign an "@proxymate.com" address, which you can filter as needed from your own inbox.

PrivacyX is a new anonymous Web and e-mail service that got off to a rocky start, at least for the browser portion. In the rush to release its services this summer, it was found that the browser could be compromised to reveal the user's IP address. PrivacyX has since decided to release the browser as an Open Source project to the privacy community.

Zero-Knowledge is the start-up to watch in the Internet privacy space. You may recall the stir Zero-Knowledge created this past spring in a public battle with Intel over the Pentium III's serial number. Intel gave OEMs the capability to turn off the processor ID in response to an outcry from privacy advocates. As a demonstration of the inadequacy of Intel's compromise, Zero-Knowledge wrote an applet that could turn the processor ID back on without the user being aware of it.

While this was an interesting episode and was a clear demonstration of Zero-Knowledge's skill, the firm will soon be widely known for its Freedom privacy technology. The Freedom technology is a combination of client software and a sophisticated network of Anonymous Internet Proxies that obscure your connection, while at the same time allowing you to take advantage of Web site personalization features, such as cookies. The "Freedom Network" of anonymous proxy servers is not a closed network of machines owned by Zero-Knowledge - they are servers run by ISPs or other organizations. The idea behind this is to make the software a pervasive part of Internet proxy servers, not a private network that would become its own privacy hole or performance bottleneck. These anonymous proxies are grouped into "clouds," through which your browser's requests are encrypted before being sent to the destination server. A pseudo-link state routing protocol is negotiated within the cloud to keep performance optimized and provide some granular control over how many hops to allow. Unlike the other options mentioned, Zero-Knowledge does not own or manage the proxy servers, providing a better model of distributed trust than its predecessors. The technology of the Freedom Network also does a lot more to obscure the client connection than the alternatives. Placing your trust in a single company's proxy servers to make your connection anonymous could be perilous if that company were ever compromised. Zero-Knowledge has some real believers in Silicon Valley, having recently garnered $12 million in first round venture capital financing.

Occupying a different space in the privacy battle is another start-up, Enonymous. Enonymous provides a software tool to advise the consumer of the privacy practices of the Web site they are visiting, and also helps simplify the process of sending personal data to chosen Web sites. You enter your personal data into the Enonymous client once, and it splits out the contact data needed to complete a transaction from other personal data. Enonymous is also moving forward with another privacy seal to rank the policies of Web sites. Enonymous is thus attempting to become your personal privacy advisor.

Whether you feel the fears are justified or not, privacy concerns will continue to grow on the Internet and within corporate networks. Organizations such as Anonymizer have built up a reputation for privacy. New start-ups in the privacy arena best serve the market by developing technology that protects the user without requiring inherent trust in their own proxy servers and private network, either through the Zero-Knowledge model or via Open Source.

One thing that I touched on briefly in this newsletter is the importance of having incorruptible firewall administrators in the corporate environment. It is hard not to reach the conclusion that corporations that act as Big Brother, even in a benevolent sense, will be headed for trouble if they cannot provide privacy assurances for their employees. When IT controls everything that can be installed on the desktop and logs everything that goes in and out of the network, corporate users have little to protect their own privacy from within the intranet. Of course, IT needs to protect the company's intellectual property and valuable corporate data. The question is: what is the proper balance between protecting the company and respecting the employee? Companies aren't necessarily differentiating between valuable corporate patents and personal employee records.

Will the type of privacy technology used to protect you from an unknown Web site operator eventually be needed to protect you from your own IT department?

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.

RELATED LINKS

Anonymizer
ProxyMate
Zero-Knowledge
Enonymous.com
Archive of Network World on Security newsletters

Copyright, 1994-2006 Network World, Inc. All rights reserved.