Harley Hahn's
Internet Insecurity

Chapter 4...

Taking Control

Clients and Servers

As you use the Web, visiting one Web site after another, have you ever wondered if there is a way the remote computers can keep track of your activities? The answer is, yes, to a limited extent, they can. They do this by using a facility called cookies. To appreciate how cookies work, however, you need to understand the idea of clients and servers, so let's take a moment to talk about them first.

In Chapter 1, I explained that the Internet is a large, worldwide network, in which data is transported in packets using a system called TCP/IP. This is certainly one way to understand the Net, and, in a technical sense, it is actually a definition of the Internet. From a functional point of view, however, there is a better way to describe the Net: as a system in which all communication takes place between two type of programs, clients and servers.

A SERVER is a program that provides a specific service over the Internet. A CLIENT is a program that requests a service.

Here is a common example. To read email messages, you use a program, called a MAIL CLIENT, that runs on your computer. The most common mail clients are Microsoft Outlook and Outlook Express, Netscape Messenger, and Eudora. (If you use AOL, it works in a different way — using a Web-based mail system — that I will explain later in the chapter.)

When people send you messages, they don't go to your computer directly. Rather, they are stored on a remote computer by a program called a MAIL SERVER. To check your mail, your mail client contacts the mail server and asks if there are any messages waiting for you. If so, the mail server sends the messages to your computer, where your mail client displays them for you.

When you send an email message, the process works in reverse. You use your mail client to compose the message. Once it is finished, your mail client sends the message to the mail server. The mail server then sees that your message is delivered properly (by sending it to the mail server of the person to whom the message is addressed).

Strictly speaking, a server is a program. However, we also use the term to refer to the actual computer on which the server program is running. For example, say that you are taking a tour of a large company. As you visit a room filled with computers, the tour guide points to one of the machines and says, "That is our mail server."

You will notice that the mail client/server system actually uses two types of servers: one to accept incoming mail, and one to send outgoing mail. Indeed, these are actually two different server programs. The one that sends incoming mail to your client program is called a POP SERVER. (The name stands for "Post Office Protocol".) The server that accepts your outgoing mail and delivers it for you is called an SMTP SERVER. (The name stands for "Simple Mail Transfer Protocol".)

If you have ever set up a brand new mail program, you will know that one of the things you have to do is specify the name of the computer that houses your POP server and your SMTP server. In most cases, the POP server and the SMTP server both run on the same computer (which, is often referred to, generically, as the "mail server"). When you use the Internet from home, your mail server is maintained by your ISP. When you use the Internet at work, your mail server is maintained by your company.

Jump to top of page

Web Clients and Servers

Now that you understand the basic idea of clients and servers, let's talk about what happens when you use the Web.

To use the Web you need a Web client program. Such programs are known as BROWSERS, because, in the olden days, it was thought that people would use their Web clients to browse the Web (as many people do). The most popular browsers are INTERNET EXPLORER (from Microsoft) and NETSCAPE (from AOL).

In order for you to look at a Web page, your browser must contact a Web server and request the data for that particular page. The server then sends the data to your browser, which displays the page for you.

As I mentioned above, the term "server" is used in two ways: to refer to the program that communicates with your browser, and to refer to the computer in which that program runs. Thus, we can say that the Web server (a program) runs on a Web server (the computer).

This, by the way, is a typical example why it can be so hard for normal people to understand the nuances of computers and the Internet. Programmers will often use the same term in two similar, but different, ways. In this case, "server" can refer to either a computer or a program. Although programmers understand, by context, what is meant when the word "server" is used, normal people find it easy to be confused.

Let's consider an example. Here is the URL (address) of my Web site:


The second part of the URL, www.harley.com, is the name of a computer. This computer — my Web server — runs a Web server program. When you tell your browser that you want to look at my Web site — say, by typing the URL in your Address Bar, or by clicking on a link to the site — your browser sends a message to the computer named www.harley.com. When the message arrives, it is processed by the Web server program, which then sends the appropriate data back to your browser.

Jump to top of page

Web-Based Email

Broadly speaking, there are two ways in which you can use email services. You can use either a separate mail program as a client, or your Web browser as a client.

With both systems, you still need a mail server to send and receive mail on your behalf. The mail server resides on a remote computer and is maintained by your ISP or — when you use mail at work — by your company.

With the first system, you run a mail client on your computer, and the client communicates with the remote mail server on your behalf. (As I mentioned earlier, the most common mail clients are Microsoft Outlook and Outlook Express, Netscape Messenger, and Eudora.)

With a Web-based mail system, you use your browser as a client, and everything you do with your messages — reading, replying, composing, and so on — is presented to you on Web pages. This is the system that is used by the many free, Web-based mail systems. For example, Hotmail, which is owned by Microsoft, works in this way.

From a technical point of view, the biggest difference between a standard client/server mail system and a Web-based mail system lies in where the messages are stored. When you use a regular mail client, your messages are downloaded from the server to your computer. Once the messages are on your computer, it is fast and easy to manipulate them. Moreover, you can keep them as long as you want, and dispose of them as you wish. You also have maximum privacy: as long as no one else has access to your computer.

With a Web-based system, the messages always stay on the remote server, which makes everything slower. Moreover, using Web-based mail is more awkward because browsers are not designed to be mail clients. When you use a separate mail client, you are using a program that was designed specifically to handle mail and, as such, has more sophisticated capabilities than a general-purpose Web browser.

Web-based systems, however, do have an important advantage. Because you don't need a special program, you can check your mail from any computer that has a browser. This is handy if you travel or — as we will see in the next section — if you want to keep your email private from other people.

AOL, by the way, uses both systems. The AOL software (which is distributed free) contains a mail client. This client, which runs on your computer, contacts the AOL mail server on your behalf whenever you want to send and receive mail. In addition, you can also check your AOL mail by using an ordinary browser, as with other Web-based email.

In both cases, the messages stay on the remote AOL server. They are not downloaded to your computer, even when you use the mail client. This is why you can check your AOL mail from any computer that has Internet access, whether or not it has the AOL software installed. It is also the reason why checking your AOL mail is a slow, clunky experience, no matter what system you use.

Jump to top of page

How Private is Web-Based Email?

When you use a regular mail client, the program runs on your computer, and every time you check your mail, the incoming messages are downloaded to your computer. This means that anyone with access to your computer can use your mail program to read all your messages. Moreover, whenever you send messages, copies are kept on your computer, so someone using your computer can also see all your outgoing messages. For that matter, such a person could even use your program to send email to other people, and it would look as if the mail came from you.

Web-based mail systems do not keep any messages on your computer. Moreover, they require you to log in with a user name and password before you can use the system. This means that no one can look at your mail unless they have your password. For these reasons, many people use a Web-based mail system for privacy.

As you might expect, this is common in the workplace, where people do not want to use their work address for personal mail. When you use your company's email system, all your messages go through the company mail server, which means that the company has access to your communications.

Moreover, there is another consideration. It is common practice for network administrators to back up the data on their computers. This involves copying the data from the hard disks to tapes or CDs, which are kept in long-term storage. If something goes wrong with a hard disk, or if information is lost by accident, it is a simple matter to recover the information from the backup.

This means that, as a matter of course, all the messages on the mail server are backed up regularly. So even after you read and delete your messages, they could be stored indefinitely on a backup tape, where they can be recovered anytime the company chooses to do so. To be sure, no one is going to go to the trouble of restoring old messages without an important reason, but if it happens that you fall out of favor with the company, it wouldn't be hard for them to prove that you were using company resources for personal mail (if, indeed, you were). If you use a Web-based system for personal mail, your company does not have direct access to your messages.

However... don't think you are completely safe. Some companies use monitoring programs, which record everything you do on the Net. If your company has such a program, you can bet it is keeping track of your email as well as your Web activity.

Moreover, it's not as hard as you might think to see what someone has been up to with a Web-based mail account. True, you need a user name and password to access the account, but that won't stop a smart investigator. Here is an example.

I know someone who was hiding his activities (actually, a double life) by using what he thought were private email accounts and a list of fake names. After he left the company, an investigator began to check out the fellow's computer. Using the computer, the investigator typed the address of a well-known, free Web-based email system. The system prompted the investigator to enter a user name and password.

As the investigator started to type a user name, the browser (Internet Explorer) cooperated by using its AutoComplete function to list all the names the employee had ever typed into the form on that particular Web page. In an instant, the investigator knew all the fake names the fellow had been using.

Finding the passwords wasn't that hard. The designers of Web-based systems know that many people forget their passwords, so they always provide ways to get around the problem. A common feature is to allow someone to request that a message be sent to them with their user name and password. The message is sent to the email address the person used when he first set up the account.

(When you set up a Web-based mail account, you must furnish information about yourself, including a valid email address. This process is called REGISTERING. The companies that provide these services know that many people use them for questionable purposes. To protect themselves, the companies do their best to ensure that they have a real name and email address for each account.)

Thus, if an ex-employee specified a company email address when he or she registered the Web-based mail account, it is easy for an investigator to get the user name and password. All he has to do is request the information to be sent to the registered email address.

In this case, it was even easier. Some Web-based services have another way to help you if you forget your password. When you register, you make up a question. Later, if you forget your password, the system will ask you that question. If you answer successfully, you will be automatically logged in. So, all the investigator had to do was tell the system he had forgotten the password. After a few tries, the investigator was able to guess the answer to the question, and was logged in to the account. (And, believe me, it was hot stuff!)

It is common for people to use Web-based mail accounts at work in order to send and receive private email, and as you can see, it's not as private as you might think (or hope). But work isn't the only place you will find people trying to hide their activities. Many people use such email accounts at home, in order to keep secrets from a husband, wife or significant other. (I know of a number of people who do this regularly.) Children also use Web-based email accounts to keep their messages safe from the prying eyes of their parents.

If you use a home computer, anyone in the household can access your programs. In particular, anyone can start your mail program and read all your messages. (More than one relationship has broken up in this way.) However, if you use a Web-based mail system, all the messages are stored remotely, and there is no way for an unsuspecting spouse to accidentally (or purposely) find your secret messages. In fact, many people have completely secret Internet personalities that their spouses know nothing about. This phenomenon is a lot more common than you might think, and it is one of the ways in which the Internet can put a great deal of strain on a relationship. We'll talk about all of this more in Chapter 14.

For now, all I will say is that, if you are doing this, you shouldn't be, and you're not as safe as you think you are (especially if your spouse, girlfriend, boyfriend or parents are smart and persistent).

Jump to top of page

How Private is Regular Email?

As we discussed above, when you use Web-based email, your browser acts as a mail client, and your messages stay on a remote server that is beyond your control.

Regular email works differently in two important ways. First, your client is a dedicated mail program that runs on your own computer. (The most common mail programs are Microsoft Outlook and Outlook Express, Netscape Messenger, and Eudora.) Such programs are designed specifically for email and, as such, are much better tools for mail handling than are browsers. In particular, mail programs are faster and more powerful.

Second, when you use a mail program, your messages are copied from the server to your computer, and then deleted from the server. This means that you have a lot more control. You can keep your messages indefinitely. It is up to you when to delete them. In the meantime they are not stored on the server, so you have control over your own privacy.

In general, I prefer regular email to Web-based mail, because I like using a real mail program (not a browser), and I like to control how long my messages are saved. However, if other people have access to your computer, there can be a privacy problem because, when you are not around, another person can simply start your mail program and look at all the messages.

If you are worried about a lack of privacy, you must take steps to make sure this doesn't happen. The best policy is to make sure that there are never any messages lying around that you would not want other people to read. Even if you think no one in your house or at work would deliberately spy on you, it could happen by accident.

Let's be honest. Let's say a friend of yours is away and you need to use his computer for a moment (say, to find a place to buy a Harley Hahn book). What would you do if his mail program was open and you happened to see a message with a provocative subject? ("See you tonight, don't tell anyone" or "Your embezzlement was discovered".)

If you have ever looked through someone else's mail, you will find out pretty quickly that it is almost always a boring experience. On the other hand, it's human nature to want to look at things you are not supposed to see, so let's be realistic. If someone has the chance, eventually, they are going to look at your mail, so if privacy is crucial, you need to be prepared.

Within your mail program, messages are kept in what are called FOLDERS (Microsoft Outlook and Netscape Messenger) or MAILBOXES (Eudora). These are not the same thing as the folders used by Windows to hold files. (A Windows folder contains separate files. A mail folder is actually one large file containing a number of messages.) Moreover, the only way to manipulate mail folders is from within the mail program itself; you can't use Windows Explorer.

All mail programs have a few standard folders, and you can create more if you need them. Here are the names of the standard folders and what they are used for.

      Outlook Messenger Eudora
  • Incoming messages that have not been processed
  • Unfinished messages that have not been sent
  • Finished messages that have not been sent
  • Messages that have been sent
  • Deleted Messages

How these folders are used varies somewhat from one program to another. However, when it comes to privacy, there are two important things you must remember. First, anyone with access to your computer can look at all your mail folders. They can see not only what is waiting in your inbox, but all the mail you have sent or received. At work, you should be aware that it is possible for a network administrator to check your mailboxes over the network, without even being near your computer.

The second important point is that when you delete messages, they are not removed permanently. They are simply moved to your Deleted Items/Trash folder. This means that to remove a file permanently, you must first delete it from its original folder, and then delete it a second time from the Deleted Items folder.

If you are serious about privacy, never forget to empty your Deleted Items folder. If someone is snooping on you, that is the first place they will look.

Jump to top of page

Sneaky Browser Tricks: Cookies

Now that we have discussed Web clients (browsers) and Web servers, let's return to the question of privacy I raised earlier in the chapter. Is it possible for Web servers to keep track of your activities? If so, this is important, because many Web servers are maintained by companies who do not care about your personal privacy. If a company can track what you do, you are going to have to look out for yourself.

The answer is yes. Web servers can, to a limited degree, keep track of what you do on the Web. They do so by using what are called "cookies".

A COOKIE is data that is placed on your computer by a Web server. The data consists of several lines of text, and is stored in a special folder on your hard disk. Later, that Web server — or in some cases, a different Web server — can retrieve the cookie, examine it, and even leave another one. In most cases, you have no idea that any of this is happening. You visit a Web site, never dreaming that the remote computer is actually putting information on your hard disk.

Why is this necessary? Your browser and the remote Web servers you access are not connected permanently: they simply pass information back and forth as necessary. Each time you click on a link, your browser sends a request for data to a remote Web server. However, each request is independent of any previous communication. Thus, if a Web server needs to keep track of what you are doing, it must leave cookies for itself on your computer. A copy of the cookies is sent back whenever you click on a link pointing to that server.

The idea behind a cookie is to enable Web servers to relate a previous transaction to a later one. Consider this analogy. You drive into a parking lot and are given a ticket on which the time and date are stamped. When you leave, you must show the ticket, which is then used to determine how much you should pay. In this case, the ticket is acting like a cookie.

The name "cookie", as used on the Web, came from an operating system named Unix (a master control program that is much older than Windows). Within Unix, a program can store a special type of data to be read later. Such data is called a "magic cookie". No one knows the exact origin of the term, but clearly, it was chosen to be whimsical.

Cookies on the Web are used for various purposes. The programmers who create Web sites have developed ingenious ways to use cookies to track your movements on the Web, and to remember your preferences and your identity.

All of this, of course, raises questions of privacy. How do you feel about companies being able to track your movements on the Web, even in a limited way? How do you feel about companies accumulating information about you and your purchases in order to sell you things more effectively?

The original justification for cookies was that it would help the consumer (that is, you) in various useful ways. For example, many Web-based stores allow you to accumulate purchases, one at a time, as you browse the Web site. This facility is referred to as an electronic SHOPPING BASKET or SHOPPING CART. Each time you select an item for possible purchase, the Web server saves this information on your computer in the form of a cookie. In other words, your shopping basket is really a set of cookies stored on your own computer. (We'll talk about the details of buying and selling on the Net in Chapter 13.)

Another justification for cookies is that that they can make life easier by making it unnecessary for you to enter the same information each time you visit a Web site. For example, some Web sites require you to register in order to use the site. Once you are registered, you can access the Web site whenever you want, as long as you enter a user name and password to identify yourself. (You choose your user name and password when you register.) This process is called LOGGING IN. (Obviously, companies force you to log in so they can keep track of who you are and what you are doing.)

On some Web sites, when you log in, you are given a chance to specify that your user name and password should be saved permanently on your computer. If you accept this choice, the Web server stores a cookie with this information on your computer. That way, you won't have to enter the same information each time you want to visit the site.

These rationalizations for cookies — shopping and remembering personal data — are certainly useful, and they are trotted out each time the business side of the Internet tries to justify its ability to leave cookies on your personal computer without your knowing. However, most cookies are not of that nature.

How do I know this? In order to make my browsing more enjoyable, I use a program that blocks Web advertisements. One of the other functions this program provides is blocking cookies. The program keeps track of the number of cookies it blocks, and I can tell you that in the last month (as I write this), the program has blocked 15,954 cookies from being stored on my computer — and in that time, I have not even bought one item from a Web site!

The cookie system has a built-in privacy safeguard: a cookie can only be stored by a Web server when you visit its Web site, and only that server can ever look at the cookie. However, in practice, the spirit of this safeguard is routinely circumvented. Here is one way in which it works.

As you know most Web pages contain pictures of some type: photos, graphics, and so on. You might think that such a page is stored on a Web server as one large file, which is sent to your computer at the request of your browser. Actually, the text of the page is stored in one file, and all the pictures are stored in separate files. When your browser requests the data for a Web page, all of these files are sent to your computer separately. Your browser then receives the files and puts them together to create an image of the complete page. Thus, looking at a single Web page usually initiates a number of separate file transfers.

A great number of Web sites contain advertisements in the form of pictures. In many cases, these pictures do not actually reside on the main Web server. Instead, they are stored on servers maintained by advertising companies. This means that, each time you look at a page with ads, there is a good chance that the ads themselves are coming from special-purpose advertising servers. And each time one of these servers sends a picture to your browser, it can also leave one or more cookies.

This means that, as you use the Web, you will accumulate many, many cookies from Web servers you had no idea you were contacting: servers that are run primarily to send out ads and track people's movements. These cookies are stored under the name of the ad server. Later, you might visit a completely new Web site that uses ads from the same server. At that time, your browser will automatically send the server copies of all the cookies stored under its name on your computer.

Are you starting to see how advertising and marketing companies can use cookies to trace your activities and remember your personal information? Well, it gets worse.

Imagine that, for some reason, you type your name, email address and phone number into a form at a particular Web site. You do this because you want to get something for free (such as access to an online newspaper) or because you want to buy something. It happens that, unknown to you, the company maintaining the Web site has a data-sharing arrangement with the Acme Marketing Company. Also unknown to you, the Acme Marketing Company maintains a sophisticated system that uses cookies to track your movements among all the sites that display its advertisements. It is now possible for them to relate your name, email address and phone number to your activities on the Web. All of this information is stored in a database which is sold to other companies who want to sell you things. This is one way in which your email address can end up on junk mailers lists. (In Chapter 8, I'll show you the strategies you can use to protect yourself against this kind of marketing abuse.)

Jump to top of page

Why Are Cookies Used So Much?

The cookie system was first proposed and implemented by the Netscape company in the late 1990s. As I mentioned above, the official justification was (and still is) that cookies are good for consumers. However, it is clear that cookies are being used for all types of things that go way beyond customer convenience. Cookies are a major marketing tool, used by companies to accumulate data by tracking what you do and how you do it.

Some people are offended by cookies just out of general principle. After all, what right do companies (and other organizations) have to track our actions on the Internet? Why should merchants who only care about our money be able to store information about our activities and our preferences? The answer to this question is complex and has as much to do with economics and psychology as it does with technical considerations.

As I explained in Chapter 1, the Internet is based on one-to-one connections. As such, the Net is, most definitely, not a broadcast medium. For this reason, it is not possible to use the Net to reach a lot of people, reliably and repeatedly, in a cost-effective manner. Moreover, the economies of scale, which work so well outside the Net, do not work well on the Net itself. On the Net, services grow less efficient as they grow larger.

For this reason, businesses that depend upon a large audience do not thrive on the Net unless they are married to a substantial and significant non-Internet enterprise. Even then, it is surprisingly difficult for most companies to make money on the Net.

It is a characteristic of business that — month after month, year after year — a company must generate more and more profit in order to remain healthy. This is not greed: this is a normal part of the system. A business whose profits do not grow regularly will eventually stagnate, and, if the business has stock that is publicly traded, the price of its stock will fall.

Generally speaking, businesses are able to increase their profits in two ways: by selling more goods or services, or by becoming more efficient and raising their profit margin. (The term PROFIT MARGIN refers to the percentage of revenue that a company retains as profit after paying all its expenses.)

All Internet companies eventually find themselves under great pressure to increase their audience and to sell, sell, sell.

All companies, on and off the Net, are under constant pressure to increase their profits. This is especially true for companies with publicly traded stock. However, the business environment on the Net is so competitive that there is not much room for raising prices or lowering costs (both of which would increase the profit margin). Instead, companies really only have one choice: they must sell more and more goods or services, either by attracting more customers or by selling more to their existing customers.

This is why all Internet companies (as well as Internet divisions within other companies) eventually find themselves under great pressure to increase their audience and to sell, sell, sell. Up to a point, it is possible to build up a substantial Internet audience by giving away something valuable for free (usually some type of information). However, making money from this audience is quite a different thing.

This is why Internet companies, no matter how substantial they may look, are constantly worried about money. As such, they do everything they can to squeeze out as much money as possible. This is why, when you visit commercial Web sites, you will find yourself bombarded with a great many advertisements (nearly all of which, by the way, are hopelessly inefficient).

This is also why so many Web sites leave cookies on your computer. Internet companies lust after as much marketing data as they can find, hoping that, in some way, they can use that data to increase their sales. And if an ever-increasing treasury of data doesn't lead to more sales... well, the company can always try to sell it.

Jump to top of page

An Approach to the Privacy Dilemma

It's important to realize that when a company acts in a way to further its own interests at the expense of your privacy, the company is not necessarily acting immorally. You see, companies — and other organizations, such as universities and governments — are entities in their own right. As such, they have a powerful tendency to protect their existence and further their aims.

So don't waste a moment being bothered by the fact that companies on the Net do not really care about your privacy. Of course they don't. They care about what they need to care about: making money, projecting a particular image, attracting customers, increasing their profit, dominating their particular industry, raising their stock price, and so on.

So let's be realistic. There is no vast conspiracy to ferret out your personal secrets and sell them to the highest bidder just for the sake of being malevolent. Companies act according to their nature, so instead of getting upset or trying to fight the system, see what you can do about preserving your privacy. Recognize that it's hard for anyone to make money on the Net, and companies that give you something for free (even if it is information) are going to have to do anything they can to squeeze out every dollar they can. This means, yes, that they will use cookies, and any other trick that might work, to find out information about you, if they think that information might lead to profit.

You will remember that, in Chapter 1, I explained that when you use the Net, you are in public. To be sure, it is not the same as when you leave your house and mix with other people, but you are in public just the same. As you know, being in public requires you to give up a certain amount of privacy and, from time to time, to put up with a certain amount of inconvenience.

So, don't get excited each time you read about a new Internet privacy violation. Rather, accept it as being part of the Net. Just look at the problem carefully, ask yourself how it affects you, and then take whatever steps are necessary to protect yourself.

In general, this is the approach I want you to use when you analyze any Internet problem. To see how it works, let's take a look at the problem of cookies.

Jump to top of page

What to Do About Cookies

Everyone dislikes being manipulated by big companies, so it's easy to understand why you might resent having your activities and your preferences monitored without your approval. Lots of people feel this way and they especially dislike the way this information is used to target them as potential consumers. I have to admit that I sometimes feel the same way because I am, by my nature, a private person who likes to control his environment. However, let's set our feelings aside and be reasonable.

I am sure you have had the experience of buying groceries at a supermarket with a computerized checkout system. After all your items are scanned, a special device prints customized coupons for you based on what you have bought. For example, if you have bought a particular cereal, you might have received a coupon for 50 cents off a similar cereal from a different company. Obviously, a computer is examining your purchases and using the information to market a product to you directly.

Does this bother you? Frankly, it doesn't bother me. Even though I don't use such coupons, and I just throw them away, I don't really see the system as an invasion of my privacy. After all, the cereal company isn't interested in me as a person; they only want to sell me cereal.

Similarly, when a company uses cookies to try to market to you more effectively is it really that big a deal? The answer is no. It's not all that different from the coupon machine in the supermarket. However, it feels different, for two reasons. First, you access the Net by using your computer. As we discussed in Chapter 2, your computer interacts directly with your mind and, as such, you see it as a highly personal tool. Second, the Net is a much more mysterious place than a supermarket, so it's understandable why you would instinctively dislike the idea of information about you floating around out there, beyond your control.

I have thought about this question carefully over a long period of time — remember, as I told you, I myself am a private person — and I have come to the conclusion that cookies, although philosophically offensive, aren't really that big a deal, and don't really infringe upon our privacy in a meaningful way. From time to time, you may read about some Internet privacy advocate ranting against the hidden menace of cookies. Ignore the diatribe. There are more important things to worry about.

If you really hate the idea of cookies, you can get a cookie blocking program that will let you control which Web sites (if any) are allowed to leave cookies on your computer.

In fact, you can set up your browser to block cookies if you really want to. With Internet Explorer:

  1. Pull down the Tools menu and select Internet Options.
  2. Click on the Security tab, and then on Custom Level. This will open a new window called Security Settings.
  3. Within this window, scroll down to the Cookies section, and choose the setting you want. Then Click on OK to close the window.

(Note: You will see an option related to "per-session cookies". This is for cookies that are meant to be temporary. For example, if you are buying something at an Internet store, the Web site might use temporary cookies to remember the contents of your shopping basket. Such cookies are automatically removed when you stop your browser program, so you can ignore the setting for this option.)

So, as I say, you can block cookies if you want but, for practical purposes, it's really not worth the trouble. (You may remember me mentioning a program I use that blocks cookies. Actually, I use the program to block advertisements. It just happens to block cookies at the same time. I care more about the ads than the cookies.)

So, does my recommendation not to worry about blocking cookies mean that you can ignore them altogether? No, you do need to think about cookies, because in certain situations, they can cause a severe privacy problem, but in a completely different way than you might have thought.

Jump to top of page

Tossing Your Cookies

As I explained earlier, cookies are stored on your computer in a special folder. Anyone with a bit of technical knowledge, who has access to your computer, can easily examine your cookies. Each cookie is identified by the name of its Web site. This means that someone with access to your computer can see the names of many of the Web sites you have visited just by looking at your cookies. Moreover, the person doesn't need to be in front of your machine. If you are on a network, the administrator can look at your cookies remotely, over the network. (Actually, if you really want to be paranoid, you can worry about the fact that the network administrator can look at any of your files any time he wants.)

Thus, if you work in an environment in which you are especially concerned about privacy, it behooves you to delete your cookies regularly. After all, if you have been visiting contraband Web sites, it doesn't do you much good to delete your history and flush your cache, when sitting peacefully on your hard disk are a half dozen cookies under the name www.barnyardsex.com. So let's spend some time discussing how to examine and delete your cookies.

With Internet Explorer, your cookies are kept in a folder called:

C:\Windows\Temporary Internet Files

This is the folder that is also used as your cache (see the discussion in Chapter 3). To examine the contents of this folder, start Windows Explorer — the file management program — and navigate to the folder. (If you are using Windows 2000 or Windows NT, the location of this folder and other similar folders will be a bit different. I'll discuss the details later in the chapter.)

Alternatively, you can get to the folder by following these steps:

  1. Pull down the Tools menu and select Internet Options. You should be looking at the General page.
  2. In the Temporary Internet Files section, click on the Settings button. This will open a new window.
  3. Within this window, click on View files. This will open a copy of Windows Explorer. You will now be looking at the contents of the Temporary Internet Files folder.

Each cookie is actually a small file, and they are easy to see. Under a column named Internet Address, each cookie will have the designation Cookie. You will also see the name of the Web site that left the cookie.

To see the contents of a cookie, double-click on its name (in the leftmost column). When you do so, you may see a message like:

Running a system command and this item might be unsafe. Do you wish to continue?

Don't worry about it, just click on the Yes button. There is nothing unsafe about looking inside a cookie. When you click on the Yes button, a window will open showing you the contents of the cookie. (Do this a few times and you'll realize there's no point in looking inside cookies.)

To delete a cookie, right-click on the name. A menu will appear. Choose Delete. You will be asked to confirm that you really want to delete the cookie. Click on Yes.

To delete all the cookies at once, press Ctrl-A. This will select all the items in the folder. (Alternatively, pull down the Edit menu and click on Select All.) You can tell that all the items are selected because they will be highlighted. Right-click on one of the names and choose Delete. Again, you will be asked to confirm the deletion.

Once you have done this, it looks like you have deleted all the cookies from your computer. You haven't. Windows keeps another copy of all your cookies in a different folder named:


You will have to display the contents of this folder and delete all the cookies (and sub-folders) it contains. One way to display this folder is to type the full name into the Windows Explorer address bar.

Are you finished yet? Maybe yes, and maybe no. Sometimes Windows stores yet another copy of the cookies in a folder named:

C:\Windows\Local Settings\Temporary Internet Files

If this folder exists on your computer, you will have to clear it out completely, including all the sub-folders.

(Are you starting to see why, in Chapter 3, I suggested that you should learn how to use Windows Explorer well?)

Jump to top of page

The Balance of Power

It seems as if, when it comes to gathering information, the Internet deck is stacked in favor of the companies and merchants and not the consumers. For example, cookies are often used to invade your privacy (there's no doubt about that), and yet there's not a lot you can do except block them, delete them after the fact, or ignore them. Moreover, you will find that, if you block cookies completely, some Web sites won't work properly (they are purposely designed that way).

Cookies are not the only example of electronic perfidy. Here is one that is even harder to see. Whenever you click on a link, your browser contacts a Web server on your behalf, and every time this happens, your browser cheerfully sends the address of the current Web page to the remote server. This information is called the REFERER FIELD. In other words, each time you click on a link, your browser silently sends the referer field, telling the remote server which page you were reading when you clicked on the link.

This betrayal is more extensive than you realize, because it often happens that the Web page your browser is fetching requires elements from more than one Web server. If so, the referer field is sent to all such servers. For example, many Web pages contain ads that come from special Web servers maintained by Internet advertising companies. When your browser sends out the referer field, all the servers — including those run by the advertising companies — are sent information about what you were looking at when you clicked on the link.

How common is this? Earlier I mentioned that I use an ad blocking program that also blocks cookies. Well, this same program blocks referer fields from being transmitted to "third-party" Web servers, such as those that supply advertisements. In the last month (as I write this) my program has blocked 8,054 such referer fields.

Your browser does not allow you the option of refusing to send such information. So let's say you have just clicked on a link to a Web page that contains advertisements, and your browser has dutifully just sent the referer field to the Web server that is supplying the ads. There is a good chance that the advertising company's Web server has, at one time, stored cookies on your hard disk. (The cookies were put there when you visited other Web pages that contained ads from the same server.) Your browser will quietly send all these cookies along with the referer field. As it happens, one of these cookies is a unique identification number, identifying you to the server (this is common).

But wait, there's more. At one time, you visited a Web page that offered you a free something-or-other, if you would only type your name and email address into a form. It happens that the company offering the free something-or-other has a marketing deal with the same Internet advertising company that has just received the cookies (including your ID number) and the referer field (showing the Web page you were just visiting).

Yet, as bad as the lack of Internet privacy might seem, and as much as people like you and I might cry out for relief, it seems that the browser companies are going out of their way to make it easy for Web servers to find out as much as they can about us.

For example, Microsoft has built a system called PROFILE ASSISTANT into their software. The sole purpose of Profile Assistant is to make it as easy as possible for Web sites to extract personal information from your computer. What type of information? Your first name, your last name, your email address, your gender, your job title, your mailing address, your phone number, your business phone number, and your business address. (The information comes from the address book maintained by your Microsoft email program.)

During my research at the Microsoft Web site, I found a technical article written for Web programmers, with the ever-so-coy title: "Collecting Personal Information from Your Users Easily with the Microsoft Profile Assistant and Internet Explorer." Fortunately, Profile Assistant is not used widely, so we don't need to learn the details and conjure up a huge amount of righteous indignation.

However, what we do need to do is take a moment to think about these types of systems — cookies, referer fields, Profile Assistant, and so on — and ask ourselves: Why are they created in the first place?

Jump to top of page

You Are Not the Customer

Why is it that the people who build browsers work so hard to make life easy for third-party commercial marketers and care so little about our desire for privacy? The answer to this question is important, because it gives us insight into the economic dynamics that control the computer software industry. Understand this, and you'll understand a lot.

Let's start by asking what seems to be a simple question. From the point of view of the browser companies, who are the customers?

At first, you might think the answer is the users. People like you and I are the customers. After all, we are the ones who use the browsers. We are the consumers.

Businesses don't care so much about consumers as they do about consumers who pay for what they consume.

But are we? Businesses don't care so much about consumers as they do about consumers who pay for what they consume. So ask yourself, how much did you pay for your browser?

The answer is nothing. You got your browser for free. It was either pre-installed when you bought your computer, or you downloaded it from the Internet, or someone at work installed it on your computer. Regardless, you paid nothing at all to the browser company for the right to use a powerful, sophisticated program (and you expect free updates).

Perhaps you have heard the old joke about the car salesman who brags that his prices are so low that he sells cars below cost. Someone asks him, if you sell cars for less than you pay for them, how do you make any money? His answer: I make it up on volume.

It is true that Microsoft (which makes Internet Explorer) and AOL (which makes Netscape) are large, successful companies, but not so large or so successful that they can make money by giving away millions of free browsers. Microsoft and AOL must not only create the browsers, they must maintain them. This means developing new versions, fixing bugs (problems), and creating specific editions to run on different systems (Windows, Macintosh, Unix), all of which runs into big bucks.

So where does the money come from? It comes from businesses: from companies that (in Microsoft's case) buy the programming tools and service contracts necessary to create Web sites; or from companies that (in AOL's case) make marketing deals based on the captive audience provided by free browsers.

So who are the real customers? Not you and not me. The real customers are the companies that pay money. So is it any wonder that Microsoft and AOL put the interests of such companies above the interests of the end users?

From time to time, I will make remarks about how Microsoft, AOL, and other Internet companies care more about making money than the needs of the people who use their software. This is certainly true, but let's be realistic. All companies need to make money and, since we don't pay for most Internet software, it only makes sense that software companies are going to listen to the people who do pay.

From a technical point of view, it would be easy for your browser to filter out advertisements, stop referer fields, protect your privacy, and allow you to selectively block cookies.

Now you know why it doesn't.

Jump to top of page

Cleaning Out Your Computer Every Day

If you live or work in an environment where someone might have access to your computer when you are not around, you may be worried about your privacy. If so, here is a brief checklist of what you can do every day to clean out your computer.

Before we start, I want to point out that these actions are not foolproof. They are useful as far as they go, and they will eliminate the easiest ways that a casual snooper might intrude upon your privacy. However, Windows is designed so that any programs can leave traces in various places, and there is no practical way for you to remove them all: a skillful, determined investigator will always be able to find something.

The only foolproof way to clean your computer completely is to wipe out the contents of the hard disk and reinstall Windows. (Even then, you still have to worry about any existing backups.) For more information on this topic, see the discussion in the next section on how to clean your computer permanently.

You can clean your computer at the end of each day, by following these 7 steps. The exact details on how to perform each action are explained earlier in this chapter and in Chapter 3.


  1. Clear your history.
  2. Flush the cache.
  3. Delete your cookies.

Mail Program:

  1. For each folder, delete all the messages you don't want anyone else to see, then...
  2. Delete everything in your trash folder.


  1. Delete any files or folders you don't want anyone else to see, then...
  2. Empty your Recycle Bin.

Jump to top of page

Bequeathing Your Computer

Having discussed how to clean your computer on a daily basis, let's consider a less common situation, one in which you are called upon to give up your computer to someone else. If this is personal, for example, if you are giving your old computer to your brother-in-law or donating it to a church group, the solution is simple. You must delete everything on your hard disk.

The best way to wipe out your hard disk is to perform what is called a low-level format. Before any disk can be used, it must be prepared in a certain way. This process is called FORMATTING. Every disk must be formatted before it can be used, including hard disks, floppy disks and CDs. With floppy disks, formatting destroys all the data on the disk. With a hard disk, however, this is not the case. If you want to destroy all the data, you must use a special procedure called LOW-LEVEL FORMATTING.

Normally, low-level formatting is only done once, at the factory, before the disk is shipped to the computer manufacturer. Although the procedure is automatic, once it starts, it is a long process that will take hours. Still, it is the only sure way to wipe all the data on your hard disk.

Once you have formatted a disk in this way, you will not be able to use your computer until you have reinstalled Windows. The instructions for low-level formatting and Windows installation differ from one system to another, so I will have to refer you to your computer manual or to the company that made your machine.

In a work situation, giving up your computer to another person presents you with different problems, especially if you are being fired or if there is a conflict between you and the company.

Moreover, as we discussed in Chapter 2, if your computer is on a network, there is a good chance that a backup has been made of your files. If this is the case, cleaning your computer is still a good idea, but you must recognize that if the company wants to get your old files, including your email, they can do so by restoring them from a backup.

Unlike a home situation, your company may have strict policies about what you may or may not delete from your computer. This only makes sense. The last thing a company wants is for a disgruntled employee to delete, say, last year's sales figures or all the personnel records. (This is where backups come in.)

There is a good chance that the person who administers your computers will not allow you to wipe out everything on your hard disk. Indeed, if you are using Windows 2000 or Windows NT in a networked environment, you will probably be limited as to what system facilities (such as formatting) you can even use on your computer.

If you have never used your office computer for personal work, you are in a good position. All you really need to do is clean your computer the way I described in the previous section. However, if you have used your computer for personal work, you need take a few extra steps.

First, uninstall all the programs that you have ever installed for your own use, such as AOL software. The best way to uninstall software is to use the Windows Add/Remove Programs facility. Click on the Start button. Select Settings, then Control Panel, then Add/Remove Programs.

Now look through the list of programs. When you see one you want to uninstall, click on it and then click on the Add/Remove button. Repeat this procedure until you have removed all the programs you have ever installed for your own use. Hint: This can be a slow process because, with some programs, you will have to reboot to complete the uninstall process.

Once you have finished uninstalling your personal programs, use Windows Explorer and go through your hard disk, deleting all your personal files and folders. Be aware that some programs do not completely remove all their files when they are uninstalled, so you may have to clean up after them.

As you examine your disk, be sure to check the following folders, and any sub-folders, to see if they contain personal data that should be removed:

C:\Program Files
C:\Windows\All Users\Start Menu
C:\Windows\Application Data\Identities
C:\Windows\Downloaded Program Files
C:\Windows\Local Settings\Temporary Internet Files
C:\Windows\Offline Web Pages
C:\Windows\Start Menu
C:\Windows\Start Menu\Programs
C:\Windows\Temporary Internet Files

If you are using Windows 2000 or Windows NT, the location of these files will be a bit different. For Windows 2000, look in the following folders:

C:\Documents and Settings\All Users\
C:\Documents and Settings\username\
C:\Documents and Settings\username\Local Settings\

where username is the name you use to log in. For example, if you log in as harley, you would look in:

C:\Documents and Settings\All Users\
C:\Documents and Settings\harley\
C:\Documents and Settings\harley\Local Settings\

For Windows NT, look in:


Note: Your Windows 2000 or NT system may be set up to prevent you from accessing these folders.

Jump to top of page

The Windows Registry

Within your computer is a special collection of technical information known as the Windows REGISTRY. The registry contains data relating to (1) the hardware components in your computer, (2) the programs installed on your computer, and (3) Windows itself. The registry is very important, because Windows and your programs depend on it to store crucial data from one work session to the next. Indeed, without the registry, you couldn't even start Windows, and if you accidentally damage the registry, your entire system can become inoperative.

A large portion of the information in the registry is stored in special files, which you should never, ever touch under any circumstances:


The rest of the information is related to your hardware components, and is recreated each time you start the computer.

In Windows 2000 and Windows NT, the registry is even more complicated. The actual data is stored in a number of files. Most of them are in the folder:


Others are in the folders:

C:\Documents and Settings\Administrator\
C:\Documents and Settings\username\

Again, these are files that you should never touch directly.

If you are a super-nerd, you can look at the contents of the registry and even make changes by using a program that comes with Windows, called regedit ("registry editor"). However, regedit is not for beginners. Do not even think about it unless you are sure you know what you are doing. If you make a mistake, it could permanently disable your system.

The reason I am telling you about the registry is that it contains the many different preferences you can set that affect your working environment. For example, when you set options in Windows Explorer, you are actually making changes in the registry. (Of course, Windows Explorer makes the changes for you, so you don't accidentally cause a catastrophe.) Another common use of the registry is to specify which programs should be run automatically each time you start your computer.

There exists a program called TweakUI ("tweak the user interface") that was written by a group of programmers at Microsoft. TweakUI allows you to make many different changes to the registry in a simple, safe manner. In particular, TweakUI lets you set certain options that will help you wipe out certain data automatically to protect your privacy.

I'll explain those options in a second, but first I'll tell you how to install TweakUI on your system. (If you don't understand these instructions, get a friend to help you.)

If you use the original edition of Windows 98 and you have the installation CD, you can find TweakUI on the CD. Insert the CD into your CD drive and look for the file:


To install the program, right-click on this file and select Install.

If you don't have this particular CD, you will have to find TweakUI on the Net. (It is available for free.) Before you begin your search, you should know that there are two different versions of TweakUI, one for Windows 95 and one for Windows 98. (The Windows 98 version will also work for Windows ME, Windows NT and Windows 2000.)

To find the version of TweakUI you need, use a search engine to search for one of the following patterns:

+tweakui +"windows 98"
+tweakui +"windows 95"

You should be able to find the program along with the installation instructions.

Once you have TweakUI up and running, you will notice that it is in the form of a medium-sized window with a number of tabs along the top. Look for the tab named Paranoia and click on it. You will now see a number of different options that you can turn off and on that allow you to clear various types of information automatically each time your computer starts. For example, you can clear your Internet Explorer history.

Turn on the options you want and then click the OK button. Now, each time you restart your computer (or log in, if you share your computer with someone else), Windows will protect your privacy by deleting the information automatically.

One last hint. If you feel like experimenting with TweakUI, be sure to read the help information first. To do so, click on the Tips button on the first page. I know you won't want to, especially because Microsoft help information is usually so useless, but TweakUI is different. You need to know what you are doing. (Moreover, as I mentioned, TweakUI was written by a small group of programmers, and they did an especially good job on both the programming and the help information.)

Jump to top of page

Programs That Take Your Side

Aside from TweakUI, there are a large variety of other programs that are designed to enhance the privacy and security features of your computer. You can find such programs by searching at a software archive using the keywords privacy or security or both.

In case you don't know any software archives, you can find a lot of resources in the Software section of my book Harley Hahn's Internet Yellow Pages. Or, you can try one of the following Web sites. (Note: Even though the third URL says win95, it contains software for all the Windows systems.)

Windows software archives:


The programs you will find will offer you many different privacy and security features. Here is a short list to give you an idea of what is available:

  • Keep other people from using your computer when you are not around.
  • Securely store and manage all your passwords for Web sites that require you to log in.
  • Encrypt and decrypt files so no one else can read them without a password.
  • Hide and restrict access to specific files and folders.
  • Block other people from using certain programs (such as your mail program).
  • Overwrite the contents of a file before it is deleted, so that even if someone restores, the data will be gone.
  • Control cookies as you use the Web.
  • Create a diary or journal that is encrypted, so only you can read it.
  • Clean out your browser history and other accumulations of information showing your activities.

Jump to top of page