Internet Privacy: Spam and Cookies-How to Avoid Indigestion While Binging at the World Wide Automat

10/01/1998

Reproduced by permission. ©1998 Colorado Bar Association,
27 The Colorado Lawyer 27 (October 1998). All rights reserved.

Super highway, schmuper highway. Sure, the image is appealing: modeming down the info autobahn in the DSL[1] fast lane. RA[2]-dio cranked and the AC[3] on. Deeply tinted glass surrounds and insulates you from the outside world. You are autonomous and anonymous. Nice picture. The only problem is that, when it comes to your personal privacy, the cocoonlike aura engendered by the Internet is more fiction than fact.

In matters of privacy, the Internet is much less like a super highway and a whole lot more like an automat by the side of the road. There is a lot of variety, you can eat all you want, you rarely see the people who work there, and you typically dine alone. However, the owner sets the price for each item you take, and the folks working in the back can see you, and what you are taking, through the pass-through slots. Along with some occasional delectable morsels, the eateries on the World Wide Web serve up a lot of junk food. Whatever else you order, spam and cookies come with each meal. Junk food will not kill you, but many would prefer to avoid it, or at least cut down their consumption. This article is an introduction to avoiding indigestion at the World Wide Automat.

Name Your Poison

There is no such thing as a free lunch, and that goes for the Web, too. Entrée to the Internet comes at a price. That price is loss of a certain degree of personal privacy. This is a delicious irony, indeed, given the illusion of anonymity telecomputing has created since the salad days of computer bulletin board systems. However, as junk e-mail piles up in the in-box, the illusion of privacy is rapidly fading.

Folks also are discovering websites, such as www.dejanews.com, which captures and stores Usenet[4] messages, allowing anyone to search for your name and see what you have been writing about. A recent Price Waterhouse poll found that 86 percent of the American public is concerned about invasion of personal privacy on the Internet. The regulators are listening; the Clinton Administration, Federal Trade Commission, and several private organizations have been working overtime to bring some measure of privacy to Internet consumers, or at least to restore the illusion. This is in the interest of cybermarketers, too. After all, knowledge that a store has video cameras in its dressing rooms is more likely to cause shoppers to flee than to buy. Most agree that Web consumers’ privacy concerns will be addressed, if not by the industry itself, then by Big Brother. In the meantime, self-help is available.

Spam: Lunchmeat of the Masses, E-mail of the Mass Marketers

If you have not received any junk e-mail lately, check your Internet connection; you are probably unplugged. Junk e-mail, dubbed "spam" by the Internet community (much to the chagrin of the Hormel Company, whose spiced ham product has already suffered mightily at the hands of Monty Python) is the manna of the mass marketers.

Consider the economics. Traditional mass mailing, while commercially viable, requires postage for each piece sent. On the other hand, with a comparatively modest investment in an e-mail server at a fixed cost, literally millions of pieces of junk mail may, at the speed of light, be flashed directly to the target’s electronic mailbox, with the recipient paying the freight. Such a deal!

The economics of spam have led to such proliferation that major on-line providers, for example, America Online ("AOL"), have successfully sued to enjoin major offenders, for example, CyberPromotions, because the sheer volume of spam passing through commercial mail servers has brought the flow of legitimate subscriber mail to a crawl. While the lawyers slug it out in court, what "Hormel-lich" maneuvers can users employ to keep from gagging on spam?

Just Say No, Thank You

Mass mailers acquire e-mail addresses in two ways: they purchase them or they use robotic-like programs, "bots" for short, to search the Internet for them. If you truly detest spam, your first line of defense is: don’t publish your e-mail address.

Not many years ago, few people knew what an e-mail address was; today, they know what it is, and they want yours. Software and other product registration forms, credit card applications and other forms now routinely request e-mail addresses. Many Internet websites require visitors to "register," which usually requires providing your e-mail address as a condition to admittance. To reduce junk mail, "just say no" to providing your e-mail address, or provide a bogus address, such as jblow@spambegone.com.

Some websites, wise to this trick, require an e-mail validation procedure. Since the most obvious reason for validating an e-mail address is to increase the commercial value of an e-mailing list, before complying, check out the website’s privacy policy. Does it even have one? If it does, does it promise to use the data you provide only for itself? If not, assume your validated e-mail address will be sold, and decide whether admission to the site is worth a side of spam.

By the way, it is pointless to send a nasty e-mail, or "flame" in "Netspeak," protesting a registration requirement since, without proper precautions, this will only provide the website your e-mail address without the benefit of admission.
Similarly, responding to spam, for any reason (especially if it invites you to request that you be removed from the sender’s e-mailing list) simply confirms that your e-mail address is attached to a warm body and is tantamount to ordering several more heaping helpings.

A newer and slicker way of foiling the e-mail validators is with Lucent Technologies’ Personalized Web Assistant, available for free at www.lpwa.com:8000. The LPWA is a proxy server that allows you to generate "target revocable email."

When installed and used, LPWA serves up a bottomless bowl of unique e-mail addresses capable of being validated, but which the user can later "revoke" if spam is ever sent to that address. Full details and instructions are available at the Lucent LPWA site.

Fooling the Electronic Busboys

Usenet users are particularly susceptible to mass marketers’ "bots," which scan these Internet interest groups for e-mail addresses. Like nosey busboys, bots clear e-mail addresses from Usenet tables. Fortunately, the mindless nature of bots can be turned to their disadvantage if you include extraneous material in your Internet address; for example, NOSPAMcfluce@ditdit.com.

Another tactic is to include no return address or delete it if your e-mail program automatically injects one. In Netscape Communicator, change your e-mail address in "Preferences" under "Mail & Groups\Identity." Since bots typically search only the "headers" of e-mail messages, not including your e-mail address in the return address field will give the bot nothing to grab hold of. Bots rarely pick up an e-mail address embodied in the text of an e-mail message, nor can they intercept private e-mail.

Dining Anonymously

Removing your return address from e-mail headers provides a significant degree of privacy, but not total anonymity. The e-mail system itself, of necessity, automatically incorporates certain originating domain information for routing purposes.
For those seeking total anonymity, there is the "anonymous remailer" and, for the extremely paranoid, "chained anonymous remailing." An anonymous remailer is a service that acts as a gateway for e-mail. The service automatically strips out all header information that might disclose the point of origin and substitutes a different identity. For example, e-mail anonymously remailed through a service, such as www.anonymizer.com, will show only that it originated from anonymizer.com. Chained anonymous remailing passes e-mail through multiple anonymous remailers, making it virtually impossible to trace. In short, anonymous remailing is like sending your valentines to Loveland, except that, in addition to hand-canceling your sweetheart’s mail "Loveland," it also deletes your return address.

Anonymizing services also can act as an anonymous gateway to Web browsing, preventing website tracking software from telling who you are and where you have been. Otherwise, each time you visit a website, it can determine and log: 

  1. the Internet domain (for example, cobar.org) you are communicating from, which can disclose your firm’s name;
  2. your personal IP (Internet Protocol) address—the unique address of your personal Internet connection—which can disclose who you are; and
  3. the last website you visited, which could be rather embarrassing.

Anonymizing gateways cover your tracks.

Total anonymity, however, is impossible and impractical. An unlisted commercial e-mail address is not good for business.

Further, there are some sites from which you may want to receive targeted e-mail; for example, advising of product updates or providing information germane to your business or a hobby. When you want to receive e-mail from a website, you can use Lucent’s LPWA, and should always peruse the site’s privacy policy. As "Netizens" (Internet citizens) become more sensitive to intrusions on their virtual seclusion, website operators are implementing privacy policies and jettisoning validation of e-mail addresses in the interest of self-survival.

Electronic Food Tasters and A Dog Under the Table

Some junk e-mail is bound to slip through no matter what measures you take. For this reason, multiple strategies are useful for disposing of the unwanted spam that plops on your plate. Most modern browsers (such as Netscape and Internet Explorer) offer the equivalent of an electronic food taster in the form of filtering capability. Filters can automatically dispose of unwanted bytes before you even see them. The usefulness of this feature is not limited to taking out the spam; filtering software can be used to sort and organize e-mail in a variety of useful ways; for example, by client or other grouping. In Netscape Communicator’s mail program, the "Mail Filters" utility is found under the "Edit" menu.

Most, but not all, spammers launch their mail from certain domains, such as: cyberpromo.com, 258.com, impactmarketing.com; noriskbiz@hotmail.com; works4u@ix.netcom.com; mindspring.com; qsend.com; electronicpromotion.com; foraymail.com; and my personal nemesis, bull*seye.com. Foiling some of these spammers is as easy as creating filters that automatically send incoming e-mail containing the known spam addresses directly to the e-mail trash folder. Filters also can search for key words in the body of a mail message, such as "xxx" or "sex."

Caveat: As the cat and mouse game of spammer vs. spammee evolves, many spammers have begun changing their identity routinely or anonymizing or falsifying their originating domain. For example, several spammers were using a bogus origin of Hotmail.com, presumably in the belief that enough legitimate users use Hotmail that nobody would filter incoming mail from that domain. This abuse made Hotmail, a wholly-owned subsidiary of Microsoft, both hot and litigious.

In June 1998, Hotmail was awarded an injunction and $337,500 in damages against three spoofing spammers—just desserts, indeed.

Because mail filtering is not a perfect solution, you are advised at least to scan the headers of unread messages in your trash folder before emptying it, lest that lucrative offer for your professional services in a sex discrimination case be automatically disposed of along with the unwanted solicitations from "Persian Kitty."
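The filtering rules and the trash-folder check described above can be sketched as follows. This is an added example, not code from the article or from any mail program; the function names and the sample messages are constructed for illustration, while the sender entries and keywords come from the article's list.

```python
from email import message_from_string
from email.utils import parseaddr

# Sender entries and keywords are taken from the article's own list.
BLOCKED_DOMAINS = {"cyberpromo.com", "qsend.com", "electronicpromotion.com"}
BLOCKED_ADDRESSES = {"noriskbiz@hotmail.com"}  # one address, not all of hotmail.com
KEYWORDS = ("xxx", "sex")

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: Deals <promo@cyberpromo.com>\nSubject: Make money fast\n\nAct now.\n",
    "From: noriskbiz@hotmail.com\nSubject: No risk\n\nGuaranteed.\n",
    "From: Jane Client <jclient@example.org>\nSubject: Referral\n\n"
    "We need counsel in a sex discrimination case.\n",
    "From: friend@hotmail.com\nSubject: Lunch\n\nAutomat at noon?\n",
    "Subject: XXX pics\n\nClick here.\n",  # no return address at all
]

def classify(raw):
    """Return (folder, reason) for one raw message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = addr.rpartition("@")[2]
    blocked = addr in BLOCKED_ADDRESSES or any(
        domain == d or domain.endswith("." + d) for d in BLOCKED_DOMAINS)
    if blocked:
        return ("Trash", "sender: " + addr)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    for kw in KEYWORDS:
        if kw in text:  # plain substring match, so false positives are expected
            return ("Trash", "keyword: " + kw)
    return ("Inbox", "")

def review_list(raws):
    """Subjects of trashed mail caught only by keyword: scan before emptying."""
    subjects = []
    for raw in raws:
        folder, reason = classify(raw)
        if folder == "Trash" and reason.startswith("keyword"):
            subjects.append(message_from_string(raw).get("Subject", "(no subject)"))
    return subjects

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print("Review before emptying:", review_list(SAMPLES))
```

The client referral lands in the trash on the keyword rule alone, which is why the review list singles out keyword-only matches.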

Even when employing multiple strategies, spam intake can be reduced but not completely eliminated. Fortunately, the spam that slips by your defenses is relatively easy to spot. It is likely to have no return address, or one you do not recognize, or some other clue to its content in the description field. For those final unwelcome morsels the filtering food taster misses, the mouse and delete key are as effective as an electronic dog under the table.

Cookies at the World Wide Toll House

Cookies are the currency of choice at many toll houses on the World Wide Web. However, in the case of this particular tariff, the Web commercializers believe it is more blessed to give than to receive. Cookies are a take-home dessert, flat data files automatically supplied by websites and stored on your computer whenever you connect to an Internet website. On Windows 95 and 98 operating systems, the "cookie jar" where this information is stored is named "cookies.txt," and can be found with Windows’ "Find" tool.

As a threat to privacy, cookies have received much more media ballyhoo than is warranted; not since Prodigy’s infamous "stage.dat" scare has anything digital received so much newsprint. The reason for this excess probably derives from Americans’ distaste for the sneaky: until recently, few Internet diners were even aware of the existence of cookies, because, like bread brought to the dinner table, cookies arrive unrequested and unannounced.

Websites use cookies for a variety of functions, including remembering stored passwords, allowing users to compile "shopping baskets" of items they wish to purchase on-line, and remembering what pages a returning website visitor has viewed at that website. This type of information is not harmful and is generally beneficial to users.

supposed to be able to read only its own cookies and can only give twenty cookies to any one customer. Cookies can be no larger than 4k, and your jar will only hold 300 cookies before automatically clearing out the most stale. Rather, the perceived danger to privacy lies in the possibility of a website combining cookie data with registration data and then pooling this data with others to compile a detailed profile of user tastes based on on-line activities. This "cookie crumb trail," also known as "clickstream data" or "mouse droppings," if triangulated with other powerful databases, indeed has the potential to create a detailed personal dossier.

However, self-help is readily available. The current versions of both Netscape and Internet Explorer permit users to set their "Preferences" to reject cookies, to notify the user before accepting a cookie, or to accept only cookies that will be returned to the originating website. It is an eye-opening experience to set your user "Preference" to require notification of all cookies, just to see how prevalent their use really is.

Typically, rejecting a cookie will not bar admission to a site, but may limit the site’s usefulness or functionality. Internet aficionados generally believe that sites that bar admission for refusing cookies deserve to be avoided and, since many of these sites survive on banner advertising revenue based on user visits, if Netizens shun cookie-required sites, these operators will change their ways or suffer on-line Darwinism.

For those curious about the cookies already in their jar and who is sending them, cookies.txt can be viewed with a simple text editor or a word processor. Cookies can be blocked by replacing the cookie file with a zero-length file of the same name. There also is no shortage of freeware (software that can be downloaded free), shareware (software that can be used on a trial basis before payment is required), and inexpensive software for examining, editing, blocking, or eradicating cookies. They have such colorful names as Cookie Pal, Cookie Master 2, Cookie Crusher, Crumbler97, and Cookie Cutter.
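For readers who would rather tally the jar than read it line by line, here is an added example (not from the article or from any of the tools it names) that parses a cookies.txt file and reports who is sending cookies and which one lasts longest. It assumes the Netscape cookies.txt layout of seven tab-separated fields; the sample jar and the function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample jar. Assumed field order (tab-separated):
# domain, subdomain flag, path, secure flag, expiry (Unix time), name, value
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    ".shop.example\tTRUE\t/\tFALSE\t946684799\tbasket\titem42\n"
    ".shop.example\tTRUE\t/\tFALSE\t946684799\tvisitor\tA1B2C3\n"
    "ads.example\tFALSE\t/\tFALSE\t1293839999\tid\t77f0\n"
    "damaged line without tabs\n"
)

# Limits quoted in the article: 20 per site, 4k per cookie, 300 per jar.
MAX_PER_SITE, MAX_BYTES, MAX_TOTAL = 20, 4096, 300

def parse_cookies(text):
    """Return a list of cookie dicts, skipping comments and damaged lines."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # not a well-formed cookie record
        domain, _, path, secure, expires, name, value = fields
        cookies.append({
            "domain": domain.lstrip("."), "path": path,
            "secure": secure == "TRUE", "name": name, "value": value,
            "expires": datetime.fromtimestamp(int(expires), tz=timezone.utc),
        })
    return cookies

def summarize(cookies):
    """Count cookies per sending site and check them against the quoted limits."""
    per_site = Counter(c["domain"] for c in cookies)
    longest = max(cookies, key=lambda c: c["expires"], default=None)
    return {
        "total": len(cookies),
        "per_site": dict(per_site),
        "over_site_limit": sorted(d for d, n in per_site.items() if n > MAX_PER_SITE),
        "oversize": [c["name"] for c in cookies
                     if len(c["name"]) + len(c["value"]) > MAX_BYTES],
        "jar_full": len(cookies) >= MAX_TOTAL,
        "longest_lived": longest["domain"] if longest else None,
    }

if __name__ == "__main__":
    print(summarize(parse_cookies(SAMPLE)))
```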

Cookie Master2, an easy-to-use cookie logger, viewer, and editor, is available from ZDNet for free at its www.hotfiles.com website. For those willing to fork out a few more bucks, Guard Dog Deluxe is a more feature-rich and robust Internet utility, which includes several privacy features, including cookie management, virus scanning, and file guarding. A free trial version is available at the www.cybermedia.com site.

Privacy Begins at Home

In addition to being concerned about who is tracking your movements on the Web, consider that anyone with access to your PC can learn a lot. All major browsers cache web pages and images for faster re-loading. Thumbing through someone’s cache directory is like looking through their credit card bills; you can tell a lot about where they have been. By default, Netscape Communicator maintains a history file, called netscape.hst, of every website you have visited in the last several days. Entering "Control-H" with Communicator running will divulge this history and enable you to sort it in a variety of ways. This feature is useful for locating a site you can’t quite remember the name of, but also is a log of every place you have been on the Web.

For those concerned about privacy at home or work, the disk cache and history files can be set to zero in "Edit\Preferences\Advanced\Cache" and "Edit\Preferences\Navigator," respectively, at the cost of some speed and convenience, or both can be manually cleared periodically. (This also can be done on Internet Explorer.) Communicator’s bookmark.htm file—where "bookmarks" to your favorite sites are stored, and, of course, any e-mail[6] stored on your hard drive—is also available to anyone with access to your PC.

Take-Home Remedies: Visit the Pharmacy

Given the speed with which the Web redefines itself, any print article is bound to be quaint history in a matter of months. Regardless of whatever legislation Congress might enact, some threat to personal privacy will remain whenever two computers are connected together.

Fortunately for those who relish their privacy, there are a number of on-line pharmacies stocked with the latest take-home medications for avoiding Internet heartburn. Among the best are the Electronic Frontier Foundation (www.eff.org); the Electronic Privacy Information Center (www.epic.org); the Privacy Rights Clearing House (privacyrights.org); and, for information regarding anonymous mail servers, a Usenet group (alt.privacy.anonserver).

With a few common sense precautions, and the numbers of these electronic druggists in your bookmarks file, the Internet is still more fun than scary. Go ahead and binge at the World Wide Automat.

Bon appetit.

Notes

  1. "DSL" stands for Digital Subscriber Link, a high-speed Internet connection.
  2. "RA" stands for Real Audio, a standard for continuous-playing Internet audio.
  3. "AC" stands for Air Conditioning or Alternating Current, depending on which highway you are driving.
  4. The Usenet is a network of public topical discussions on the Internet. Messages posted to a Usenet newsgroup can be read by anyone whose Internet service provider ("ISP") subscribes to that group.
  5. See CyberPromotions, Inc. v. America Online, Inc., 948 F.Supp. 436 (E.D. Pa. 1996). Lawyers should note that one of the first and most infamous spamming incidents involved the law firm of Canter & Siegel, which, in April 1993, posted an advertisement for immigration services to thousands of Internet news groups without regard to their subject matter. The response of the Internet community to this flagrant breach of "Netiquette" was swift and furious. Thousands of incendiary e-mail complaints crashed the law firm’s Internet Service Provider’s mail server, causing the ISP to revoke the firm’s access rights. The response of the legal community, while slower, was more severe. In June 1997 the Supreme Court of Tennessee disbarred attorney Laurence A. Canter for a variety of offenses, including "spamming." See In re: Laurence A. Canter, No. 95-831-O-H (Tenn. Brd. of Prof. Resp., June 5, 1997).
  6. Keeping your e-mail private through encryption is a subject entirely unto itself, addressed elsewhere in this issue. See Masciocchi, "Internet E-Mail and Encryption: Privilege, Confidentiality, and Malpractice Risks," 27 The Colorado Lawyer 21 (Oct. 1998). Good encryption technology is readily available, such as Pretty Good Privacy ("PGP"), available at www.nai.com/default_pgp.asp, and CATLock, available at www.download.com, and elsewhere on the Web. The latest versions of Netscape Communicator and Internet Explorer have some encryption features already built in.

Originally published in The Colorado Bar Association Business Newsletter.

ABOUT THE AUTHOR

Charles F. Luce, Jr.

Attorney
