Fact Sheet 18:
Online Privacy:
Using the Internet Safely

Send to PrinterSend to Printer
Copyright © 1995-2016
Privacy Rights Clearinghouse
Posted July 1995
Revised January 2016


1. Online Activities and Your Privacy

2. Resources

1.  Online Activities and Your Privacy

When you are online, you provide information about yourself almost every step of the way.  Often this information is like a puzzle with pieces that need to be connected before the full picture is revealed.  Information you provide to one person or company may be combined with information you have provided to another person or company to complete the puzzle. 

Accessing The Internet

You are likely to access the Internet using one or more of these services:

  • An Internet Service Provider (ISP)
  • A Mobile (Cellular) Phone Carrier
  • A Wi-Fi Hotspot

If you use a computer to access the Internet and pay for the service yourself, you signed up with an Internet Service Provider (ISP). Your ISP provides the mechanism for connecting to the Internet.

Each computer connected to the Internet, including yours, has a unique address, known as an IP address (Internet Protocol address). It takes the form of four sets of numbers separated by dots, for example: It’s that number that actually allows you to send and receive information over the Internet. 

Depending upon your type of service, your IP address may be "dynamic", that is, one that changes periodically, or "static", one that is permanently assigned to you for as long as you maintain your service.

Your IP address by itself doesn’t provide personally identifiable information. However, because your ISP knows your IP address, it is a possible weak link when it comes to protecting your privacy.  ISPs have widely varying policies for how long they store IP addresses.  Unfortunately, many ISPs do not disclose their data retention policies.  This can make it difficult to shop for a “privacy-friendly” ISP.  

When you visit a website, the site can see your IP address. Your IP address can let a site know your geographical region. The level of accuracy depends upon how your ISP assigns IP addresses.

You can block your IP address by utilizing a service such as Tor (https://www.torproject.org/) which effectively blocks this information.  Another alternative is to use a Virtual Private Network (VPN). A VPN replaces your IP address with one from the VPN provider. A VPN subscriber can obtain an IP address from any gateway city the VPN service provides.  

If you access the Internet with a smartphone or other mobile device, you may access the internet using a data plan tied to your cellular phone service.  If you have a data plan, your service provider (such as AT&T, Sprint, Verizon, and T-Mobile) collects data about your usage. 

Browsing the Internet

As you move from site to site online, sophisticated methods can track and identify you.   Almost all browsers give you some control over how much information is revealed, kept and stored. Generally, you can change the settings to restrict cookies and enhance your privacy. Most major browsers now offer a "Private Browsing" tool to increase your privacy.  However, researchers have found that "Private Browsing" may fail to purge all traces of online  activity.  

Websites collecting personally identifiable information about California consumers’ online activities must include information in their Privacy Policy about how the website operator responds to "Do Not Track" signals and whether third parties may collect personal information when a consumer uses the site.  This is the first law in the United States to impose disclosure requirements on website operators that track consumers’ online behavior.  You can learn more about this law at http://www.bna.com/california-attorney-general-n17179890751/

Cookies. When you visit different websites, many of the sites deposit data about your visit, called "cookies," on your hard drive. Cookies are pieces of information sent by a web server to a user's browser. Cookies may include information such as login or registration identification, user preferences, online "shopping cart" information, and so on. The browser saves the information, and sends it back to the web server whenever the browser returns to the website. The web server may use the cookie to customize the display it sends to the user, or it may keep track of the different pages within the site that the user accesses.

For example, if you use the Internet to complete the registration card for a product, such as a computer or television, you generally provide your name and address, which then may be stored in a cookie.  Legitimate websites use cookies to make special offers to returning users and to track the results of their advertising. These cookies are called first-party cookies.

However, there are some cookies, called third-party cookies, that  communicate data about you to an advertising clearinghouse which in turn shares that data with other online marketers. These third-party cookies include "tracking cookies" which use your online history to deliver other ads.

Your browser and some software products enable you to detect and delete cookies, including third-party cookies. 

Disconnect is a browser extension that stops major third parties from tracking the webpages you go to.  Every time you visit a site, Disconnect automatically detects when your browser tries to make a connection to anything other than the site you are visiting.  Learn more and download Disconnect at https://disconnect.me/disconnect.

You can also opt-out of the sharing of cookie data with members of the Network Advertising Initiative by going to www.networkadvertising.org/consumer/opt_out.asp.

Flash cookies. Many websites utilize a type of cookie called a "flash cookie" (sometimes also called a "supercookie") that is more persistent than a regular cookie.  Normal procedures for erasing standard cookies, clearing history, erasing the cache, or choosing a delete private data option within the browser will not affect flash cookies.  Flash cookies thus may persist despite user efforts to delete all cookies.  They cannot be deleted by any commercially available anti-spyware or adware removal program.  However, if you use the Firefox browser, there is an add-on called "BetterPrivacy" that can assist in deleting flash cookies: https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/.

Fingerprinting.  A device fingerprint (or machine fingerprint) is a summary of the software and hardware settings collected from a computer or other device. Each device has a different clock setting, fonts, software and other characteristics that make it unique. When you go online, your device broadcasts these details, which can can be collected and pieced together to form a unique "fingerprint" for that particular device. That fingerprint can then be assigned an identifying number, and used for similar purposes as a cookie. 

Fingerprinting is rapidly replacing cookies as a means of tracking. Tracking companies are embracing fingerprinting because it is tougher to block than cookies. Cookies are subject to deletion and expiration, and are rendered useless if a user decides to switch to a new browser.  Some browsers block third-party cookies by default and certain browser add-ons enable blocking or removal of cookies.

Unlike cookies and flash cookies, fingerprints leave no evidence on a user's computer.  Therefore, it is impossible for you to know when you are being tracked by fingerprinting.

You can test your browser to see how unique it is based on the information that it will share with the sites that you visit. Panopticlick will give you a uniqueness score, letting you see how easily identifiable you might be as you surf the web. A paper reporting the statistical results of Panopticlick submissions titled How Unique Is Your Browser? explains he degree to which modern browsers are subject to "device fingerprinting" through the information that they transmit to websites upon request. 

Unfortunately, fingerprinting is generally invisible, difficult to prevent, and semi-permanent. There's no easy way to delete fingerprints that have been collected. Computer users determined to prevent fingerprinting can block JavaScript on their computer. However, some parts of a website (for example, video and interactive graphics) may not load, resulting in a blank space on the webpage.

One way to block JavaScript is to use the Firefox browser with the “add-on” program called NoScript. The combination of Firefox and NoScript can stop JavaScript on websites. 

Disabling JavaScript stops browser fingerprinting, because it prevents websites from detecting plugins and fonts, which are necessary to effectively fingerprint a device.

Using Search Engines

Search engines have the ability to track each one of your searches. They can record your IP address, the search terms you used, the time of your search, and other information.  You may also inadvertently reveal information through your search strings.  For example, you might do a search to determine if your Social Security number appears on any websites.  You might enter the search terms " Jane Doe 123-45-6789."   The Google search string might look like this: http://www.google.com/#hl=en&source=hp&q=Jane+Roe+123-45-6789&btnG=Googl... Retention of that search string would mean that your search engine has a record of your name and Social Security number.

Startpage (www.startpage.com), a search engine operated by Ixquick, based in The Netherlands, does not record users’ IP addresses at all.  The privacy policy was created partially in response to fears that if the company retained the information, it would eventually be misused. The company concluded, “If the data is not stored, users privacy can't be breached.”  Startpage will remove all identifying information from your query and submit it anonymously to Google. Startpage uses advanced encryption technology for your search queries.

DuckDuckGo (https://duckduckgo.com/) is another search engine that, according to its Privacy Policy "does not collect or share personal information".  Their full Privacy Policy is at https://duckduckgo.com/privacy.

Online Privacy Tip:  It's a good idea to avoid using the same website for both your web-based email and as your search engine.  Web email accounts will always require some type of a login, so if you use the same site as your search engine, your searches can be connected to your email account.  By using different websites for different needs -- perhaps Yahoo for your email and Google for your searches -- you can help limit the total amount of information retained by any one site.  Alternatively, log out of your email and clear your browser's cookies (see Cookies below) before going to other sites, so that your searches and browsing are not connected to your email address.  Another method for preventing a search engine from associating your searches and web browsing with your web mail account is to use a different browser for your email account than for your searches and web browsing.

Online Privacy Tip:  Avoid downloading search engine toolbars (for example, the Google toolbar or Yahoo toolbar). Toolbars may permit the collection of information about your web surfing habits.  Watch out that you do not inadvertently download a toolbar when downloading software, particularly free software.

Using e-mail

When you correspond through e-mail you are no doubt aware that you are giving information to the recipient. You might also be giving information to any number of people, including your employer, the government, your e-mail provider, and anybody that the recipient passes your message to.  An unencrypted e-mail message can potentially be seen by anyone while in transit.  If sent from an employer-owned device, it could be read by your employer.

If you use a webmail service such as Gmail or Yahoo, your e-mails could be scanned by the webmail provider, both to detect spam and to deliver advertising content. Gmail scans incoming e-mails and places relevant advertisements next to the e-mail.  Yahoo Mail says that it performs "automated content scanning and analyzing of your communications content.” If your recipient uses Gmail, Google will scan your message and provide advertisements to the recipient even if you, the sender, do not use Gmail. Microsoft's webmail service Outlook.com states that it does not use the content of customers’ emails to target advertising.

Instant messaging (IM)

IM conversations have a feel of casualness about them, which can lead some to let down their guard.  Although seemingly informal, IM conversations can be archived, stored, and recorded on your computer as easily as e-mails.

The rule that "delete does not mean delete" applies to IM conversations as well as e-mail. Virtually all IM programs have the ability to archive and the IM program may automatically turn this feature on. Archiving IM conversations simply means saving the conversation in a text file just like you would any other file, such as a Word document.  Some of these IM programs automatically save your chats unless you select otherwise.

IM has become a new target for spammers.  “Spim,” usually involves get-rich-quick scams or pornography.  Often the spimmer will include a link in the message, which could cause spyware to be installed on your computer if you click on the link.  You can reduce your exposure to spim by adjusting your IM account to only allow messages from specified people.

Behavioral marketing

Behavioral marketing or targeting refers to the practice of collecting and compiling a record of individuals' online activities, interests, preferences, and/or communications over time. Companies engaged in behavioral targeting routinely monitor individuals, the searches they make, the pages they visit, the content they view, their interactions on social networking sites, and the products and services they purchase.  Further, when consumers are using mobile devices, even their physical location may be tracked. This data may be compiled, analyzed, and combined with information from offline sources to create even more detailed profiles.

Marketers can then use this information to serve advertisements to a consumer based on his or her behavioral record. Ads may be displayed based upon an individual's web-browsing behavior, such as the pages they have visited or the searches they have made. Advertisers believe that this may help them deliver their online advertisements to the users who are most likely to be influenced by them. 

Behavioral information can be used on its own or in conjunction with other forms of targeting based on factors like geography or demographics. Marketers have developed an array of sophisticated data collection and profiling tools which monitor and analyze our online activity. 

Typically, behavioral targeting is accomplished through use of a cookie, flash cookie, device fingerprinting, or other technologies that identify a user or device. Whatever the technology used, it attempts to personalize ads based upon the user's online history and possibly other external data.

Location tracking

Any website or app can determine the approximate location of your computer or device by using one of several technologies.  If you are using a computer, your IP address can identify your approximate location.  Most IP addresses can identify you by your city or metropolitan area.  Some can identify a more specific location.

You can block your IP address by utilizing a service such as Tor (https://www.torproject.org/) which effectively blocks this information.  Another alternative is to use a Virtual Private Network (VPN). A VPN replaces your IP address with one from the VPN provider. A VPN subscriber can obtain an IP address from any gateway city the VPN service provides.

If your are using a wireless connection, Wi-Fi triangulation can determine your location by surveying nearby wireless networks.  Similarly, GPS triangulation can determine your location from a network of satellites.  GPS triangulation is more accurate than Wi-Fi triangulation.  Finally, cell phone tower identification can determine the location of a smartphone.

Your location information might be used for a useful purpose, for example, providing accurate travel directions.  However, it may also be stored and combined with other information about you and used for behavioral marketing and other purposes.

Location information can pose a significant privacy risk, particularly when it is stored or combined with other information about you.  It can reveal your whereabouts at any given time, including your presence at sensitive locations.  It can be dangerous for individuals who are stalking or domestic violence victims.

Illegal activity and scams

Criminals can capture your information online in various ways, but one distinguishing factor is that in some cases you give them the information yourself. And sometimes criminals use technology to steal your personal information without your knowledge.  It is important to recognize that theft occurs both ways. 

Increasingly these activities may lead to financial losses.  Losing money from computer crime can be especially devastating because often it is very difficult to get the money back.  Because of the remote nature of the Internet, computer crime presents at least three challenges: (1) locating the criminal, (2) finding a court having jurisdiction, and (3) collecting the money.  In fact many cyber criminals operate in other countries.  Although law enforcement is becoming increasingly aware of computer crime, you should largely rely on yourself for protection. 

Many of these scams are complicated, and criminals are always likely to come up with new tricks to stay ahead of the law.  If you are buying over the Internet or setting up online accounts, be aware that these risks are out there. 

Online auctions.  Online auction fraud takes many forms.  Some forms of fraud are difficult to avoid, while others can be avoided by taking smart precautions.  Fraud can occur when the seller doesn’t ship what was bought or the product is not as good as promised.  This type of fraud can be frustrating and hard to avoid.  Buyers should pay close attention to fraud alerts posted by the online auction companies.  If you pay with a credit card, your credit card company may be able to reimburse you for the fraud.  Never use a wire transfer to pay for something from an online auction site. 

Nigerian 419 letters. Nigerian 419 letters, also called advance-fee scams, are sent via e-mail to millions of people.  The letters typically relay a story of a foreign person who has inherited a windfall of money, but needs help in getting the money out of the country.  The sender offers the recipient a share of the money for help in transferring the money.   The assistance required is usually to front money to pay for "taxes," "attorneys costs," "bribes," or "advance fees.”  Although this scam sounds far-fetched the FBI reports that the average financial loss from these scams is $3,000.  

Malicious Links

It is very easy to get duped into clicking on a malicious link. If you click on a malicious link, you will most likely be taken to a site that tricks you into providing personal information that can then be used to steal your money, or even worse, your identity. Clicking on a dangerous link could also cause malware to automatically download onto your computer.

Malicious links may look like they were sent by someone you trust, such as:

  • A friend or someone who you know.
  • A legitimate-looking company selling a product or service.
  • A bank or other business that you have an existing account with.

Most people think that malicious links arrive by email. But, criminals are finding even sneakier ways to trick you into clicking on a dangerous link. You could receive the malicious link in an instant message, a text message, or on a social networking site like Facebook or Twitter.

Malicious links are hard to spot. They often:

  • Are ever-so-slightly misspelled versions of well-known URLs.
  • Use popular URL shortener sites to hide the real URL.
  • Use simple HTML formatting to hide the real URL. This is the most common method for emailed dangerous links. You think you’re clicking on a trustworthy link, but you are redirected to a dangerous link.

To protect yourself from malicious links, consider the following tips:

  • Do not click on a link that appears to be randomly sent by someone you know, especially if there is no explanation for why the link was sent, or if the explanation is out of character for the sender (i.e. horribly misspelled or talking about what a great deal they discovered).
  • Do not click on a link that was sent to you by a business you don’t know that is advertising a great deal. Instead, perform an online search for the business, make sure it’s legitimate, and go directly to the business’ website to find the deal yourself.
  • Do not click on a link that was sent to you by a business you have an existing account with. Either go to the business’ site yourself, or call up the business and confirm the legitimacy of the link.
  • Note that some businesses may require that you verify your email address as part of a registration process, which requires you to click on a link contained in an email. Typically, the link will be emailed to you immediately after you register online with the business. It’s a good idea to check your email right after you register with a business.

3.  Resources

Government agencies

The Federal Trade Commission (FTC) is the federal government's primary agency for online privacy oversight. Its website provides a great deal of information on public policy matters as well as consumer tips. 

The FTC’s Onguard Online Web site offers tips for avoiding Internet fraud, securing your computer and ways to protect your personal information.  

The U.S. Computer Emergency Readiness Team (U.S. CERT) offers numerous computer security resource. 

Content type: 
Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.