What Type of Data Do Websites Collect About You?
When the web first became mainstream in the mid 90s or so, one of its key
characteristics was anonymity. No one used their real names and you could live
a second life online, at a blazing 33 kbps.
The web of today is very different. Not only is there a strong push to
deanonymize people, the websites you visit on a daily basis can record and
capture all sorts of information about you. What kinds of information? Read on
to find out.
Your IP Address
This is the most common type of information that a website will log. Your IP or Internet Protocol address is a number that denotes where on the internet you are located.
It’s basically the same thing as a real-world address. If someone wants to send you a letter, they’ll write your address on it. When you receive it, their return address will be on the back. So you know where it came from.
If you replace “letter” with “internet packet” you basically know how an IP address works. The problem is that a website can actually figure out quite a lot of private information about you from just your IP address.
They’ll know more or less where you are browsing from and which ISP you’re using. With a little more detective work (and perhaps a legal warrant) an IP address can lead someone directly to your door.
This is why so many people are using VPNs (virtual private networks)
these days. The VPN acts as a middleman, so only the VPN's IP address is visible to
the site you are visiting.
Hardware & Software Details
Web browsers report all sorts of information to a website that asks for
it. This includes a wealth of information about the computer you are using.
The site will know your operating system, processor, GPU and more. This
may seem innocent, but could be used to track or ID a specific machine.
One way to get around this is to browse from within a virtual machine,
which will provide generic system information to the website.
1st & 3rd Party Cookies
A cookie is a small file that a site leaves on your computer to keep a
record of things such as your site preferences. So the next time you visit, it
will already know things about you.
Cookie technology is not a bad thing in itself. Session cookies, for
example, delete themselves when you close the browser. You also get first-party
persistent cookies, which are the ones saved to your device by the site for its
own use.
A tracking cookie is a persistent, third-party cookie which is read by
sites other than the ones which created them. That cookie accumulates information
about your web activities and that information can then go back to the cookie’s
creator.
Legislation about how and when cookies can be used has been tightening in
recent years, which is why almost every site has its cookie policy pop up the
minute you visit it for the first time. If you disagree with that policy then
no cookies will be stored on your machine.
However, there is nothing stopping a rogue site from peppering your
machine with tracking cookies without your knowledge. Luckily you can use your
browser’s privacy settings to block and delete cookies as desired.
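The distinctions above (session vs. persistent, first-party vs. third-party) can be read straight off the Set-Cookie headers a page load produces. The following is an added example, not code from the original article; the hosts, cookie values and function names are constructed, and the "last two labels" rule for deciding what counts as the same site is a simplifying assumption.

```javascript
// Constructed sample: Set-Cookie headers seen while loading one page on
// news.example, each paired with the host whose response carried it.
const PAGE_HOST = "news.example";
const observed = [
  { from: "news.example", header: "sid=abc123; Path=/; HttpOnly" },
  { from: "news.example", header: "prefs=dark; Max-Age=31536000; Path=/" },
  { from: "cdn.news.example", header: "lb=2; Path=/" },
  { from: "ads.tracker.example",
    header: "uid=9f8e7d; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure" },
];

// Assumption: the "site" is the last two host labels. Browsers use the
// Public Suffix List instead, which also handles suffixes such as co.uk.
function site(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

// Split a Set-Cookie value into its name and a map of lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const attrs = {};
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf("=");
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.split("=")[0], attrs };
}

function classify(pageHost, { from, header }, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  const host = typeof attrs.domain === "string" ? attrs.domain : from;
  const party = site(host) === site(pageHost) ? "first" : "third";
  // Max-Age wins over Expires; with neither, the cookie ends with the session.
  const persistent = "max-age" in attrs
    ? Number(attrs["max-age"]) > 0
    : "expires" in attrs && Date.parse(attrs.expires) > now;
  return { name, party, lifetime: persistent ? "persistent" : "session",
           trackingCandidate: party === "third" && persistent };
}

function auditCookies(pageHost, cookies, now = Date.now()) {
  return cookies.map((c) => classify(pageHost, c, now));
}

console.table(auditCookies(PAGE_HOST, observed));
```

Only the persistent third-party cookie is flagged; those are the ones worth blocking or deleting first in the browser's privacy settings.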
Invisible Trackers
Cookies are perhaps one example of an invisible tracker, but as a larger
category, invisible trackers also include web apps and external sites embedded
in a legitimate site.
Major news sites and other popular web pages often have advertising
content embedded at the bottom of an article which includes some form of
tracking. Google does this as well. This is why when you search for a specific
product in Google you’ll see ads for it pop up on every other site that
features Google Adsense.
Luckily there are privacy-focused search engines such as DuckDuckGo which explicitly don’t track you.
Modern browsers now also support a feature known as “do not track”, which
tells a site that it should turn off its tracking technology when you visit.
However, this is a voluntary agreement so the site can ignore it if it wants
to.
The most effective tool in the fight against invisible trackers is the EFF’s Privacy Badger.
Autofill Data
You’ve probably noticed that when you have to fill in shipping details on
a new site you’ve never visited before, your browser automatically fills in
details like your name and address. It’s a convenient feature, but it is also a
privacy nightmare.
Unscrupulous sites can be coded to capture that information the second
it’s autofilled. This means that site has now captured your full details
without your knowledge. As you can imagine, information such as an
address, full name or social security number can wreak havoc in the
wrong hands.
It’s best to just disable autofill in your browser settings.
Other Accounts You’re Logged In To
When you visit a site, it can detect what other accounts you are
currently logged into by the traces they leave on your machine. This is
actually very valuable information, because combined with a known email address
it tells hackers which other accounts you have.
So if one of those accounts has been part of a data breach and your
password is uncovered, you may be in trouble. Many people use the same or
similar passwords across accounts so this makes it much easier for hackers to
breach your security.
The best thing to do here is use strong, unique passwords for every
account. A good password manager that generates those random passwords is
highly recommended.
Detailed Input Logs
It’s possible for websites to be coded in such a way that every keystroke
and every mouse movement you make are recorded in detail. The tracking
abilities of websites in this regard are pretty extensive.
A research paper detailing “session replay scripts” demonstrated that most major websites make complete recordings of your keystrokes and mouse movement while you are visiting and then use this for further analysis. You can probably imagine the sorts of privacy issues this could cause.
Browser Fingerprints
A browser “fingerprint” is simply the unique combination of browser data,
such as which cookies are on your system and what plugins are installed. The
longer a browser is used and the more it is customized the easier it is to link
to a specific user.
For example, even if you use a VPN to access a site, the site knows your
fingerprint. So if you visit another site using that same browser without the
protection of anonymity, a clear link between those activities can be made.
Using a privacy-oriented browser such as the Tor Browser is a good way to
prevent this sort of de-anonymization.
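Why a VPN alone does not break the link, and why a browser whose profile many people share does, shown as an added example that is not part of the original article. All visit records, attribute names (including the time zone field) and function names are constructed for illustration.

```javascript
// Constructed sample data. "custom" is a heavily customized browser,
// "uniform" a profile that many privacy-browser users share.
const custom = { os: "Windows 10", gpu: "GTX 1060", plugins: ["pdf", "adblock", "grammar"], tz: "UTC+2" };
const uniform = { os: "Windows 10", gpu: "generic", plugins: [], tz: "UTC" };

// Site A was visited through a VPN, so it only saw the VPN's exit address.
const siteA = [
  { ip: "198.51.100.9", ...custom },
  { ip: "198.51.100.9", ...uniform },
];
// Site B was visited directly, so it saw real addresses.
const siteB = [
  { ip: "203.0.113.7", ...custom },
  { ip: "203.0.113.20", ...uniform },
  { ip: "203.0.113.21", ...uniform },
  { ip: "203.0.113.22", ...uniform },
  { ip: "203.0.113.30", ...custom, gpu: "RX 580", plugins: ["pdf"] },
];

// The fingerprint is built from browser data only; the IP plays no part.
function fingerprint(v) {
  return [v.os, v.gpu, [...v.plugins].sort().join(","), v.tz].join("|");
}

// Addresses in another site's log whose browser looks identical to this visit.
function candidates(visit, otherLog) {
  const fp = fingerprint(visit);
  return otherLog.filter((v) => fingerprint(v) === fp).map((v) => v.ip);
}

// Identifying information in bits: log2(log size / browsers sharing the print).
// Infinity means nothing in the log matches, so no link can be made.
function identifyingBits(visit, log) {
  return Math.log2(log.length / candidates(visit, log).length);
}

for (const visit of siteA) {
  const ips = candidates(visit, siteB);
  console.log(fingerprint(visit), "->", ips.length, "candidate(s):", ips.join(", "),
    "| bits:", identifyingBits(visit, siteB).toFixed(2));
}
```

The customized browser matches exactly one address in the second log, while the uniform profile matches three, so the VPN visit cannot be pinned to a single one of them.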
How To Check What You Are Leaking
Several websites exist that will help you figure out where and how you are leaking information. Panopticlick is a great tool by the Electronic Frontier Foundation which does just that.
Just click the big “test me” button and all your paranoid fears may be
confirmed. Luckily there’s never a bad time to sharpen up your privacy
practices.