Learning to live with the Web's insecurities
Many home PC users find the most effective approach to Web security is simply combining always-on malware protection and software updates with an always-cautious mindset.
There is no such thing as a totally safe Web service. But that doesn't mean you have to go to extremes to use Web services safely. The rules are different for businesses and families with children, who need the extra protection offered by such tools as encryption software, keystroke scramblers, and proxy services (I described the service in a post from May 2010).
The two pillars of PC security for every user are anti-malware software and automatic software updates. Microsoft's free Security Essentials provides real-time protection from viruses, spyware, and other unwanted software. The company's Windows Help site explains how to turn on automatic Windows updates.
Even if you use the latest browser versions at their default security settings, you're sharing quite a bit of personal information as you surf from site to site--and even more when you sign into a social network or Webmail service. (You may stay signed in for longer than you think, so don't forget to sign out when you're no longer using it.)
Who's really watching you on the Web?
As you walk the streets of nearly every city and frequent public establishments, you're captured by hidden video cameras. Few people other than criminals are concerned about having their activities monitored in public places, because they're just another face in the crowd. The key is that you know you could be on candid camera at almost any time.
But imagine if the person monitoring you on video also knew where you had been, what you did there, and where you lived. That's the kind of information available to the bots that track us when we browse.
The difference is that Web spies are rarely if ever human--they're just routines that serve up ads targeted to our interests based on what they know about us, primarily our location and recent activities. We may not be anonymous, but our traces are hidden in the white noise of hundreds of millions of other Web users.
There's no room full of employees at Google or Facebook carefully constructing dossiers of our Web habits to be used against us, nor are online ad networks interested in anything beyond getting us to click the links they serve up by the billions.
How effective are Web security precautions?
So much of the conventional wisdom about privacy protection is questionable. Many so-called security experts warn us not to click links in e-mails unless we know the sender, but phishing attacks often propagate by raiding victims' e-mail contacts and sending copies from an address the recipient trusts. It's safest to avoid clicking any links in messages, although this is advice that few people are likely to take (including me).
We're told to disable third-party cookies to prevent online ad networks from tracking our browsing habits, but now we find out that the first-party cookies nearly every other major Web service relies on often leak personal information such as e-mail addresses to third parties.
Researchers Balachander Krishnamurthy, Konstantin Naryshkin, and Craig E. Wills presented a paper (pdf) at the recent Web 2.0 Security and Privacy conference describing how e-mail addresses and other private information are leaked to third parties via Referer headers. The report's authors recommend that first-party sites (such as Facebook, Twitter, and Google) take more responsibility for safeguarding their customers' personal information.
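To make the Referer leak concrete, here is an added example (not code from the article or from the Krishnamurthy/Naryshkin/Wills paper) that models what a browser would send in the Referer header when a page whose URL contains an e-mail address loads a resource from a third-party host. The function names `referrerFor`, `referrerLeaksEmail` and `scrubPiiFromUrl`, the sample URLs, and the e-mail address are all constructed for the example; the policy names follow the Referrer-Policy mechanism browsers later adopted, which the 2011 paper predates. It shows both sides of the fix the authors call for: a first-party site can keep personal data out of its URLs (`scrubPiiFromUrl`) and can tell browsers to send only its origin to other sites (`strict-origin-when-cross-origin`).

```javascript
// Added example: simulate the Referer a browser sends to a third party
// under several referrer policies, and flag e-mail addresses that would leak.
// Uses only the WHATWG URL API available in Node.js and browsers.

// Loose e-mail pattern, good enough to spot an address in a URL.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Returns the Referer value (or null for "none") that a page at pageUrl
// would send with a request to requestUrl under the named policy.
// Behaviour is modelled on the Referrer-Policy spec's named policies (assumed here).
function referrerFor(pageUrl, requestUrl, policy = "unsafe-url") {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const sameOrigin = page.origin === req.origin;
  // Browsers never send the fragment, but "unsafe-url" sends everything else.
  const fullMinusFragment = page.origin + page.pathname + page.search;

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return fullMinusFragment;
    case "origin":
      return page.origin + "/";
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return fullMinusFragment;
      // Never leak anything from HTTPS to a plain-HTTP third party.
      if (page.protocol === "https:" && req.protocol === "http:") return null;
      return page.origin + "/";
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Reports whether the Referer sent for this request would carry an e-mail address.
function referrerLeaksEmail(pageUrl, requestUrl, policy) {
  const referrer = referrerFor(pageUrl, requestUrl, policy);
  if (referrer === null) return { referrer: null, leaks: false, email: null };
  const match = decodeURIComponent(referrer).match(EMAIL_RE);
  return { referrer, leaks: match !== null, email: match ? match[0] : null };
}

// First-party-side mitigation: drop any query parameter whose value looks like
// an e-mail address, so the URL itself no longer carries PII into Referer headers.
function scrubPiiFromUrl(pageUrl) {
  const u = new URL(pageUrl);
  for (const [key, value] of [...u.searchParams]) {
    if (EMAIL_RE.test(value)) u.searchParams.delete(key);
  }
  return u.toString();
}

// Constructed sample: a social-network page that puts the user's e-mail in the
// URL, embedding a tracking pixel served from an ad network's host.
const PAGE = "https://social.example/profile?user=alice@example.com&tab=photos";
const PIXEL = "https://ads.example/pixel.gif";

for (const policy of ["unsafe-url", "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(policy, "->", referrerLeaksEmail(PAGE, PIXEL, policy));
}
console.log("scrubbed page URL:", scrubPiiFromUrl(PAGE));
```

The first run shows the address leaving the site verbatim in the Referer; the second shows that a cross-origin policy reduces the header to the bare origin while same-origin requests still get the full path, so the site's own analytics keep working. Scrubbing the URL is the more robust fix, because it also protects users on browsers or proxies that ignore the policy header.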
Recent proposals by legislators to mandate such precautions have not met with much success, and the situation isn't expected to change soon. When it comes to security, PC users have only themselves to rely on. Hackers will continue to target the personal information, credit-card numbers, and bank accounts stored on the Web servers of the companies we do business with, and those companies will continue to write off their data breaches as just another cost of doing business.
If we decide the benefits don't warrant the risks, we'll stop using the services. The key is being able to assess the risks accurately. Once you acknowledge that the Web is insecure by nature and that even the security experts can be wrong, you'll likely be more cautious about the personal information you share, the "free" services you sign up for, and the links you click--in e-mail and elsewhere.