When the cookie crumbles

Supermarket shoppers sign up for membership cards that, when swiped, provide automatic savings in return for recording all the holder's purchases. Electronic sensors in commuters' cars allow them to pass through tollbooths without stopping, but they also record the date and time each specific vehicle drives past. GPS devices in cell phones help towers deliver signals, but they also let the carrier know where the subscriber is at all times.

Perhaps the best illustration of the privacy-convenience trade-off is the Web browser. By now, most Internet users are familiar with the "cookie," a digital tag that allows Web sites to remember passwords, and often a little more. Cookies can be easily deleted, and all but forgotten.

Well, yes. But what many Web users don't realize, at least consciously, is that browsers also save, or cache, previously accessed files, images and other documents to local hard drives to make the Web surfing experience as efficient as possible. The browser's "back" button tells us that some information is stored, but not how much and for how long. Web users probably hadn't given those questions much thought until desktop search engines came along.

Desktop search engines index all the content of a hard drive, including e-mails, files and Web pages visited, for near-instantaneous retrieval. And here's the kicker: Like their powerful Web counterparts, most desktop search tools cache information, so they can even find files after they have been deleted. These handy little tools provide a stark reminder that Web browsers leave a trail of crumbs indicating where their users have been and what they've been doing there.

For recreational Web users, this fact has its own set of implications. For remote workers using the Web to access sensitive corporate information, leaving such evidence behind can mean exposing intellectual property, running afoul of industry or government regulations, or worse.

Many businesses are starting to use (get ready, it's a mouthful) secure sockets layer virtual private networks, or SSL VPN for short, to create safe connections for remote workers. The great benefit of SSL VPNs is their ability to access corporate information from any location, public or private, armed with only a Web browser. When data is passing over the connection, it is encrypted in, well, SSL, and very secure. But what happens when it gets to the PC? Because people use a browser for SSL VPN, their information is cached just like any other Web site. The fact is, after e-mails, Web pages and documents pass through the VPN, they remain on the PC, easily retrievable by anyone with the time, inclination and a tool capable of searching the hard drive.

We in the security industry stay up nights worrying about stuff like this, but for the majority of Web surfers, ignorance is bliss. Still, it doesn't require a security professional's imagination to envision a hacker writing programs to scour public PCs in hotels, Internet cafes or airports for valuable information left there by unknowing remote workers or consumers. Fortunately, the security industry has fashioned a one-two punch using browser plug-ins to overcome the VPN's loose lips.

The first, a plug-in called a "cache cleaner," wipes the browser clean at the end of every session. This would seem to solve the problem, but it's not foolproof, since a browser crash or prematurely terminated session can cause a cache cleaner to malfunction. To be certain of safety, the plug-ins are starting to be used in conjunction with session encryption that encrypts every piece of data after it exits the VPN tunnel and hits the remote PC. This way, when the user walks away, the archived data is impossible to read.

These security technologies are new, so be sure to ask your IT administrator about them before you log in from the road. And please, remote workers of the world...encrypt!