The old saw that just because you are paranoid doesn't mean everyone isn't out to get you has a lot of truth when it comes to corporate privacy concerns. And the trouble is, you can't just put a Romulan Cloaking Device over your users and install a single product to make your company's computers invisible or even opaque to the world at large.
Improving your company's privacy will require lots of perseverance, time and care to do it right. This isn't something just for the ultra-paranoid, but for everyone who is concerned about the information users can divulge -- even inadvertently -- when they travel around the Internet.
Another key to ensuring corporate privacy is to screen incoming e-mails to see if they contain what are called Web bugs: hidden pieces of code that can track when your users open their messages. These little critters are insidious and can really ruin your day if you aren't careful. You have probably received e-mails that contain them before, but you just haven't recognized them as such. You can find out more about Web bugs (along with software that you can download to your Windows machine to detect whether a site contains any) at Bugnosis.org.
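A sketch of the kind of check a mail screen can apply for the Web bugs described above, added here as an example and not taken from the original article or from any product it names. It flags remotely fetched images that are declared 1x1 or hidden by style; the heuristic, the name `find_web_bugs` and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)            # width/height of 0 or 1
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class _ImgCollector(HTMLParser):
    """Collects <img> tags that look like tracking beacons."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images travel inside the message, nothing is fetched
        tiny = all(TINY.match(a.get(d, "")) for d in ("width", "height"))
        hidden = bool(HIDDEN.search(a.get("style", "")))
        if tiny or hidden:
            self.findings.append({"host": url.hostname, "tiny": tiny,
                                  "hidden": hidden, "has_query": bool(url.query)})

def find_web_bugs(raw_message):
    """Return one finding per suspicious remote image in the HTML parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    collector = _ImgCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    return collector.findings

# Constructed sample message (not a real e-mail).
SAMPLE = """\
From: news@example.com
To: user@example.org
Subject: Spring offers
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello!</p>
<img src="cid:logo" width="120" height="40">
<img src="http://tracker.example.net/o.gif?id=constructed-123" width="1" height="1">
<img src="https://cdn.example.com/banner.png" width="468" height="60">
<img src="https://t.example.net/p?u=constructed" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE):
        print(finding)
```

A visible, normally sized remote image (the banner in the sample) is not flagged, even though fetching it also reveals to the server that the message was opened; blocking all remote images is the stricter policy.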
Repelling Web bugs isn't easy, and probably the best solution is to install an enterprise mail-screening tool such as MimeSweeper's MailSweeper (which can also be used to screen out pornography and viruses, but since this is about privacy we'll stick to the topic).

Desktop privacy
Now, let's move on to the desktop. Here you want to examine your Web browser configuration to ensure that your users can surf around in private and possibly recommend additional protection for them. As you may or may not know, every time a user connects to a Web site with their browser, the following information is transmitted to that Web server: the IP address of the browser, the version of the browser software, the operating system of the computer and whether or not the computer already has a cookie file that has been previously sent by the server.
Some of this information may or may not be critical to your business; that depends on how paranoid you are. If you are using non-routable IP addresses on your network, then sending the IP address of your browser (or your gateway, depending on how your network is configured) probably isn't going to reveal too much about you.
But cookies can be another matter entirely. Cookies have gotten a bad reputation over the years, even though they were invented to save time and as a convenience for Web users. The trouble with cookies comes in when a site other than the one you are visiting attaches a cookie to your machine; these are called third-party cookies. Typically, this can happen when a site includes banner ads and these ads are served up from a provider like DoubleClick Networks.
There are ways to eliminate third-party cookies. Internet Explorer Version 6 (or Windows XP) has settings to eliminate them completely, and if this is a big issue for your corporation you can upgrade everyone to this version. IE V6 also includes some additional privacy controls that are worth taking a look at.
Besides cookies, you might want to know about one of the more infamous services called Anonymizer.com. If you don't want anyone to know who you are, you surf over to this site, and then enter in the URL that you really want to go to. Anonymizer strips all identifying information from your Web browser when it connects you to a destination Web site. Some corporations block access to this site from within their networks, because they want to monitor where their employees are surfing (some people use it to go to porn sites during the work day), but since we are talking about maintaining privacy we won't get into that issue. A good and justifiable use for Anonymizer is if you want to visit your competitor's Web site and not leave tracks of who you are.
Finally, for the ultra-paranoid there are tools that can lock down individual desktops and also track exactly which applications communicate with the outside world. My favorite of the moment is Norton's Internet Security software, although there are many other tools that can accomplish the same thing. These come under the heading of personal firewalls and can block everything coming and going to your PC. Windows XP also includes its own personal firewall (enabled by default with XP Home and disabled by default with XP Professional), but its reporting features aren't as comprehensive as Norton's tool.
This was first published in February 2002