Enterprise privacy issues

David Strom helps you sort through a myriad of privacy issues.



The old saw that just because you are paranoid doesn't mean everyone isn't out to get you has a lot of truth when it comes to corporate privacy concerns. And the trouble is, you can't just put a Romulan Cloaking Device over your users and install a single product to make your company's computers invisible, or even opaque, to the world at large.

Improving your company's privacy will require lots of perseverance, time and care to do it right. This isn't something just for the ultra-paranoid, but for everyone who is concerned about the information users can divulge -- even inadvertently -- when they travel around the Internet.

There are several things to handle at the corporate level, and then we'll talk about what you need to do on individuals' desktops.

Create a corporate privacy policy

First, let's make sure that you establish a privacy policy for your corporate Web site. Here is a very simple exercise: write down what information you think you collect from your visitors, and then compare it with what your database administrators and site operators actually know about them. Chances are you are setting third-party cookies through banner advertisements, or doing something else that you shouldn't. Do you require visitors to register before they can download something from your site or post a comment? Where do those registrations end up in your corporate empire, and who has access to them? What if the credit card numbers happen to be in a Word file that also sits in the most public directory of your general file server? Many companies have made this mistake.

Your site should also include an explicit link to a privacy policy statement somewhere on the home page, and to help you formulate such a policy there are several tools, including PrivacyBot.com. For $100, they will help you assemble a policy that you can post to your site. You can get an idea of the kinds of issues that you will have to deal with, such as exactly what information your site collects, and what you do with this once you collect it. To give you an example, you can review the output generated for my site here. However, since I don't collect anything of value on my site, it doesn't really say anything much.

Sweep for Web bugs

Another key to ensuring corporate privacy is to screen incoming e-mails to see if they contain what are called Web bugs: tiny, usually invisible images (or other remote references) that a mail client fetches from a tracking server when the message is rendered, so the sender learns when, and from which IP address, each recipient opened it. These little critters are insidious and can really ruin your day if you aren't careful. You probably have received e-mails that contain them before, but you just haven't recognized them as such. You can find out more about Web bugs (along with software that you download to your Windows machine that will detect whether a site contains any) at Bugnosis.org.

Repelling Web bugs isn't easy, and probably the best solution is to install an enterprise mail-screening tool such as MimeSweeper's MailSweeper (which can also be used to screen out pornography and viruses, but since this is about privacy we'll stick to the topic).
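To make the screening concrete, here is an added example (my own illustration, not part of the original article and not Bugnosis or MailSweeper code) that scans the HTML body of a message for the tell-tale signs of a tracking pixel: a remotely loaded image that is 1x1 or zero-sized, hidden by CSS, served from a host outside the sender's domain, or carrying a long opaque token that is almost certainly a per-recipient identifier. The sample message, the sender domain `example.com` and the tracker host `track.adnet-example.net` are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class WebBugScanner(HTMLParser):
    """Flags <img> tags in an HTML message that look like tracking pixels."""

    def __init__(self, sender_domain):
        super().__init__()
        self.sender_domain = sender_domain.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        url = urlsplit(src)
        # Inline (cid:) or data: images cannot phone home, so skip them.
        if url.scheme not in ("http", "https") or not url.hostname:
            return
        reasons = []
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("1x1 or zero-size image")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        host = url.hostname.lower()
        if host != self.sender_domain and not host.endswith("." + self.sender_domain):
            reasons.append("loaded from a host outside the sender's domain")
        # Long opaque query values are typically per-recipient identifiers.
        if any(len(v) >= 16 for vals in parse_qs(url.query).values() for v in vals):
            reasons.append("long opaque token in the URL")
        if reasons:
            self.findings.append((src, reasons))


def scan_email_html(html, sender_domain):
    """Return [(img src, [reasons])] for every suspicious remote image."""
    scanner = WebBugScanner(sender_domain)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample message (not a real e-mail): a legitimate logo,
# an inline attachment, and a tracking pixel from an ad network.
SAMPLE_HTML = """
<html><body>
<img src="https://www.example.com/logo.png" width="200" height="60" alt="Example Inc.">
<p>Hello, please find the quarterly newsletter attached.</p>
<img src="cid:part1.attachment@example.com" width="400" height="300">
<img src="https://track.adnet-example.net/open?rcpt=f3a9c2e1b7d04c5a88e1&c=nl42"
     width="1" height="1" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in scan_email_html(SAMPLE_HTML, "example.com"):
        print(src, "->", "; ".join(reasons))
```

Note that the "outside the sender's domain" rule alone is enough to catch a tracker regardless of its size, because any remote image fetch reports the open; the size and token rules mainly help you tell a deliberate beacon from an ordinary hosted picture. A gateway that acts on these findings should strip or rewrite the offending references rather than merely log them.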

Desktop privacy

Now, let's move on to the desktop. Here you want to examine your Web browser configuration to ensure that your users can surf around in private, and possibly recommend additional protection for them. As you may or may not know, every time a user connects to a Web site with their browser, the following information is transmitted to that Web server: the IP address the request comes from, the version of the browser software, the operating system of the computer, usually the address of the page the user came from (the Referer header), and any cookies that the server has previously set in that browser.

Some of this information may or may not be critical to your business; that depends on how paranoid you are. If you are using non-routable (private) IP addresses on your internal network, the address a Web server sees is that of your Internet gateway rather than of the individual desktop, so it probably isn't going to reveal too much about you beyond which organization the request came from.

But cookies can be another matter entirely. Cookies have gotten a bad reputation over the years, even though they were invented to save time and as a convenience for Web users. The trouble with cookies comes in when a site other than the one you are visiting sets a cookie on your machine; these are called third-party cookies. Typically, this happens when a site includes banner ads and those ads are served up from a provider like DoubleClick Networks, which can then recognize the same browser on every site that carries its ads.

There are ways to eliminate third-party cookies. Internet Explorer Version 6 (which ships with Windows XP) has settings to eliminate them completely, and if this is a big issue for your corporation you can upgrade everyone to this version. Note that IE6's default "Medium" privacy setting only blocks third-party cookies that lack an acceptable P3P compact policy; to refuse them unconditionally you need the Advanced settings dialog and override automatic cookie handling. IE V6 also includes some additional privacy controls that are worth taking a look at.
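The distinction a "block third-party cookies" setting draws is whether the cookie's domain belongs to the site the user actually navigated to or to some other site whose content was embedded in the page. The following is an added example (my own, not code from the original article or from any browser) that labels the cookies set during a constructed page load as first- or third-party. The page URL, the response list and the ad host `ads.adnet-example.net` are made up for the illustration, and the "registrable domain" helper is a deliberate simplification (last two DNS labels) of what a browser does with the Public Suffix List.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def registrable_domain(host):
    """Rough 'site' of a host: its last two DNS labels.

    Simplification for the example: a real implementation should consult
    the Public Suffix List, because hosts under suffixes such as co.uk
    need three labels to identify the site.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_cookies(page_url, responses):
    """Label each cookie set while loading page_url as first- or third-party.

    responses: list of (resource_url, set_cookie_header) pairs, one per
    HTTP response received while rendering the page.
    Returns [(cookie name, cookie domain, "first" | "third")].
    """
    page_site = registrable_domain(urlsplit(page_url).hostname)
    labelled = []
    for resource_url, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # A cookie with an explicit Domain attribute is scoped to that
            # domain; otherwise it belongs to the host that sent it.
            domain = morsel["domain"].lstrip(".") or urlsplit(resource_url).hostname
            party = "first" if registrable_domain(domain) == page_site else "third"
            labelled.append((name, domain, party))
    return labelled


def third_party_cookies(page_url, responses):
    """Names of the cookies a 'block third-party cookies' setting would refuse."""
    return [name for name, _, party in classify_cookies(page_url, responses)
            if party == "third"]


# Constructed page load (not captured traffic): the page itself, an image
# from a subdomain of the same site, and a banner ad from an ad network.
PAGE_URL = "https://www.example.com/news/"
RESPONSES = [
    ("https://www.example.com/news/",
     "session=a1b2c3; Path=/; HttpOnly"),
    ("https://static.example.com/hero.jpg",
     "prefs=dark; Domain=.example.com; Path=/"),
    ("https://ads.adnet-example.net/banner.gif",
     "id=7f3e9c0b1a2d; Domain=.adnet-example.net; Path=/; Max-Age=31536000"),
]

if __name__ == "__main__":
    for name, domain, party in classify_cookies(PAGE_URL, RESPONSES):
        print(f"{party}-party cookie {name!r} scoped to {domain}")
```

The ad network's cookie is the one to refuse: it is scoped to a domain that appears on every site carrying the network's banners, which is exactly what lets the network correlate a browser's visits across those sites. The cookie from `static.example.com` stays first-party because its domain resolves to the same site the user chose to visit.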

Besides cookies, you might want to know about one of the more infamous services called Anonymizer.com. If you don't want anyone to know who you are, you surf over to this site and then enter the URL that you really want to go to. Anonymizer fetches the destination page on your behalf, so the destination site sees the proxy's address and browser details rather than yours. Bear in mind the trade-off: the proxy operator sees every request and response you send through it, so you are shifting trust rather than eliminating it. Some corporations block access to this site from within their networks, because they want to monitor where their employees are surfing (some people use it to go to porn sites during the work day), but since we are talking about maintaining privacy we won't get into that issue. A good and justifiable use for Anonymizer is if you want to visit your competitor's Web site and not leave tracks of who you are.

Finally, for the ultra-paranoid there are tools that can lock down individual desktops and also track exactly which applications communicate with the outside world. My favorite of the moment is Norton's Internet Security software, although there are many other tools that can accomplish the same thing. These come under the heading of personal firewalls and can block everything coming to and going from your PC. Windows XP also includes its own personal firewall (enabled by default with XP Home and disabled by default with XP Professional), but its reporting features aren't as comprehensive as Norton's tool.

As you can see, dealing with your privacy can be difficult and time-consuming, and involve moving forward on several different fronts. There are plenty of additional technologies available to deal with privacy concerns and there are numerous other products that can lock down individual desktops even further than I have discussed here. I hope to at least have given you a few ideas of what you need to do to begin to understand the numerous issues and also some ways you can improve your own corporation's privacy policy.


This was first published in February 2002