Why? It should be clear that anyone can access public data, including companies, organizations and future employees. If they find something that they do not like, you can be sure that you won’t get that job that you wanted so badly. It can also have implications on your private life, bullying in class for instance or a divorce.

Forbes is reporting today that “the Federal Trade Commission gave a stamp of approval to a background check company that screens job applicants based on their Internet photos and postings”. The company gets hired to perform background checks by crawling social media sites, networks and other public sites for user information.

But what about data that is secured by an account, like Dropbox for file hosting? Two dangers come to mind: First hacking, which has been happening a lot lately. If hackers manage to break into a site, they can do all kind of things, including accessing your information and maybe even your files.

Second bugs that lead to data being publicly accessible. The latter has actually happened yesterday. Dropbox notified their users in a blog post that an update that they applied to their service had the result that for a brief period of time (according to Dropbox, Techcrunch states four hours) account log ins without the correct password were possible. Someone else could have accessed your Dropbox account during that time, which included accessing and downloading files hosted there.

Dropbox in the meantime has emailed all users who might have been affected by this.

If you need to sync or host files online, use encryption if the files are important to you. Check out BoxCryptor, Dropbox Realtime Encryption or SecretSync, Security Layer To Protect Sensitive Files On Dropbox for software reviews that do that automatically.

Closing Words

The majority of Internet users seem to lack an understanding of privacy, considering that many post public information on social networking sites like Facebook or Twitter, without giving a thought to possible consequences. The information are there for a very long time, which means that employees might base a decision to hire or fire on something that you have posted on Twitter or Facebook several years ago.

Evercookie takes this a step further by dropping as many cookies on the user’s system as possible. In particular, the Javascript API will make use of the following storage mechanisms if supported by the web browser.

• Standard HTTP Cookies
• Local Shared Objects (Flash Cookies)
• Silverlight Isolated Storage
• Storing cookies in RGB values of auto-generated, force-cached
• PNGs using HTML5 Canvas tag to read pixels (cookies) back out
• Storing cookies in Web History
• Storing cookies in HTTP ETags
• Storing cookies in Web cache
• window.name caching
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage via SQLite

Why would someone want to drop data into that many locations? Easy: For a far superior user identification. When a site drops a cookie on the user’s system it can identify the user for as long as the cookie is active. If the user deletes the cookie it cannot identify the user anymore. It may use algorithms to calculate probabilities but it usually cannot be sure that this is indeed a user who visited the site in the past.

Evercookies introduce a whole new level of user tracking. The website will be able to track the user, and reproduce deleted cookies, if at least one cookie or data in storage locations is not deleted by the user. And we all know that many users still have not heard about Flash cookies, the second most known form of storing cookies on a user system yet. How will those users cope with the news that there are more than ten additional ways of storing data to track a user?

Samy Kamkar has put up a demonstration page where users can set evercookies manually on their system. The same page contains options to rediscover the cookies. The suggested way of using the demonstration is to set the evercookie, delete cookies in all places known to the user to finally revisit the site to see if the evercookie is still existing on the system. The first rediscover button drops all deleted cookies in their place again, the second button does not do that. It is interesting that this method is able to track a user even if the browser is switched, at least as long as the Flash cookie is not deleted.

The JavaScript source is available on the page as well as a small FAQ. So what can you do to protect your system from this new kind of user tracking? Add-ons like NoScript prevent the creation of several of the cookies, as do Flash blockers (or no Flash at all on the system). Private browsing modes are an option as well.

What would you say if someone told you that they could find out additional information about you. Your Facebook or Twitter friends, websites that you have visited in the past including financial, government or adult ones, email accounts or even what you have searched for in the past in search engines.

The What The Internet Knows About You website will display those information and more on its website to all users who are connecting to it.

The method the website uses to retrieve and display those information is not a hack or exploit as it uses build in functionality in all modern web browsers to do that. It basically makes use of the feature to display visited links in a different color than not visited links.

All that needs to be done is to display those links (hidden to the user) on the website and check their link color to find out if a user has visited them. The method checks popular links against the user’s web browsing history to see if the page has been visited.

The What The Internet Knows About You website contains general link collections, e.g. the top 5000 or top 20000 websites in the world but also specialized checks for banks, social networking sites or government websites.

The service explains in detail how the information are retrieved and what users can do to protect their privacy so that these information cannot be retrieved.

• Disabling your browser’s history
• Disabling CSS styling of visited links
• Using a special browser extension to fix the problem

If you want to find out for yourself visit the project’s website to find out what the Internet knows about you..

Each of the four main areas consumer complaints, web bugs, privacy policies and affiliate analysis is divided into key findings, recommendations and methodology. They are complemented by an introduction and an analysis of the top 50 websites on the Internet.

Some interesting findings of the Internet privacy study reveal that Google is able to track users on 92 of the 100 most visited websites on the Internet and still 88% of a total of 393,829 analyzed distinct domains. The high percentage is a combination of services owned by Google including Google Analytics, Google Adsense and DoubleClick.

Microsoft was the company on the second place with an appearance on 60% on the top 100 websites followed by Omniture and Quantcast with 57%. A similar observation was made in the Privacy Policies analysis. All sites making up the top 50 sites of the Internet collect user data and at least 46 share that data with affiliates without disclosing who those affiliates are. The majority on the other hand claims to offer no access to the data to third parties which can be confusing for the user as affiliates are usually seen as third party from the user’s point of view.

The Internet privacy study draws a grim picture of the state of today’s online privacy.

Start Panic tries to raise public awareness for Internet privacy issues on their website. They have implemented a script that will gather information about previously used websites from the user’s web browser. Two aspects make this interesting. The first is that it is a cross-browser solution. It works in all major web browsers including Microsoft Internet Explorer, Mozilla Firefox, Opera, Google Chrome and Safari. The second aspect is that it will display results even if the user clears his web browser’s history, cookies and cache regularly. The current browsing session is recorded normally in all web browsers which usually have options to automatically clear these traces on exit only.

The process is started by the user who has to press the Let’s Start button. It can take a minute or two before the results are displayed. The list should contain the list of websites that have been visited in this browsing session. It might contain more websites if the user is not deleting the history regularly.

Little is revealed about how the script does its magic but it seems to rely on JavaScript. Anyone with JavaScript disabled in the web browser does not have to fear this privacy issue.

This may however be not the only problem associated with private browsing. A recent paper by security researcher Kate McKinley confirms deficiencies in all web browsers and especially in Apple’s Safari. Not only normal cookie and data handling was tested but also plugin related handling of Flash and Google Gears data. The surprising result was that no browser passed all private browsing tests.

In fact, all of the existing private browsing modes have some form of data which is not cleared when users enter or leave private browsing modes. Although Chrome cleared the only tested type of data it stored, it was surprising to find that Gears data was not cleared, since Gears is included in the browser. However, this behavior is consistent across all browsers tested, as we will see later.

Firefox 3.1 Beta 2 clears cookies and session storage properly, but the persistent storage (window.globalStorage) is preserved between a normal and private browsing session.With IE 8 (Beta 2), both cookies and session storage were cleared properly, however the IE user Data stores were not cleared between the normal and private browsing sessions.

Safari on Windows fared the worst of all in these tests with respect to private browsing, and did not clear any data at all, either before entering or after exiting the private mode. On OSX, Safari’s behavior was quirky; in no case was the HTML 5 database storage cleared before or after private browsing. Previously set cookies seem to continue to be available if the user entered a private browsing session, but if the user started the browser and went directly into private browsing, it seemed to behave as expected.

All browsers have troubles with Flash Cookies and their private browsing modes. This is largely due to the way Flash Cookies are created and stored (without user interaction and means to display warnings). So what’s the conclusion in this matter? Users who like to use the private browsing mode should not use Apple’s Safari in its current stage. They should also make sure to either disable Flash and other third party plugins or use settings that prevent them from acting automatically (for example by using NoScript in Firefox).

Check out the Flash Cookies Explained article if you want to read up on Flash Cookies and find out where they are stored and how they can be deleted from a computer system.

With recent announcements that want to force the search engines to reveal what is searched by whom this article should be a must read.