Secret Surfing

How to keep prying eyes away from your Web browser, e-mail, and IM.

Nearly a decade ago, Sun Microsystems CEO Scott McNealy snapped out a warning to the worriers of the Internet Age: “You don’t have any privacy. Get over it.” McNealy’s words look more prescient every year. In 2006, AOL unwittingly divulged the personal lives of 650,000 customers by publishing their search histories as research data. Despite AOL’s attempts to anonymize the info, the New York Times quickly outed a 62-year-old lady in Georgia whose searches revealed her dog was wetting the upholstery. The Justice Department has subpoenaed Google, Yahoo!, MSN, and AOL for lists of search queries. More recently, Facebook employees were caught reading the customer logs.

With more people putting more of their personal lives online every day, there’s a huge potential market for the Web’s privacy pushers. A couple of weeks ago, search engine tried to poach customers from Google by launching a new service called AskEraser. Worried that Google keeps your search queries for ages? AskEraser allows you to force the company to delete your search history from the company’s servers. Great idea, but it’s just a start. How can you use the Web, e-mail, and IM without seeing your Internet Explorer history in the New York Times?

Web surfing. Every Web site you visit logs the unique IP address of the computer that’s requesting its pages. Want to surf anonymously? The way to fool Web servers is to use a go-between server, called a proxy, to make your requests. There are two ways to do this. The easiest is to use a proxy Web site, which serves as a wrapper around whatever pages you want to look at. The coyly named has a bunch of geeky options to block your identifying information from being passed to Web servers. Its default settings are pretty good. You will, however, immediately notice that surfing through a proxy Web site can be frustratingly slow.

There’s a faster way: Configure your browser to use a proxy HTTP server automatically, rather than wrapping your requests in another Web page. Pick a proxy from this list. If it’s slow, try another. Your safest bet is to use a proxy in another country, to prevent your local legal system from going after its records to look you up.

While you’re at it, crank up your browser’s privacy settings to the max. This will disable personalization and other features on some sites, but that’s the price you pay for privacy. The sites you visit won’t recognize you from last time. That’s important, to prevent them from building up a history of long-term use that could eventually be tied to you, like the AOL users’ searches.

If you’re still worried, you can always watch what you search for. Supposedly anonymous AOL users were identified because most people have a habit of searching for their own names, addresses, and obvious family, friend, and work terms. Imagine finding that someone using a computer at IP address had searched for “paul boutin” and “slate” almost every week for the past four years, and had also searched for “buy steroids online.” You wouldn’t need a map to figure that one out.

Instant messaging. Your IM traffic goes through servers at AOL—or whichever other service you use. The easiest fix is to encrypt your sessions, using the option built into AIM 5.0 and higher. Your words will still go through AOL, but they’ll look like gibberish to anyone who’s trying to read them. Only your chat buddy can decipher and read them at the other end, and vice versa. I suggest the free Trillian for Windows or Adium for Macs—both more user-friendly programs than AIM that also support encrypted messaging. These programs will all talk to one another. Security experts love to point out the vulnerabilities of the encryption scheme to a dedicated hacker, but your goal should be to stop AOL from passively collecting your messages, as they did their customers’ search terms.

E-mail. The trickiest of all. Any remote mail server you use—and it’s pretty much impossible not to rely on a remote server unless you’re a pro system administrator—keeps all of your mail on its disks. I used to recommend the Canadian company Hushmail, which offered an encrypted mail service so secure, the company claimed, that even Hushmail employees were unable to read your mail.

But to my shock, that’s turned out not to be true. Court documents revealed by Wired this fall showed that Hushmail turned over completely readable e-mail archives to U.S. authorities looking for illegal steroid distributors. Since then, I’ve been looking for a recommendable alternative. I haven’t found one I can solidly recommend. promises security, but most people will have trouble following the wonky tech-speak on the site.

The Hushmail case shows that privacy on the Web is never a guarantee. It used to be that there was one fail-safe to keep the Net from invading your privacy: Never log on. Now that every Joe Blow has a blog and a camera in his phone, the Net will erode your privacy even if you throw a brick through your computer. Look, here’s my wife chewing me out on the dance floor for my sloppy footwork last week. You can proxy your browser and encrypt your IM, but eventually you’ll have to leave the house. You don’t have any privacy. Get over it.