
Privacy Policy
This is the Internet.
You should expect no privacy.
That's about as simple as I can make it.
All unencrypted communication by Internet, telephone, and fax is subject to interception and archiving. Belief otherwise is folly. Belief that this is somehow changed by stern corporate announcements of wishes for deletion of misdirected e-mail messages by unintended recipients is arrogant folly. Judging by the silly disclaimers that so many corporations require at the ends of outgoing messages, arrogant folly is awfully common.
It is easy for governments to intercept traffic because Internet and telephone traffic must pass through a limited number of backbone interconnection points. The governments simply obligate the telecommunications companies to provide access, or even to do the data collection on behalf of the government. Yes, this process was greatly expanded in the U.S. during the Cheney/Bush administration, but it had already been underway for many years. See, for example:
- The Puzzle Palace, James Bamford, 1982, a detailed and early description of the NSA.
- Body of Secrets, James Bamford, 2001, an update to The Puzzle Palace.
- The Shadow Factory: The NSA from 9/11 to the Eavesdropping on America, also by James Bamford.
- A February 16, 2007 report on PBS.
- An article in Wired magazine.
- An article at cryptome.org.
- Chatter, Patrick Radden Keefe, 2006, more general in scope than Bamford's books.
See my information security pages and especially my Just Enough Crypto page for details on cryptographic protection of Internet traffic.
See my page on government surveillance of Internet traffic and other communications for details on government violation of your privacy.
For anonymous browsing, you could try using an anonymizer web proxy, although that only obscures the server's view of things. Your ISP still sees exactly what you're doing unless the anonymizer also uses SSL/TLS.
TOR (The Onion Router) can provide much better protection if used very carefully.
What this server logs, and how to accomplish this with Apache
My Apache configuration file /var/www/conf/httpd.conf contains the following lines.
Define some aliases for useful formats:
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h -- %{Referer}i -> %U" referer
Log errors, such as requests for pages that don't exist (some page, possibly one of mine, has a broken link) and silly requests from lazy and cheap bloggers to make my server do the heavy work of filling their pages with my images:
ErrorLog logs/error_log
LogLevel warn
Just log requests for pages, do not log the many requests for the images populating those pages. Notice that the common format specification captures your IP address, timestamp, and the page your browser requested:
SetEnvIf Request_URI \.gif is-image
SetEnvIf Request_URI \.png is-image
SetEnvIf Request_URI \.jpg is-image
SetEnvIf Request_URI \.jpeg is-image
SetEnvIf Request_URI \.ico is-image
SetEnvIf Request_URI style\.css is-image
CustomLog /dev/null common env=is-image
CustomLog logs/access_log common env=!is-image
Log information about referers, including your IP address, the link you clicked on to get here, and the page here that you viewed. Notice that if you come from a search engine results page, the URL of that referring page will show the search you made to find my page:
CustomLog logs/referer_log referer env=!is-image
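An added example, not part of the original page or its server configuration: the SetEnvIf patterns above are unanchored and case-sensitive, so this Python sketch replays them over constructed request paths to show which requests reach access_log and referer_log and which are discarded. The anchored pattern set and the sample paths are assumptions made for the comparison.

```python
import re

# Patterns copied from the SetEnvIf lines above. mod_setenvif does an
# unanchored, case-sensitive regex search on the request path.
PAGE_PATTERNS = [r"\.gif", r"\.png", r"\.jpg", r"\.jpeg", r"\.ico", r"style\.css"]

# Assumed tighter alternative (not from the page): match only a trailing
# extension or the exact stylesheet file name.
ANCHORED_PATTERNS = [r"\.(gif|png|jpe?g|ico)$", r"/style\.css$"]


def is_image(uri, patterns):
    """True if any pattern would set the is-image variable for this path."""
    return any(re.search(p, uri) for p in patterns)


def destination(uri, patterns):
    """Where the pair of 'CustomLog ... env=' lines sends the request."""
    return "/dev/null" if is_image(uri, patterns) else "logs/access_log"


def audit(uris):
    """Return paths whose destination differs between the two pattern sets."""
    return [u for u in uris
            if destination(u, PAGE_PATTERNS) != destination(u, ANCHORED_PATTERNS)]


# Constructed sample request paths, not taken from any real log.
SAMPLE_URIS = [
    "/security/privacy-policy.html",
    "/pictures/antenna.jpg",
    "/pictures/ANTENNA.JPG",      # upper case: neither set matches, so logged
    "/radio/notes.png.html",      # a page whose name merely contains ".png"
    "/favicon.ico",
    "/css/style.css",
    "/icons.icon-index.html",     # ".ico" appears in the middle of the path
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:32} page={destination(uri, PAGE_PATTERNS):16} "
              f"anchored={destination(uri, ANCHORED_PATTERNS)}")
    print("differs:", audit(SAMPLE_URIS))
```

The same is-image variable gates referer_log, so any path the patterns catch by accident is missing from both logs.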
Through the magic of PHP embedded within this page and executing on the server before serving up this page, it sees that your IP address is 54.81.166.196 and local time at the server is 01:49:56 on 21 Apr 18 and so a line like the following just got added to /var/www/logs/access_log because of your request:
54.81.166.196 - - [21/Apr/18:01:49:56] "GET /security/privacy-policy.html HTTP/1.1" 200 15792
If you arrived at this page by clicking on the "privacy policy here" link at the bottom of the main page, then the following would have just been added to /var/www/logs/referer_log because of your request:
http://cromwell-intl.com/ -> /security/privacy-policy.html
If, however, you somehow reached this page by asking a search engine to find it, the referer string is more complicated but still readable. Here's a real example of someone at IP address 122.57.185.236, which resolves to 122-57-185-236.jetstream.xtra.co.nz (this looks like a customer of a New Zealand ISP) loading an Internet radio page of mine through a search for: vladivostok radio at Google's New Zealand search interface:
122.57.185.236 -- http://www.google.co.nz/search?q=vladivostok+radio&hl=en&start=100&sa=N -> /radio/internet-radio.html
Here, someone at IP address 89.132.217.153, which resolves to catv-89-132-217-153.catv.broadband.hu (so they're a customer of UPC Magyarország Kft., a Budapest-based provider of cable television and broadband Internet connectivity) loaded a GSM telephone construction page of mine through a search for: telephone interface to gsm at Google's Hungarian search interface:
89.132.217.153 -- http://www.google.hu/search?hl=hu&q=telephone+interface+to+gsm&btnG=Keres%C3%A9s&meta= -> /steampunk/gsm-soviet-telephone.html
Some of the referrer entries are empty. In that case, the client was behind a corporate firewall that functions as an invisible web proxy. To the client, it appears that the connection is made directly to my server. Really, the corporate firewall intercepts the connection attempt, decides whether it is allowed or not, and if so, makes the connection on behalf of the client but with the referrer information stripped out.
In that case, I don't get to see what page referred you to mine. However, your corporation has logged everything about your Internet activity.
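An added example, not code from the original page: a Python parser for the referer format defined above, showing how much a referer_log entry reveals (the visitor's search phrase) and what a reduced record could keep instead. The /24 truncation, the hostname-only referer and the third sample line are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# The page's format: LogFormat "%h -- %{Referer}i -> %U" referer
LINE_RE = re.compile(r"^(?P<client>\S+) -- (?P<referer>.*) -> (?P<path>\S+)$")

SAMPLE_LINES = [
    # The two entries quoted on the page, each joined onto one line.
    "122.57.185.236 -- http://www.google.co.nz/search?q=vladivostok+radio"
    "&hl=en&start=100&sa=N -> /radio/internet-radio.html",
    "89.132.217.153 -- http://www.google.hu/search?hl=hu&q=telephone+interface"
    "+to+gsm&btnG=Keres%C3%A9s&meta= -> /steampunk/gsm-soviet-telephone.html",
    # Constructed entry: Apache writes "-" when no Referer header was sent.
    "192.0.2.10 -- - -> /security/privacy-policy.html",
]


def parse_line(line):
    """Split one referer_log line into client, referer and requested path."""
    match = LINE_RE.match(line.strip())
    if match is None:
        raise ValueError(f"not a referer_log line: {line!r}")
    return match.groupdict()


def search_terms(referer):
    """Return the phrase in the referer's q= parameter, or None if absent."""
    values = parse_qs(urlsplit(referer).query).get("q")
    return values[0] if values else None


def minimize(entry):
    """Reduced copy: IPv4 client cut to its /24, referer cut to its hostname."""
    try:
        addr = ipaddress.ip_address(entry["client"])
    except ValueError:                      # %h may be a resolved hostname
        addr = None
    if addr is not None and addr.version == 4:
        client = str(ipaddress.ip_network(f"{addr}/24", strict=False))
    else:
        client = "-"                        # hostname or IPv6: drop it
    host = urlsplit(entry["referer"]).hostname or "-"
    return {"client": client, "referer": host, "path": entry["path"]}


if __name__ == "__main__":
    for entry in map(parse_line, SAMPLE_LINES):
        print(search_terms(entry["referer"]), minimize(entry))
```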
Google AdSense and cookies
I have Google AdSense ads on my pages. See the little box of links to the right of this paragraph. Also see the banner across the top of the page, the large rectangle near the top, and the "skyscraper" ad between there and here.
To make that "link unit" appear, this page just had a single line of PHP:
<?php include($_SERVER['DOCUMENT_ROOT'].'/ads/link-unit-180x90.html'); ?>
That directed the server to replace that PHP code with the following block of JavaScript code before sending the page to your browser:
<div style="float: right; margin-left: 12px; margin-bottom: 10px;">
<script type="text/javascript">
<!--
google_ad_client = "pub-5845932372655417";
/* Link Unit 180x90 */
google_ad_slot = "8066800540";
google_ad_width = 180;
google_ad_height = 90;
//-->
</script>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
</div>
If your browser has JavaScript enabled, then it made a request for /pagead/show_ads.js from the Google server pagead2.googlesyndication.com with those specific "ad client" and "ad slot" parameters set to give me the credit for showing you the ad (maybe about US$ 0.0001), and if you happened to click on the ad, the credit for sending you to the advertisement (anywhere from US$ 0 to maybe 2.00, but generally at the very low end of that range).
Now, Google used to just serve up ads based on their search index's notion of what this page is about. But in April 2009 Google announced a plan to use cookies to try to figure out what your interests are as opposed to just using what this page seems to be about. These would be "id" cookies from doubleclick.net.
If you notice a cookie transaction when loading any of my pages, it is because of Google AdSense.
I certainly don't care what other pages you look at. What little I see in looking at the referer log data once in a great while is far more than enough information along those lines....
Google says that you can go to their Ads Preference manager to see what Google thinks your interests are, and to opt out of the cookie tracking. Then AdSense ads will still appear, but they will be based only on the page contents and not Google's notion of your interests.
What is the PHP trick to show client IP address and server local time?
It's pretty simple. The HTML code for that paragraph looks like this:
<p>
Through the magic of
<a href="http://www.php.net/">PHP</a>
embedded within this page and executing on the server
before serving up this page, it sees that
<b>your IP address is
<?php echo $_SERVER['REMOTE_ADDR']; ?>
</b>
and
<b>local time at the server is
<?php echo date("H:i:s"); echo " on "; echo date("d M y"); ?>
</b>
and so something like the following just got added to
<tt>/var/www/logs/access_log</tt>
because of your request:
</p>