A decade ago, when Internet was no so popular and web sites represented mostly static html pages, the problem of privacy protection in Internet was not such an important issue as it is today. Currently, with the advent and expansion of Web 2.0, websites require a lot of personal information and use it in many ways. The enhanced social activity, customized and user-friendly sites, online shopping and freelance work ”“ all these features require information about the user, which is stored either on the server, or on the client side. Naturally, mechanisms of protecting online privacy have evolved. The aim of this essay is to discuss major existing mechanisms and procedures for preserving user’s privacy and analyze four websites of different purpose in the context of privacy.
1. Privacy protection mechanisms
Methods of ensuring that data passed by user to the server will not be intercepted by someone else can be divided into two classes: administrative and technological. Concerning administrative methods, one can single out such ideas as proper account management and password policy. Timely warnings and policy passwords, as well as agreements and limitations concerning user passwords can greatly enhance security. For example, if the website doesn’t let user input too simple username, too short password or a password that partly contains personal user’s data, the amount of hacked and misused accounts will be significantly lower. Also, better security is reached when weak passwords are not allowed. For example, the website of cisco.netacad.net accepts only passwords, which are 8 or more symbols, do not contain personal user’s information and necessarily include uppercase and lowercase letters, numbers and at least one special symbol.
Many sites also use “capture”ť pictures to avoid “bruteforce”ť password hacking. Also, the necessity to login for using website features relates to administrative measures. Websites where access is restricted to a certain group of people may apply IP-based control (Bidgoli, 2004).
Finally, verification by third party may be regarded as administrative measure. The example of such service may be TRUSTe ”“ its purpose is to establish trusting relationships between individuals and online organizations based on respect for personal identity and information in the evolving networked world (Bidgoli, 2008). Certificate of this organization means that the website is safe and protects clients’ privacy.
The class of technological privacy protection methods is broad. Since the TCP/IP protocol allows virtually any machine in the same network to access open ports at client PC, a bunch of methods relating to different levels of OSI models have been implemented.
The most widely used mechanism is SSH ”“ Secure Shell – a network protocol that allows data to be exchanged using a secure channel between two networked devices (Bragg & Rhodes-Ousley & Strassberg, 2004). SSH was introduced as a replacement for vulnerable Telnet, and is used for sending confidential data over a net connection. On the basis of SSH, sFTP is built, which offers secure file transfer operations. For websites, SSL (Secure Sockets Layer) protocol is most frequently used. SSL protocol uses a combination of public-key and symmetric-key encryption. Actually, the data is encrypted in a user’s web browser, using an encryption key that belongs to the website.
Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet (Bragg & Rhodes-Ousley & Strassberg, 2004). Usage of both protocols require the server and the client exchange digital certificates (such certificate should be previously installed at the website). Client’s browser creates session key, which is sent to the server, and when the connection is established, all the traffic is encrypted. The level of privacy depends on the length of the encryption key (nowadays it usually is 128 bit).
For e-mail sending, PGP encryption is used, which allows hybrid encrypting with temporarily generated session keys (Bidgoli, 2008). Most programs for e-mail exchange and e-mail management use PGP encryption method. For security issues, the mechanism of sessions is quite useful ”“ after a given time of user’s inactivity he is automatically logged out of the site. Also, during a session all personal data and variables passed to server are encrypted.
ĂĽÂ Â Â Request and receipt of policy reference file
ĂĽÂ Â Â Request and receipt of P3P policy
ĂĽÂ Â Â Request and receipt of webpage itself
Actually, P3P doesn’t ensure that the site adheres to all declared privacy standards; it is aimed at informing the user about existing privacy policies and let him customize these policies.
2. Analysis of websites privacy protection
I have chosen 4 websites for analysis. The websites are of different purpose and for different categories of people.
This website supports secure registration and uses SSL protocol during the whole session. It has a valid digital certificate but doesn’t offer P3P settings. However, constant SSL protection offers significant security. When online sales take place, additional user verification procedures are used.
This website is not much about security; however, it is addressed to those who want to monitor latest news and does not require personal information. Registration is not necessary here. The only data that may be unsafe while using this site are search history and e-mail used for subscription or RSS. Actually, there are no visible security measures at this site, but they are not very important there
EBay is one of the biggest auctions and online selling places. Naturally, it has high privacy protection: P3P support, all-time SSL use, e-mail verification and credit card (together with its security number) verification. Without a valid payment method, one would be unable to register at Ebay, though it is possible to browse and view the items. EBay also uses third-party verification (primarily PayPal) for personality identification.
Since this is a site for online banking, BBT gives even better security than EBay. It offers secure logon and registration (again SSL), P3P, verification of user address, it allows sending secure messages, strict administrative demands for users, timeout and virus protection.
There are many methods of data protection for websites. Our analysis has shown that SSL protection with 128-bit encryption is used frequently, especially when financial data or registration data is sent. Administrative protection measures vary, and mostly depend on the purpose of the website, its popularity and interactivity. For websites where financial actions take place, additional certificate verification, e-mail encryption and various anti-scam checks are common.