Don't Take Cookies from Strangers

By Joel Hoekstra

How does Facebook know you wear Levi’s? Every move you make online can be recorded, tracked, and analyzed. Whether that’s a good or bad thing depends on your views about digital privacy.


Jenny Nunemacher ’95 worries about online privacy when her children surf the web. Her 10-year-old daughter, for example, loves to play computer games but is easily distracted by the flashy advertisements for Angry Birds and the like. So Nunemacher, a business analyst and mother of two who lives in Nederland, Colorado, has chosen to block such ads. Her daughter also logs in with her own account, which Nunemacher has configured to restrict access to sites that aren’t kid-friendly. “My children do not understand the risks, so I reduce their exposure to them,” she says.

But Nunemacher admits she’s not as concerned about her own browsing risks.“I’m not a privacy freak,” she says. She regularly shares information about her activities on social networking sites, although she does use privacy controls. She doesn’t mind when ads for products that she’s searched for in the past—say, a book or a brand of purse—follow her from site to site. Yet even Nunemacher and her husband, Tyson Nunemacher ’95, don’t always agree on where to draw the line. “He thinks I post too much, so I try to be careful about what I share about him and about our kids.”

Who’s Watching?

How to Protect Your Privacy

Update your browser to take full advantage of privacy features in the most recent version.

Maintain multiple e-mail addresses, including one for high-security transactions, like banking, and another for online purchases or other transactions that carry a risk of spamming.

Read privacy policies to understand how your data will be handled, but be aware that websites can, and do, violate their terms.

Understand privacy controls before you share personal information on or with a site. Minimize personal info sharing. 

Strengthen your passwords by including numbers, capital letters, and symbols. Use unique passwords for each online account. And remember to sign out when finished.

Guard your mobile device against theft or loss. Enable options that will allow you to remotely wipe data on the device.

Turn off GPS on your mobile device if you don’t want to share your location with applications and advertisers.

Run up-to-date antivirus and antispyware software.

Online privacy has been a hotly debated topic since the dawn of the Internet. But while many of us say we want privacy when we use the Internet, in practice few of us do much to protect our online activities from prying eyes. The popularity of blogging and social media suggest that many of us are willing to share lots of personal information online—phone numbers, embarrassing pictures, political views—despite the threat of phishing, hacking, and identity theft.

“There are benefits to having an online persona,” says Rich Graves, a senior Unix and network security administrator at Carleton. LinkedIn scans your résumé to suggest professional connections that might benefit you. Amazon combs your purchase history to recommend products you might like. Google even uses search queries to assist U.S. public health officials in tracing the spread of influenza. Individually and as a society, we reap rewards from the collection and analysis of online data.

So who exactly is tracking your online behavior? “Everybody,” says Carleton professor David Musicant, chair of the College’s computer science department. “Anytime you go to a website for anything, they’re collecting data.”

Consider, for example, that Internet service providers (ISPs), our primary link to the Internet, gather basic information about us—phone numbers, e-mail, addresses, billing information, and credit card numbers—when we sign up for accounts. They also log the time we spend online and the URLs we search, and this data is kept for a period of time (retention policies vary by organization, however). Most ISPs have privacy policies that forbid them from sharing this information with outsiders. But even that can be circumvented: Thanks to the Patriot Act, passed by Congress in the wake of 9/11 with the intention of fighting terrorism, government officials with a warrant can demand access to any information your ISP has stored.

Aside from your ISP, every website you visit can track your computer by its unique signature, called its IP address. Therefore, even if you don’t log in to a website and give them your name, it can still track what you’re doing, says Musicant. While website operators may not know which human being is using that computer, they do know a specific computer is being used. They can follow your online activities and build a behavioral history that could be linked someday to more personal history. How much time did you spend reading that Huffington Post article? Did you download a free recipe from The answers to those questions—even if they characterize the behavior of an anonymous user—are a gold mine to marketers or researchers mapping patterns of behavior.

Which is why many companies use digital “cookies” to track our behaviors even after we leave their sites. Like a barnacle attached to the side of a ship, these little bits of software adhere to web browsers, reporting back to the sources that unleash them. Cookies allow Google—aware that Jenny Nunemacher has been browsing purses on another site—to serve up a banner ad for handbags even when she logs onto an unrelated site hours later.

chip-cookie.jpgAnonymity on the web is increasingly the exception, not the norm. Some of us block cookies, and a few more of us switch on “private browsing” when conducting searches we want kept hidden. But more and more, we willingly open accounts with Facebook, Gmail, or Dropbox, potentially allowing strangers access to our personal information, private documents, and search histories. Perhaps unwittingly, we are handing over our personal data in exchange for “free” services.

“Facebook has become a data-gathering tool the likes of which we never imagined,” says Justin Kwong ’03, an unemployment law judge and an adjunct professor at William Mitchell College of Law in St. Paul, who has written about the intersection of digital technology and the law. “The things you like to do, who you like to do them with—that’s all very useful information for advertisers. Facebook is like the Nielsen ratings box times a million.”    

Hacked or Helped?

Few people are more careful about online privacy than Susan Reedy Schnur ’62, who diligently protects her computer with anti-virus software. She downloads her e-mail directly to her computer, rather than storing it online, and she uses complex and varied passwords for almost all her digital accounts. “I don’t bank online,” says Schnur, who lives in Islesboro, Maine. “I have a separate credit card and a separate password for online purchases. And my privacy settings are set to the highest level on Facebook.”

chip-cookie.jpgSchnur had used a simple password for her Facebook account, figuring it didn’t matter because she wasn’t using that account for any financial transactions. However, a while ago, Schnur’s Facebook account was hacked and several of her acquaintances received a message suggesting that she was hospitalized in France and needed money wired to her immediately. (Another Carl figured out the e-mail was part of a phishing scam and alerted Facebook officials and Schnur, who was safely at home.) “After my account was hacked, I switched to a stronger password for Facebook,” says Schnur.

Nowadays, it seems, such scams are commonplace. “Once data leaves your computer, there’s another potential breach where someone can access it,” says Musicant. “The more places you send data, the more possibilities there are that someone can find it.”

But hackers aren’t the only ones with the power to misuse data collected online. More than a few Facebook users have been bombarded by ads that have no relevance to them, merely because they clicked on a news article a few days earlier or mistyped a word during a search query. And most of us receive some amount of spam, because our e-mails have been harvested from one organization’s mailing list and sold to another for a profit.

Personal data helps advertisers draw conclusions about us. When you purchase a book on Amazon, for example, the retailer assumes that you have something in common with other people who have purchased that book. When you search for a topic on Google, the search engine suggests phrases that others delving into that subject have searched. In both cases, the companies use data collected from other users—probably anonymously—to predict your behavior. If you’re logged in to an account, the site can even factor in your previous activity to serve up results that seem custom-tailored.

“There’s a benefit for both of us when a user receives well-tailored personal results,” says Carleton computer science professor David Liben-Nowell. “Google gives me results that make me happier, so I’m a happier customer.”

chip-cookie.jpgBut what if the digital assumptions are false? Suppose that you’ve spent a lot of time online reading articles about the Tea Party. “Subsequently, when I search any subject that’s potentially political, I may get results that skew politically in the same direction as my past viewing history,” Liben-Nowell says. “So there’s a societal question about whether that’s good, or whether that’s reinforcing my existing views—the sort of echo chamber effect. It’s a subtle shift. If you click through to page three, of course, the other results will be there. Google doesn’t prevent me from seeing those results, it just makes me look a bit harder.”

A Blurry Legal Line

The Fourth Amendment to the U.S. Constitution bars government officials from searching private property, including personal computer and e-mail accounts, without a warrant. But beyond that, Americans have no express right to online privacy.

“It used to be what I did in my home was private. What I did in the street was not,” says Kwong. “We tend to think that the things we do at our computer are private, because they’re in our house and on our computer. Of course, the web throws that out the window.” Logging onto the Internet is similar to venturing into the street to have a conversation, go shopping, or attend a political rally. You may be watched, photographed, or recorded—and possibly duped—despite your best efforts to go undetected. When we go online, Kwong says, we essentially leave our homes and travel into the public sphere.

chip-cookie.jpgWorkplace communications aren’t private either. No law prevents your employer from reading your e-mail, monitoring your web searches, rooting through your digital files, and even installing software that monitors your keystrokes. If you access your personal accounts via a company computer or your employer’s Wi-Fi network, your boss is also legally allowed to view that information. A handful of states have passed laws forbidding employers from demanding access to Facebook accounts from current and potential employees, but no nationwide prohibition exists. In fact, the only situation in which workers using company-owned technology can legally expect some measure of privacy is personal calls—and even then, according to the antiquated Electronic Communications Privacy Act of 1986, which governs such matters, an employer can listen in until it becomes clear that the call is not a business communication.

The law is evolving slowly with regard to Internet privacy. A patchwork of legislation passed in earlier decades to monitor other electronic communications—such as phone calls, faxes, and any communication that travels by wire—has been applied to digital privacy cases, Kwong notes. But Congress has struggled when it comes to writing comprehensive and useful laws to govern Internet activity. Currently, the Federal Trade Commission monitors whether companies that have privacy policies keep their promises to users. Last May, the Obama administration proposed a Privacy Bill of Rights that would provide basic online protection guarantees. Congress has not taken up the matter.

chip-cookie.jpgIn the meantime, Internet users will have to find ways to balance privacy and access on their own. “I do consider it creepy when I look at a product and then it seems to follow me from page to page in the form of an ad,” says Graves. “But I don’t really see that as a privacy violation until it becomes personally identifiable.” Liben-Nowell says some risk to privacy is simply the cost of taking advantage of the Internet’s benefits. “In the end, it’s about living your life. There are always risks in everything that we do, and this is no different.”

With neither government officials nor industry players moving quickly to reduce such risks, it’s increasingly up to individual users to figure out what level of privacy is right for them—and then, how to implement it. As tracking technology improves, in fact, privacy is likely to erode even further.

There may be a time in the future when the market demands easy and affordable options for protecting privacy online. For now, though, if you decide to sign up for Gmail or click on that Angry Birds ad—well, don’t say we didn’t warn you.


Add a comment

The following fields are not to be filled out. Skip to Submit Button.
(This is here to trap robots. Don't put any text here.)
(This is here to trap robots. Don't put any text here.)
(This is here to trap robots. Don't put any text here.)