Report of the Office of the
Privacy Commissioner of Canada
Republished with permission

At last count (or best guesstimate) 40 million people worldwide are surfing the Net for fun and profit. Surprisingly, many of them are simply unaware that their communications, transactions—and perhaps even the data on their own computer—are available for others to see (unless they take precautions).

The openness of the Internet should not be surprising—the Net evolved from a U.S. Defence Department communications network (ARPANET) linking military bases, university research centers and defence contractors. It was designed to be open and accessible—to communicate and to be impervious to nuclear attack. Other computer networks and universities quickly joined.

Today the Net is multiple networks with many pathways connecting many computers. Messages can be routed around the world to reach across town and seldom travel the same route twice. The Net resides nowhere and everywhere; it has no headquarters and no-one is "in charge." That is its power—and its challenge to privacy.

Sitting quietly in front of our personal computers, it's easy to be lulled into forgetting that sending email is not like making a telephone call; it's more like broadcasting. We should have few expectations of privacy. In fact, not only are our messages to public newsgroups or forums accessible to others, software available on the Net allows others to assemble a profile of our messages and interests. Soon marketers will systematically mine the Net to assemble personal profiles and target lists to sell products and services on line. And shopping and banking over the Net pose their own risks unless the service is protected by encryption.

The power and reach of the Internet gives users and system operators extraordinary access to data, including personal information. In January 1989, the Association for Computing Machinery (ACM), recognizing the social impact of their profession, drew up a code of ethics to articulate members' responsibilities. One of these is to "respect the privacy of others."

But, given the nature of the Net, individual users must also take responsibility. Here then, are some suggestions for protecting privacy in Cyberspace, adapted, with permission, from a fact sheet of the Privacy Rights Clearinghouse at the Centre for Public Interest Law, University of San Diego, California.

• Create a secure password
  Make up something nonsensical from a combination of upper and lower case letters, numbers and symbols, or something no one could guess; a combination of family names, birthdates or interests.
  
  
• Ask for your system operator's privacy policy
  Most commercial services have written policies which they provide to new subscribers. Avoid those that don't. Read carefully all messages which appear at inital login; many "sysops" inspect email and require new subscribers to allow email to be monitored.
  
  
• Shop around
  Investigate new services before you use them. Post a question in a dependable forum or newsgroup. If others have had a bad experience, you will hear quickly—news gets around in cyberspace.
  
  
• Assume your communications are not private
  Unless you encrypt, do not send sensitive personal information (phone numbers, passwords, addresses, credit card numbers, vacation dates, social insurance numbers) by chat lines, forum postings, email or in your online biography.
  
  
• Be cautious of "start-up" software
  Programs which make the initial connection to a service may ask for your credit card number, chequing account numbers, Social Insurance Numbers, then upload the information automatically for billing purposes. These programs may also be able to access records in your computer without your knowledge. Ask the service for alternate subscription methods.
  
  
• Don't leave footprints
  Use anonymous remailers to avoid leaving tracks of your logins and the commands you executed both at your service provider and remote sites.
  
  
• Remember the "Delete" command doesn't...
  make your messages disappear, that is. They can still be retrieved from back-up systems and your hard drive.
  
  
• Online identities may not be what they seem
  Many network users adopt one or more online disguises.
  
  
• Avoid listing sensitive or controversial newsgroups as "favourites"
  If your online service allows you to compile a list of favourite newsgroups, avoid listing those with which you do not want to be publicly identified.
  
  
• Take care creating your online biography
  If you need to protect your identity, don't create a biography, and ask the operator to remove you from its online directory. Biographies may be searched system-wide or "fingered" remotely.
  
  
• Setting up a personal Web page makes you a marketing target
  This seems self-evident, but it's often forgotten.
  
  
• Be alert to social dangers
  Harassment, stalking, being "flamed"—subjected to emotional verbal attacks, or "spammed"—sent repeated unsolicited messages, are all possible on the Net. Women can be particularly vulnerable; use gender neutral online IDs.
  
  
• Teach your children well
  Make sure your children also learn the privacy lessons. Caution them against revealing information about themselves or your family.
  
  
• Use privacy protection tools
  If you are concerned, consider using technologies which help online users protect their privacy. These are:
  • Encryption: these scramble email messages or files, making them gibberish to both the system operator and anyone other than the intended recipient. Various encryption programs (such as PGP—Pretty Good Privacy) are available online;
  • Anonymous remailers: these servers act as intermediaries for your message, stripping off the identifiers before forwarding the message;
  • Memory protection software: programs which prevent unauthorized online access to your home computer. Some include an "audit trail" to record all activity on your computer.