Step 1: Set Up Your PC for Privacy

Using two PCs instead of just one provides an excellent boost to security. If the security
of your "online" system is breached, the confidential data on your "offline"
system remains intact.

Every time you connect to the Internet, a hidden partition in your hard disk may be
remotely activated and information transmitted to persons unknown.
The only way to deal with this vulnerability is to use a two-PC setup or
a hard-switched or removable "C" hard disk with its own operating system
installed. Use one hard disk for high security purposes, the other
for routine tasks. Keep the data on the high security drive "encrypted"
with a program such as Pretty Good Privacy (www.pgpi.com) except when you're
actually using it.

When you want to copy programs or files to your offline system—after testing them on
the online machine—back them up and restore them on the main one using
a rewriteable CD-ROM. Programs like pcAnywhere (www.symantec.com/pcanywhere)
also work, but in addition to being a security risk in their own right,
can facilitate the transfer of viruses or other malicious programs to your
offline system.

If using a two-PC system isn't practical for you, consider the following precautions:

- Don't use Windows XP. The XP licensing agreement gives Microsoft (or anyone Microsoft designates)
the authority to automatically and invisibly download future fixes or "upgrades"
to XP, including secret code that could monitor everything you do on your
PC. Older versions of Windows software (with the exception of the latest
upgrade to Windows 2000) do not have these provisions.
- Disguise your "online identity." In Windows systems, go to the control panel and
select "System properties" to review registration data. The
"General" tab contains the registration information. This information is
recorded in the Windows registry and the only practical way for a non-programmer
to change it is by reinstalling Windows. Use the same precautions for your
applications software.
- Physically disconnect your PC from the telephone line or cable modem when you're not online.
These connections carry plenty of energy to manipulate chips in your modem,
triggering programs that can activate the next time your computer is turned
on.
- Disable unnecessary "bindings." Windows systems have multiple levels of "connectivity" that
most users don't need. Disable the ones you don't use, following the instructions
at http://grc.com/su-bondage.htm.
- Disable printer and file sharing. Bring up "My Computer" on your desktop. Right click on
the name of each hard disk. Select "properties," then "sharing."
Click "not shared" for each hard drive.
- Minimize or turn off the Windows "swap file." Data can be recovered from the "swap file"
Windows writes to your hard disk. Use Windows help to search for "virtual
memory" and follow the prompts to manage virtual memory. Start with 100
megabytes and adjust toward zero, or as close to zero as your programs need to run
properly. Set the same "maximum" and "minimum" figures. Whatever size you
specify, you must have at least 50 megabytes additional disk space free.
- Disable "universal plug and play." This is a networking standard designed to make different
manufacturers' networking equipment, software and peripherals compatible
with one another. Unfortunately, the Windows implementation of UPnP contains
security flaws so serious that the FBI issued a warning advising consumers
to disable it. A free utility program to do so is available at http://grc.com/UnPnP/UnPnP.htm.
- Wipe "free disk space" regularly. Forensic analysis of the unused "free disk space" on
your hard disk can reveal traces of incompletely deleted files and a great
deal of additional information you might prefer to keep private. At least weekly,
run a utility that permits you to wipe free disk space, such as the one in
Windows versions of PGP (www.pgpi.com). Also run the Windows "DEFRAG"
facility at least weekly.
- Preserve e-mail privacy. The most important precautions are to close the "preview pane"
in your e-mail program; turn off "active scripting" (instructions at www.europe.f-secure.com/virus-info/u-vbs);
and to send and receive e-mail in "plain text" format, not HTML (instructions
at www.expita.com/nomime.html).
- Resist "upgrades." Many upgrades come with a hidden cargo: either enhanced surveillance features
or the disabling of formerly useful features. The latest upgrades to video
and CD software, for instance, incorporate "digital rights management"
technology that restricts or completely disables your ability to duplicate
(or in some cases even play) CDs or DVDs. Some upgrades are essential,
of course, but there is usually no need to "rush to upgrade" from a privacy
or security standpoint if you follow the recommendations in this column.

Step 2: Practice "Safe Surfing"

- Minimize your online sessions. The fewer sites you visit and the shorter the time
you are online, the less likely it is that you'll encounter a rogue Web
site that will copy files from your hard disk.
- Obtain anonymous Internet dial-up service. In the United States, two Internet Service Providers
(ISPs) that permit prepaid anonymous dial-up accounts are Anonymizer (www.anonymizer.com/services/dialup.shtml)
and Cyberpass (www.cyberpass.net). In most other countries, anonymous dial-up
service is not available. However, if you use a small ISP, the risk of
monitoring is reduced. For instance, in the United Kingdom, only ISPs with
more than 10,000 users are monitored.
- Beware of "always-on" Internet connections. High-speed cable or DSL connections have much higher
security risks than dial-up connections. A continuous Internet connection
makes it easier for a person running a "packet sniffer" to monitor the
data flowing between the Internet and your PC.

Step 3: Use Privacy Enhancing Software

- Use "proxy servers." A proxy server is a computer between your browser and the Web page that
you are visiting. When you type in a Web page address, your browser passes
the address to the proxy server and the proxy server retrieves the page.
This protects your privacy because all the Web site sees is the proxy;
you remain invisible. A good choice for a proxy server is WebWasher (www.webwasher.com).
- Use browser-scrubbing software. Your Web browser keeps detailed logs of everything you do on
the Internet. To eliminate these logs, use a program such as NSClean (for
Netscape) or IEClean (for Internet Explorer). Both are available from www.nsclean.com.
- Use anti-virus software. A good choice is AVG 6.0 (anti-virus) from www.grisoft.com. Do
not use anti-virus software from Symantec (Norton) or McAfee; both companies
have refused to rule out cooperation with the FBI in making sure their
virus detection programs will not deactivate "authorized" intrusion software
created on behalf of US law enforcement agencies. This is dangerous not
only because it permits invisible surveillance by police, but because there is
no assurance that hackers wouldn't be able to create the same "digital
signature" to fool Symantec or McAfee programs!
- Use firewall software. ZoneAlarm 3.0 (firewall) from www.zonelabs.com is a good choice.
A properly functioning firewall will ensure that there is no evidence of
your PC even existing when you connect to the Internet! To test the "stealthiness"
of your PC, run the programs at https://grc.com/x/ne.dll?bh0bkyd2.
- Use "Trojan" detecting software. It's remarkably easy for a hacker to install a program on your
PC, such as Back Orifice 2000 (www.cultdeadcow.com) to secretly record
everything you do on it. BOClean is a utility designed to detect
and deactivate such "back door" or "Trojan Horse" software (www.nsclean.com).
- Use encryption software. Monitoring e-mail communications is easy, thanks to the fact
that PC communications pass through multiple computers on the way to their
destinations. Using encryption software creates an armored envelope
around your e-mail messages (or the files on your PC) that can be defeated
only with great effort or if you make a significant error.
I recommend PGP for this purpose (www.pgpi.com).
- Use "spyware" detection software. Many free or low cost programs downloaded from the
Internet secretly install software on your PC that monitors your online
activities, then reports them back to the software manufacturer. To detect
and remove such "spyware," install a program such as Ad-aware (www.lavasoftusa.com
or www.lavasoft.de).
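
Added example, not part of the original article: the proxy item above says the Web site sees only the proxy, which holds only if the proxy forwards nothing that names you. This Python check inspects the headers a site receives and reports which ones still carry the client's address or browser details; the header sets and addresses are constructed samples, and the function names are chosen for this example.

```python
import ipaddress

# Headers that forwarding proxies commonly add; each can carry the client's own address.
FORWARDING_HEADERS = ("x-forwarded-for", "forwarded", "via", "client-ip", "x-real-ip")
# Headers the browser itself sends that describe the user rather than the request.
BROWSER_HEADERS = ("cookie", "referer", "user-agent", "from")

# Constructed samples (documentation address range), as a Web site would receive them.
CLIENT_IP = "203.0.113.7"
TRANSPARENT = {"Host": "example.org", "Via": "1.1 proxy.example",
               "X-Forwarded-For": "203.0.113.7",
               "User-Agent": "Mozilla/4.0", "Cookie": "id=abc123"}
ANONYMIZING = {"Host": "example.org", "User-Agent": "Mozilla/4.0"}


def find_ips(value):
    """Return every token in a header value that parses as an IP address."""
    found = []
    for token in value.replace(",", " ").replace(";", " ").replace("=", " ").split():
        try:
            found.append(str(ipaddress.ip_address(token.strip('"[]'))))
        except ValueError:
            continue  # host names, version numbers, parameter names
    return found


def audit_request(headers, client_ip):
    """Report what the site learns beyond the proxy's own address.

    headers: dict of request headers as received by the site.
    client_ip: the address the user expects the proxy to hide.
    """
    report = {"ip_leaks": [], "proxy_revealed": [], "browser_details": []}
    for name, value in headers.items():
        key = name.lower()
        if key in FORWARDING_HEADERS:
            report["proxy_revealed"].append(name)   # site can tell a proxy is in use
            if client_ip in find_ips(value):
                report["ip_leaks"].append(name)     # proxy passed the real address on
        elif key in BROWSER_HEADERS:
            report["browser_details"].append(name)  # identifies browser or session
    return report


if __name__ == "__main__":
    for label, sample in (("transparent", TRANSPARENT), ("anonymizing", ANONYMIZING)):
        print(label, audit_request(sample, CLIENT_IP))
```

An empty `ip_leaks` list with a non-empty `browser_details` list means the address is hidden but cookies or the user-agent string can still link visits together.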

Step 4: Use Someone Else's PC

If you're a frequent PC user, you'll probably need to configure your own PC for the
most private communications possible. But if you only use a PC occasionally,
or are traveling, you may need to use someone else's PC to surf or send
and receive e-mail.

However, don't use your PC at work for this purpose—it may be booby-trapped. Indeed,
about one-third of U.S. companies monitor their employees' Internet use,
and such monitoring is increasing in other countries as well.

Instead…go to your local library. Most public libraries in the United States and Canada
have free Internet service. You may have to sign in, but you probably
won't have to show an ID (although this is now starting to change, allegedly
as an anti-terrorist measure).

Find a PC with a floppy disk drive, or a CD-ROM drive. Upload encrypted messages you've
prepared in advance to your account with an anonymous e-mailer such as
www.hushmail.com. Copy any encrypted messages you receive to your
floppy disk. Decrypt them later on your own computer.

Unfortunately, this strategy is becoming more risky. For instance, the USA-PATRIOT
Act permits the FBI to obtain records of library patrons, including their
PC use, without a warrant. Library PCs may also be "bugged."
PCs in smaller branch libraries are much less likely to be monitored than
in larger libraries.

Commercial PC services and cyber-cafes are also widely available. I've never
been asked for an ID, although you will have to sign in and possibly leave
a security deposit. For a list of more than 5,000 cyber-cafes in over 140
countries, see www.cybercaptive.com.

However, you have no assurance when using a "public" PC that the network it uses is
secure. For this reason, sending encrypted messages and browsing through
a "proxy server" is doubly important.

In addition, when you use a public PC, your Web surfing may be tracked by a network
monitor and evaluated against a list of key words or phrases that if triggered
will alert law enforcement. If you can't visit chat forums or certain web
sites, the network is probably using monitoring or screening software.

You should also assume that any online search engine such as Google.com (my favorite)
has the same capability. In China, the Internet police (now more
than 40,000 officers strong) make arrests based on certain words used in
e-mails or typed into search engines. You should assume police in
other countries have similar capabilities. If you search for phrases like
"enriched plutonium" AND "triggering device," an alarm may go off in a
network administrator's office—or at the local FBI office.

You may also be monitored via closed circuit television every time you go to a
public location such as a library or office services store. Your arrival
time might later be estimated based on the time you logged on to the Internet.
Film from the estimated time of arrival may be examined to identify your
face. A face can be matched against a database of more than 60 million
faces in less than a second!

For all these reasons, use multiple locations if you use public PCs for Internet
access.

Finally, remove your "tracks" from whatever browser you use when you leave. This requires
installing a browser cleansing program such as NSClean, running it, then
uninstalling it. However, most public PCs do not permit users to install
or run software not already on the system. You'll probably need to manually
delete your online trail. This data is ordinarily maintained in
subdirectories named "archive," "cache," "e-mail" and "news," etc. in the
Netscape or Internet Explorer program directory. Locate these files
on your own PC using a program such as NSClean or IEClean so you know where
to look. Also, delete all files in the Windows "temp" subdirectory and
all files with the extension "*.tmp."
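
Added example, not part of the original article: the manual sweep described above, written as a Python inventory you can run on your own PC to learn where the traces live. The function names and the `dry_run` switch are choices made for this example; the subdirectory names and the `*.tmp` pattern are the ones the article lists.

```python
import fnmatch
import os

# Subdirectory names the article lists as holding browser traces.
TRACE_DIRS = {"archive", "cache", "e-mail", "news"}


def find_traces(browser_dir, temp_dir):
    """Return sorted paths of the files the article says to delete by hand."""
    hits = set()
    for root, _dirs, files in os.walk(browser_dir):
        # A file counts if any directory between browser_dir and it is a trace directory.
        rel = os.path.relpath(root, browser_dir)
        parts = set() if rel == "." else {p.lower() for p in rel.split(os.sep)}
        inside = bool(parts & TRACE_DIRS)
        for name in files:
            if inside or fnmatch.fnmatch(name.lower(), "*.tmp"):
                hits.add(os.path.join(root, name))
    # Everything under the Windows "temp" subdirectory is listed, whatever its extension.
    for root, _dirs, files in os.walk(temp_dir):
        for name in files:
            hits.add(os.path.join(root, name))
    return sorted(hits)


def remove_traces(paths, dry_run=True):
    """Delete the listed files; with dry_run=True only report what would be removed."""
    removed = []
    for path in paths:
        if not dry_run:
            try:
                os.remove(path)
            except OSError:
                continue  # locked or already gone: skip it, keep sweeping
        removed.append(path)
    return removed
```

Deleting a file this way only removes its directory entry; the contents stay in free disk space until overwritten, which is why the free-space wiping step in Step 1 still applies.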

By taking these steps, you will have achieved greater security than the vast majority
of Internet users. Most hackers, upon discovering that your PC is operating
in "stealth mode" will move on to less well-secured PCs. And even if they
don't, following these precautions will make it virtually impossible for
them to break in.

If you are just an occasional PC user, and don't use it daily for work or investment
purposes, these precautions are probably sufficient to preserve your PC
privacy and security. But if you are a PC power user, you'll want to
take additional measures to protect yourself. My newly updated user's
guide to PC privacy on and off the Internet, the 5th ed. of Practical Privacy
Strategies for Windows 95/98/2000, teaches you how to deal with hidden
PC weak spots, vulnerabilities and countermeasures: incompletely deleted
files, hackers, stolen files, encryption, etc. To find out more, click
here NOW: http://www.agora-inc.com/reports/190SMNPS/W190D117/