Prying Eyes: Know and Control What's on Your Hard Drive

One of the most popular sections of this magazine has been "What's On My Hard Drive," a question-and-answer feature about the lesser-known cyber side of some of the world's best-known adult stars. Some of the answers are surprising, some are titillating, and some are just downright funny.

What's probably not so amusing, though, is the vast collection of potentially incriminating evidence stored on the hard drives of adult Webmasters. With no worse intention than "keeping up with the Joneses," many adult Webmasters surf all sorts of Websites just to see what's out there, and what they might be able to incorporate into their own operations. This simple act can have all sorts of unintended consequences due to browser caching: pages, images, sounds, etc., that have been viewed are stored on the computer's hard drive for easy retrieval later. Although they are eventually overwritten with new files, depending upon the amount of disk space allocated to browser cache, they can hang around for quite some time.

Hard drives, like the Internet itself, are inveterate collectors of information, especially when they're managed by a Windows operating system or they contain Microsoft software (notably any of the Office programs, even on Mac systems). For example, according to Microsoft's Knowledge Base, Word creates 15 temporary files for every document that's written in it, whether or not that document is ever saved. Those temporary files are supposed to be deleted when the user closes Microsoft Word - or at the very least when he or she shuts down the system - but because of Windows' legendary instability, that doesn't always happen. Even when it does happen, the files aren't really "deleted." The hard drive space they occupied is simply marked by the system as "available" (technically, "unallocated"), allowing other programs to overwrite it later when they need it.

Without launching into a technical explanation of how computers handle "deleted" data, suffice it to say that nothing is ever really erased from a hard drive without dedicated action on the part of the user, and even then sophisticated forensic tools available to law enforcement and other investigative agencies can recover all sorts of data thought long gone. Not all of the information is in one file, nor is most of it there with evil intent. Users may not even be aware some of it ever existed.

If you're ever the subject of investigation for any reason (divorce, civil lawsuit, arrest, etc.), your computer can provide its interrogators with almost anything they want to know unless you take defensive action to prevent it.

Even if none of this ever happens, you still may be giving away more information about yourself than you're comfortable providing to just any old salesperson. Marketing and advertising firms like DoubleClick have been accused repeatedly of building dossiers on surfers via intrusive cookies deposited on hard drives. DoubleClick, in fact, settled a class-action lawsuit in May that revolved around its data collection practices and policies. And many popular freeware and file-sharing programs - notably Kazaa and other Napster clones - carry piggyback "spyware" that is installed at the same time as the main software. The purpose of spyware is to send information about the user's surfing and buying habits across the Internet to databases maintained by someone the surfer doesn't know and may not want to have the information.

Sound paranoid? Even paranoiacs have real enemies.

Cookies

Cookies are not inherently malicious; in fact, some of them are downright helpful. It's the ones that track your surfing habits across Websites that you might find bothersome. Companies like BannerSpace (www.bannerspace.com), I-clicks Network (www.i-clicks.net), DoubleClick (www.doubleclick.com), and AdBureau (www.adbureau.net) are able to implant cookies on hard drives without the user's permission. As users surf, the cookies are read and modified by other sites in the same advertising network, allowing the company that planted the cookies to track things like a user's path through the Web, the search terms he or she uses, online purchases, and click-through responses to advertisements. As the cookies frequently "phone home" with that tracked information, the companies construct user profiles that they insist are not personally identifiable and are only used by their clients to customize content and advertising to the individual user's desires. But the profiles themselves sometimes consist not only of long listings of sites and pages visited, but also of "psychographic" data and inferences about users' habits or inclinations based solely on the gathered data. Naturally, all of this personal data is readily available to law enforcement if the agency seeking it has the cookie in hand.

Controlling cookies can become a full-time job if you let it, especially if you use more than one Web browser. Each browser handles cookies a little differently, but each also will let users define which to accept and which to reject. More information is available in the browser's "help" dialogue. A simple rule of thumb is to accept first-party cookies (those that are set by the site you are visiting) and reject all third-party cookies, which almost invariably are set by advertisers and counters. (Rejecting a counter's cookie will either cause your visit not to be counted at all, or it will cause you to be counted each time you load the page on which the counter resides.) Of course, users can always opt not to accept any cookies, but then they must be prepared to log on to membership sites manually each time they visit - and some membership sites (banking and other financial sites, for example) won't accept the visit at all unless cookies for that site or its security provider (which may have a different URL) are enabled.

If you enjoy the experience of being plagued incessantly by dialogue boxes, you can set your browser to warn you any time a cookie is about to be set. Choose this option, and you'll be surprised at the number of cookies that exist on the Web. Very quickly they can consume the entire surfing experience, as some pages even attempt to set or modify a cookie for every image loaded.

But if you want some level of control over cookies beyond the basics without subjecting yourself to the unending dialogue boxes, the most current version of Internet Explorer includes a nice little tool that allows users to block or allow all cookies from specific domains. To use it, click Tools/Internet Options in the browser's menu bar, then click on the "Privacy" tab in the pop-up box. At the bottom, under "Web Sites," click the "Edit..." button. Type the URLs of Websites from which you want to always block or always allow cookies, then click the "Block" or "Allow" button, as appropriate, and the site(s) will be added to a scrollable list below. If you change your mind later, the sites can be removed from the list.
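
The rule of thumb above (accept first-party, reject third-party) combined with a per-site block/allow list can be expressed as a short policy check. The following Python sketch is an added example, not part of the original article or of any browser's code; every hostname in it is constructed, and `site_of` approximates a site by its last two host labels, which is an assumption that does not hold for every top-level domain.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def site_of(url):
    """Approximate a URL's site as the last two host labels.
    Assumption: adequate for these sample hosts; real browsers use the
    Public Suffix List (this would misjudge hosts under co.uk, for example)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def decide(page_url, setter_url, allow=(), block=()):
    """'accept' or 'reject' for a cookie set by setter_url while viewing page_url."""
    setter = site_of(setter_url)
    if setter in block:                  # per-site list wins over the rule of thumb
        return "reject"
    if setter in allow:
        return "accept"
    return "accept" if setter == site_of(page_url) else "reject"

def cross_site_setters(log):
    """Third-party sites that set cookies under two or more different first-party
    sites: the position from which a browsing path can be assembled."""
    seen = defaultdict(set)
    for page_url, setter_url in log:
        page, setter = site_of(page_url), site_of(setter_url)
        if setter != page:
            seen[setter].add(page)
    return {s: sorted(p) for s, p in seen.items() if len(p) >= 2}

# Constructed log: (page the user opened, URL whose response set a cookie).
LOG = [
    ("http://www.shop.example/cart",     "http://www.shop.example/cart"),
    ("http://www.shop.example/cart",     "http://img.shop.example/logo.gif"),
    ("http://www.shop.example/cart",     "http://ads.adnet.example/banner.gif"),
    ("http://news.example/today",        "http://ads.adnet.example/banner.gif"),
    ("http://news.example/today",        "http://hits.counter.example/c.gif"),
    ("https://www.mybank.example/login", "https://sso.banksec.example/auth"),
]

def audit(log, allow=("banksec.example",), block=()):
    """Apply the policy to every logged cookie; the bank's separate security
    provider is allowed explicitly, as the article describes."""
    return [decide(page, setter, allow, block) for page, setter in log]

if __name__ == "__main__":
    print(cross_site_setters(LOG))
    for (page, setter), verdict in zip(LOG, audit(LOG)):
        print(f"{verdict:7} {site_of(setter):18} on {site_of(page)}")
```

Without the allow entry the bank login would break, which is the membership-site caveat described earlier; the counter's cookie is rejected like any other third party.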

Alternatively, AnalogX offers a piece of helpful freeware that performs a similar function and works on all Windows systems. CookieWall (www.analogx.com/contents/download/network/cookie.htm) allows users to decide which cookies stay and which go by configuring its easy-to-use interface to delete, notify, or queue up new cookies for the user to deal with later.

The World Wide Web Consortium (W3C) is attempting to standardize its Platform for Privacy Preferences (www.w3c.org/p3p) to make privacy policies and user agreements easier for the common man to understand. Although the standard is only in draft form currently, Internet Explorer provides support for it now, allowing users to permit or restrict cookies based on whether or not they're comfortable with what they read. A "readability" mechanism is also built into the standard, the goal of which is to allow users to read and understand easily the privacy policies of any advertisers or third-party content providers who have placed cookies on the page they're viewing.

Spyware

More insidious than cookies and potentially much more damaging for those who enjoy using freeware is spyware. Spyware arrives quietly with games, MP3 players, file-sharing programs, and all sorts of "helper apps" and burrows deeply within a system (often embedding its tendrils into the Windows registry) by piggybacking on another program. The only clue to its presence the average user is likely to find is buried within the license agreement for the parent program (and not all spyware is revealed even there). Spyware (also sometimes called "adware") generally behaves similarly to advertising cookies: It monitors online behavior or mines data without asking for the user's consent, and the newest incarnations are capable of capturing all sorts of information, right down to keystrokes, passwords, and credit card numbers - making it a security and privacy nightmare. Unlike cookies (which only give up their info when a user logs on to another site in the marketing network from which they were spawned), spyware proactively transmits its data across the Internet to its owner.

Some popular programs that come complete with spyware are RealPlayer, Netscape's Download Accelerator, Comet Cursor, PKZip, Cute FTP, GoZilla, and Kazaa. Microsoft's version is called a Globally Unique Identifier (GUID), and integrates with Windows Media Player and many other Microsoft apps (including the entire operating system in the case of Windows XP). For an extensive (but difficult to read) list of spyware-infested programs, visit www.fcenter.ru/Software/Miscellaneous/Spyware/spywarelist.txt.

Of course, spyware distributors consistently claim that the software isn't hurting anyone, and that it's only loaded onto people's PCs with the best of intentions. Any information it collects, they say, won't be abused - and besides, its terms of use and privacy policy are included with the end-user license for the software the person downloaded in the first place. In order to use the "parent" program, the user has to have already agreed to the spyware's intrusiveness - so why the outcry?

While it may be true that in the face of pending U.S. federal legislation many companies are becoming more open about what they're really installing on users' computers, license agreements generally are long, complicated documents mired in legalese and jargon, and are difficult, if not impossible, for the average user to understand. A survey completed in mid-2002 by the Richardson, Texas-based consulting firm Privacy Council revealed that although 76 percent of respondents said they were "concerned" about privacy violations on the Internet, only 22 percent admitted to reading privacy policies and download agreements. Among respondents in the 18-25 age group, a core user base for file-swapping apps and other shareware, only eight percent read the fine print.

One of the most notorious outcries about spyware occurred earlier this year, when millions of people discovered that along with Kazaa's popular file-sharing software, they had installed a piggyback program from Brilliant Digital Entertainment. The application had the potential to convert users' PCs into nodes that would host and disseminate music, ads, and other content from various companies as part of a commercial network. When the Trojan component of the program was discovered, Kazaa abandoned it, but continues to include other spyware. The event left a bad taste in many consumers' mouths and clearly illustrated in terms they could understand the awesome and malevolent potential of spyware.

Nor does the U.S. government help matters much. Congress may be fond of proclaiming individual privacy rights, but few of its members understand the pertinent technologies well enough to enact legislation that addresses them effectively. Case in point: the Digital Millennium Copyright Act (DMCA) and the Uniform Computer Information Transaction Act (UCITA) have sanctioned some of the copyright actions of spyware, and pending legislation is leaning toward mandating "opt-out" rather than "opt-in" mechanisms, which would allow vendors to automatically access and collect information unless users take specific steps to block it or them. One compromise that might actually make it through the legislative quagmire divides information into "sensitive" and "non-sensitive" categories. Collection of sensitive information like financial data, medical history, Social Security numbers, ethnicity, religious affiliation, sexual orientation, and political party affiliation would require "opt-in" consent. Anything else would be classified as non-sensitive and therefore subject to any "opt-out" mechanism the seeker wanted to put in place.

All is not lost, however. At least one freeware program does an admirable job of giving users a fighting chance against the insidious habits of its intrusive brethren. Ad-aware (www.lavasoft.de/aaw.html), from Swedish company LavaSoft, scans memory, hard drives, and the Windows Registry for known parasitic components from such notorious spyware distributors as Alexa, Aureate, Comet Cursor, Cydoor, DoubleClick, DSSAgent, EzUla, Expedioware, EverAd, Flyswat, Gator, Gratisware, HotBar, OnFlow, TimeSink, Transponder, Web3000, Webhancer, and many others. The list grows as new applications are discovered, and updated files are available frequently from the company's download site.

Easily installed and configured, Ad-aware displays a list of detected spyware elements, allowing the user to remove them selectively (after backing up crucial elements in case something goes horribly awry).

Zone Alarm Pro, from Zone Labs (www.zonelabs.com), isn't freeware, but it also prevents spyware from sharing information in addition to adding support for cookie watching, pop-up ad control, and a firewall to keep hackers out. Zone Alarm takes a different approach, either preventing the implantation of the parasitic program or refusing to allow it to communicate with the outside world, depending on the user's preference. (Sometimes freeware ceases to function if its spyware component is deleted.) A single-user license is $49.95.

Phantom Files

Windows and Windows programs track most of what users do. Initially, this was intended to help users and protect them from themselves and fatal errors committed by the operating system. With the advent of the Internet and Microsoft's never-ending quest for world domination, however, the tracking and information-gathering process has taken on a more monstrous complexion. Hard drives typically are littered with history files for program and document use, temporary files, swap files, backups and previous file versions, cache files, "deleted" files in e-mail trash folders and the recycle bin, and more. As mentioned previously, even if all these files are deleted and the recycle bin and trash folders emptied daily, the data remains on the hard drive until it's overwritten by something else. This compromises privacy and security - just ask any of the thousands of people worldwide who were arrested during Operation Candyman, the international pedophile sting conducted earlier this year. Some of those people obviously thought they'd gotten rid of the incriminating evidence, only to have it rise from the deleted under the skillful application of law enforcement's forensic tools.

In order to be unrecoverable, data in unallocated space must be overwritten several times. A single-character pass of 1s or 0s won't do the trick. In addition, file attributes, file "slack," and "swap" files (sometimes called "paging" files) must be addressed. File attributes like name and creation/modification date remain in Windows' file allocation table after files are deleted, but this can be overcome by running a disk-defragmentation utility after deletion. Windows defrag.exe and most third-party utilities remove references to deleted files from the FAT.

File slack is another matter. Disks are divided into "clusters" into which data is written. Because very few files are exactly one cluster in size and no more than one file is written into any one cluster, there is "leftover" cluster space all over the disk. Sometimes this space is simply empty, but more often it contains the remnants of a previously deleted occupant. This can represent a real liability, depending upon what occupied the space previously. Slack space, like unallocated space, must be overwritten multiple times in order to destroy the data it once contained.
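
The behaviour described in the last two paragraphs (deleted data staying in unallocated space, and remnants surviving in the slack of a newer, shorter file) can be reproduced on a toy model. This Python sketch is an added example, not part of the original article; `ToyDisk`, the 16-byte cluster size, the sample file contents, and the three overwrite patterns are all constructed for illustration, with the multiple passes following the article's advice.

```python
CLUSTER = 16  # bytes per cluster; tiny for readability (real volumes use e.g. 4096)

class ToyDisk:
    """Constructed model of a volume: raw bytes, an allocation table, a free list."""
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.table = {}                      # name -> (cluster numbers, size in bytes)
        self.free = list(range(clusters))    # unallocated clusters

    def write(self, name, content):
        need = max(1, -(-len(content) // CLUSTER))   # whole clusters, rounded up
        used = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(used):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Only len(chunk) bytes are written; the rest of the cluster keeps old data.
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = (used, len(content))

    def delete(self, name):
        used, _ = self.table.pop(name)        # drop the table entry...
        self.free = sorted(self.free + used)  # ...and mark clusters available; bytes stay

    def _slack_range(self, name):
        used, size = self.table[name]
        tail = size - (len(used) - 1) * CLUSTER      # bytes used in the last cluster
        return used[-1] * CLUSTER + tail, (used[-1] + 1) * CLUSTER

    def slack(self, name):
        return bytes(self.data[slice(*self._slack_range(name))])

    def unallocated(self):
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free)

    def wipe(self, patterns=(0x00, 0xFF, 0xAA)):
        """Overwrite all unallocated clusters and every file's slack, once per pattern."""
        spans = [(c * CLUSTER, (c + 1) * CLUSTER) for c in self.free]
        spans += [self._slack_range(n) for n in self.table]
        for fill in patterns:
            for start, end in spans:
                self.data[start:end] = bytes([fill]) * (end - start)

def demo():
    disk = ToyDisk(4)
    disk.write("secret.doc", b"PIN 4821; acct 99887766 Zurich")   # constructed sample data
    disk.delete("secret.doc")
    after_delete = disk.unallocated()
    disk.write("memo.txt", b"hello")         # reuses cluster 0, shorter than the old file
    slack, leftover = disk.slack("memo.txt"), disk.unallocated()
    disk.wipe()
    return after_delete, slack, leftover, disk.slack("memo.txt"), disk.unallocated()

if __name__ == "__main__":
    print(demo())
```

The first three values returned by `demo()` still contain fragments of the deleted document; the last two contain only the final fill pattern, while the live file's own bytes are untouched.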

Swap files are areas of the hard drive locked and inaccessible to the user that serve as physical memory when RAM runs low. They contain all sorts of data normally processed by RAM, and without the help of a third-party utility, there's really not much a user can do to cover them up. Users can, however, limit their liability by setting the swap file to a fixed size equal to two and one-half times the amount of RAM and setting minimum and maximum sizes to the same value. That will cause the swap file to be overwritten frequently. Swap files are handled differently by each Windows OS; to determine how to change the size of your swap file, consult the help documentation for your Windows operating system or visit Microsoft's Knowledge Base at www.w3c.org/p3p.

One easy way to handle the potential liabilities of phantom files is to employ a third-party utility that takes care of all of the problems in one fell swoop. The best we've found for this purpose is Robin Hood Software Ltd.'s Evidence Eliminator (www.evidence-eliminator.com), though its power and ease of use come at a price: a single-user license is $149.95, including lifetime technical support and upgrades. Easily installed and highly configurable, the program allows users to destroy beyond recovery almost every imaginable unseen and unneeded piece of information on a Windows-based hard drive with a single click.

Another, less expensive, option is CyberScrub (www.cyberscrub.com), which describes itself as a "military grade file deletion/Internet cleaning utility." Although we have not had a chance to test it, it claims to do everything Evidence Eliminator does for $49.95.

It should be noted that both products warn that the only absolutely 100-percent sure way to destroy data is to destroy the drive itself - an impractical solution at best.