Picture the scene: you are innocently surfing the web, working on the research for your next assignment and generally minding your own business. But did you ever stop to consider what your innocent little surf has just divulged about your computer and your location?

It is not unusual for a story to be based wholly on material gleaned from email and other online sources, often on sensitive subjects. By booking a holiday using your credit card one minute, and then carrying out background research on some shady internet community the next, journalists are mixing a cocktail of personal and professional online activity. If part of your online life is compromised - all of it may be threatened.

Have a quick look at Browserspy or Showmyip to understand what website owners can find out about you using nothing more than your internet connection.

Defending your privacy is not something that can only be achieved through the right software and a good firewall. Often your best defence is common sense and a canny understanding of hacking and criminal technique.

Criminal networks are increasingly using 'social engineering' to trick internet users into divulging passwords and security information. In 2006, Myspace users who clicked on what they thought were legitimate links were actually carried to a criminal site designed to obtain personal data. A slip you make in your lunch hour on a social networking site may therefore compromise months of painstaking research.

Bear in mind that you may not be the only person with a stake in your privacy and security. "When a reporter promises confidentiality to a source, he or she should be prepared to take whatever steps are necessary to make sure that the identity isn't revealed, whether deliberately or through carelessness,' Knight Chair in Journalism at the Cronkite School of Journalism & Mass Communication at Arizona State University, Stephen Doig, told Journalism.co.uk.

A series of remarkable challenges to the principle of freedom of online expression have been made in the US in the form of lawsuits known as 'cyberslapps'. This occurs when corporations or public figures attempt to intimidate or reveal the identity of people who criticise them online. These lawsuits tend to work because they target people who cannot afford the legal costs of opposing them.

The subpoenas involved often require ISPs to reveal personal information. According to cyberslapp.org, a coalition involving the American Civil Liberties Union, the Electronic Frontier Foundation and Public Citizen among others, ISPs may reveal your personal information in response to a subpoena before you know about the legal action.

Privacy International and the Electronic Privacy Information Center (EPIC) state that the 'current privacy picture in the UK is decidedly grim'.

This is partly down to the electronic surveillance allowed under the Regulation of Investigatory Powers Act 2000, which places an obligation on 'Communication Service Providers' to provide 'a reasonable interception capability'. In 2003 there were 1,983 warrants for interceptions issued in England and Scotland under the Act. Privacy International says these surveillance powers, coupled with moves towards a national ID scheme and weak Freedom of Information (FOI) legislation, mean the UK is the worst-performing western democracy in its 'surveillance league table'.

Your privacy and professional security may be vulnerable in ways that were scarcely imaginable just a few years ago.

Do you think you can be traced by a simple document from your office? Most people would not think so. But the reality is that the US government managed to persuade many desktop printer makers to deploy technology that encodes documents (using tracking dots) in a way that identifies individual machines. According to the Electronic Frontier Foundation, no law exists to prevent authorities from using the technology to compromise privacy. It also says that other governments are using the technology in surveillance operations.

While there are good reasons why journalists need to take even more care online, there are also ways they can take advantage of new services and technology to defeat the crooks and avoid surveillance.

One way of combating laptop theft, for example, is subscription to a service that helps you recover your stolen computer when it is next connected to the internet. See the Undercover service for Macs and the PCPhoneHome equivalent for PCs.

Another remarkable service that enables Mac users to detect unwanted outbound connections and 'network parasites' is Little Snitch. Other helpful tools and sites are listed below.


Most people are surprised about how vulnerable email is to eavesdropping and surveillance. While it is very hard for an 'outsider' to access your mail while it is in transit, your email is at risk at both ends of its journey.

An 'insider', such as someone at ISP level or in one of the networks through which your email travels, can access and even edit email content. Through 'social engineering', someone may gain access to your ISP account or access an unencrypted WiFi network. The recipient of the email may be equally vulnerable and any interception will access the 'plain text' content of ordinary email.

One of the best things you can do, therefore, is to encrypt your sensitive email communication and one of the best solutions is the desktop package for home offices available from PGP. It is PC and Mac compatible and works with a range of popular email clients such as Microsoft Outlook 2007, Qualcomm Eudora 6.2 and Apple Macintosh's Mail.

Unencrypted WiFi

If you set up a wireless network and a wireless internet connection, then your router will probably give you an option of encrypted access. Use it. Unencrypted or poorly configured wireless networks are frighteningly common. "Most people who buy a WiFi router for home don't bother to set up strong encryption," says Stephen Doig. "When I turn on my laptop at home, I can see half a dozen other WiFi signals nearby, most of them wide open."

You should also never use an unencrypted WiFi connection that you stumble upon by chance when you are on the move. These can be 'honey pot' networks that are left open with the aim of luring people into using a conveniently open connection. While your connection is free, your traffic will have no privacy.

Search engines

Most people are surprised to learn that all of the major search engines maintain a record of your search string history. If you have an account with a search engine (for example if you use Google's Gmail) then your history will be directly linked to your name. But even if you do not have an account, your history may be linked to your IP address.

In 2006, AOL accidentally disclosed the records of more than half a million users long enough for the data to be copied and made available from a variety of sources. Some companies defend the logging of search strings, claiming they are developing 'hyper personal' search results based on your interests. But privacy campaigners say the safeguards and privacy policies are far too lax.

To avoid compromising your privacy:

• Do not put personal information in search strings. For example, do not search for your own credit card number or your address.

• Be aware that your search history will be logged to you personally if you create a search engine account. If you do create an account, modify your search behaviour and delete your search history if you can.

• Consider using other tactics such as blocking cookies or browsing anonymously (see below).

For more information on protecting your online search privacy, see the EFF page on search engine privacy.

Social networking

Networking sites such as Myspace and Facebook are grist to the mill for people involved in the media industry, but you need to maintain your caution to defend your privacy. Social network sites are increasingly being targeted by attackers who set up 'phishing scams' (see below).

You need to configure your privacy settings carefully or avoid adding any sensitive information and be careful about how much you reveal to new 'friends'. A common 'social engineering' form of industrial espionage is to befriend someone online just long enough to get them to reveal insider information, the EFF says.


The practice of defrauding people by tricking them into divulging access passwords to banking sites and other private information has seen phenomenal growth. The number of unique phishing sites detected by the Anti-Phising Working Group rose to 55,643 in April 2007. These phishing scams hijacked 172 different brands as cover.

Typically these scams involve fake emails inviting people to change their passwords or PIN numbers either in direct response to the email or via counterfeit web pages. These attacks have grown in sophistication and complexity and sometimes involve very detailed counterfeit websites that mimic banks, credit card companies and other organisations. What surprises many people is that this counterfeiting can, and often does, involve a fake URL - in other words the URL that appears in the browser looks perfectly normal but, in reality, takes the user to a scam site.

If you fall victim to these scams, your entire online identity can be put at risk. For information about how to spot phishing emails and fake websites see:

Get Safe Online and follow the links to Avoid criminal websites.

• The Anti-Phishing Working Group consumer advice page.

Avoid monitoring and surveillance

Marketing firms monitor web use using 'cookies'. These are small text files that sites place onto your computer that can enable the site owner to monitor your web activity. Most are only accessible to those site owners who placed them; others can be used by marketing companies to track your general web browsing.

While it is tempting to block all cookies in order to defend your privacy, cookie use is so widespread that many sites are difficult to use without them. EFF recommends configuring your browser to allow only 'session cookies'. This means that the useful cookies are enabled while the ones that can be used to track your history will expire at the end of your browsing session. But you must remember to quit your browser regularly. For more information about configuring your browser to disable cookies, see this EFF page.

If you do not set your computer to allow only 'session' cookies, then Stephen Doig recommends purging them on a daily basis using your own browser's tools. For more options for managing cookies see this page.

But managing or blocking cookies does not hide your IP address from website owners. One way to defend your work is to find a secure way to browse anonymously. Two of the best options are Tor and Anonymizer.

Free daily newsletter

If you like our news and feature articles, you can sign up to receive our free daily (Mon-Fri) email newsletter (mobile friendly).