Spy on the internet

IT expert: "Somebody can always read along"

DW: Mr. Horchert, is it really the case that secret services follow my every step on the Internet?

Christian Horchert: You have to assume that American security authorities take note of all network activities - in all possible ways. One way is to duplicate the information from fiber optic cables. Another is the targeted monitoring of individual computers. Or the authorities try to get access to databases from other providers. But it is not as if someone is sitting at a desk and constantly looking at the information. They run automatically into databases and are processed further as required and the occasion. A conceivable database query would be: Who has this person communicated with in the past five years? This can be evaluated on the basis of the information collected.

But these are not the only places that record my surfing behavior?

It starts with the browser. So-called cookies provide information about the pages that you have called up. Many websites store these small files on their visitors' computers via the browser. When a page is called up, the browser transmits these cookies to the respective page, which recognizes the visitor and, among other things, learns when he was last there.

In order to be able to identify users even better, a new system is currently being established: "fingerprinting". With the help of Javascript, a character string is created from information from the browser, which is not stored on the visitor's computer but on the operator's server. You cannot delete this fingerprint like a cookie. These fingerprints are now very accurate.

Are there other devices that register my website views?

Christian Horchert: "Remain suspicious"

The router I use to access the Internet at home configures and manages the entire home network. When I log in there with my computer, the router assigns an individual IP address and also shows me the way - the route - to the Internet. In addition, the router translates the address line that I enter in the browser into an address with which the desired page can be called up. The router is a bottleneck through which all page views go. And that carries risks. If the router is taken over by an attacker, he can not only look at my way through the network, but also manipulate it. For example, the router could direct me to pages that I don't want to go to. Remote control of a router is actually common - for example through my Internet provider. An example: If the settings for dialing into the Internet change, it is much easier if the provider changes this in the router instead of burdening the customer with it. Attackers can also take advantage of this possibility of access.

What role does my internet provider play?

The internet service provider I use to access the internet naturally notices which pages I visit on the internet. However, it only saves this information if this is necessary for billing purposes. However, the provider has information about which IP address and at what time a person is in the network.

What if I use public WiFi in a café or at the airport?

It makes almost no difference whether I access the network via my router and provider at home or use a public WLAN in a café. In theory, at the end of the day, the café operator can look at the pages that his guests have accessed. Much more important for the user, however, is whether the WLAN is encrypted. In an unencrypted network, anyone who is logged on can read what I am doing on the network. That can be the host, that can also be the guest at the next table. The individual data cannot be viewed in encrypted networks.

Are website operators also interested in what else I look at online?

When I call up a website, the server of this page writes my IP address and often also the page from which I come. Information about my surfing behavior ends up here as well. In addition, there may be information about my browser, my operating system or the type of my access - whether mobile or via DSL. With this data, website operators can see what is going well, which pages are accessed and adapt their offerings accordingly.

On some pages advertising is shown that comes from a third party. This third party provider also receives data from my browser. For example, he has access to the cookies on my computer. This allows advertisements to be displayed that may be relevant to me.

Does anyone else find out which pages I visit on the Internet?

To get more information about the behavior of their visitors, many websites use the software "Google Analytics". This also transmits the collected data to Google itself. Google receives information from many pages about who has visited them. And can use this to create a profile for each user.

Does that also apply to social networks?

The information that social networks collect about me is just as extensive. Not only because I complete my profile or interact with others. Because users often stay logged in to networks, even if they have long been on other sites. If one of these pages contains a "Like" button from Facebook, for example, visitors will be recognized by this button and by a cookie. The information about this visit is transmitted to the network. In this way, Facebook knows which pages I call up on the Internet.

What tips can you give?

1. Remain suspicious

You have to keep telling yourself that access to the Internet doesn't belong to you. That someone else can read it at any time.

2. Keep software up to date

You should always keep the software on a computer or mobile device up to date. The easiest way to do this is to follow the update instructions for the respective operating system. However, it doesn't hurt to regularly find out about security gaps and, if necessary, download updates from the respective manufacturer.

3. Activate private mode

The most popular browsers offer a mode that neither creates cookies nor a chronicle. This prevents long-term data from accumulating in the browser that can be accessed by websites or attackers.

4. Install browser plug-ins

There are extensions that can be used to secure a browser. An "ad blocker", for example, not only prevents advertisements from being displayed. It is also valuable in digital self-defense because it prevents effective tracking. There is a "NoScript" extension especially for Firefox, which prevents JavaScript from being executed. But there is a catch: Many websites do not work properly without Javascript. "NoScript" must therefore be configured in such a way that it allows certain things again. This is actually unreasonable for normal users.

5. Use encrypted networks

Only encrypted networks offer a minimum level of security. Information about behavior in the network can easily be recorded from unencrypted networks.

6. Select virtual private networks

A virtual private network (VPN) also helps with anonymous and untraceable surfing on the net. These are basically self-contained networks that you also log into and that cannot be viewed from the outside. It is then no longer traceable which pages I call up. Even website operators can no longer easily recognize me. Depending on the provider and technology, such a service costs up to 15 euros.

Christian Horchert is the managing director of #link: https: //www.sektioneins.de/#, an international IT security company based in Cologne. Among other things, Section One searches for weaknesses and security gaps on the web and in mobile applications on behalf of customers. Horchert recently went to Brussels on behalf of the Renewable Freedom Foundation and the Chaos Computer Club to lobby for digital civil rights.