In this chapter:
Electronic Footprints
Cookies
Online Anonymity
Anonymous Email Communications
Establishing an Undercover Online Persona
The element of surprise is essential in most
investigations. What many novice Internet users fail to realize is that
visiting a website allows the owner of the website to view certain
characteristics about you that often divulge your
identity. To keep your identity secret, it is important to engage
in safe surfing practices.
To see what others can learn about you just from
your visit to a website, obtain a free analysis from
Privacy.net.
With this information obtained, anyone can
look up your registration information (Smith, 1998). If your internal network is
protected by a properly configured firewall, your individual computer’s
Internet Protocol (IP) address will not be
visible to the Web. However, your corporate network’s IP address may be
visible. With that information, a savvy user can identify which company
you work for and maybe where you are physically located.
For a more comprehensive review of IP addressing,
see
Understanding IP Addressing: Everything You Ever Wanted To Know
(3Com Corporation, 2001).
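As an added illustration (not part of the original chapter), the sketch below parses web server access-log lines to show what a site owner records about each visit and how two workstations behind one firewall appear under a single corporate address. The log lines, hostnames and the function name `visitor_footprints` are constructed for this example, and the Apache "combined" log format is an assumption about the target site.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format. Addresses come from
# the documentation ranges; hostnames and paths are made up for illustration.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2003:09:14:02 -0500] "GET /products.html HTTP/1.1" 200 5120 "http://intranet.example-corp.test/cases/4471.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.10 - - [12/Mar/2003:09:20:45 -0500] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
198.51.100.77 - - [12/Mar/2003:10:02:11 -0500] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; U; Linux i686)"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def visitor_footprints(log_text):
    """Group what the site owner sees by source address."""
    seen = defaultdict(lambda: {"hits": 0, "agents": set(), "referers": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        entry = seen[m["ip"]]
        entry["hits"] += 1
        entry["agents"].add(m["agent"])      # browser and operating system
        if m["referer"] != "-":
            entry["referers"].add(m["referer"])  # page the visitor came from
    return dict(seen)

if __name__ == "__main__":
    for ip, info in visitor_footprints(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["agents"]), sorted(info["referers"]))
```

In the sample, the first two visits come from different machines (different browser strings) yet share one address, which is the firewall's public IP; the first also discloses an internal page through its referrer.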
Cookies are small text files saved on a local
computer that contain information generated by websites based on user
interaction (Webopedia, 2003, Cookie). Some websites use them to enhance the browsing experience
and many sites do not work properly unless a browser is configured to
accept them. Cookies are incredibly useful and allow websites to
confirm and remember a user's identity, preferences, and past browsing
history. This makes targeted delivery of web content possible and is a
great feature of many websites. For example, if a user enters a
zip code on a weather website, the user will see a local weather report
every time they visit that site if a cookie stores the zip code
information.
Cookies can, however, be used for less desirable purposes
and may be a privacy concern (Privacy.net, N.D., Bake). Since they
store information about a user's surfing preferences, activity, and
possibly more sensitive data, it is important to actively manage
cookies. Most browsers have a default setting to accept all cookies.
Cookies can be managed in one of two ways: with third-party software or
via the Internet browser. Third-party software can be purchased to
manage cookies and many common security utility software packages
include cookie-management utilities. This option provides the most
flexibility. Alternatively, to manage cookies via a browser,
change the browser's options or preferences to not accept cookies or to
ask permission before accepting a cookie.
There are several ways to cloak your identity when
surfing online. One method is to obtain Internet access through an
Internet Service Provider,
independent of your employer. However, it is not a good idea for the
Internet service plan to be traceable back to you as an individual. Law
enforcement entities can set up fake identities for the
sole purpose of obtaining independent Internet service. Private sector
investigators do not have that luxury.
Other solutions involve masking a real Internet
account and IP address. The simplest method is to utilize a proxy
service. Web-based proxies allow users to enter a destination Web
address and
then filter the data through their service so that the target sees only
the anonymizer service information and not the identity of the user. There are
advantages to using these types of services: some are free,
all are available online and do not require installation of any software
so they generally work regardless of your computer system
configuration. The free versions result in some performance
degradation and many offer additional pay services for full bandwidth.
Since most proxies encrypt your browsing sessions, they allow users to
skirt the firewall filtering many companies put in place to keep
employees from viewing unauthorized material from their work computer. Because of this, many
companies filter the sites used to access proxies. Contact a
representative from your information technology (IT) department to
assist with this type of service.
Lastly, there are software packages available for
purchase that provide the same functionality. These must be installed
on a local computer or network to operate and need to be configured
appropriately. In the private sector environment, this solution usually
requires buy-in from purchasing and procurement, IT services and Information
Security departments and, as a result, can be more difficult to
implement.
Email communications are also traceable. The header
information contained in an email provides detail about where the
message originated and the path it took to arrive at the recipient’s
inbox (Privacy.net, N.D., Being Traced). Anonymous email remailers exist which can be used to send
anonymous email to anyone. For a sample list of these services, check
the Google Directory.
Anonymous email can be useful for investigators to send anonymous
messages to others. However, the problem with this method is that it is
only effective as one-way communication. Anonymous email does not allow
the recipient to reply to the originator. There are some exceptions
where a third party remailer will act as an intermediary between two
individual email accounts. This method is frequently used by personal ad and
dating websites to protect the identity of members until both
communicating parties agree to exchange identifying information. If repeat or reply communication is needed, it is
preferable to set up an email account with an undercover persona.
By establishing an online identity, an investigator
can effectively communicate and interact with individuals, businesses,
and web services without compromising the element of surprise. When
utilizing an undercover identity in the online world, it is best to do
so via the use of an anonymizer service, thus masking the investigator's
true location. Setting up an identity is a four-step process:
establish a persona, obtain an email account, sign up for other services,
and manage the identity.
Establish a Persona
Depending on what information is needed and how the
identity will be used, it is necessary to prepare some information
before embarking on the remaining steps in the process. Generally, the
following information will be necessary to proceed:
1. Name (First, Last, Middle Initial) and Sex
2. City, State, and Zip code
3. Date of Birth / Age
4. Occupation
Consider how the identity will be used. If there
will be direct communication with a target or suspect, consider how that
individual will respond to a male versus female identity. Choose a name
carefully. Common names like John Smith are not effective as they
are too obviously vague. Likewise,
extremely unusual names can draw unwanted requests for additional
personal information, like inquiries about nationality or personal
family history. Make sure the city, state, and zip code match
because some registration applications verify that the city and zip code
refer to the same location. A physical address is generally not
necessary for most scenarios but it can be helpful to be familiar with
the area chosen in case discussions about local geography develop.
Carefully consider the date of birth to ensure that the age is
appropriate for the identity. Also consider how others who will be
recipients of communications from the identity will respond to an
individual of a given age. Make sure that the age matches the date of
birth correctly, taking into account any leap year complexities. Take
note of any holidays which fall on the date that is chosen. It is best
to avoid choosing major holidays as birthdates as these will likely
result in more unwanted questions. Also, remember to keep track of the
age of your identity; it changes every year! Choose an occupation that is appropriate
for the purpose and consistent with the other aspects of the identity.
Making a 16-year-old girl the CEO of a Fortune 500 company is not
recommended. Avoid company names unless absolutely necessary. Often,
only a vague occupational description is required for registration, with “Consultant” or
“Student” among favorite choices. Avoid titles which indicate extensive
knowledge in a subject area, especially if you are not knowledgeable.
While “Software Developer” is sufficiently vague, “Visual Basic
Programmer” implies specific knowledge. Also avoid titles that require
or often are associated with particular certifications. For
example, a “Database Administrator” would likely have a vendor
certification of some type.
After this information is established and recorded
for future reference, some thought should be given to other aspects of
the identity. Examples of items to consider are:
- Education – What level of education has been completed?
- Computer skill level – This person should not be more skilled than you are!
- Activity & Frequency – How often will this person be online? In chatrooms?
- Hobbies or Other Interests – Are there any other aspects of the identity that could be useful: illnesses, sports activities, travel experience, etc.
Obtain an Email Account
The first web stop that this new “person” needs to
make is a free email service provider. Hotmail or
Yahoo! Mail are common choices. When setting up a free email
account, carefully choose an account ID as this will be used in the
email address itself. Account IDs and associated email addresses must
be unique. Common configurations like FirstnameLastname (e.g. JohnSmith)
are usually unavailable because they have already been secured by
another user. Consider using numbers (e.g. Johnnie42) or alternative
spellings (e.g. HockeePlaaer) to produce a unique ID. The email account
is the basis for the identity. Cautiously choose whether or not to have
the email account listed in the directory, the email equivalent of a
phone book. Once the address has been
created, log in to verify that the address works, check any new user or
welcome messages which may contain details about account usage, and
adjust account options to the preferred settings. Take note that
using a free email service does not provide total anonymity. Email
headers even in mail generated by these free services may contain
information linking you to your Internet Service Provider (Privacy.net,
N.D., Being Traced). It is best to use these accounts in
combination with some form of proxy software.
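The header tracing described under Anonymous Email Communications and in the paragraph above can be seen in a short added example, which is not part of the original chapter: it reads the Received chain of a message and reports the relay path and the apparent originating address. The sample message, hostnames and the function name `trace_path` are constructed for illustration; `X-Originating-IP` is a header some webmail services have added to outgoing mail.

```python
import re
from email import message_from_string

# Constructed sample message: hosts and the account are made up, and the IP
# addresses come from the documentation ranges.
SAMPLE = """\
Received: from mx.recipient.test (mx.recipient.test [192.0.2.25])
\tby mailstore.recipient.test with ESMTP id A1; Wed, 12 Mar 2003 10:15:09 -0500
Received: from out3.freemail.test (out3.freemail.test [198.51.100.40])
\tby mx.recipient.test with ESMTP id B2; Wed, 12 Mar 2003 10:15:07 -0500
Received: from web-frontend (unknown [203.0.113.10])
\tby out3.freemail.test with HTTP; Wed, 12 Mar 2003 10:15:05 -0500
X-Originating-IP: [203.0.113.10]
From: johnnie42@freemail.test
To: someone@recipient.test
Subject: hello

body
"""

# "from <host> (... [<ip>]) by <host>" as written by common mail servers.
HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9.]+)\].*?by\s+(\S+)", re.S)

def trace_path(raw_message):
    """Return (hops oldest-first, apparent origin IP or None)."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received line, so headers read newest-first.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    # Only Received lines added by servers the recipient trusts are reliable;
    # earlier lines and X- headers are under the sender's control.
    origin = msg.get("X-Originating-IP", "").strip().strip("[]")
    if not origin and hops:
        origin = hops[0]["ip"]
    return hops, origin or None

if __name__ == "__main__":
    path, origin = trace_path(SAMPLE)
    for hop in path:
        print(f'{hop["from"]} [{hop["ip"]}] -> {hop["by"]}')
    print("apparent origin:", origin)
```

In the sample, the oldest hop carries the sender's own connection address, which is why a free webmail account alone does not hide the Internet Service Provider.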
Sign Up For Other Services
With an active email account, a user can sign up
for myriad other services. Depending on what the needs of the
investigation are, it is recommended that the investigator subscribe to
many of the common Internet services. Often premium access is afforded
only to members. For example, with many services like America Online or
eBay, searching for a member profile is allowed only for active
members. Therefore, it is important to establish membership with the
covert identity and email address previously created. IDs and passwords
need to be chosen according to the same parameters described above for
an email account. Services that an investigator may wish to register
for include: eBay, Yahoo! Groups, AOL Instant Messenger (AIM), and ICQ.
It is common for sites that require registration to
send a confirmation email to your active email account, providing you
with an additional one-time access code that needs to be used for your
first sign-in. This ensures that the service has obtained a valid email
address from the user and is the reason that investigators should set up
an email account first. Check the email account soon after registering
with these other services to see if any action is required to complete
the registration process. Then log in to the services and adjust the
user options to the preferred settings. Become familiar with the layout
and functionality of the service, member profile system, and most
importantly, search options. Use access to view other member profiles,
access account histories or transact and communicate with other users as
part of an investigation.
Manage the Identity
After setting up the accounts, the investigator
needs to manage them. The most essential requirement is to regularly
check all email accounts associated with the covert identity that has
been created. This is necessary for two reasons. First, unsolicited
commercial email, or spam, floods inboxes. Most free email
providers like those mentioned above have mailbox size limitations.
Once the mailbox is full, new messages will no longer be accepted. It
is important to empty the mailbox from time to time to ensure that
desired communications are able to be received. Second, people may send
mail to the address. Though an investigator may not be expecting it, a
target or subject of an investigation may send an email. The email
address may have made its way to others who could be sending important
messages. To keep up the authenticity of the identity it is important
to maintain regular communication.
Keep in mind that the identity being used should
age appropriately over time. Changes in employment, marital status, and even
hobbies should be tracked. Each investigation has a different set of
circumstances and requires varying degrees of involvement. One
preferred method is to keep one identity for lookup purposes only.
Use this identity only to view profiles or gather information but not to
communicate or interact in any way. Use other identities for email, chat, messaging,
newsgroups, listservs, and so on. Finally, remember to retire an identity
after it has served its purpose. While it is possible to reuse accounts
and IDs several times for separate investigations, reusing accounts for separate purposes can have unintended
consequences. Remember that geographic distance is not a reliable
reason to assume that two people do not interact with each other
online. Most accounts, including email, will become inactive and then
terminate after a certain period of time. Be aware of these thresholds
to avoid premature termination.
Important Note:
It is extremely important that users read and fully understand the terms
of use and subscriber agreements associated with all services.
Investigators should take care to ensure that their actions do not
violate the terms of these agreements. The author does not condone
usage of any service outside the terms of the subscriber agreement.