Do you log out of web pages or just close the window?

I notice that many of my computer support clients just close the window (or tab) when they have finished with web pages – even when the page is important and carries implications for security (such as banking sites, Amazon, PayPal, and so forth).

Is this a security risk?

It might be. If you have signed into the web page then there is definitely an implication that there’s something “private” going on, so it would probably be a good idea to get into the habit of at least considering “signing out” or “logging out” before closing the page. When you sign into a web page, that page places a cookie on your computer. When you sign out properly that cookie is invalidated. If you close the page without signing out then the cookie remains on your computer and it is just possible that it could be stolen so that someone else could log into your account.

Is it a realistic security risk?

I don’t know. I’ve been looking for some evidence that login information is actually stolen this way but can’t find any. As far as I am concerned, though, that is largely beside the point. The way that I look at it is that the potential cost of having, say, my online bank account or PayPal, or Amazon compromised is huge. Apart from the financial loss, there’s also the massive inconvenience that could be caused in cleaning the mess up (cancelling credit/debit cards, getting replacements, seeking reimbursement for fraud losses etc). It’s never happened to me, but I expect that there would also be a horrible feeling of violation – like being burgled (and I do know how horrible that feels).

How do you sign out?

It seems to have become standard practice that the “sign out” (or “log off”) button or text link is located somewhere near the top righthand corner of all web pages of the site you are signed into. If you can’t find one then click the “Home” button and look there. It’s also just possible that it’s located at the bottom of the screen amongst a lot of other links that are likely to be found there.

All of the above advice is given on the assumption that you are using your own computer or device. If you are on a public computer then it is even more important that you completely log off any sensitive site. Apart from session cookies being stolen, there is always the possibility that a public computer is infected with a “key logger” that records every single keystroke you make (including your usernames and passwords). Personally, I wouldn’t dream of logging onto my bank or even Amazon from a public computer. I can’t imagine anything being urgent enough that I would need to take the risk.

Finally, you might (rightly) think that most sensitive sites will log you out automatically if you do not use them for a period of time (ten minutes, say). Do you want to take the risk that this actually works and that no-one is going to sneak in during the ten minutes before you are logged out? Your call. As so often with computers, it’s a (largely subjective) cost/benefit analysis.
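The difference between closing the window and signing out, as an added example that is not code from the original post: a constructed, in-memory model of a site's server-side session table with the ten-minute idle timeout mentioned above. `SessionStore` and its method names are hypothetical, and time is passed in as plain seconds so the example runs instantly.

```python
import secrets

IDLE_TIMEOUT = 600  # seconds; the "ten minutes, say" from the text


class SessionStore:
    """Hypothetical server-side table of live sessions, keyed by cookie value."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # cookie value -> (username, last_seen)

    def sign_in(self, username, now):
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = (username, now)
        return token

    def authenticate(self, token, now):
        """Return the username a cookie maps to, or None if it is not valid."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self._sessions[token]  # idle too long: expire on the server
            return None
        self._sessions[token] = (username, now)  # activity resets the idle clock
        return username

    def sign_out(self, token):
        # Invalidation happens on the server; the cookie value becomes useless.
        self._sessions.pop(token, None)


def demo():
    store = SessionStore()

    # Case 1: the window is closed without signing out. The server is never
    # told, so the same cookie value is still accepted five minutes later.
    closed = store.sign_in("alice", now=0)
    still_valid = store.authenticate(closed, now=300)

    # Case 2: a session left idle past the timeout is refused.
    idle = store.sign_in("alice", now=0)
    after_timeout = store.authenticate(idle, now=IDLE_TIMEOUT + 1)

    # Case 3: signing out kills the session immediately.
    signed_out = store.sign_in("alice", now=0)
    store.sign_out(signed_out)
    after_sign_out = store.authenticate(signed_out, now=1)

    return still_valid, after_timeout, after_sign_out
```
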

Summary

Once the habit is established, it doesn’t really seem an inconvenience to log out of a website. It becomes the natural step to finish off whatever business you had with the site. I have always said that it is impossible to completely eliminate the risks of using the internet without staying away from it altogether. It’s a bit like getting run over by a bus. The only way to prevent getting run over by a bus is to stay indoors. You wouldn’t think it an “inconvenience” to look both ways before you cross a road – you just do it and, thereby, reduce the risk to an acceptable level. As far as I am concerned, the same applies to the basic, sensible steps we can take to remain reasonably safe on the internet. Signing out of websites is one of those steps.

Other pieces of advice that fall into the category of online security that I’ve mentioned before include –

Is that website genuine and safe?
Is it safe to download a file?
Reducing online shopping risks

Other links you may find interesting:

Do I really need to log out of webapps
Logging out of work computers

If you can’t find a text link that says “log out” or “sign out” or something similar, then look for an icon that is similar to the examples in this post.

The so-called “Cookie Law” came into effect on 26/05/2012.

So, what are cookies?

They are small text files placed on your computer by the website you are viewing. They are used by the owners of that website for various purposes:

  • Analysing their web visitors and what they do on the site.
  • Managing on-line shops (eg, remembering what’s in a visitor’s “shopping basket”).
  • Personalising the way the visitor sees the website (remembering preferences).
  • Tracking the online behaviour of the visitor to target advertising.

And what is the new law about?

It says that a website must seek “informed consent” before placing cookies on a visitor’s computer. This implies that the site must explain what cookies it sets and what their uses are (to ensure that the consent is “informed”), and that the user must agree to the cookies being placed (the “consent” part).

How will websites comply?

Aah, now it gets difficult. It’s been estimated that only about 5% of sites that need to comply have done anything about it. This is probably because no-one wants to use the most obvious solution. This is the introduction of a popup window explaining about consent and requiring the user to click on a button, thereby granting consent to place cookies. It would seem that everyone is watching everyone else to see who comes up with a better way of dealing with this.

And why is it stupid?

It will alienate web visitors rather than help them. They have to click to confirm acceptance of cookies EVERY TIME they visit a site. This, of course, could be repeated dozens of times a day as the visitor goes to different sites.

It’s about as blunt a tool as you can imagine. You won’t get to choose which type of cookies you accept or what the website can do with your cookies or anything like that. It’s simply a question of the website saying (in effect) “if you want to use this website you’ll have to agree to accept ALL the cookies I place on your computer”.

No-one’s going to take the slightest bit of notice of the information that websites will have to provide to ensure that consent is “informed”. Do you EVER read the “terms and conditions” that you have to agree to before you can install/update software? Of course not. It won’t be any different with information about cookies.

There are better ways of dealing with the privacy issues connected with cookies. Settings in the browser (Internet Explorer, Firefox etc) are better placed to deal with cookies in a way that suits the individual user (eg, by deleting all cookies when the browser is closed, denying acceptance of “third party” cookies, etc).

Even the authorities appear to think it’s stupid

The government has said that their own websites do not conform.

The ICO (Information Commissioner’s Office) is responsible for enforcing the new law, but even they appear to be saying “don’t blame us, it’s not our fault” when they say “The Information Commissioner is responsible for enforcing the law, and can’t change the legislation which was passed by the EU, and later implemented by the Department for Culture, Media and Sport (DCMS).” (source).

There is evidence that the government is already trying to wriggle out of having to enforce this law by suggesting that all that websites need to do is rely on the idea of “implied consent” – ie, all the website owners have to do is – nothing. The ICO site says “Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.” The ICO guidance booklet states that “implied consent” can be inferred from the mere act of visiting a website and moving from page to page! Honestly. I kid you not. Page 7 says “For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.” Duh!

See this Guardian article for further information on implied consent.

Conclusion: Like almost everyone else, I am not rushing into ruining my website by forcing visitors to respond to popup messages. I am recommending to my own computer clients that they don’t spend time and money making their own websites compliant at the moment as the ICO have made it clear that they are not going to be fining anyone in the foreseeable future.

If you get annoyed by such popups on other sites, please have some sympathy for the site owner: they’re just trying to conform to a stupid law introduced by the same government that brought us Pastygate!

And just in case you’re inclined to defend this law by saying it’s only the UK enactment of an EU Directive, then I suggest reading the Guardian article referred to above: it appears that the rest of Europe is not taking this Directive seriously.

Here’s an online petition calling for the scrapping of the cookie law.

We may be fighting a losing battle with online privacy. As mentioned in last week’s blog on Internet Privacy, companies like Google, Facebook, and Amazon hoover up every crumb of information they can glean about us and use it to target us with ads and content that they think will appeal to us. As far as I know there isn’t any perfect strategy for maintaining online privacy, but there are lots of small things we can do that will certainly help.

I’m not concerned here with security on the internet as it relates to the safety of children, or trying to hide our identity so that we may be completely untraceable. I’m just trying to keep down the amount of unnecessary information we give to the likes of Google. These tips are equally valid in a home computer or business computer environment.

So, here are some tips. They’re not listed in any particular order. Some are easier to put into practice than others:

  • Create another email account that you never intend to use for “real” email. Don’t include your own real name in the account name and don’t give real data when completing the compulsory items of information in the account profile. Quote this email address on any websites that demand you supply one and where you don’t expect a normal, ongoing, email exchange (since you don’t want to have to keep checking this account for incoming emails). Having an “anonymous” account like this also helps in keeping spam out of your main email account.
  • If a website demands that you give personal information that is not connected with a financial transaction nor has other legal implications, then LIE. I will NOT give my real address or date of birth online when there is no legitimate NEED for it (and there are few legitimate needs except the protection of the other party in financial transactions). If I am entering a compulsory date of birth on a website where this is “relevant” (but not essential for financial reasons) then I enter a date that is close to my own (so that it makes no difference for the legitimate purposes of the website) but from which I can not be traced.
  • When filling in online forms, exercise judgement in completing any item that is not marked as compulsory (usually indicated by an asterisk or written in red). If they don’t require you to give a date of birth then why would you? If an item is compulsory but impertinent then LIE.
  • Don’t click on any “like” buttons in Facebook or anything similar (eg in Google).
  • Don’t take part in online quizzes or polls.
  • Preferably, don’t use Facebook at all. If you are a Facebook user and have any concerns at all about the privacy of your data, read this article about Facebook’s attitude to privacy.
  • If you’re still keen to use Facebook, go through all the settings and mark everything private except what you explicitly wish to share.
  • If you use LinkedIn, do not click on ads without first changing your privacy settings to exclude monitoring your activity re ads.
  • Do not use Gmail or any of its branded versions (I think Virgin’s webmail is one of those). Google reads your emails and bombards you with “appropriate” Google ads (sponsored links). See last week’s blog on Internet Privacy.
  • If you must use Gmail, at least ensure that you sign out when you are not actually using the email as Google records everything you do in your browser if you are logged in as a Gmail user. They then use this info to target you with Google ads. I also sign out of other sites, such as Microsoft Live, as soon as I’ve finished with them.
  • Disable or remove browser add-ons that place “toolbars” and/or “search boxes” at the top of your browser. These often have tracking software in them. Incidentally, your browser performance will also be improved by doing this and your browser screen will be less cluttered.
  • Be very careful about “linking” any social networking site to any other (by giving any of them permission to access others). You might add data to one program, believing it to be private, forgetting that you have linked it to another program that sucks in what you thought was private data and spits it out somewhere more public.
  • Set your browser so that all cookies are deleted as soon as you close the browser (but this has implications – read on).
  • Set your browser to delete your browsing history as soon as you close your browser.
  • Set your browser to disallow third party cookies.
  • Turn off Amazon browsing history.
  • If you use Firefox or Chrome as your browser then you can install AdBlock Plus. This will stop most ads from appearing while you are browsing.
  • If you use Firefox, another excellent add-on is Better Privacy. This deletes the “flash cookies” that are placed on your hard drive by Flash Player. Flash cookies (also known as LSOs – Locally Stored Objects) are not removed or blocked along with other cookies.
  • Do not be misled into thinking that “private browsing” will give you any protection. It does suppress evidence on your own computer but it does not prevent sites you visit from recording your activity. Nevertheless, it may help to turn it on.
  • More technical ways of throwing websites off your scent include using proxy servers and using a dynamic IP address.
  • If you want to make an online purchase from a website that you don’t completely trust, you can use a prepaid Mastercard. This will limit your financial exposure to the value on the card and will also keep all your personal information from the website.

As if all this wasn’t already a nightmare worthy of a Kafka novel, some of these measures nullify others. You can turn off Amazon’s “browsing history” and, similarly, stop ask.com from retaining your history but the instructions to turn these off are held in cookies so if you delete cookies (as recommended above) you’re back to square one with these two sites. Doh!

Some of the tips above are easy to carry out and others less so. I haven’t attempted to give specific instructions (eg for different versions of different browsers) as it would just take too long.

If you’d like some help in tightening up your online privacy, contact me to arrange either a computer support visit or some online remote support.

Remote Support may be suitable for this topic

© 2011-2014 David Leonard
Computer Support in London