Visible Information:
Data Involuntarily Divulged
When You Use The Internet

When you visit a website, there is some information that is automatically divulged which you have little-to-no control over.  I'll try to explain here the most personal aspects of that information.

Your User Agent String

Your web browser automatically identifies itself and its operating system to websites by sending a user agent string[1].  This information isn't particularly personal, but it can be used to serve content more appropriate for your system, or to annoy you with messages like, “We see that you're using a mobile device; download our mono-tab web browser that only shows our website!”

Your current browser's user agent string is “claudebot.”  My simple detection algorithm thinks you're browsing with Unknown vt, and your operating system is laudebot.  You are not using a mobile device.

You can change the user agent string that your browser sends to servers, and there are legitimate reasons to, like when my sister-in-law's husband had to make his web browser pretend to be running on a Linux machine because of the way he was connecting his Windows PC to the internet through his smartphone.  Be aware however that doing so can break websites which put too much weight on your user agent string.

Asynchronous JavaScript Communication

A JavaScript-enabled webpage can constantly communicate asynchronously with a server and share data without the page ever reloading[2].  Thankfully, proper up-to-date browsers have good enough security that the amount of data available to this action is limited (as long as you don't install any malicious or exploitable plug-ins[3]).

Here is some of the information that this page can gather right now via JavaScript:

There's a bit more than that, but those are the most “exciting” parts.  (If you want to see what else this simple JavaScript query reveals, pull up your browser's command console, typically by pressing Ctrl+Shift+I, then enter “console.log(navigator);”.)  Each piece by itself is quite innocuous, but taken as a whole, and combined with performance measurements, namely via the HTML5 canvas element, it can actually be used to compile an identifiable profile for tracking[4].
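To see why innocuous values become identifying once combined, here is an added example (not code from this page) that counts how many visitors in a small constructed sample stand alone under each attribute and under the combination.  The records are made up, and the field names are assumptions standing in for navigator.platform, navigator.language, navigator.hardwareConcurrency and the screen dimensions.

```javascript
// Constructed sample: values a page could read from `navigator` and `screen`
// for eight hypothetical visitors (illustrative, not real data).
// `cores` stands in for navigator.hardwareConcurrency.
const visitors = [
  { platform: "Win32", language: "en-US", cores: 8, screen: "1920x1080" },
  { platform: "Win32", language: "en-US", cores: 8, screen: "1920x1080" },
  { platform: "Win32", language: "en-US", cores: 4, screen: "1366x768" },
  { platform: "Win32", language: "en-GB", cores: 8, screen: "1366x768" },
  { platform: "MacIntel", language: "en-US", cores: 8, screen: "1920x1080" },
  { platform: "MacIntel", language: "en-GB", cores: 8, screen: "1366x768" },
  { platform: "Linux x86_64", language: "en-US", cores: 4, screen: "1920x1080" },
  { platform: "Linux x86_64", language: "en-GB", cores: 4, screen: "1366x768" },
];
const ATTRS = ["platform", "language", "cores", "screen"];

// For each visitor, count how many visitors share the same values for the
// chosen attributes (the size of that visitor's "anonymity set").
function anonymitySets(records, attrs) {
  const keyOf = (r) => JSON.stringify(attrs.map((a) => r[a]));
  const counts = new Map();
  for (const r of records) counts.set(keyOf(r), (counts.get(keyOf(r)) || 0) + 1);
  return records.map((r) => counts.get(keyOf(r)));
}

// Visitors whose combination of values is shared with nobody else.
function uniqueCount(records, attrs) {
  return anonymitySets(records, attrs).filter((n) => n === 1).length;
}

// Unique-visitor count as the attributes are combined one after another.
function cumulativeUnique(records, attrs) {
  return attrs.map((_, i) => uniqueCount(records, attrs.slice(0, i + 1)));
}

for (const a of ATTRS) {
  console.log(a, "alone singles out", uniqueCount(visitors, [a]), "visitors");
}
console.log("combined step by step:", cumulativeUnique(visitors, ATTRS));
console.log("set sizes with all four:", anonymitySets(visitors, ATTRS));
```

The two visitors with identical, common settings remain indistinguishable from each other even with every attribute combined, which is why unusual configurations are the easiest to track.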

Anything you type into a webpage could be captured and sent to the server without your consent, but without the right kind of plug-in, a web page can't capture keystrokes entered outside of the browser page or snoop through your computer[5].

Your IP Address

One of the most important pieces of information automatically shared by your computer is your public IP address[6].  This is the internet address to your modem[7] (the device that connects your computer or LAN[8] to the internet).  Depending on your ISP[9], it may or may not be your static IP address[10], hence some of the debate about whether IP addresses are personally identifiable.  Static IP addresses don't change so long as the ISP doesn't change and the user doesn't move to a different location.  In any case, ISPs usually keep a record of which IP address was assigned to which customer at which time, for billing purposes if nothing else, and may even log every request you make.  (So-called “private browsing” is no defense against this because your browser still has to tell websites where to send data.)

Your current public IP address is 18.221.146.223.  Using a third-party service, I can automatically figure out the physical location of your ISP, which in most cases is the same city as your current location, usually near where you live, which explains why so many websites display those annoying adverts to “meet single people in [your city's name].”  (If you engage in any legally-punishable activity on-line, law enforcement can use a website's access logs to trace your IP address to your ISP, then demand from your ISP your home address.)

Here's what I learned about you from just your public IP address:  Your ISP is Amazon.com, Inc., which is located in Dublin, Ohio, United States 43017, in Time Zone America/New_York.  Here's a map using the latitude and longitude I got from looking up your IP address:

The above might not be 100% accurate; this method placed my ISP location in an alfalfa field the last time I checked, but it wasn't too far off.

There are ways to obscure your IP address.  One is to fake it, but that won't serve any legitimate purpose because an IP address is like a return address on an envelope in the mail; if the address is wrong, the requested information will never get back to you.

Another way to avoid identification is to use a VPN[11].  In a VPN, you connect to a chain of one or more computers that relay your requests to a website so that it sees only the IP address of the last computer in the chain instead of yours.  Data sent through a VPN are also expected to be well encrypted.

VPNs aren't quite what they should be, however.  You can pay a lot of money for a service but not receive the level of security and privacy you expect[12].  If you don't want to put your trust in the corporations, you could use a free, open-source VPN like Tor, but, never mind that you're putting your trust in a bunch of strangers, it has been shown to be vulnerable to government hacking[13].  Not only that, but in violation of The Fourth Amendment, anybody that uses a VPN is considered a criminal by the FBI and subject to being “remotely investigated[14],” because “only criminals have anything to hide” (just like anybody who closes his drapes or locks his door at night absolutely must be engaging in criminal activity[15]).

You can put one more step of obfuscation between yourself and any websites you access by using a public Wi-Fi connection, but that's still not guaranteed to hide your identity; the elusive founder of the “Silk Road,” an on-line black market, was arrested while using a public library's Wi-Fi[16].

“But I don't engage in any illegal activity on-line; I just want my privacy and security when I read e-mail or look at my bank account, so I should be alright with a good VPN, right?”  Well, you probably won't go to prison for that, but as mentioned above, the very act of hiding your digital activity with encryption is considered a criminal act by law enforcement agencies who will feel justified to violate your rights to privacy should you do anything else to get their attention[17].

No matter how good your personal digital barriers against prying eyes may be, any website administrator can be bullied into providing a government agency with user records or even building in a backdoor[18][19], regardless of legality or ethical implication[20], because the alternative is a wrongful arrest for failure to comply[21] and/or a lengthy, uphill legal battle which can easily result in the loss of one's livelihood.

Ultimately, whether or not using a VPN is worthwhile depends on the balance between risk and value.  There are legitimate uses for VPNs, such as getting around region obstruction so that you can watch a show that Netflix won't stream to your country due to distribution licensing[22][23], or reporting on corruption in the face of a totalitarian regime.

Your GPS-Enabled Device

If you're using a GPS-enabled[24] device, a website can get the global coordinates of your current location, but this action requires your explicit permission (never mind what your operating system does[25]).  However, if you upload a photo that you just took, and your device is configured to embed GPS coordinates into the photo, there's nothing to stop the website from extracting that information from the photo[26].
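Because a site can read whatever metadata arrives with the file, the practical defence is to remove it before uploading.  The following is an added example (not part of the original page) that walks a JPEG's segments and drops the Exif block, which is where cameras store GPS tags; the names stripExif and sample are hypothetical, and the sample bytes are constructed rather than taken from a real photo.

```javascript
// APP1 payloads that hold Exif data start with the bytes "Exif\0\0".
const EXIF_ID = [0x45, 0x78, 0x69, 0x66, 0x00, 0x00];

// Return a copy of a JPEG (Uint8Array) without its Exif APP1 segments,
// plus the number of segments removed. GPS tags live inside Exif.
function stripExif(jpeg) {
  if (jpeg.length < 4 || jpeg[0] !== 0xff || jpeg[1] !== 0xd8) {
    throw new Error("not a JPEG: missing SOI marker");
  }
  const kept = [jpeg.subarray(0, 2)];
  let removed = 0;
  let pos = 2;
  while (pos + 2 <= jpeg.length) {
    if (jpeg[pos] !== 0xff) throw new Error("expected marker at offset " + pos);
    const marker = jpeg[pos + 1];
    if (marker === 0xda || marker === 0xd9) {
      // SOS or EOI: the rest is image data, copy it through untouched.
      kept.push(jpeg.subarray(pos));
      break;
    }
    if (pos + 4 > jpeg.length) throw new Error("truncated segment header");
    const len = (jpeg[pos + 2] << 8) | jpeg[pos + 3]; // includes the 2 length bytes
    const end = pos + 2 + len;
    if (len < 2 || end > jpeg.length) throw new Error("bad length at offset " + pos);
    const isExif = marker === 0xe1 && len >= 8 &&
      EXIF_ID.every((b, i) => jpeg[pos + 4 + i] === b);
    if (isExif) removed++;
    else kept.push(jpeg.subarray(pos, end));
    pos = end;
  }
  const data = new Uint8Array(kept.reduce((n, c) => n + c.length, 0));
  let off = 0;
  for (const c of kept) { data.set(c, off); off += c.length; }
  return { data, removed };
}

// Constructed sample (not a decodable photo): SOI, a JFIF APP0 segment,
// an Exif APP1 segment with placeholder bytes, then SOS data and EOI.
const ascii = (s) => Array.from(s, (ch) => ch.charCodeAt(0));
const seg = (marker, body) =>
  [0xff, marker, (body.length + 2) >> 8, (body.length + 2) & 0xff, ...body];
const sample = Uint8Array.from([
  0xff, 0xd8,
  ...seg(0xe0, [...ascii("JFIF\0"), 1, 1, 0, 0, 1, 0, 1, 0, 0]),
  ...seg(0xe1, [...ascii("Exif\0\0"), ...ascii("placeholder GPS IFD bytes")]),
  0xff, 0xda, 0x00, 0x02, 0x12, 0x34, 0xff, 0xd9,
]);
```

This removes only Exif; XMP metadata, which is stored in a different APP1 segment, can also carry location and would need the same treatment.  Dropping Exif also discards the orientation tag, so some photos may display rotated afterwards.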

Data About You Stored Here

The House of Waffles only records the following data about you:

IP Address:  18.221.146.223
First Visit:  2024-04-18 13:59:56
Most Recent Visit:  2024-04-18 13:59:56
Number of Pages Viewed:  1
Last Page Viewed:  Right now it's this one
Web Page that referred you to this one:  N/A
Web Browser:  claudebot

That's some extremely rudimentary data and not very useful on a commercial level.  No third-party tracking software like Google Analytics is used here.

  1. See User agent.
  2. See AJAX programming.
  3. See What ActiveX Controls Are and Why They’re Dangerous.
  4. See Canvas fingerprinting, Canvas fingerprinting is tracking you, and you don't even know what it is, and Meet the Online Tracking Device That is Virtually Impossible to Block.
  5. Well, mostly.  See JavaScript: Security.
  6. IP address = Internet Protocol address.
  7. Modem = modulator-demodulator.  Also see What is the difference between a router and a modem?
  8. LAN = Local Area Network.
  9. ISP = Internet Service Provider.
  10. Static versus dynamic:  A static IP address is the same every time you connect to the internet, while a dynamic IP address may change frequently and could be different every time you re-connect to the internet.
  11. VPN = Virtual Private Network.
  12. See Detailed VPN Comparison Chart, How NSA-Proof Are VPN Service Providers?, and Can Commercial VPNs Really Protect Your Privacy?
  13. See How the Government Is 'Hacking' Tor, Attacking Tor: how the NSA targets users' online anonymity, and Former Tor developer created malware for the FBI to hack Tor users.
  14. See Tor and VPN users labeled as criminals will be hacked and spied by FBI under new law.
  15. See Auburn Community Upset after HOA Tells Them to Leave Garage Doors Open.  This may not be the government, but it's still the same mindset as that of Big Government.
  16. See Dead End on Silk Road.
  17. See The Government is Spying On You Through Facebook Right…Now.
  18. Apple is one of the few entities with enough resources to resist coercion by the government to add a backdoor.
  19. Germany is writing backdoors into law.
  20. Back doors are idiotically vulnerable to abuse.  See The Danger of Government Encryption Backdoors.
  21. A nurse was arrested for refusing to break the law.  This may not have been computer-related, but it was still a privacy issue.  (See also the first 8 minutes of this video.)
  22. See How to Watch Netflix or Hulu Through a VPN Without Being Blocked.
  23. To watch DVDs/Blu-rays from other regions, I recommend AnyDVD (or get a region-free player).  I have literally hundreds of legitimately purchased movies and TV shows from other countries that I ordinarily could never watch just because Hollywood wants to control my choices via region-locking.
  24. GPS = Global Positioning System.
  25. Tucker Carlson reports on how Google is Tracking Your Every Move.
  26. Three Burger King employees were identified and fired less than 24 hours after publicly posting an anonymous photo of one of themselves contaminating food before it got served to customers.  The GPS data from their photo was used to trace back to their location.  This is a case of personally identifiable data being used for good, but it also succinctly illustrates how quickly the information could be abused.