<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Security &#187; search engine</title>
	<atom:link href="http://muwww-new.marshall.edu/infosec/tag/search-engine/feed/" rel="self" type="application/rss+xml" />
	<link>http://muwww-new.marshall.edu/infosec</link>
	<description></description>
	<lastBuildDate>Fri, 26 Apr 2013 19:57:08 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Privacy and Search Engines</title>
		<link>http://muwww-new.marshall.edu/infosec/privacy-and-search-engines/</link>
		<comments>http://muwww-new.marshall.edu/infosec/privacy-and-search-engines/#comments</comments>
		<pubDate>Fri, 15 Oct 2010 15:29:02 +0000</pubDate>
		<dc:creator>Anna Banks</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[search engine]]></category>

		<guid isPermaLink="false">http://muwww-new.marshall.edu/infosec/?p=1906</guid>
		<description><![CDATA[Most of the search engines record, store and share your data]]></description>
				<content:encoded><![CDATA[<p>Google states its mission as organizing the world’s information and making it universally accessible and useful. Behind the stated mission there is also an unstated business goal &#8211; to gather many types of information about its users’ online activities. Google and most of the other search engines (Yahoo, Bing, Ask, AOL Search, AltaVista, Fast, Gigablast, and Netscape Search) retain search data and metadata regarding searches to log your browsing habits and build a profile of who you are and how you live your life.</p>
<p>You should be aware that search engines:</p>
<ul>
<li>record your private information</li>
<li>store your private information</li>
<li>share your private information.</li>
</ul>
<p>Can they do it without your permission? Yes, anytime you use one of these search engines you give them consent to retain your personal data. Read through the terms of service and privacy policy for each of the search engine services you are using. Understand how they process your personal information before you give them your consent to store, share and pass your information to third parties. Google’s Privacy Policy describes how they treat personal information when you use Google’s products and services: (<a href="http://www.google.com/privacypolicy.html" target="_blank">http://www.google.com/privacypolicy.html</a>)</p>
<p><strong>What data is retained and stored by the search engines:</strong><br />
Google uses deeply linked cookies that auto-renew every two years. Each of these cookies has a globally unique identifier (GUID) and can store search queries every time you search the web. Google does not delete any information from these cookies. Therefore, if a list of search terms is given, Google can produce a list of people who searched for those terms, each identified either by IP address or Google cookie value. If an IP address or Google cookie value is given, Google can also produce a list of the terms searched by the user of that IP address or cookie value.</p>
<p><strong>Types of information retained:</strong></p>
<ul>
<li>Log information – When you access Google services, their servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your web request, Internet Protocol (IP) address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser.</li>
<li>Location data – Google offers location-enabled services, such as Google Maps for mobile. If you use those services, Google may receive information about your actual location (such as GPS signals sent by a mobile device) or information that can be used to approximate a location (such as a cell ID).</li>
<li>Services such as Google Toolbar and Google Web Accelerator send the uniform resource locators (URLs) of web pages that you request to Google. When you use these services, Google will receive and store the URL sent by the web sites you visit, including any personal information inserted into those URLs by the web site operator. For example, when you submit information to a web page (such as a user login ID or registration information), the operator of that web site may embed that information – including personal information – into its URL (typically, after a question mark (?) in the URL). When the URL is transmitted to Google, servers automatically store the URL, including any personal information that has been embedded after the question mark. Google does not exercise any control over these web sites or whether they embed personal information into URLs.</li>
</ul>
<p><strong>What you can do to protect your information</strong></p>
<p>Good news! Some things are still in your control:</p>
<ol>
<li>Delete Google cookies when you close your browser or use an application like CCleaner that supports the cleaning of temporary internet files and cookies and other potentially unwanted files left by certain programs. Download it free: <a href="http://www.piriform.com/ccleaner/" target="_blank">http://www.piriform.com/ccleaner/</a>.</li>
<li>Use the Google Analytics Opt-out Browser Add-on. The add-on communicates with the Google Analytics JavaScript to indicate that information about the website visit should not be sent to Google Analytics. If you want to opt out, download and install the add-on for your current web browser. This add-on is available for Internet Explorer (versions 7 and 8), Google Chrome (4.x and higher), and Mozilla Firefox (3.5 and higher): <a href="http://tools.google.com/dlpage/gaoptout/" target="_blank">http://tools.google.com/dlpage/gaoptout/</a>.</li>
<li>Do not use the same company for your search engine that you use for your email (e.g. Google Search and Gmail); instead, use Google Search with Yahoo Email or MSN Email.</li>
<li>Do not use any of these search engine companies if at all possible. Have an email account that is not associated with any of them. There are several search engines that do not track your activities:
<ul>
<li>Ixquick (<a href="http://www.ixquick.com/" target="_blank">http://www.ixquick.com/</a>) also known as Startpage (<a href="http://www.startpage.com" target="_blank">www.startpage.com</a>) search engine &#8211; focuses on delivering great search results with the best possible privacy. Ixquick/Startpage has the industry&#8217;s leading Privacy Policy: No recording of users&#8217; IP addresses. No identifying cookies. No collection of personal data. No sharing personal data with third parties. Offers secure encrypted connections and a free proxy service that allows anonymous browsing of websites.</li>
<li>No personally identifiable information is required by Yippy (<a href="http://clusty.com/" target="_blank">http://clusty.com/</a>). This means Yippy never seeks any information related to your name, telephone number, address, or even your email address unless you request a Yippy Service where that information is required. Yippy is intended to be an anonymous service.</li>
<li>Proxify (<a href="https://proxify.us/" target="_blank">https://proxify.us/</a>) is a web-based anonymous proxy service which allows anyone to surf the Web privately and securely. Through Proxify, you can use websites but they cannot uniquely identify or track you. Proxify hides your IP address and its encrypted connection prevents monitoring of your network traffic.</li>
</ul>
</li>
</ol>
<p>Courtesy of <a href="http://hakin9.org/" target="_blank">Hakin9 IT Security Magazine</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://muwww-new.marshall.edu/infosec/privacy-and-search-engines/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Web Servers Are Not for Secure File Storage</title>
		<link>http://muwww-new.marshall.edu/infosec/webservers/</link>
		<comments>http://muwww-new.marshall.edu/infosec/webservers/#comments</comments>
		<pubDate>Sat, 11 Sep 2010 13:17:09 +0000</pubDate>
		<dc:creator>Anna Banks</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[search engine]]></category>
		<category><![CDATA[sensative data]]></category>
		<category><![CDATA[web server]]></category>

		<guid isPermaLink="false">http://muwww-new.marshall.edu/infosec/?p=194</guid>
		<description><![CDATA[Avoid saving sensitive information in a web server directory]]></description>
				<content:encoded><![CDATA[<p>One of the more common information security incidents is the inadvertent release of sensitive data via a public website. This often occurs when an individual with web-publishing rights saves one or more documents into a web server directory thinking that it&#8217;s protected and not explicitly published.</p>
<p>The web publishing environment in most higher education institutions tends to be highly distributed. This distributed web environment is such that departments frequently manage their own web resources with their own staff. It is common to have hundreds of top-level websites containing numerous sub-site directories which are then managed by many people who have write-access to the web server.</p>
<p>The problem occurs when web publishers save files in their web directories not realizing that these documents and folders are public and can be viewed by anyone on the Internet. They believe that because they have to authenticate to save/upload the files, the files in the directory are also password-protected for web viewing. Every so often people use web directories as personal file storage to back up their PC or as a convenient file share.</p>
<p>For instance, a department has a website with a URL: http://www.university.edu/academics/.  A web overseer of that department saves an Excel spreadsheet called &#8220;grades.xlsx&#8221; in the web directory so their colleague can look at the file later. The file is immediately accessible to anyone on the internet to view under the following URL:  http://www.university.edu/academics/grades.xlsx.</p>
<p>The University Information Security Policy prohibits storage of files which contain any confidential or protected information on a publicly accessible web server. This would include files such as:</p>
<ul>
<li>Student educational records including grades</li>
<li>Home addresses and phone numbers</li>
<li>Employment history</li>
<li>Performance evaluations</li>
<li>Social Security Numbers</li>
<li>Driver’s license numbers</li>
<li>Credit/Debit card numbers</li>
<li>Medical information and personally identifiable patient information</li>
<li>Financial records</li>
<li>Proprietary research data</li>
<li>Any other proprietary data that should not be shared with the public.</li>
</ul>
<p>Even if you are putting your data on a web site temporarily, there is still a good chance that you will forget about it and a web crawler will find it. The leading search engines, such as Google and Yahoo, use <a href="http://en.wikipedia.org/wiki/Web_crawler" target="_blank">crawlers</a> to find pages for their search results. Even though you may believe that no one knows the direct URL to your files, anything you put out on a public-facing web server can be quickly found and indexed by a search engine. Sooner or later someone will stumble upon a file containing confidential information in search results or, even worse, a hacker will find it using Google hacking tools: <a href="http://www.scmagazineus.com/the-dark-side-of-googles-power/article/32240/" target="_blank">&#8220;The dark side of Google’s power.&#8221;</a></p>
<p>A periodic review of your departmental and personal websites will help you ensure no sensitive information is stored in your web directory.</p>
<p><strong>What to do if you identify sensitive materials on a University web page</strong></p>
<ul>
<li>DO NOT IMMEDIATELY DELETE THESE FILES, rather&#8230;</li>
<li>Immediately contact the <strong>MU IT Service Desk (304) 696-3200</strong> and the <a title="MU Office of Information Security" href="mailto:infosec@marshall.edu"><strong>Office of Information Security </strong></a></li>
<li>IT and Information Security staff will need to assist you in determining the ownership of the files, how long they have been accessible, and whether they have been recently accessed.</li>
<li>Once this has been documented, only then should the files be removed from the web server.</li>
<li>Additionally, we may also need to assist in contacting search providers to request removal of the sensitive materials from their cached search results.</li>
</ul>
<p><strong>What to do if you find sensitive information on your personal web page</strong></p>
<ul>
<li>Review the files in your web directory and be sure you understand how they came to be saved to a public location.</li>
<li>Delete any files which contain sensitive data.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://muwww-new.marshall.edu/infosec/webservers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
