Most businesses are adopting the practice of finding international talents from outside, but many of them do not understand the legal consequences of establishing cross-border business relations. This will help you identify what needs to be considered into account by your company to build a hassle-free and stable business. An online business employs contractors from a range of countries.
In deciding whether an individual is an independent contractor or an employee, a company has to take up all the factors. There will be many factors that may indicate that the individual is an employee, while others will suggest that the individual might be an independent contractor.
Who are International Contractors –
In particular, individuals who are in an autonomous occupation, company or career offering their services to the public are independent contractors as per the IRS concept. The issuer will have the right to determine only the outcome of the job not what is going to get done or how it is going to get done. Contractors are entitled to self-employment tax and there is no need for companies that hire employees to withhold income tax and give benefits.
Let’s look at the below steps for hiring contractors from abroad
Whether your preferred candidate is from another region, the method of recruiting new employees is somewhat different from a traditional system of in-house placement. Skype or some other teleconferencing device may support the entire interview, but you are going to have to ask questions about the remote work situation— specifically about interaction. Don’t make sure to check past experiences and credentials and any other recruit you could.
When you employ a foreign worker, you may be concerned about securing work permits. If the employee does not stay for the contract period, you do not have to struggle with permits at all. Furthermore, you will have to get the proper paperwork done and get all the permits if you want to bring an international contractor to your region even if it is for a short duration.
There will be different ways of determining international contractors ‘ withholdings, and it’s important to pay income taxes on time. Failure to pay taxes on time could lead to heavy penalties.
Another international payment method that has been developed is a money order. By charging the fee you would like to give including an invoice, this method is very popular among while hiring contractors from abroad.
PayPal – one of the most popular internet payment applications to transfer money.
Xoom which is owned by PayPal, but provides its very own services to individuals and companies seeking to send funds from the United States.
Although recruiting international contractors is certainly different from hiring conventional domestic workers, most employers consider the benefits that make up for the effort needed. If you find a suitable candidate for your business, use the advice above to make ensure that you are prepared properly for the on-boarding process.
Also termed as main contractor or prime contractor, a general contractor is vested with the responsibilities of overseeing a construction site, management of the business vendors and communicating the information to all the stakeholders throughout the course of a building project. They act as the intermediary between the builder/developer and the group of subcontractors who execute diverse job assignments such as electrical, plumbing, carpentry, and flooring work.
A general contractor is an individual or an entity who may hire subcontractors and provide supplies for a given project.
Where are they deployed?
A general contractor can comprise individual partnership, corporation, or any entity or group of entities in business that can execute construction as a contractor. And, they will shoulder total responsibility for the timely completion of the project with the help of the project resources to execute or supervise the work.
General contractors are employed by property developers or property owners to organize and continue the work or diverse types of projects including residential homes, roads, office buildings, treatment plants and government buildings and the like.
They are responsible for hiring subcontractors and overseeing them. They review the architectural plans, purchase building materials, and ensure all deadlines are met.
Educational background required
Any individual aspiring to become a general contractor must fulfill the relevant criteria.
Should be 18 years or older
Must have secured a high school diploma or equivalent qualification duly recognized.
Must be eligible to work in the United States as per law.
Must have a good work record in the construction sector and should be able to discuss and resolve any job-related issues.
State governments may mandate each applicant to pass such an exam as may be determined by relevant law. Further, a few states may also make it mandatory to buy a liability insurance cover, read more about liability insurance by clicking here, get Federal Tax Identification Number and submit the address of business with utility or lease bill.
Importance of experience
Real work experience in construction projects is critical to becoming a licensed contractor. You can get experience by working in diverse crafts as a carpenter, electrician, or a plumber. Supervisors experienced in construction are also useful.
Oral and written communication skills
The applicant must have good communication skills (oral and written). This is important because they need to hire and evaluate subcontractors and participate in project negotiations with property developers and owners.
How to get a license?
To get the license, apply for it once you choose an area of work. You need to register your company. You need to pass the contractors’ exam. You may be required to buy insurance and bond as per the rules of the State where you wish to start contracting. Further, your social antecedent must be clean. You can get a Contractor License when you fulfill all these criteria.
To start the job, the applicant must have a contractor license. It is issued to tradesmen having a predetermined level of expertise and experience. These criteria vary across States.
Benefits of license
Though a few states contracting is permissible without a license, having a license will be advantageous for you. You can market yourself to be reliable and trustworthy to hire.
The license will make you eligible to work as a legal entity.
As you’re licensed, you need to fix electrician, plumbing work, and mechanical work as these types of trades all have license requirements.
It will protect you from all potential legal tangles.
Whether you oversee a building or other construction project, you get exposed to the specifications of diverse specialties. All this will enrich your experience, make you employable at competitive remuneration over time.
A license is a primary requirement for starting any type of business. Contracting business is no exception. Getting a Contractor license without proper knowledge of the process may get cumbersome and complicated. Plus, the run-around that you may have to experience will run you out of all the enthusiasm you have for your new venture. Let’s walk you through the process of procuring a valid contractor’s license.
Determine the Basic Requirements
This is predominantly something you as an applicant, need to take care of. First things first, determine the nature and scale of business you would be doing. Based on that your license class will be determined. Next check if you would want to add a specialization to your business. Then come the naming and registration of your business. You need to register your company as a proprietorship or a limited company based on which the license will be provided in the name of the registered business. Once all your requirements and company registration documents are ready you can then look into applying for a contractor’s license.
Pass an Exam
You may have to sit for a small contractor exam to get a license. Different states have different requirements and the same may vary. These exams comprise of many genera topics based on various business aspects. You may contact the ICC (International Code Council) to know about the exams required in your area. This exam is important as the certificate you obtain after passing this exam is one of the documents required when you apply.
Background Checks and Verification
If you wish to apply for a contractor license you will have to get your background check done by the local authorities. They check if you have any criminal background and provide you with a certificate if you pass the checks. Make sure you retain the Background Check certificate for submission along with the application.
Submit the Application
This is the final and most important step. Ensure that you have gathered all the required documents required to be submitted along with the application forms. Some commonly required documents comprise of; Company name and details, Contracting Class and Specialization, your education and expertise summary, your identification documents, ICC Approved exam passing certificates, Background check certificates, etc. Get in touch with your local authorities and agencies to get the exact details of the required forms to be filled and necessary instructions. Make sure you are filling the forms as per the given instructions. There may be a fee associated with filling and submission of the form. Pay the fees and get an application reference number to track your application.
Wait for It
Good things come to those who wait. And once you have submitted your application you may have to wait a bit but you will eventually get your contractor license. Make sure you obtain a license for each state you want to work in for every state has different regulations. Compliance to the law is the primary reason behind obtaining a license and ensure you are complying with the law of the land at all times in conducting your business.
Are you having difficulties to manage your construction business? Do you want to know how to make profits? Managing a construction business might not be easy especially when you are new to this industry. Construction business demands industry knowledge, expertise in the building process, accounting skills, and understanding of the economic conditions to achieve the desired success. The benefit is that you will always have clients. You just need to know how to reach and inspire your potential clients to invest in new properties. Here are a few things that you can consider to manage your construction company more effectively.
Design Your Team
Your team will have the key role to decide the success of your business. You will have to hire the best skills in the industry. Besides, you will have to train them to perform better regardless of the complexities and demands of projects. You will have to develop a healthy working environment so that your workers will be motivated to contribute to your success, read more about developing healthy working environment at https://www.forbes.com/sites/johnrampton/2015/02/18/8-expert-tips-to-having-a-healthy-company-environment/. You can offer some employee benefits, incentives, and competitive pay. Also, address the safety issues and make sure that all emergencies are handled with the utmost care. These things are important for a successful construction company. As a managing authority, you will have to combine many duties such as training, hiring, firing, and maintaining the discipline in your company.
A manager must know to bid competitively against competitors. Also, you will have to manage your assets properly to ensure that all your workers are paid on time. A construction company has to manage a lot of things both administrative and financial. Therefore, it is important to hire someone to assist with your work. If someone will be there to look after the office, booking tasks, and communication, you can manage other things efficiently. You will have more time for bidding preparation, worker interaction, and other job duties.
Construction business demands huge expenses. Some startups consider outside financing for buying vehicles, tools, equipment, and materials. As the manager or owner of a construction company, it is important to understand the financial needs of your company and how to manage it effectively. You should know how to write your business plan and manage long-term and short-term operating costs.
Manage Your Clients
This is one of the important aspects to create your brand identity. Like any other business, the success of your company will depend on your clients. You will have to take all the required steps to satisfy your clients and win their trust. Make sure that you are present to answer their queries. Good communication skills is required to be effective during a conversation. A good construction manager should develop decision-making and problem-solving skills to manage the business smoothly.
All these tips might help you to lead the industry. A skilled construction manager takes care of every detail to ensure that all his team members are working together for the benefit of the company. Concentrate on your leadership, problem-solving skills, team, and company finance to accomplish your job more intelligently and smartly.
Working as a contractor has many benefits – it pays well than the same salaried job. The predicted growth of the construction industry has made many people consider starting a contracting business. If you’re interested in getting started, here are some considerations you should think about before starting your construction business.
1. Mentoring and expertise
Don’t start a contracting business blindly. There are many resources you will need as a contractor and a business owner. Mentoring is the best way to learn all the ins and outs of any business. Look for a mentor in your local area and spend some time working with him or her. Enroll in a local business class and then develop a business plan.
2. Do your research
There are so many online tools you can use to learn more about running a construction business. Take time to browse blogs, software programs, and general advice. Learn more about software programs that will help you manage your business.
3. Get financing
You need capital to start your business. There are many credit unions and banks offering bank loans at low interest. Look for the best financing option for you. Local Small Business Administration is the best option for a construction business.
4. Name and register your business
Decide on the best name for your business and then register it. The business name should be unique. For better business, use a name that is related to the service your company will be offering.
Before opening the doors of your company, you need to obtain licenses and permits. A general business license and other specific licenses are required to protect your company and your clients. If you are doing plumbing and electrical work, you need a tradesman license. It is illegal to run an unregistered construction company.
5. Insure your business
Look for an insurance company offering a contractor’s insurance plan. Purchase the plan that includes property, general liability, and vehicle insurance. Make sure to adhere to all the legal requirements when it comes to obtaining insurance coverage.
6. Arrange surety bonds
A surety bond is a third party guarantee that pays customers when your company is unable to fulfill all the work obligations stated in your contract. Regulations for surety bonds vary from state to state. Look at your state’s surety bond requirements or talk to a surety bond agent near you.
7. Develop an OSHA plan
The Occupational Safety and Health Act requires all workers employed in a construction company to work in a safe environment. The construction industry has many hazards. It is your role as a business owner to provide your employees with appropriate clothing, footwear, and helmets.
8. Build a workforce
You’re going to hire employees for your company no matter how small it seems. If you are planning to take large or medium-sized projects, you will need to hire a considerable number of employees. Use accounting software such as Zoho and Freshbooks to simplify the bookkeeping chores.
To be on the safe side, research for regulations in both state and federal hiring practices in your state.
All the attempts to protect your online privacy can have no effect in case you ignore your local PC security. Even you are using anonymizing service to hide your IP address and to encrypt your entire Internet traffic, your computer may be vulnerable to network attacks, viruses, spyware applications, and data loss because of insufficient access protection. Viruses can be easily created using various “virus constructors” and sent to you by email as an attachment or uploaded exploiting your computer network vulnerabilities. As an example of specially created spying viruses (trojan viruses) we can refer to infamous “Magic Lantern”, an FBI program that can monitor keystrokes.
You will need special applications that will care of your computer security. There are many excellent products on the market today that provide protection at the highest level.
1. Personal firewall
A firewall acts as filter with custom defined rules to cut off undesired or suspicious traffic. It is a wall actually repelling the attacks from the outside (from the Internet). Also, good firewall software should allow you to configure it so that only “authorized” applications could communicate over the Internet. This will prevent any undesirable connection attempt from inside of your PC, e.g. spyware or a trojan virus may try sending data collected from your hard drive.
Due to large number of network security vulnerabilities in the operating systems it is highly recommended to use firewalls to protect your computer.read more about designing your merchant site by clicking here
2. Antiviral software
Internet is highly contagious environment. It is a general truth nowadays when so many have suffered from virus attack. Antiviral software is a “must” on any Internet connected computer. It should be mentioned that simply buying any antiviral software is not a good idea. Most antiviral software use pattern matching algorithms and heuristics analysis, which may not be effective when it comes to fighting the viruses written by professionals (“Magic Lantern” trojan, for example). In addition to the above methods good antiviral software should perform a real-time audit of active applications and file systems, e.g. monitoring file size changes, issuing warnings about new executables, etc. This approach can guarantee that customer will be warned about any suspicious changes in the system. Even unknown virus or spyware will be detected and deleted.
It should be noted, that virus databases for your antiviral software should be updated as frequently as they are released by the vendor.
3. Hard drive data protection
The best solution is to use the software, which allows encrypting all the hard drive, including the operating system area, not only selected folders. This would guarantee that only the PC owner could access all the data on a PC. Unfortunately only few hard drive encryption tools will satisfy these criteria. Please avoid utilities “hiding” your folders. Using these tools you can hide something from your kids only (and not in all cases). The only way to protect data is to encrypt it, not to hide.learn more about encrypting at https://searchsecurity.techtarget.com/definition/encryption
Good hard drive encryption utility should solve several problems for your privacy.
Computer access security. Password based access to your computer combined with hard drive encryption will make it impossible to copy the data from your hard drive or install spyware while you are out of home or office. Please note, only utilities allowing whole hard drive encryption can provide this level of protection.
Confidential data protection. When it comes to confidential data protection, two problems should be solved: restricting access to the confidential data, and deleting this confidential data when you do not need it anymore. Hard drive encryption will solve both problems. Overall encryption would safeguard your laptop (even a desktop) even in case of theft. Only the person knowing the password will be able to access confidential data. Your private data will remain private. Deleting files is not always as good as it sounds. Even wiped files can be restored in many cases. And, are you sure that all the files were deleted? It is more comfortable to know that all the data is encrypted.
Temporary files and cached files protection. There are many utilities to delete browser cached pages and temporary files. Unfortunately this gives only the illusion of protection. Many applications would create their own temporary files in the most unexpected places, adding records to the operating system registry, etc. We recommend using encryption software for protecting data stored on your local hard drives including system area (where most of the temporary and cached files remains) for the peace of mind. Please note, only utilities allowing whole hard drive encryption can provide this level of protection.
Protecting data on your backup media. In case you perform backups from your working files and confidential data, these backups should be protected as well. Encryption utility should support your backup media.
One more point: your data will be safe as your password is safe. Do not ever share your hard drive passwords.
4. “spyware removal” tools
Sometimes people are using so-called “spyware removal” tools, e.g. software detecting spyware. Those tools deal with unwanted adware and spyware on your computer. The main source of spyware are websites that make use bugs in users’ browsers to install code on your computer allowing to research your browsing habits, etc. Also, “spyware removal” tools can detect and destroy spyware designed to obtain account details for online payment systems like e-gold, PayPal and many others. In case you use online payment systems it is quite important to check your PC with “spyware removal” tool before logging in. In most cases using personal firewall and antiviral software cannot block such spyware. Most of “spyware removal” tools have built-in database of known spyware and tools to remove it, and it is important to keep the database up to date. It should be noted, that only disabling java and ActiveX can guarantee your browser safety and prevent your PC from infecting through the web browser. Not all custom developed spyware (especially those targeted to a separate group of Internet users, e.g. the users of a certain online resource, payment system, etc.) can be detected by “spyware removal” tools. Such spyware will simply not be listed in the tool database.
To summarize all the above, we would recommend installing on your computer the following tools: personal firewall, antiviral software, spyware detection utility, and hard drive encryption utility. Having all this tools will improve your computer security and make it almost impossible to break in.
We all hear about the FBI Carnivore program, about ISP tech staff (motivated by private investigators or competitors) spying on customers, about some companies “monitor all internet activities to cut expenses on IT“ policies. In many cases user’s Internet traffic can be intercepted from the computers sharing same LAN (local area network) or wireless network with the computer being monitored. Data interception is the danger you should count with. How can we protect ourselves from data interception? To find the proper solution we should understand first how the data interception could be performed.
Internet is build as a hierarchy system. Below is a very simplified picture of the Internet: end users are connected to the ISP network through the DSL/cable connections or dialup, ISPs networks are connected to a few bigger, national wide ISPs, and big ISPs are connected between themselves. There are special computers to find the proper path for data packets traveling to the destination – ISP gateways or routers – that examine each packet passing through them and transferring it to the next gateway until the packet reaches its destination. The path between the source network and the destination network is called “route”. Routes (paths between networks) are being chosen depending on the network load, link availability, etc. and change frequently, sometimes a few times a day. Usually data packets are traveling to the destination server through dozen of different networks and gateways.
Let us examine how the data packets travel from your PC to the destination server through the Internet.
After data packets are leaving your PC they are passed to the ISP gateway. ISP gateway, which has multiple connections to the bigger ISP networks, will examine destination IP address, choose proper “next hop” gateway and then forward packet to this gateway. New gateway will perform the same procedure, and so on.
So where is a weak point in this chain? There is a single point where all your data is passed: your ISP gateway. After the packet leaves your ISP network it is almost impossible to predict its route, since it will depend on the destination. Even if the destination is same, the routes change, today it is one route, and tomorrow it will be some other. To monitor somebody’s Internet activities the interested party should monitor the ISP traffic, the single point where all this traffic is passed through. Actually it is how government Internet monitoring systems like “Carnivore” and analogue European system “Echelon” was implemented. Some smaller countries and Arabic countries have a few or even one external Internet connection, which makes it technically possible to block sites or perform monitoring on nationwide ISP level.
To protect your data from the interception you should use traffic encryption. The main idea is that the data should be passed through the ISP network and further – outside of your home country, encrypted. This will guarantee that neither ISP staff nor government authorities can intercept your data. The only technical problem is that both participating parties in data communication should support encryption, and this cannot be achieved in many cases. Most websites, email providers are not supporting encryption. Many Internet services cannot support encryption by design. For example, ICQ, IRC, FTP, newsgroups protocols do not support encryption. This means that data to these servers cannot be encrypted from your PC to the destination.
When the end-to-end encryption cannot be achieved for various reasons, third party services can be used to encrypt the traffic. This will allow safely passing the data through the monitored ISP gateways and country borders links.
Here is the simplified picture of how such services works.
All the traffic will be encrypted on the way from your computer to the special tunneling server, then – unencrypted, and passed to the destination server (mail server, web server, IRC) in unencrypted form. Please note, if the destination server supports encryption itself, https secure web sites for example, traffic will be encrypted twice, e.g. passed through the tunneling server in encrypted form and unencrypted only by destination server. In other words, you may safely send PGP encrypted emails or visit secure sites through such tunneling servers.
Main advantage of these kinds of services is that they provide not only data protection, but IP address anonymity as well. All the remote servers you are communicating through the encrypted tunnel, will see only tunneling server IP address, not yours.
Once you are familiar with data interception techniques and “IP anonymity” problem you may pass to our next page “Internet Security Solutions” where we will review most of the technologies used for data interception protection and anonymizing Internet activities.
The major problem in the Internet privacy protection is to hide your IP address.
What is IP address, and why is it so important to hide IP?
IP address is your computer address in the Internet. IP address makes possible for your computer to communicate with other computers, and every computer connected to the Internet has its own, unique IP address. It is always possible to determine both communicating parties by a pair of IP addresses. IP addresses are assigned by Internet Service Providers (ISP) to its customers dynamically (you get a new IP every time you connect to the Internet) or statically (you have been assigned a permanent IP address). And where does Internet Service Provider get all these IP addresses? There are international organizations responsible for allocation of IP addresses to ISPs, such as RIPE (http://www.ripe.net , Europe), ARIN (http://www.arin.net North & South America) and APNIC (http://www.apnic.net Asia & Pacific). These organizations are allocating IP addresses to an ISP and keeping records of addresses allocated. Also, the ISP will need to report these organizations how IP addresses are used, e.g. for DSL connected users, to provide Dial-Up service, etc. All this data will appear in the records as well. These records are open to public. Using WHOIS tool (you may check our Tools section for WHOIS tool) anybody can access this data any time. WHOIS response on IP address query will contain Internet Service Provider company name, geographic location (for example “Some str., Los Angeles, CA, US” or “Deli, IN”) and IP address pool purpose (for example “DSL IP pool”). Additionally, ISPs can set descriptive reverse DNS entry for the IP address – domain name corresponding to the IP address, e.g. dsl-sezam-st-losangeles-CA.someisp.com.
IP address points to your ISP, and the ISP has logs on the customer’s activities. The local phone company providing you line to connect to the ISP has its own logs. Logs are stored for billing and resource management purposes, as any ISP/phone company will tell you.
In other words, this information is a good starting point for the curious to find out your home address, phone number and other personal details.
Who can find out your IP address?
Anybody you communicate with through the Internet. Anybody having your email address, ICQ number, chat nickname, etc. You leave trails with your IP address in web server logs, chat room logs, peer-to-peer file sharing systems, newsgroups, mail servers, mailing lists, making it possible to track you. Actually your trail will begin in your ISP logs with the record of IP address assigned to you at the moment you establish dial-up connection or turn on your PC on the cable connection. From that moment every your move will leave more and more trails in the Internet.
Is there a way to change or remove an IP address?
Bad news: IP address cannot be simply changed in your PC settings or removed completely. Your Internet connection will stop working if you change or remove your IP. Also, there are no software tools, which would allow you to do this. Good news is that using special anonymizing services you can hide your IP address from the outside world. The main idea of such an anonymizing service is that you pass the traffic, you wish to make anonymous, to them, and they will pass it to the destination using their own IP address. For example, you would like to access website www.somecompany.com anonymously, using one of the anonymizing services. Your browser or special software (supplied by an anonymizing service) will pass the request for the web page to the anonymizing server, and this server will send the request to www.somecompany.com . Web server will reply with page text to the anonymizing server, which will pass that page to your browser. The www.somecompany.com web server will not be able to get your IP address, only anonymizing server IP address will appear in the log files. That’s how anonymizing services work. The same technique can be used to anonymize other Internet activities, not only web browsing.
When you are using an anonymizing service your IP and identity will be hidden from the remote party, e.g. webmasters, IRC channel visitors, etc. Unfortunately IP anonymity will not solve all the problems. There is one more side of the Internet privacy you should be aware of; it is called “Data interception”
There are many reasons to seek the Internet privacy and anonymity while running business. Many small and mid-size businesses are migrating now offshore (big guys always were there), taking advantages of low tax environment and liberal laws. Internet makes it possible to manage offshore business from any part of the world, covering all the aspects of company functioning: emails, faxes, phone calls diverting, voice mailboxes and autoresponders, online banking, web presence, etc. Because of today’s Internet technologies you can build 100% virtual presence in a chosen offshore jurisdiction, and no one will be able to determine where your actual office is located. Unless you will forget to take care of your Internet anonymity…
Before we explain the importance of Internet privacy for offshore company owners let us find out why the majority of open-minded entrepreneurs are going offshore. Here are some major reasons.
To get tax benefits and asset protection. Running Internet business through the offshore company will allow you to save on taxes. Most offshore jurisdictions have no tax on income, tax on sales, corporate and property taxes. Offshore companies are ideal vehicle for running Internet business, international trade, financial services, insurance business, software development, etc. It should be noted that tax avoidance is not the same as tax evasion. There are many ways to run an offshore company legally and save some part of taxes, offering better prices then competitors can offer. Also, offshore banking can provide strong asset protection and offer better investment options for your hard earned money.
To get protection from most of lawsuits. Locating your Internet business offshore will allow avoiding many annoying lawsuits, saving your time and money. It takes much more time and it is much more complicated and expensive to sue an offshore entity. Running business offshore provides protection against the “your-hot-dog-was-too-hot-and-I-will-sue-you-to-get-the-compensation” lawsuits, making them not profitable for the lawyers working on contingency. Also, when running business offshore your company is acting under the law of the offshore jurisdiction, in most cases far more liberal then in “onshore” jurisdictions.
To bypass domestic business regulations. Large part of profitable businesses like gambling, adult services, and financial advice services are restricted or require expensive licenses in most of “onshore” jurisdictions. You should remember, that what is not allowed or expensive in your home country can be legal and cheap in other countries. Obtaining gambling license in offshore jurisdiction takes less time and is less expensive, and some business activities do not require licensing at all.
To get better prices for products and to get more customers. Providing the information on where is your business located can affect product price, and even affect the amount of clients you may have. For example, you are in software development business and your developers and management staff are located in India. Most of your clients will not wish to pay US prices for the products developed in a country with low development costs, i.e. in the country with low prices on job market and low living standard. Many problems can arise because you business is of the African or Eastern European origin. Some clients do not wish to deal with companies registered in African countries or other “risky” countries.
And the last but not the least are privacy concerns. Offshore jurisdictions offer privacy protected by law both for business owners and their customers. Domestic law regulations and reporting rules can make it impossible to run business when the customer privacy is an issue. When your customers need privacy or it is required by nature of your business, you should consider using an offshore company.
Moving business offshore offers huge benefits for business owners. Unfortunately not all engaged into offshore business are realizing risks associated with it. We will leave the questions of privacy with registering offshore companies, opening offshore bank accounts and offshore merchant accounts to offshore professionals, and focus on online privacy issues. Quite often offshore business owners do not care about security and privacy of their Internet communications. And this can be the fatal mistake. A single email message with the real IP address or a single fax sent over the unencrypted connection can ruin the privacy of the offshore funds owner spending huge amounts into development of complicated schemes with offshore companies and offshore bank accounts.
Many offshore business owners have suffered serious damages when ignoring the online privacy issues. If you wish to protect your offshore business and yourself, you have to think about security of your Internet communications before it is too late. Below are the main points you should take into consideration when establishing your offshore company Internet presence or using Internet for communication.
Anonymous domain registration. Having own domain name is a must for a business. Using own domain in emails, having the web site you can refer to, will add credibility to your business and will add customers for you. But when registering a domain you will have to state clearly the domain owner, and this information will be available to public. Providing your real identity will break your privacy, since by running WHOIS query any curious can find out the domain owner’s name and address. To protect their online privacy some people are registering domain names on fictitious names. Right, registrars in most cases do not verify domain owner’s details, but it is unwise to register domain name on nonexistent person or company. There are cases in business practice when you will need to confirm that domain is yours: when you need the SSL certificate for your online store, or when you need to sell it for example. The only solution to gain privacy and to preserve your rights on the domain is to register new or transfer existing domains to the offshore company with nominee directors and shareholders. How anonymous is it? Offshore company registration agent will know the identity of the real shareholder (it is a general requirement in this industry), but government authorities in the offshore jurisdiction will have records with nominee’s personal details only. Unless you commit a serious crime indeed, you will be safe from tracing.
Offshore hosting, offshore dedicated hosting, offshore collocation services and offshore email hosting. When you already have your domain name registered anonymously on your offshore company, or you just planning to do so, it is time to think about offshore hosting for your domain. Offshore hosting can be the only option for many businesses limited by domestic legislation. Adult sites, gambling sites, offshore investment companies, international trading companies using tax saving schemas, all of them need offshore hosting. As a general rule, when you run an offshore business, you should consider using offshore hosting. Even of you do not need a web site for your domain, you can use offshore email hosting to secure your email correspondence. Companies providing services with intensive network and computer resources usage can take advantage of offshore dedicated hosting and offshore collocation services. When choosing a jurisdiction for your offshore hosting you should check for the established electronic privacy laws and modern network infrastructure. Some countries do not have laws that regulate ecommerce and Internet activities, and this can add some uncertainty in future for your business. A good example of jurisdictions with developed electronic privacy laws and network infrastructure can be Bahamas and Malaysia.
Protecting your Internet communications. Running offshore business requires performing various tasks online. This can be online banking, uploading files to the website, emailing to customers and business partners, sending/receiving faxes and voice messages, etc. Doing all this in privacy without providing your real IP address (e.g. identity) is of prime importance. Please read about the details, which can be determined from your IP address on our “Internet Privacy” page. As we have noted earlier on this page, revealing your real location can bring your business to success or failure. Other threat you should count with is data interception. Government agencies are widely using Internet monitoring systems like Carnivore or Echelon to locate the persons using online banking with offshore banks, offshore e-currency services or offshore investment companies. Once you are on a list of “suspected” in using offshore financial services, all your Internet communications will be monitored: emailing, browsing, ICQ, web pages uploading via FTP, etc. After they collect enough evidences they will visit and question you. We have covered Internet monitoring in deep on our “Data interception” page. Fortunately Internet data communications can be protected quite easily by using anonymizing services supporting encryption. You may learn more on how to protect your online activities on our Internet Security Solutions page. Here we will stress again that you should avoid using US based anonymizing services. They can be monitored by government agencies in the first place. Other important Internet service that is used extensively by offshore entrepreneurs is email. When you use “fax to email”, voice mailbox services, communicating with your offshore banker or offshore broker over the email you should take care of your email security. Government monitoring systems can monitor the email traffic by destination or by keywords, adding you to the “suspected” list. You may read our “Email Security and Anonymity” page to learn how to protect your confidential emailing. When choosing the anonymizing service you should avoid partial solutions or services not utilizing encryption. Only protecting all aspects of your Internet communications with strong encryption algorithms can give you peace of mind.
Using e-currency payment solutions. Most of e-currency providers are registered offshore and providing high financial privacy protection for both buyers and sellers. Although you should be ready to undergo the account due diligence if the account exceeds some turnover level. To pass the due diligence procedures the account should not be registered on fictitious names. If you have an offshore company, register e-currency account on it. Just to remember, always use anonymous web browsing techniques to manage e-currency accounts online. Even if you work with SSL protected pages, government agencies that perform data interception will be able to find out that you are using e-currency and ask the questions you would not like to answer.
Local computer security. Local computer protection is an integral part of the efforts to protect your online privacy. Failing to protect your computer from viruses and network attacks can result in serious damages for your business and privacy. Data loses, stolen confidential documents, stolen access details to your offshore bank account or offshore investment account – all these problems may arise if your computer protection is ignored. What measures you need to take to ensure protection for confidential data on your computer hard drive and removable media? Firstly, you should take care of your network security by installing a personal firewall on your computer. It will protect from network attacks, network worm viruses and some trojan viruses. Secondly, consider using good antiviral application. Antiviral software should be able to detect and remove not only known viruses, but also warn about suspicious activities and software on your computer. This ensures that viruses like “Magic Lantern”, an FBI program that can monitor keystrokes, can be detected. And thirdly, use encryption for all your hard drives and removable media used for backups (you are doing backups regularly to protect from data loses, don’t you?). Do not use “folder hiding” software, it can be cracked by kids with one month of computer experience. Do not relay on “boot protection” utilities. When disks with such a protection are removed and installed on other computer as a “slave” drive, data on it can be read like a morning newspaper. Do not relay on data wiping utilities. Using special technologies on examination remanent magnetism (this technologies are available to government agencies) even files wiped ten times can be restored. The only way to protect data when your computer is stolen or can be accessed without your knowledge is to encrypt it in whole including system areas, not only selected folders or drives. Only the person knowing the password will be able to boot the computer protected in this way and access data files. More details on choosing the right software to protect your computer can be found at our “Computer Security” page.
And a few last notes. Do not save on your online privacy and security. You should remember that a penny saved on this could make your business loose thousands. Always include the expenses on Internet anonymity into your offshore company business plan. Gaining Internet anonymity and protecting Internet communications from interception is much the same as protecting money both for the offshore company owners and average Internet users.
The main point in going offshore is to find the jurisdiction where you can run business legally (what is illegal in your country can be legal in some other countries) with minimal costs (cutting business running costs on taxes and license fees) and minimal regulation requirements (saving time and money on paperwork). But there are activities prohibited by law in all countries. Individuals and companies that are engaged in fraud, spamming or child pornography will never have peace. No anonymous services, offshore companies and offshore hosting will provide protection for the business of this kind. But when you run legitimate business in offshore jurisdiction and take all the measures to protect your Internet privacy, you may feel secure.
Here we will review most common solutions allowing you to hide IP address and to encrypt your data transfers. There are three general categories of anonymizing technologies: web-based redirectors, protocol dependent proxies, and VPN tunneling.
1. Web-based Redirector
Internet services protected: web browsing only, excluding secure (SSL) sites. Anonymity: Yes Protection from data interception: redirectors with SSL encrypted access only.
Redirectors work only for web browsing. This service works according to the following scenario: you go to the redirector web page, enter the site URL you wish to browse anonymously and press “go” button. The redirecting software will request the page using its own server IP and redirect the output to your browser window. The main disadvantage is that not all sites can be accessed through a redirector. Redirector will not work with secure sites (https) so you cannot use redirector for banking, shopping and other secure sites where SSL encryption is required. Some services allow working with secure sites, although it is not recommended to use this feature since data can be intercepted by persons running redirector service. Also, redirectors usually block java, cookies, and some other features required for browsing most of the sites. Actually all dangerous content can be blocked or allowed by yourself depending on the site, without using any third party services (e.g. you can allow java while browsing e-bay.com and disallow it on any other site). This will be described in details in our “Anonymous Surfing” page. Many free redirectors will block pop-ups only to show you their own pop-ups. Some redirectors can use SSL encryption to encrypt web traffic, although connection will be encrypted between your browser and the redirector web page only, not to the destination web site.
Conclusion: Redirectors are not convenient; they are ok if you are browsing from time to time, but they are not suitable for active Internet users. Not suitable for banking, online shopping and accessing any other SSL protected sites.
Using a proxy is the most common method of anonymizing Internet activities. In most cases people are using protocol dependent proxies. Different types of proxies should be used for different activities: web proxy for browsing; remailer for emailing (well, remailer is NOT a proxy, but it functions in a very similar way). Also there are proxies for IRC and some other protocols. Some proxy types (like Socks proxy) are more universal and will allow working with several Internet protocols.
Main drawback of proxies is that they are protocol dependent. Example: you have configured your browser to use http proxy. When you click on “http://” link, connection will be passed through the proxy, and your IP will not be visible. But when you are visiting secure site (https:// link) your real IP will appear in the server logs. To anonymize secure connections you will need to use additional https proxy.
Another problem with proxies of any type is that your software should have proxy support. If your software cannot be configured to use proxy, you will not be able to use it.
Also, not all protocols can be used through a proxy, for example you never find a proxy solution for some online games or peer-to-peer file sharing applications.
2.1 web proxy
Internet services protected: web browsing only Anonymity: Not all proxies provide anonymity. This should be checked before you use proxy Protection from data interception: No
Using web proxy is easy. Find the open proxy IP address and set it in your browser settings. All web traffic will be passed through the proxy, hiding your real IP. But not all proxies are anonymous, e.g. some of them can reveal your real IP. You should always check the proxy for the anonymity before using it. You can find URL to proxy checkers at our “Links” page.
Avoid using so called “free open proxy” lists, or “open proxy scanning software”. Free proxy (in many cases simply misconfigured by system administrators), should be used with care. It is a common method for hackers to setup proxy with open access, place it in the “Free proxy lists” and wait for the victims. Everything that you do through a proxy and every password that you use can be logged and used by persons running free open proxy in their interests. And there is no guarantee that these proxies do not have user activity logs. Additionally, proxies in this list can be under the special attention of government agencies hunting terrorists and hackers.
Most commercial services providing web proxies are offering proxies from “open proxy” lists, checked for anonymity in best case. These companies do not have control over the proxy and cannot guarantee that there is no user activity logging. They cannot guarantee that there are no hacker proxies or proxies operated by government in this list.
Important note: a web proxy does not provide data encryption, e.g. your browsing can be intercepted easily.
Conclusion: Avoid using proxies from “open proxy“ lists, it is the same as providing all your passwords, email accounts to hackers or government agencies. Also, proxy connections are vulnerable to data interception. Commercial services can be used in case they provide access to their own proxies, and the proxies are operated by company staff.
2.2 Socks proxy
Internet services protected: depends on proxy type used Anonymity: Yes Protection from data interception: No
There are two types of Socks proxy protocols: Socks 4 and Socks 5. Socks 4 proxy will allow working with TCP protocols only, like HTTP (web browsing), NNTP newsgroup access, IRC. Socks 5 is more advanced, allowing to anonymize UDP protocols as well (ICQ for example). Only the applications having an appropriate Socks protocol support can be used with Socks proxy. For example, Internet Explorer has Socks 4 protocol support, and it cannot be used with Socks 5 proxies. If your application does not support Socks at all, or has only partial support, you will need the Socks client. Socks client is a special software residing in between the application you are using and the network. Socks client allows your application using Socks proxy. Most Socks client software is commercial, i.e. not free. The problem with Socks proxies is that Socks implementations do not support encryption (except for some commercial software) to protect data traffic. If you have set up to use Socks proxy in your browser or IRC client the connection will remain unencrypted.
Conclusion: Socks proxy provides anonymity for most of the Internet services. Applications you would like to use with Socks should have support for Socks protocol. Main disadvantage is lack of encryption making data transfers vulnerable to interception.
2.3 SSH tunneling
Internet services protected: depends on the proxy type used Anonymity: Yes Protection from data interception: Yes
Some companies provide additional service for the data security – SSH connection to the proxy. Using SSH will make your connection to the proxy encrypted thus making it impossible to intercept. Both web proxy and Socks proxy connections can be passed through the SSH encrypted tunnel. SSH cannot be used without the proxy for anonymizing. Conclusion: SSH can be used with proxy only. It adds encryption for the proxy connection.
3. VPN Tunneling
Internet services protected: Any Anonymity: Yes Protection from data interception: Yes
VPN stands for Virtual Private Network. Actually it is the most comprehensive anonymity solution available on the market. VPN technology is widely used by large corporations, financial institutions and government agencies to secure data communications. VPN allows not only to secure communications with high-grade encryption algorithms, but also to anonymize all types of Internet traffic. VPN connection can be compared to anonymous “virtual” dialup service through the existing Internet connection. The scenario is as follows: you connect to the Internet through the ISP (Internet Service Provider) and launch the special VPN application (or built-in VPN adapter for Windows and MacOS operating systems). VPN application will establish an encrypted connection to the service provider. Once connected through the VPN all Internet traffic will be encrypted and a new IP will be allocated so that any Internet application installed on your computer will be using this new anonymous IP address. There are three VPN protocols used: PPTP, IPSec and L2TP. All of them use high encryption, and allow anonymizing any Internet activity. Quite often SSH used for proxy connection is considered as VPN although it is not the same. SSH allows to encrypt data connection and can be used in conjunction with a proxy to secure data transfers between your PC and proxy.
Conclusion: Most advanced anonymizing solution. Gives full anonymity and protection from data interception. Allows anonymizing any Internet activity.
What you should be aware of when choosing anonymizing service
Service provider jurisdiction
Always check where the servers used for anonymizing are located. Use WHOIS tool to find out the anonymizing servers location country behind the IP address. Avoid using the servers located in your home country since law enforcement or intelligence agency monitoring your activities will be able to monitor your anonymizing service provider traffic as well, or it can legally force them to give the information about your activities. It is recommended to use a service located outside your country, then the traffic monitoring would be impossible and law enforcement procedure would be much more complicated or even impossible (in some offshore jurisdictions). Avoid using anonymizing services located in countries with low Internet privacy standards like US or Australia. Remember, that in jurisdiction where data interception is used by government agencies “anonymous” services are monitored in a first place.
Anonymous payment options
If you are considering using commercial anonymizing service, check if anonymous payment options are available. Most popular anonymous payment options are: e-gold (see www.e-gold.com for details), traveler’s checks, etc. If there are no anonymous payment options, avoid this service.
Protocol dependent services
Since all Internet activities are related with each other, protocol dependent anonymizing services should be used with care. For example, you are using anonymous socks proxy for ICQ. You have received the message with a link to the web page from your chat mate. When you follow the link, your real IP address will appear in web log, and your chat mate will be able to track you if he/she has access to the web server logs. Another example: you are using anonymous email service, you have received HTML encoded message with linked images. After you open the message, your email software will automatically download linked images form a corresponding web site. This means that the message sender will be able to determine your real IP address. You should always remember the services you have had anonymized and the services you have had not anonymized to avoid the situation mentioned above, or consider using VPN tunneling services to anonymize all your activities.
The reverse side of any anonymizing technology is slowdown in traffic transfer. Any anonymizing service makes the data packets travel two times the same distance at least. The encryption (if any) adds the delay as well. There is no way to avoid this. In case you have decided to use some anonymizing service you should be prepared to get much slower data transfer speeds.
Paid versus Free anonymizing services
Running an anonymizing service (web proxy, Socks or VPN) is an expensive venture. It requires expensive network equipment (computers, routers) and lot of bandwidth resources. As you know there are no free lunches, so if somebody offers it for free it would be wise to think about the reasons for such generosity. Moreover one would not be in a position to require any privacy guarantee from a free service; usually there is no support either.
A reminder – always ask for anonymous payment options when purchasing anonymizing service.
When we are talking about protecting email privacy and anonymity we consider that it can be compromised by message interception or an email message contains information that the sender was not intending to pass to the recipient. In this article we will try to explain how email system works, what information can be extracted from regular email message, and how email privacy can be protected.
1. Email privacy – how can it be compromised?
Before we continue with topics on how to protect email privacy, we should understand how the email system works and what are the issues related to email privacy.
How the email system works.
Most common way of sending email is using the ISP (Internet Service Provider) or company mail server. When you click on “send” button, your email software will establish an SMTP (SMTP stands for Simple Mail Transfer Protocol) connection to your email server. Server will attempt to deliver a message directly to your recipient ISP mail server, but in case this server is not accessible at the moment it will deliver the message to the intermediate email server known as MX relay host. After traveling through the MX hosts, message will be delivered to recipient mailbox on his/her ISP mail server. It will be stored there until your recipient retrieves the message using POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) protocol. This is how your email message travels through the Internet from the sender’s computer to the recipient’s computer. The same way web mail service work, but instead of email software you would need to use web interface to compose or read emails.
How can an email message be intercepted?
Where it can be intercepted? It can be intercepted at each step along the way. Email message is stored on two servers on its way at least: on sender ISP mail server and on recipient ISP mail server. When traveling through the MX hosts, message is stored on each of MX hosts. When your mail is addressed to the bank, investment company, business partners, it can attract attention of IT staff that perform mail server monitoring. And there is nothing that can prevent unscrupulous IT staff with access to the mail server to open and read that message. Other problem is that unauthorized personnel or hackers can have access to the mail server where physical access security and network security are weak.
There is another way to intercept email messages: network traffic interception. In most cases network traffic monitoring is performed by government agencies at ISP level. Email traffic can be rated according to keywords to “suspicious” and stored for later review by government agencies staff – this is how US Carnivore system works. You can read more on network traffic monitoring and how it can be prevented on our “Data interception” page.
Email headers anonymity.
When analyzing email message we can get lot of information about its sender. Computer IP address, geographic location, time zone, language preferences, computer LAN name, email software used etc., – all this information can be found in email message. And an important point is that all this info is being passed without sender’s knowing about it. Well, what is bad about it, you can ask. This will depend on the way this information can be used. For example, you may not wish your recipient to know that your operating system uses Dutch language as default (e.g. your native language is Dutch), or that you are in Australia now and use one of the local ISPs services. All this information can be easily extracted from the email message headers.
Every email message consists of two parts: message header and message body. Header part can be compared to a letter envelope. It contains message subject, sender’s and recipient’s email addresses, date and time message was sent and arrived, lists the points your message went through on its way to recipient. Message headers also contain service information about sender’s email software. This information is used to deliver message, and allow tech staff to debug email problems when they occur.
Here is an example message headers:
Return-Path: <[email protected]>
Received: from [192.168.157.3] by web5203.mail.foobar.com; Sat, 21 Nov 2003 12:42:20 –0800 PST
Message-ID: <firstname.lastname@example.org >
Date: Sat, 21 Nov 2003 12:42:20 -0800 (PST)
From: “Peter J. Smith” <[email protected]>
Subject: My Private Message
To: [email protected]
X-Mailer: Microsoft Outlook Express 5.00.2615.2000
And here is the information we can extract from the headers (using it to draw a picture of the sender):
Sender IP address: [192.168.157.3] points to the sender’s computer. Anyone can get further details about ISP (address, phone, fax, email) running a search through the WHOIS databases.
Sender ISP: “web5203.mail.foobar.com” and “@foobar.com” – message was sent using web interface from foobar.com (further details available at the website)Senders email software: Microsoft Outlook Express 5.00.2615.2000 (this version’s known bugs could be used for sending a troyan to the computer)
Senders local time zone: -0800 (PST) US Pacific coast (points to the geographic location of the computer)
Senders native language: charset=”GB2312″ – Chinese char set (the user’s probably a member of the local Chinese community)
It should be noted, that only three lines in the message headers were explicitly supplied by the sender: “from” address, “to” address and “subject” line. All other data was inserted by email software and intermediate servers. Usually users have no control over these headers, but these headers are the most dangerous for email privacy and contain lot of information about the sender. There is no problem to track the message sender using headers data. You may learn more on how this information can be used on our “Internet Privacy” page.
Secure email software
Using right email software is an important point for email security. If you are using buggy email software you are open to hacker attacks since email message contains your email software vendor and version number. There will be enough info to write a specially formatted (to use your email software security vulnerabilities) message to hung your computer or infect it by Trojan. If somebody suspects you to store confidential information on your computer he/she can try to hack in to get it. All the attacker needs to start is your IP address from email message header. Using security holes in your computer software (new Windows vulnerabilities are published almost daily) attacker can gain full access to your computer and in worst case obtain all your email passwords, banking and investment account data, private correspondence, business data etc. All this horror scenarios are not a myth but today’s reality, just search on Google on companies offering spying over the Internet. If your competitors can afford spending hundred dollars to know your secrets you are in danger.
How can be web browsing related to emailing you may ask? It’s simple. Most of email applications are capable to display HTML formatted email messages. This is not different from viewing a regular web page, but the web page is displayed in your email software window, not in a browser. When viewing web pages in your email window you are taking the same risk as when browsing, e.g. you have to deal with cookies, Java Scripts, Java, ActiveX controls, etc. IP anonymity and data interception issues should be taken into consideration as well. Please read more on web browsing security and browsing anonymity at our “Anonymous Surfing” page.
There is one popular spying technique: web bugs. To illustrate how they work let us imagine that you are running some online business and have received an email message (possibly business related) form some unknown person:
To attract your attention your full name or your company name can be written in “Subject” line. You have opened this message, and after reading it and considering it to be spam you through it away. But you have not noticed that the message was HTML formatted, and it contained an image. Dot symbol after the word “fine” was replaced by a small image, and that image was automatically downloaded from some website by your email software when you had opened the message. Now, the email sender after analyzing web server logs can get some information on you: date and time you have read this email, your IP address, operating system, etc.
All this means that your email privacy can be compromised when you simply open an email message, even without replying to it.
2. How to protect your email privacy
Even if you have nothing to hide it is a good idea to take care of your email privacy. We have developed recommendations on how to make emailing secure and private as much as possible.
2.1 Use encryption to protect your email messages. The only way to protect email messages from the interception is to encrypt them. There are few techniques to do so.
PGP and S\MIME encryption. Both PGP and S\MIME encryption are used to encrypt message body only, leaving message headers unprotected. PGP and S\MIME can be used if you require end-to-end encryption. Using those methods requires prior agreement between parties, and “public key” exchange should be done before emailing securely.
SSL encrypted connection to mail server. SSL can be successfully used to encrypt email traffic in the whole. SSL encrypted transport prevents from message headers and message body interception on the way to/from the mail server while sending/receiving email. SSL can be used to effectively protect from intercepting your email traffic by ISP or government agencies.
Please note, PGP and S\MIME do not provide anonymity. Even if you encrypt email messages with PGP or S/MIME the message headers still remain open, and will be transferred in clear text through the Internet. You have to understand that unencrypted “To:”, “From:”, “Subject:”, etc. fields may disclose your identity and can contain confidential information. In addition to PGP or S/MIME, SSL connection encryption should be used to protect email message while in transit.
2.2 Use anonymous email services. Your email privacy will depend on your email service provider. Here is a short list of requirements your email services provider should meet:
IP anonymity. Providers mail server should not add the header containing the sender’s IP address. The significance of the IP address for locating of the sender has been dealt with above.
Encryption. Look for email service provider allowing SSL encrypted connection to the server. This will eliminate intermediate snooping. Service should be compatible with PGP and S\MIME message encryption as well.
Email provider mail servers location. Email provider mail servers should be located in a country where electronic privacy is protected by law. Remember, that in jurisdiction where data interception is used by government agencies “anonymous” email services are monitored in a first place.
Anonymous payment options. Anonymous payment options should be present if service is not free.
Do not use free web mail. Using free web mail provides only the illusion of email privacy. Here are five reasons why you should not use free web mail providers:
Great majority of web mail providers, even those claiming to offer anonymous services, will expose your IP address to the recipient should the recipient wish to check the headers of the message to see it. Free webmail servers insert sender IP address into message headers, compromising sender’s anonymity. In spite of the common opinion FREE WEB MAIL IS NOT ANONYMOUS.
Most of free webmail servers do not use SSL encryption to protect customer connection to the web mail interface. In some cases “log in” process can be SSL encrypted, to prevent hackers from snooping your email account password. But all the emails you read or compose online can be intercepted easily, since no encryption is used to protect data transfers.
Message content may be stored uncontrolled in a local browser cache on your HD (hard drive), or in your ISP proxy cache.
You have little or no control on displaying HTML formatted messages.
You will not be able to use PGP or S\MIME encryption to protect confidential data.
And the last but not the least, web mail just is not convenient for business correspondence. Anyone using it knows that.
2.3 Use right email software. Probably the most popular email software is Microsoft Outlook. At the same time, it is the most buggy email software. Most if not all mail viruses that are activated by opening a message (without clicking on attachments) are written to exploit Outlook bugs, and do not affect other email software. There is one more reason to avoid using Outlook: Outlook inserts “Message-ID” headers into an email message that shows the computer network name or ISP domain. In case your computer name contains personal information and cannot be changed (by company network policy for example) you should not use Outlook for private correspondence. Fortunately, there are many powerful email applications on the market to choose from. Please visit our “Privacy Tools and Resources” page for the list of recommended email software.
2.4 Take care of your local computer security. Anti Virus software should be used to protect your computer from viruses sent by email. Email is the main source of virus infections, and ignoring anti virus protection can cause serious damage to the data stored on your computer. Please read more on how to choose anti virus software at our “Computer Security” page.
2.5 Configuring email software properly.
Misconfigured email software can cause serious problems. Here is a small list to check before you start using it:
Disable “return receipts” feature in your email software. Most of email applications have default settings to send receipts.
Always clean “Trash” folders. Messages you thought you had deleted are simply moved to the “Trash” folder by email software, and will remain on your hard drive.
Make sure you have set email software to delete downloaded messages from mail server. If not configured, messages are only marked as “deleted”, but not physically deleted from the server.
Disable displaying HTML content in email window. Disabling it will protect from web bugs. Unfortunately it is inconvenient to disable displaying HTML content, since it is widely used in personal emails and mailing lists. You may use web anonymity tools to protect yourself from web bugs. Read our “Anonymous Surfing” page for more details on web anonymity.
Adjust your computer clock if time zone in message headers is pointing to your location.
Always have in bookmarks support page for your email software and check it for security patches and upgrades from time to time. All security problems with email software should be solved immediately: as practice shows viruses exploiting new bug will be released on the second day the bug report became public.
Before we go to practical recommendations on how to secure your browsing let us explain browsing process flow and define the potential risks.
Browsing process flow
When you enter website address (www.someweb.com for example) in the browser “Address” field and click “Go”, your browser performs the following steps:
Browser will try to resolve the domain name into IP address. To do so, it will send the following request to Domain Name Server (DNS): “give me IP address for the host www.someweb.com ”. DNS will reply something like this: “IP address for the host www.someweb.com is 192.168.3.1”
Browser will try to establish TCP connection to the www.someweb.com web server IP address 192.168.3.1.
Server will accept connection, and store your IP address, i.e. the address from which the request was sent, in logs.
After the connection has been established, browser will send the following query to the server: “GET /”. With this request browser will send some additional details, like his capabilities (browser software type and version, accepted file types, your preferred language, your operating system) and some additional info: referrer website address (in case you have followed this link from some website) and cookies (if any). It has to be noted that all this information will be stored in server logs as well.
Server will reply with some header data (which can contain cookies) and page text in HTML format and close the TCP connection.
Browser will format the HTML and show it to you in the window.
Let us sum this up. Making a click in your browser window you have advised the server owner the following details: your IP address, browser software type and version, file types your browser will accept, your preferred language, your operating system, what site or web page you have visited before. Additionally, you have passed cookies intended for this site and accepted cookies from this site. Later in this article we will explain how safe or unsafe was to pass all this data.
Some potential risks associated with browsing
1. IP address anonymity
Web browsing, as any other Internet activity, will give away your IP address to the web site owner. Giving the IP address is the same as to give your home address, and if privacy is important for you, you should avoid passing the IP to webmasters. There are various techniques to hide IP address: web redirectors, proxy, socks, VPN tunneling. Unfortunately, not all of them are safe and reliable. The most common and most dangerous way to hide your IP is using free proxy service. To learn more about IP address anonymity and about how important it is to hide IP address please read our “Internet Privacy”. In the “Data interception” article we have compared the IP anonymity and data protection technologies used.
2. Data interception.
As we explained in “Data interception” chapter, when accessing non-encrypted pages all the data your browser and web server exchange (i.e. website visited, data passed to that site) can be easily intercepted. In some cases even SSL encrypted connection can be intercepted and monitored. We can refer to the well known “man-in-the-middle” attack against some poor SSL implementations (see article http://www.pcworld.com/news/article/0,aid,103892,00.asp). You can avoid data interception only by using third party services. There are two methods to encrypt your traffic: using proxy through the SSH, or using VPN tunneling service. You may read more on pros and cons of using the above methods in our “Data interception” page.
To configure your browser security settings, start Internet Explorer, choose “Internet Options…” from “Tools” menu and select “Security” tab. Here you will be able to assign websites to zones and tweak security settings for these zones. For example, you use yahoo.com for mailing, trade on eBay.com and shop on amazon.com. You can add yahoo.com, ebay.com and amazon.com to the “Trusted sites”, and set “High” security level for any other sites, e.g. for the “Internet” zone. Default security settings for the zones are reasonable, but if you need more control click on “Custom level” button to configure security level details for the chosen zone. Click “OK” to exit “Internet Options” menu.
Now a few words about cookies. Cookies are the special strings sent by server to your browser and stored locally at your hard drive. Usually cookies are “addressed” to some website, e.g. cookie “www.someweb.com: HelloWorld” will instruct your browser to pass to the server the string “HelloWorld” when you visit www.someweb.com web site. Also, cookies have “time to live”, i.e. time they are stored in your system. Basically, there are two kinds of cookies:
Session cookies. Session cookies are addressed for one site only, with limited “time to live” value. They are used to keep the web session data, in web shops for example, and it is safe to use them. In many cases, you will not be able to use a web shop or a banking site if you have cookies disabled.
“First party” and “Third party” cookies. They are designed to keep data for the time longer then one web session. In most cases they can be disabled without loosing the web site functionality. “Third party” cookies are inserted by one web site to be passed to some another, and are the most privacy dangerous.
There is a simple method to deal with cookies. Internet Explorer and many other browsers like Mozilla or Opera can be configured to block cookies. Here we will explain how to configure Internet Explorer to block undesired cookies.
To configure cookies behavior, start Internet Explorer, choose “Internet Options…” from “Tools” menu and select “Privacy” tab. Using the slider you will be able to set cookies privacy options for websites in “Internet” zone. You may set “Block All Cookies” to block all cookies from all web sites. Please note, cookies from web sites in “Trusted sites” zone will be accepted. To delete all the stored cookies select “General” tab and click “Delete Cookies…” button. New window will appear. Click “OK” to delete cookie files. Click “OK” to save the changes. Click “OK” to exit “Internet Options” menu.
5. Other data passed by your browser
When passing the request for a web page, your browser will give some details on your operating system and browser capabilities to the web server. For example: “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”. Is this dangerous? We believe it is not. There are millions of Internet users who are using Windows XP operating system and almost all of them are using Internet Explorer for browsing. But this data can be used by malicious script code you have downloaded with a web page. To protect your computer, simply disable dangerous features for the not trusted web sites as described above. Among the operating system details, your language preferences are passed to the web server. If you are using German language as your operating system language, web server will be able to determine this. It is quite simple to change your language settings.
To change the language setting, start the Internet Explorer, choose “Internet Options…” from “Tools” menu, select “General” tab and click “Languages…” button. New window will appear. If you would like your browser to pass only “English” language preference, highlight all the “Language” values except “English” and press “Delete” button. Click “OK” to save the changes. Click “OK” to exit “Internet Options” menu. From now, the browser will pass only “English” as preferred language.
6. Temporary Internet Files
Browsers are storing the web pages you have viewed on computer hard drive in cache files. Anybody having physical access to your computer can examine your browser cache, browser history to find out what sites were accessed, what pages were viewed and when. Examining cookie files allow finding the data passed to the websites in many cases. Unfortunately it is not always possible to disable storing cookies and temporary Internet files. Even using special cleaning applications is not 100% safe: cleaning applications will not be able to delete the files during the system crush. The most effective method to protect temporary files is to encrypt data on your hard drive. On our “Computer Security” page in “Hard drive data protection” section we have described the most convenient methods to hide cached files from prying eyes.
If your security requirements are not too high, and you consider not to use hard drive encryption, all cached web pages and stored cookies can be easily deleted by yourself using built in Internet Explorer tools.
To delete all the stored cookies start Internet Explorer, choose “Internet Options…” from “Tools” menu, select “General” tab and click “Delete Cookies…” button. New window will appear. Click “OK” to delete cookie files.
To delete all the temporary (cached) files, click on “Delete Files…” button. New window will appear. Check the “Delete all offline content” check box and click “OK” button to delete cached files.
To delete browser history, click on “Clear History” button. New window will appear. Click “Yes” button to confirm. Click “OK” to exit “Internet Options” menu.
A few words about various services promising to “block all the dangerous content”. Most of the above services are using proxies, which allow filtering out dangerous content like Java, ActiveX, cookies. The problem is that code and cookies are filtered out for all the sites and customers cannot control this proxy behavior. If you filter out cookies and Java you will not be able to browse most of the web sites. Some web redirectors allow controlling cookies per site, but redirector service has other limitations that can make browsing process inconvenient (you may read more on web redirectors on our “Internet Security Solutions” page). In our opinion it is more convenient to control all the browsing aspects by using browser built in security options. This will allow making your browsing safe without loosing usability.