The present disclosure relates to communications networks, and, more particularly, to enhancing the security and/or privacy of network communications for subscribers to a network service.
Communications networks are widely used for nationwide and worldwide communication of voice, multimedia and/or data. As used herein, communications networks include public communications networks, such as the Public Switched Telephone Network (PSTN), terrestrial and/or satellite cellular networks and/or the Internet.
The Internet is a decentralized network of computers that can communicate with one another via Internet Protocol (IP). The Internet includes the World Wide Web (WWW) service facility, which is a client/server-based facility that includes a large number of servers (computers connected to the Internet) on which Web pages, applications and/or files reside, as well as clients (Web browsers), which interface users with the remote servers. Specifically, Web browsers and software applications send a request over the WWW to a server, requesting a Web page identified by a Uniform Resource Locator (URL), which notes both the server where the Web page resides and the file or files on that server which make up the Web page. The request includes the IP address of the client. The server then sends a copy of the requested file(s) to the IP address associated with the client, and the Web browser at the client terminal displays the Web page to the user. Other types of interaction are possible. For example, a file can be requested from a remote file server, data can be requested from an application on a remote server, etc. In any such exchange, the remote server must be supplied with an address to which the response should be sent.
The topology of the World Wide Web can be described as a network of networks, with providers of network services called Network Service Providers, or NSPs, or Internet Service Providers (ISPs). Servers that provide application-layer services may be referred to as Application Service Providers (ASPs). Sometimes a single service provider provides both functions.
Considering the public accessibility of the Web, individuals, groups, and organizations may be concerned with privacy and the protection of sensitive and/or private information. As such, reasonable protections may be used when transmitting such information over the Web. Yet, in some cases these protections may fail, and sensitive information may be undesirably stolen, lost, or otherwise disseminated so as to be obtainable by unauthorized third parties. Furthermore, it is often the case that a user does not know who is operating the server with which the terminal is communicating. For example, a user seeking to download a particular file could be redirected, via a hyperlink, to a server that is unaffiliated with the site the user was visiting. In some cases, a malicious web server may attempt to download a virus, or other malicious software to the user's terminal.
One aspect of WWW communications is that such communications are “stateless,” in that each request from a terminal at an IP address to a server is treated as a separate request that is independent of other requests from the same IP address. This simplifies server design because the server does not need to dynamically allocate storage to deal with conversations in progress or worry about freeing it if a client dies in mid-transaction. However, because the connection is stateless, it may be necessary to include more information in each request. Furthermore, some types of transactions are difficult to conduct in a stateless environment. For example, online shopping requires the server to be able to keep track of a customer's state from one request to the next, so that the server can keep track of items in the customer's shopping cart, whether the customer has checked out yet, what billing information is to be used, etc.
In order to provide state information for a WWW transaction, WWW protocols provide for the use of “cookies,” which are strings of data that are stored at the client terminal. A WWW server can place a cookie on a client terminal. The server keeps track of the contents of the cookie and the IP address at which it was stored. When a request is sent to the server, the cookie is sent, unchanged, to the server along with the request. The server can thereby associate the request with a session, and provide an appropriate response to the request.
Accordingly, cookies can be used for a number of purposes, including authentication, session tracking (state maintenance), and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts. Moreover, some websites are designed to be highly interactive, and can only be accessed with full functionality if the client is configured to accept cookies.
Cookies can also be used as a means of tracking user behavior. For example, a server can keep track of a user's activities by recording them and associating them with a cookie stored on the user's terminal. By aggregating information over time, a server can build a profile of the user, or at least of the behavior of those users that use a particular terminal. In many cases, this information can be used for the benefit of the user, by permitting the server to provide customized services or offers to the user. However, this information can also be used maliciously, and can in some cases be viewed as an invasion of privacy. In any case, many users simply do not wish to have possibly unknown third parties collecting information about them over the Internet.
Furthermore, many times, the associations of WWW behavior with a particular IP address is erroneous, as the IP address of a terminal can change over time. For example, ISPs have a pool of IP addresses that can be dynamically assigned to terminals. A subscriber who has a laptop computer can be assigned one IP address when connecting to their ISP at home and another IP address when connecting at a remote location. Thus, when associations are based on IP addresses, servers can inadvertently associate browsing behavior of one subscriber with another.
While cookies may only be sent to the server that set them, or one in the same Internet domain, a Web page may contain images or other components stored on servers in other domains. Cookies that are set during retrieval of these components are called third-party cookies. Third party cookies may be particularly troublesome for some users, as they can be used to track the actions of a user across many different servers.