Hello, Leo. I occasionally purchase things online. Nothing terribly
important – just the occasional movie or music album. As such, I’ve always
wondered what information is saved on my computer when I do purchase something
online. I’ve read that certain low quality mp3 files can contain purchasing
information and some music retailers include your purchasing information within
the mp3 file whether they are low quality or not.
How big of a privacy concern is that? In the unlikely event that someone
hacked my computer could they find my purchasing info just by scanning my mp3s
with some program?
Another thing I do begrudgingly is I use online banking. I already know of
the concerns of having my account hacked, or my bank being hacked. However that
still leaves me with questions. When I login to my account, obviously I receive
cookies, but what else if anything is saved on my computer? If anything else is
saved on my computer, how would I know and how would I delete it? The same
question applies to my online email accounts.
Last but not least, what problems do I need to fear if I accidentally
close my browser before logging out of my email account? Or something of
similar importance? And does clearing cookies do the same thing as logging
In this excerpt from
Answercast #27, I look at the various things that are downloaded as you use
your computer and what (if any) you should be concerned about.
Downloading purchasing information
Several good questions in here that I think I want to address in general.
I do want to clarify one thing and that’s the definition of this purchasing information you’re concerned about getting stored on your computer or in your mp3 files.
- The short answer is that your credit card information, your payment information, is not stored in any of these places.
Credit card information is actually held to a fairly high standard by the credit companies. Reputable online merchants are not allowed to store it in any way on your computer or even on their own. There are strong rules and regulations to maintain that level of privacy.
Information in mp3 files
So, let’s talk about mp3 files really quickly.
I download, or I should say I purchase my mp3s from Amazon.com. One thing that Amazon does is they allow me to play those mp3s on any device I own; unrestricted. There is literally no restriction on my ability to play those files on any device that I happen to own (that’s capable of playing mp3 files.)
What they do to prevent piracy is they encode the mp3 file with something that identifies the account that purchased the mp3 file.
Now, I honestly don’t know if it is in plain text. If you can just poke around in the mp3 files and see my email address. I would be shocked!
More likely, it is encrypted in some form. It’s information that only Amazon could use to identify the account that purchased the mp3 file.
So for example, if my mp3 file suddenly ended up showing on peer-to-peer file sharing networks (in other words, it was being pirated), then Amazon could come back to me and say, “Hey, we noticed that this mp3 file has an identifier in it that identifies you as the person who purchased it. Why is it on these illegal file sharing sites?”
Privacy is protected
It’s not something to worry about because I’m pretty convinced my privacy is well hidden and that only Amazon could identify who the purchaser of the mp3 file is.
Nothing more than that is going to be in there. Certainly not things like credit card information, or addresses, or any of the billing info and so forth. So, that doesn’t concern me much at all.
Now with respect to online banking, most of what you are concerned about falls into two buckets: cookies and cache.
When you surf the web, in general, web pages are downloaded and they are downloaded into your browser cache so that the next time you visit that page, it’s already in your cache and doesn’t have to be downloaded… over a possibly slow internet connection.
- There are things on your computer that are saved in your internet cache.
The interesting thing is that https connections are not supposed to be cached. If you do all of your banking over an https connection (which you should), then that issue just goes away.
On https://, everything gets downloaded every time. The upside is that the screens that displayed your banking information, for example, are not being saved on your computer anywhere: with one exception I’ll get to in a second.
The other issue is cookies. Cookies are typically the approach that sites use to maintain your login. When you login to a website, they place a cookie on your machine that basically says, “This person has logged in, and they can stay logged in for this amount of time.”
- Cookies can be persistent or not.
Typically, when you close your browser, non-persistent cookies go away. So if you close your browser and come back to your banking site, you will find that you are no longer logged in because that cookie went away.
Persistent cookies are the opposite. They actually persist across the start and restart of your browser. They typically have an expiration time. They’re good for either hours, days, or weeks or in some cases, years.
They are simply pieces of information that are stored on your computer.
Now, the third place (that I alluded to previously) is the paging and hibernation file. This one gets kind of weird.
While you have your web browser up (like viewing a web page, viewing your banking page), if you then hibernate your computer, there is very strong likelihood that the image of that page and everything that was on the screen at the time you hibernated will be placed in the hibernation file – hiberfile.sys.
If this is something that you are concerned about, I strongly recommend you disable hibernation and delete the hiberfile.sys if you find it.
That makes this problem go away.
The final place is your paging file and that only kicks in if memory is low.
- If you’ve got enough RAM in your computer, the paging file will simply not be an issue.
Unfortunately, there isn’t really a whole lot of control you have over that. It’s rare that something like web page cache information, cookies, anything like that would be placed in a paging file: simply because those are normally stored in other place – on your disk cookies and cache. There’s just no need to keep them in a paging file.
So, bottom line is, if you really are concerned about this, then you really only need to do three things:
- Turn off the hibernation file like I mentioned earlier;
- Turn off the hibernation function if it’s available on your computer;
- Clear your cache regularly
Cache and cookies
The cache shouldn’t be a problem for https connections, but there’s nothing wrong in clearing the cache periodically. It will actually speed up your browsing experience a little bit for a while.
Then, finally, go ahead and clear cookies from time to time. There’s nothing wrong with doing that. I don’t personally believe that there’s a lot of sensitive information that’s stored in cookies, but it’s controlled by your bank so we don’t really know what’s stored in a cookie.
In general, they simply store an identifier that says, “This is Leo,” and then they look up the sensitive information on their computers. It’s never actually on your computer. But clearing cookies periodically is absolutely a good thing to do.
I recommend a program called CCleaner to do both the cache and cookie cleaning. It’s safe. It clears the right things.
Clearing cookies changes a lot of things:
You will find that then when you clear cookies, you are clearing cookies for all sorts of applications. I believe CCleaner will let you set up exceptions, but the bottom line is that you may find yourself suddenly logged out from other applications in addition to your banking because you’ve cleared out their cookies as well.
Next from Answercast #27 – How do I see the “Undisclosed recipients” on an email I sent?
3 comments on “How much sensitive information is stored on my computer when I purchase online?”
Hi Leo, CCleaner will let you set up exceptions for cookies you want to keep. I find it easiest to clean all cookies, then as I visit sites I want to keep coookies for I enter them into CCleaner’s list as I go. Eventually the all cookies I want to keep are on the list.
I’ve nothing against CCleaner, but you can tell Firefox or Opera to clear all new cookies when the browser is closed, and at least in Opera, you can specify exceptions.
In Google Chrome the Clear Browser tool lets you clean the cookies. Click on the Tools/Settings/Show Advanced settings/Privacy/Content Settings/All Cookies and Site Data. Here you can delete any cookies you do not want. Some of the cookies make life easier. But the cookies can build up fast. I routinely go here and delete unwanted cookies.
In IE9 you can also delete unwanted cookies by going to Tools/Browsing History/Settings/ View Files. It is easier to differentiate cookies from other stuff if you do a Delete of the Browser History first. Then you can select the cookies you do not want and delete them.