Whenever you visit a website your computer shares a lot of information this includes...



IP address of the client computer

ID of the client computer

UserID of the client computer

Date / time when the server finished the file request - day/month/year:hour:minute:second zone

Method used for the file request

File requested

Protocol used for the request

Status returned from server to client

File size returned to client

File referrer - This gives the site that the client reports having been referred from

User agent - This is the identifying information that the client browser reports about itself.



This is mostly done so so the content of the website is delivered to you and is increasingly more important as more people are using devices other than computers to access the internet.



For example, if you're visiting an adaptive web site then knowing some of that information changes the view of the web pages you get or it may forward you to the mobile version of a site.



Nearly all web servers have the ability to keep logs of their visitors and it is usually done to provide analysis of how people use the site and to help improve it.



In some countries, NOT keeping those logs is an offense - http://padawan.info/en/2005/02/keeping-server.html The US is among those countries that insist the log files are to be kept - http://www.mcbride-law.com/2009/12/22/production-of-internet-server-log-files/ - and here's the case that it refers to - http://www.mcbride-law.com/wp-content/uploads/2010/01/Mai-Systems-Corp-v.-Peak-Computer-CASD-1992RAM-discovery.pdf



Google had to do the same thing when it got told to hand over all it's YouTube server records to Viacom in July 2008 - http://www.computerweekly.com/news/2240086443/YouTube-strikes-user-privacy-deal-with-Viacom-over-data-hand-over-in-court-battle - This decision was reversed in June 2010 - http://en.wikipedia.org/wiki/Viacom_International_Inc._v._YouTube,_Inc. and as far as I know still in court somewhere.



From your IP address the web owner cannot get much. Who your ISP is and your approximate location. For some reason my IP address nearly always gives my location as Wichita, Kansas or Rochester, New York. My ISP must have offices in those two places because I don't live in Wichita or Rochester or even Kansas or New York state.



The only people who can match your physical address with your IP address is your ISP and they don't give anybody that information without a court order. Verizon, for example, spent a lot of time and money and went to the Supreme court to ensure that those records are kept safe from anyone else.

1

Of course they know. But who cares? If a website didn't know your IP address, how in the hell are they going to know which one of the 1 billion computers in the world to send the page you want to? People get there panties all-in-a-bunch about IP addresses over nothing! In the USA, the only way to get an ISP to release personal information (name, telephone, address etc.) about a particular IP address is with a Court Order. And Court Orders are usually only given out in the case of suspected serious criminal activity. Don't hold your breath. All someone can determine from an IP address is the general geographic location. Perhaps narrow you down to one in a million people.

This is kind of a grey area in computer law. The "rule of thumb" is that unless they tell you otherwise and get your consent (implied or otherwise) then they can only gather basic information. ISP, geo data, browser name and some settings, screen resolution, java information, etc. The type of information sites gather and how it will be used is usually covered on the site privacy policy. Most of those include a statement that says your use of the site constitutes your acceptance of the posted policy. So it's always a good idea to read them.

When you connect to a website, there is a lot of information that -might- be given up by your computer, just in the act of connecting.

- IP Address. mandatory. This is the only way to communicate; each computer has to know the other one's address. This can lead to information like: Who the service provider is: school, a business, a library.. or an individual who owns the IP. It can give a geographic area, a neighborhood, and - if registered to a business - the registry will have contact info like a Name, Address and Phone number.

Commands or searches that may illustrate this include " traceroute" / "tracert" , "ping" , "nslookup", and "whois".



Your Browser info : a header like " Mozilla 5.0 " tells them your browser [ IE, Firefox, Chrome, Netscape, Opera, Safari.. whatever] and - more info about default language [ English, French, German, Farsi], whether you can see Java, Javascript, Flash, Shockwave, Silverlight, ActiveX, CSS, HTML 5, and other technology.

.. by seeing the browser and version, plus any info about scripting - an educated person can make a pretty good guess about what operating system you are using, whether you patch your software or not, and perhaps more data about where you are.



Cookies: Depending on your browser and your security settings, I might be able to set a cookie.

-- If you are voting on Dancing With the Stars, I want to count that you only vote 10 times a day.

I might be able to read an old cookie that I set -- Places like Amazon, even Yahoo.. that might save your last page looked at, your login name & password, and other data.

In some cases, I might even be able to see cookies from other websites.

-- many folks use programs like "GoodSearch", set up so that every time I search, then click on a link - my charity gets a penny or something like that. The vendor paying the pennies is going to want to be sure that (a) you really came from GoodSearch, and (b) which charity or "referrer ID" gets the credit.

Not only just the cookie from the referring site, but if your browser is really open - then I might be able to read a few cookies and look at a piece of your browsing history.



As far a legally,

_ I am not a lawyer, and I don't play one on the internet._ I am probably crazy. If this is important to you, pay a professional for an educated opinion.. or at least someone you can sue if the advice is bad. _



the laws vary from country to country, Territory/ States, even some counties & cities.

In Most of the US - the web master is required to keep a log of at least the IP address, time, and any transaction information. If they do any financial business, then they are required to preserve a lot more data.

From a sysadmin perspective, saving the IP address, time, browser [ and other info] plus pages accessed helps to prevent or diagnose problems accessing the website.

Collecting cookie data is a privacy issue - but by the time you can read the privacy policy, they already have the cookie info. You then have to opt-out or request that they remove your data.

-- this is not always the case, but frequently it is.



As long as all the website does is passively track what you are doing.. there is no chance they are violating the law. (In my crazy opinion.. US laws) Even if they "ask" What browser? What version? -- and your computer answers.. then that seems pretty straightforward to me.



If they want to gather up all this info and mine it later for marketing, or to streamline the website - that is up to them.



The only thing that they cannot do is ask for and save financial or identifying info without encryption; and they they can only save it as long as required. If a bank wants your SSN or Chcking account numbers to log in - they have to encrypt the whole thing, and they can only save the minimum required to prove they did what they were supposed to . ( CYA- covering your a##).



It goes deeper - if any law enforcement officer says they want info about you in relation to an investigation.. they probably don't need a warrant. Most ISPs will turn over: yes, our subscriber John Doe of 123 Anywhere Place was logged on at 0200 AM, and was assigned IP 192.168.1.123.

... and they are not required to tell you.



Even the plain-old-telephone systems are required to tell you about a wiretap. True!

The wiretap warrant/order has to include a judges' order -NOT- to tell the customer they are being monitored, and that order has to be renewed.. (depends on the State, but probably around every 60-90 days). Once the Judges' order expires - the landline phone company will tell you that XXX law enforcement has been monitoring your phone since MM-DD-YYYY.

Legalities varies by country.

Browsers automatically send some info with each asset request (it's IP; what browser version; on-board fonts; etc.) but depending on the configurations, these basic items can be augmented by milking the browser. Of special note would be the flash cookie.

It's up top users to modify the browser to limit these intrusions.



In the US, almost nothing is off-limits: it they can weasel it out of the browser, it's fair game.

In law theory, they are not allowed to make changes to a system, but that's moot point since implanting anything (like tracking cookies) changes the system, but since you consent to using their site, you agree to their rules, and it's a done deal.

Europe has had some policies in place, and appear to be bolstering things at a slow and steady pace, trying to keep up with the changing technology...a better strategy IMHO.



For some really scary insight into what's being gathered about you or your machine, see these:

http://online.wsj.com/article/SB10001424052748704679204575646704100959546.html



See "What Do Online Advertisers Know About You?": EFF @ https://www.eff.org/related/9199/blog



What can be gleaned from your browsers queries test (EFF test of browser):

https://panopticlick.eff.org/

https://www.eff.org/deeplinks/2009/09/online-trackers-and-social-networks



Visualize what these associations are with this Firefox add-on: http://collusion.toolness.org/



And also note that profiles of you, gained through TCP/IP (Internet) techniques can and are being correlated with non-Internet sources, for instance; DirecTV monitors what you watch &/or record; credit card companies routinely track your spending; large chain stores build profiles of your buying patterns; gas stations monitor your travel habits, and so on.

All these individual items can be added up by 'fusion centers' to just about nail down who you are and your color of underwear.

Go to any website like this one, http://www.ip-adress.com/ip_tracer/

And you can get some basic info also if they are threatening/harassing you, contact the abuse email on a whois lookup on their ip or contact the police/FBI and they can pull a persons information and arrest them etc Also non-legal you can use things such as metasploit to gain root access to their computer.

Interesting question!