It has been a year since I have talked about securing browsers against privacy invasion. In that time, things have got worse, not better. In addition to the threat of malware and malicious scripts, we have the frightening new evercookie. Leaving the criminal misuse of tracking for a later date, there is plenty to worry about …
"Because of a peculiarity of how the Chrome AdBlock works, you need to tweak it to protect yourself from tracking."
Wait, something for Chrome (by Google) has to be fiddled with to protect your anonymity and keep people from tracking your web habits? I am shocked, *SHOCKED* I say, to read this.
I am shocked, *SHOCKED* I say,
when I think about how many of the "Generation M" probably don't know the origin of that meme.
Not directed at Armando 123, just a general observation.
The grey one sharing a hook with my fedora.
I'll be at Rick's if anybody needs me.
I am not convinced that any amount of tweaking does the job. It's made by Google, so why wouldn't it have backup surveillance systems? If those systems don't exist yet then they will no doubt be introduced through the many silent updates.
I'm surprised you didn't mention the incognito (pr0n) mode most browsers have these days.
I thought p0rn mode only stopped your dirty habits from being recorded in your history?
Those modes are designed to keep your doings hidden from the other people using the same computer, or potentially from hackers or investigators who gain remote or direct access to the machine. They don't enhance your anonymity in any other ways.
When it comes to computers, there are two types of privacy: privacy from those with access to your computer, and privacy from internet companies who monitor everything. These two types are almost entirely unrelated. I wish people would stop conflating them.
These blockers also reduce functionality (like remembering where you've been, or you having allowed NoScript a script on a given page, etc), so it's not a practical solution to be surfing like it's 1999 on a routine basis.
Social media blockers
I think if you want to protect your privacy that you absolutely have to block these in addition to ads.
I wonder if someone has an add-on that detects requests to these +1 / Like scripts (e.g. https://apis.google.com/js/plusone.js) and replaces the content with a little placeholder which you must explicitly click to enable the script to be included for that site or page.
You can also handle this threat by not joining any social media sites.
I haven't joined Facebook, but that doesn't matter. If I don't specifically block their servers, they get to put their little icon on most of the sites that I may browse to. Facebook can then log all the sites that I visit (even though I am not a member), so they can put together a history of my browsing. They can then do what they want with that (even though I'm still not a member).
However blocking their domains solves that problem, plus the ages it takes to load all the useless Facebook comments about how space probes missed Mars because our theories of gravity are wrong, or similar drivel.
Whether you join a social media site or not is irrelevant. These scripts are still handing out cookies and still tracking you. True, if you are not a member of a site they cannot precisely track you. But it can still be used to deliver targeted ads, affect search results, ad keywords that build up over time. And we've seen with the likes of never-cookie research that Facebook, Google et al could restore a cookie a lot of the time and you would never know. I bet just looking at the IP address range and a fingerprint of your browser's public settings (screen res, fonts, plugins etc.) would reinstate a cookie 99.99% of the time.
NoScript would work to block the scripts but I imagine sometimes the +1 / Like have a use so I would prefer to see something which puts a placeholder where the Like / +1 would go and if you chose to click on the placeholder, *then* it would pull the script in. i.e. unless you click you don't get the script and no script = no cookie.
It's called ShareMeNot
I think it's in the article.
The nicest thing about Ghostery (beyond the blocking) is that it visually lets the user know just how many trackers a page is using - a frighteningly high number on some sites! I expect other tools have similar capabilities.
Getting non-experts educated and aware of the issue is an important part of the process and it soon wakes them up to what they would not otherwise see.
Thank you, looks like a useful addon, will be watching what it does with interest.
Interesting... Looks ok.... But..., wait... What's this? Their home page contains tracking things from Facebook and Twitter?
Is that Irony?
It's funny how one of the things which makes online advertising so annoying (it coming from other domains, usually via rather slow CDNs) makes it so easy to block. If websites served all their image content and advertising content from the same directory adblock would be a lot harder to use...
Good on you though Reg, when's the switch to a subscription model coming then? :)
If the ads...
...did not flash, pop over/under or otherwise distract from the content, I wouldn't block them so hard. Advertisers and ignorant content providers have made this problem. If they play nice, it will go away.
I agree with The Big Yin. I didn't really have an issue with ads until they started interfering with my browsing. The worst are the big semi-transparent things that obscure what you're trying to read, forcing you to hunt for a tiny close button or X to get rid of them. When those got more common, that's when I started blocking ads.
Everybody's tired of hearing about it...
...but NoScript almost completely eliminates those obnoxious ads without blocking the less intrusive ones. I can't remember the last time I had a popover ad while running NoScript. On the other hand, I was on a NoScript-less browser the other day for some reason and ran into a couple of sites with full-page flash ads that had to be closed. I nearly put my fist through the screen.
I don't understand those ads either. Why would you want me rage-quitting the internet because of your ad? Is that what you want me associating your product with?
does anyone read adverts anyway?
to be honest, I don't give a flying fig whether the adverts are for laptops or viagra. I just don't read them
That's what you may think, but not what can easily be shown.
There's so much priming going on, just like product placement on tv/ in movies; and they're terribly effective [as they have to, to justify their cost]. Especially on those who think that it doesn't have an effect on them.
You don't need to read them for them to take over your page or jump out as the cursor inadvertently moves, to obscure your page like an "AC cannot choose icon" distraction. And worst of all the flashing moving ones. But I guess ads and anonymity are different if connected subjects.
NoScript blocks all scripting by default, but it's very easy to unblock specific domains on a particular site. For example, on this page, I allow theregister.co.uk but block doubleclick.net.
I use FF8 FF9 and nightly, Adblock and no script are installed. Google scripts are blocked on principle. Each new site I visit has the minimum number of scripts enabled to show the content.
Google "do no evil" is a joke. Their data harvesting is vast and every new beta product they release is designed to scrape more information about users. To Google we are product, information for their customers, businesses.
It won't happen, sadly, but the world and his dog really should block 3rd party cookies, also, use noscript, use ad block, flag do not track, use the tools suggested in the article.
This could kill off many advertisers, the intrusive ones at least.
Another trick, click on the "click through" adverts, give google some money in the short term, don't buy anything... make the click through advertising system worthless, persuade the customers, businesses, that they are wasting their time.
(BTW.. the internet is so much cleaner with noscript and ad block running, pages don't have the messy flash crud blinking up, down and across them)
I am always surprised at just how different the web looks when I use a browser without NoScript - UGH, is this what the plebs deal with I say rhetorically? It's just so ugly.
"In general, cookies are harmless"
As El Reg has just dropped 6 of the little blighters on my PC without my informed consent then I hope the ICO also considers them harmless.
Additional plugins to use...
Another couple of Firefox plugins to think about:
TrackMeNot - issues random search queries to Google et al to obfuscate your actual search queries. Has a "query burst" setting to make queries seem more human. Terms for queries taken from RSS news feeds, so very nice.
ModifyHeaders - some websites use If-Match, If-Modified-Since, If-None-Match, If-Range and If-Unmodified-Since HTTP Etags (http://en.wikipedia.org/wiki/HTTP_ETag) to determine whether you have visited them before, even if your browser history has been deleted. You can stop your browser sending those headers using this (set up a Filter for each of them).
I would also suggest BetterPrivacy, but I think that the new Adobe Flash plugin manager functionality has mainly made it redundant.
"ModifyHeaders - some websites use If-Match, If-Modified-Since, If-None-Match, If-Range and If-Unmodified-Since HTTP Etags (http://en.wikipedia.org/wiki/HTTP_ETag) to determine whether you have visited them before"
Unfortunately, the Modify Headers add-on cannot block the caching headers. The add-on modifies the HTTP headers before Firefox adds the cache headers. To test, connect Firefox to a netcat instance, send it an ETag, and see if it returns it.
One can use an HTTP proxy (e.g., Privoxy) running locally to block these headers instead.
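The check described in the comment above, as an added example that is not part of the original thread: a loopback test server that hands out an ETag and reports which conditional headers the client sends back, so you can confirm whether a header filter is working. The names `strip_validators`, `EchoHandler`, `run_check`, the ETag value and port 8000 are assumptions made for this sketch.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Conditional request headers named in the thread. A client that sends any of
# them is handing back cache validators a server gave it on an earlier visit.
VALIDATOR_HEADERS = ("If-Match", "If-Modified-Since", "If-None-Match",
                     "If-Range", "If-Unmodified-Since")
TEST_ETAG = '"constructed-test-tag"'  # constructed value, not a real identifier


def strip_validators(headers):
    """Drop the conditional headers, as a filtering proxy rule would."""
    blocked = {h.lower() for h in VALIDATOR_HEADERS}
    return {k: v for k, v in headers.items() if k.lower() not in blocked}


class EchoHandler(BaseHTTPRequestHandler):
    seen = []  # one dict per request: the validators the client sent back

    def do_GET(self):
        returned = {h: self.headers[h] for h in VALIDATOR_HEADERS
                    if self.headers.get(h) is not None}
        EchoHandler.seen.append(returned)
        body = ("validators returned: %r\n" % returned).encode()
        self.send_response(200)
        self.send_header("ETag", TEST_ETAG)
        self.send_header("Cache-Control", "no-cache")  # cache, but revalidate
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def run_check(client_headers):
    """Serve one request on a free loopback port; return the leaked validators."""
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    conn.request("GET", "/", headers=client_headers)
    conn.getresponse().read()
    conn.close()
    worker.join(5)
    server.server_close()
    return EchoHandler.seen[-1]


if __name__ == "__main__":
    # Port 8000 is an assumption. Load http://127.0.0.1:8000/ twice in the
    # browser under test; the second response shows what it sent back.
    HTTPServer(("127.0.0.1", 8000), EchoHandler).serve_forever()
```

An empty result on the second load means the validators were stripped before they left the machine; a returned `If-None-Match` means the filter did not catch the cache headers.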
Thanks very much for this exhaustively researched article.
Cookieculler is a dream come true: no cookie is kept apart from the ones I really need and want. Configuring it to do that is a gradual process but quite easy.
Ghostery is, by quite a margin, the best privacy add-on since NoScript, AdBlocker and TorButton. It doesn't conflict with any of those, either, so nothing is stopping you from using them all at the same time. Anonymity is like an onion, after all: several layers of protection are needed.
I have considerable doubts regarding opt-out tools such as TACO, Keep My Opt-Outs, and Firefox's built-in Do Not Track feature. Voluntary regulation of companies usually doesn't work at all, and internet companies seem par for the course. Nothing is stopping those companies from either ignoring or cleverly circumventing the opt-outs.
The final bit of the puzzle is how to prevent them from identifying users by the information contained in user agents and other browser configuration info, as detailed by the Panopticlick project (https://panopticlick.eff.org).
Extensions such as TorButton, User Agent Switcher and Random User Agent attempt to remedy this, but so far remain inadequate.
It's everywhere and insidious
I went to memegenerator the other day and entered what I thought was amusing but politically incorrect to post on a notorious imageboard only to be met with 'would you like to include this on your Facebook?' replete with my username and login ready to ship.
I only made a Facebook so I could get some info from my relatives and have ensured it has as little real life info as possible but it would not be too hard for someone to 'digg' up my real details with a little effort.
It's really become an issue how this has spread across the web and how every other site has access to your personal details. I've since disabled my Facebook apps and changed some settings, used cookie culler to clear cookies and now make sure I am logged out of Facebook when not in use. But this really should not be required in the first place!
Now to tackle Google (yeah right. Fat chance with that!).
The article mainly talks about tracking your presence around the hintertubes through your browser.
But what if you use multiple browsers.
Mainly I use Firefox when cruising about... but when I want something kept private from the family I use K-Meleon which is installed on a separate (encrypted) drive. Both browsers would track different things and never the twain shall meet.
Or am I just being daft?
Sadly, that is largely wishful thinking. Keep an eye out for Part 2. That article will cover why this is so.
Re: Serious Question
Check out privoxy - blocking is done invisibly by a proxy server rather than a tool in the browser. It allows you to follow links it blocks if you want.
Unfortunately. . .
you are still browsing from the same IP address. I would expect that correlating different data based on IP is a big part of this game. Or are you using an anonymizer?
How hard do you suppose it is for them to tie the two browsers together? It's the same IP address. What's more, as soon as you've logged into Gmail, Facebook, or any major tracker, they know perfectly well it's both you.
Privoxy has no whitelist feature
I use deviantART a lot. Even if I set up a domain-specific rule that disables all the other rules, I still can't read any messages. The messages page itself comes up but none of the messages are displayed. If Privoxy has a whitelist feature, I haven't found it.
BTW putting the domain in the "No Proxy For" feature in the proxy configuration tab of Preferences does not help. Everything goes through Privoxy anyway. Filed a ticket with Mozilla on this one.
thanks for the shouts
looking forward to part 2 already
Of course what I should have mentioned in the previous post is that when I use K-Meleon I am not surfing anything too dodgy. I would just rather avoid the embarrassed silence when an advertisement for something black and lacy (for the wife not me) comes on ebay when the kids are shopping for DS games.
Never mind the underlying assumption that if you visited site X you are interested in their products as a lifestyle choice.
It couldn't be that you went there to buy product X for someone else whose tastes are definitively not your own.
Data != information.
Avoid Cookie Culler
It blocked a bunch of stuff and subsequently would not unblock it once disabled. Very tough to undo the semi-permanent changes it makes. Other than that, the rest of the tools in the article are great!
Once a cookie is blocked, you have to unblock it not through Cookie Culler but through Firefox's own built-in cookies list ("Exceptions" under privacy settings). The reason for this is that the extension behaves in a subservient way to Firefox's built-in cookie settings and defers to it. All this is explained in the FAQ ( http://cookieculler.mozdev.org/ffaq.html ) but the developer admits that it can be confusing. Still a very good extension IMO.
If you're comfortable editing your hosts file, there are several good lists available for download that block huge numbers of URLs, including advertisers and tracking servers.
Very, very useful. There's one here:
Important to note
that if you are behind a proxy server then the HOSTS file is not used.
In part 2...
We ask why you didn't read part 1...
I chuckled sir. I chuckled hard!
"Government surveillance is usually the threat bantered about, but that isn’t a real concern to me. Governments are notoriously terrible at actually implementing technology."
Well, yes, but they're rather good at exploiting *other people's* technology. Aside from how nasty they are in their own right, a big problem of the very successful systems Google, Amazon, the cable company et al are building to track us all is that they have very little ability to stop quite a lot of governments from demanding to look at their data on any particular person on rather thin pretexts - and, in some cases, preventing the company from even notifying the user (assuming they want to).
This is _already happening_ with facebook and twitter.
Privoxy (www.privoxy.org) is a locally-run, content-modifying web proxy designed to block ads and privacy/tracking issues. More technical to set up and use than most browser plugins (regexes are everywhere!), but offers more control and finesse than, say, NoScript. Among other things, it can block elements by URL pattern, not just host. Exorcises annoyances such as <blink>, onunload events, JS and HTML content cookies, banner ads by size or link, Google/Yahoo/MSN text ads. Can bypass click-tracking redirection URLs. Also removes/edits HTTP headers, including the ETags mentioned by AC 19:52.
Not mentioned in this article are the Flash-based 'zombie' cookies. They can be at least partially dealt with by not loading every Flash object automatically. Some browsers include this as a feature; Safari users can install the ClickToPlugin extension (hoyois.github.com/safariextensions/clicktoplugin).
... and use (because I like) IE9 and have Tracking Protection on. However some sites (Google maps/Finance, Android app market and some retail sites) don't work unless you turn it off.....
Does it really matter?
All you're gonna get is better targeted ads - and there has to be some method of paying for all this free technology you are all using! Privacy my left buttock. Just use common sense, avoid pr0n and generally be good netcitizens and all will be well.