The Register Guide on how to stay anonymous (part 1) It has been a year since I have talked about securing browsers against privacy invasion. In that time, things have got worse, not better. In addition to the threat of malware and malicious scripts, we have the frightening new evercookie. Leaving the criminal misuse of tracking for a later date, there is plenty to worry about …
"Because of a peculiarity of how the Chrome AdBlock works, you need to tweak it to protect yourself from tracking."
Wait, something for Chrome (by Google) has to be fiddled with to protect your anonymity and keep people from tracking your web habits? I am shocked, *SHOCKED* I say, to read this.
Those modes are designed to keep your doings hidden from the other people using the same computer, or potentially from hackers or investigators who gain remote or direct access to the machine. They don't enhance your anonymity in any other ways.
When it comes to computers, there are two types of privacy: privacy from those with access to your computer, and privacy from internet companies who monitor everything. These two types are almost entirely unrelated. I wish people would stop conflating them.
I think if you want to protect your privacy that you absolutely have to block these in addition to ads.
I wonder if someone has an add-on that detects requests to these +1 / Like scripts (e.g. https://apis.google.com/js/plusone.js) and replaces the content with a little placeholder which you must explicitly click to enable the script to be included for that site or page.
I haven't joined Facebook, but that doesn't matter. If I don't specifically block their servers, they get to put their little icon on most of the sites that I may browse to. Facebook can then log all the sites that I visit (even though I am not a member), so they can put together a history of my browsing. They can then do what they want with that (even though I'm still not a member).
However blocking their domains solves that problem, plus the ages it takes to load all the useless Facebook comments about how space probes missed Mars because our theories of gravity are wrong, or similar drivel.
Whether you join a social media site or not is irrelevant. These scripts are still handing out cookies and still tracking you. True, if you are not a member of a site they cannot precisely track you. But it can still be used to deliver targetted ads, affect search results, ad keywords that build up over time. And we've seen with the likes of never-cookie research that Facebook, Google et al could restore a cookie a lot of the time and you would never know. I bet just looking at the IP address range and a fingerprint of your browser's public settings (screen res, fonts, plugins etc.) would reinstate a cookie 99.99% of the time.
NoScript would work to block the scripts but I imagine sometimes the +1 / Like have a use so I would prefer to see something which puts a placeholder where the Like / +1 would go and if you chose to click on the placeholder, *then* it would pull the script in. i.e. unless you click you don't get the script and no script = no cookie.
The nicest thing about Ghostery (beyond the blocking) is that it visually lets the user know just how many trackers a page is using - a frighteningly high number on some sites! I expect other tools have similar capabilities.
Getting non-experts educated and aware of the issue is an important part of the process and it soon wakes them up to what they would not otherwise see.
It's funny how one of the things which makes online advertising so annoying (it coming from other domains, usually via rather slow CDNs) makes it so easy to block. If websites served all their image content and advertising content from the same directory adblock would be a lot harder to use...
Good on you though Reg, when's the switch to a subscription model coming then? :)
I agree with The Big Yin. I didn't really have an issue with ads until they started interfering with my browsing. The worst are the big semi-transparent things that obscure what you're trying to read, forcing you to hunt for a tiny close button or X to get rid of them. When those got more common, that's when I started blocking ads.
...but NoScript almost completely eliminates those obnoxious ads without blocking the less intrusive ones. I can't remember the last time I had a popover ad while running NoScript. On the other hand, I was on a NoScript-less browser the other day for some reason and ran into a couple of sites with full-page flash ads that had to be closed. I nearly put my fist through the screen.
I don't understand those ads either. Why would you want me rage-quitting the internet because of your ad? Is that what you want me associating your product with?
I use FF8 FF9 and nightly, Adblock and no script are installed. Google scripts are blocked on principle. Each new site I visit has the minimum number of scripts enabled to show the content.
Google "do no evil" is a joke. Their data harvesting is vast and every new beta product they release is designed to scrape more information about users. To Google we are product, information for their customers, businesses.
It won't happen, sadly, but the world and his dog really should block 3rd party cookies, also, use noscript, use ad block, flag do not track, use the tools suggested in the article.
This could kill off many advertisers, the intrusive ones at least.
Another trick, click on the "click through" adverts, give google some money in the short term, dont buy anything... make the click through advertising system worthless, persuade the customers, businesses, that they are wasting their time.
(BTW.. the internet is so much cleaner with noscript and ad block running, pages don't have the messy flash crud blinking up, down and across them)
Another couple of Firefox plugins to think about:
TrackMeNot - issues random search queries to Google et al to obfuscate your actual search queries. has a "query burst" setting to make queries seem more human. Terms for queries taken from RSS news feeds, so very nice.
ModifyHeaders - some websites use If-Match, If-Modified-Since, If-None-Match, If-Range and If-Unmodified-Since HTTP Etags (http://en.wikipedia.org/wiki/HTTP_ETag) to determine whether you have visited them before, even if your browser history has been deleted. You can stop your browser sending those headers using this (set up a Filter for each of them).
I would also suggest BetterPrivacy, but I think that the new Adobe Flash plugin manager functionality has mainly made it redundant.
"ModifyHeaders - some websites use If-Match, If-Modified-Since, If-None-Match, If-Range and If-Unmodified-Since HTTP Etags (http://en.wikipedia.org/wiki/HTTP_ETag) to determine whether you have visited them before"
Unfortunately, the Modify Headers add-on cannot block the caching headers. The add-on modifies the HTTP headers before Firefox adds the cache headers. To test, connect Firfeox to a netcat instance, send it an ETag, and see if it returns it.
One can use an HTTP proxy (e.g., Privoxy) running locally to block these headers instead.
Thanks very much for this exhaustively researched article.
Cookieculler is a dream come true: no cookie is kept apart from the ones I really need and want. Configuring it to do that is a gradual process but quite easy.
Ghostery is, by quite a margin, the best privacy add-on since NoScript, AdBlocker and TorButton. It doesn't conflict with any of those, either, so nothing is stopping you from using them all at the same time. Anonymity is like an onion, after all: several layers of protection are needed.
I have considerable doubts regarding opt-out tools such as TACO, Keep My Opt-Outs, and Firefox's built-in Do Not Track feature. Voluntary regulation of companies usually doesn't work at all, and internet companies seem par for the course. Nothing is stopping those companies from either ignoring or cleverly circumventing the opt-outs.
The final bit of the puzzle is how to prevent them from identifying users by the information contained in user agents and other browser configuration info. , as detailed by the Panopticlick project ( https://panopticlick.eff.org )
Extensions such as TorButton, User Agent Switcher and Random User Agent attempt to remedy this, but so far remain inadequate.
I went to memegenerator the other day and entered what I thought was amusing but politically incorrect to post on a notorious imageboard only to be met with 'would you like to include this on your Facebook?' replete with my username and login ready to ship.
I only made a Facebook so I could get some info from my relatives and have ensured it has as little real life info as possible but it would not be too hard for someone to 'digg' up my real details with a little effort.
It's really become an issue how this has spread across the web and how every other site has access to your personal details. I've since disabled my Facebook apps and changed some settings, used cookie culler to clear cookies and now make sure I am logged out of Facebook when not in use. But this really should not be required in the first place!
Now to tackle Google (yeah right. Fat chance with that!).
The article mainly talks about tracking your presence around the hintertubes through your browser.
But what if you use multiple browsers.
Mainly I use Firefox when cruising about... but when I want something kept private from the family I use k-mellon which is installed on a separate (encrypted) drive. Both browsers would track different things and never the twain shall meet.
Or am I just being daft?
I use deviantART a lot. Even if I set up a domain-specific rule that disables all the other rules, I still cant read any messages. The messages page itself comes up but none of the messages are displayed. If Privoxy has a whitelist feature, I haven't found it.
BTW putting the domain in the "No Proxy For" feature in the proxy configuration tab of Preferences does not help. Everything goes through Privoxy anyway. Filed a ticket with Mozilla on this one.
looking forward to part 2 already
of course what I should have mentioned in the previous post is that I am when I use k-mellon I not surfing anything too dodgy. I would just rather avoid the embarrassed silence when an advertisement for something black and lacy (for the wife not me) comes on ebay when the kids are shopping for DS games.
Once a cookie is blocked, you have to unblock it not through Cookie Culler but through Firefox's own built-in cookies list ("Exceptions" under privacy settings). The reason for this is that the extension behaves in a subservient way to Firefox's built-in cookie settings and defers to it. All this is explained in the FAQ ( http://cookieculler.mozdev.org/ffaq.html ) but the developer admits that it can be confusing. Still a very good extension IMO.
"Government surveillance is usually the threat bantered about, but that isn’t a real concern to me. Governments are notoriously terrible at actually implementing technology."
Well, yes, but they're rather good at exploiting *other people's* technology. Aside from how nasty they are in their own right, a big problem of the very successful systems Google, Amazon, the cable company et al are building to track us all is that they have very little ability to stop quite a lot of governments from demanding to look at their data on any particular person on rather thin pretexts - and, in some cases, preventing the company from even notifying the user (assuming they want to).
This is _already happening_ with facebook and twitter.
Privoxy (www.privoxy.org) is a locally-run, content-modifying web proxy designed to block ads and privacy/tracking issues. More technical to set up and use than most browser plugins (regexes are everywhere!), but offers more control and finesse than, say, NoScript. Among other things, it can block elements by URL pattern, not just host. Exorcises annoyances such as <blink>, onunload events, JS and HTML content cookies, banner ads by size or link, Google/Yahoo/MSN text ads. Can bypass click-tracking redirection URLs. Also removes/edits HTTP headers, including the ETags mentioned by AC 19:52 .
Not mentioned in this article are the Flash-based 'zombie' cookies. They can be at least partially dealt with by not loading every Flash object automatically. Some browsers include this as a feature; Safari users can install the ClickToPlugin extension (hoyois.github.com/safariextensions/clicktoplugin).
You can't get any better at targetting ads at me than just doing it randomly. Seriously. Do not want. Have never ever bought something because I saw it in an ad. The ad could be for a brand new life extending pill that also make you handsomer and that's just gone on sale for 95% off, and I would pass right by it or get up to use the bathroom while it played. I don't want to know about any "product" unless I am out looking for it, just make it convenient for me to find the information WHEN I WANT IT and that's the best you can do. If you try to cram information down my throat just because you think I might be interested you are pissing in the wind at best, more likely planting the seed of annoyance with your "brand" in my head.
"All this free technology" - so everything isn't hugely more expensive because of all the utterly ridiculously pointlessly retarded amount of resources that go into marketing in all its parasitic forms? The unholy triumvirate of financial and legal and promotional, doing their best to make capitalism into way more of an unworkable joke collapsing under its own weight than communism ever was.
Increasingly though, you're being forced to hand over your data. For example, I blocked Google on my network to see what difference it made and found a number of websites could no longer be used. They outsourced searching of their site and captchas used for posting on their site, to Google. So you could sort of use their sites so long as you didn't want to leave a comment or search their articles. Another case is Disqus or other methods of outsourcing discussions on a site. Used to be that you could register on a site and leave a comment. Now its outsourced and if you register on one site, you visit a completely unrelated site and suddenly find you're already logged in under your Disqus identity. Instant loss of privacy!
Good article.
"blocking advertisements altogether deprives the websites you love of the revenue they need to survive"
True. I use AdBlock on The Register. If you banned animated adverts, I'd be happy to turn it off again. I don't mind advertising, but I do mind distractions from what I'm trying to read.
A great article. Many thanks. It's articles like this that make you sit up and think again.
Unfortunately I'm not sure how far I'll get. In the real world, a lot of these privacy features can get in the way of convenient browsing. I got fed up with NoScript when I had to do yet another whitelist exercise on the 99th website that's not working properly.
Then there are the niceties, when the website automatically does something for you. Scary invasion of privacy? Probably. Is it nice and convenient? Definitely.
This is all down to my laziness and technical ineptitude, which is my loss. And the advertiser's gain :-(
I do wonder why every single time people mention the invasion of privacy by tracking every single movement on the web or using the inprivate browsing somehow means we must all be visiting p0rn websites?
Do we really need to have our purchases and movements known to all websites? No is the answer and bravo the folk who write the excellent addons and extensions to block this insidious work to track browsing sessions. <applause>
Yes it really annoys me that I am simply another product to these scumbags but what really gets on my nerves is that all the fun of discovery is taken out of life. With brand recommendations I am held in a narrow field of interest and could miss out on seriously interesting things but "the machine" determines I am happier without any surprises.
I got into heavy metal simply because my mate's brother wouldn't lend me his Iron Maiden album way back when, so I simply went and bought it. I had absolutely no idea what to expect, I was used to the Moody Blues and a little bit of C&W and 60's rock my parents listened to. Being a rebellious sort of 12 year old I simply took a chance with my pocket money and entered into an amazing world which I am still more than happy to be in 28 years later! If I hadn't taken a leap of faith but stuck with what I knew best, I would never have known the wonders of thrash, death and black metal.
I took up archery as a hobby when I was 8 years old simply because we happened to flick through the TV channels one day and my mum asked if fancied trying it. 7 years later I was in the Great Britain Youth squad training to shoot at international level. Just one of life's flukes that lead me off on another of life's wonderful journey's.
I fear for the new generations, they will be locked into little comfort zones, unwilling to simply try something for a laugh and see where it leads. I just hope the arrogance of youth is enough to push through the bullshit, if not then life is going to be come a whole lot more boring.
"blocking advertisements altogether deprives the websites you love of the revenue they need to survive."
I see what you did there.
However I take the typical "If a tree falls and no one is around, does it make a sound?"
In translation. "If I'm not swayed by adverts at all, so will never click on them, whose harmed if I block the ads?"
I'm sure there are many sites that supplement or generate total income through PPC ad revenue. But they make nothing from me directly. Never have, never will.
And while it would pain me to lose a site to a financial defecit, I've got to be honest, I'm quite fickle and just google the subject matter until I find another suitable site.
Additionally, I have to second Big Yins comment about advertisers using underhand tactics to have their ads displayed, only makes me more determined to block them.
With that in mind ,I've found I only ever need to use noscript for all my blocking needs.
If you visit the Better Privacy website (see the link in the article) it WILL NOT let you see anything if you have the "Do Not Track" feature enabled. Just a page telling you the feature is enabled and a picture of a pretty girl next to some marketing crap. You MIGHT be able to get in using the "help us understand" feature but my take is any site that won't show me its content without allowing some sort of tracking is not worth my time figuring out how to get around their demand.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
