Adversarial Thinking

Low-overhead Paranoid Browsing for Fun and Profit


Companies are investing more effort than ever before in tracking you online, and not just on their own sites. They use the data provided by your browser to build a profile of you that can follow you across the web. In this post, I’ll describe a suite of defensive techniques to push back against this tracking while still being able to enjoy the modern web experience.

Goals

We have two goals:

  • Leak as little information as possible to the sites you visit, while
  • Minimizing the impact on regular browsing behavior as much as possible.

Techniques

Use an anonymizing VPN

I use Private Internet Access which is $40/year, but there are a number of great options, including self-setup VPNs. All my web traffic flows through them, thus denying sites I visit the opportunity to discriminate based on my IP address — perhaps the easiest way for sites to track you.

Your IP address can be used to geolocate you with an astonishing degree of precision. If you’re serious about privacy, be sure to use a VPN. You’ll also want to enable the option that disconnects your network when the VPN isn’t connected to prevent accidentally using an unencrypted connection.

Use Firefox

I love Google Chrome, and it’s been very difficult for me to switch — but using a browser provided by a company whose business model centers around compiling as precise a profile of you as possible is no longer compatible with the goals I outlined above. An excellent example of this is how the default configuration reports a heap of data to Google, while burying the “do not track” setting (which Chrome was the last browser to implement) in “advanced settings” and giving you a warning if you enable it.

I hadn’t used Firefox in years before I switched, but it’s gotten a lot better. In particular, I’m using the UX build (warning: very beta), which has a Chrome-like interface.

Firefox Settings

It’s easy to tune Firefox to maximize your privacy without diminishing your experience.

Privacy

Under the “Privacy” tab in the preferences page, select “Tell sites I do not want to be tracked.” Of course, sites are under no obligation to obey this flag, but it doesn’t hurt to make our preferences clear.

Set the history preference to “Use custom settings for history,” then change “Accept third-party cookies” to “Never.” I’ll let CNET explain why:

So if third-party cookies offer no direct benefit to users and can potentially be a threat, why do all the major browser makers default to allowing sites to leave all the cookies they want on your machine? Because the advertisers are their customers and are at least as important to them as users are.

Continue accepting cookies in general, though. We’ll get to why that’s OK later.

Security

Uncheck “Remember passwords for sites.” We have a better option.

Search Engine

I tried switching to DuckDuckGo but found that after nearly 1.5 decades of using Google the search quality was much poorer. (For example, when searching for the UX build link above, I searched for “firefox UX”, “firefox UX build”, “firefox UX nightly” etc. on DuckDuckGo, none of which produced the result I wanted. One search on Google and the first result was correct.)

If you want a more privacy-respecting engine than Google but can’t give up (most of) Google’s search quality, use Startpage. This site uses Google as a backend for search results.

Block Referer [sic] Header

Type “about:config” in the address bar, then type “referer” in the search bar. Set the network.http.sendRefererHeader value to 0, which will prevent the browser from sending Referer: headers. When you click a link from page A to page B, this prevents B from seeing the URL of A. A few sites use the Referer header for hotlink protection or request checks and may misbehave without it; if one does, restore the default value for that session.

Firefox Addons

Here are some low-impact extensions that can drastically improve your privacy.

LastPass

Fun fact: I don’t actually know the vast majority of my passwords. LastPass is a cross-platform (Windows/Mac/Linux/Android/iOS) password manager that generates and securely stores passwords and form-fill info. It uses client-side encryption to protect your data and allows auto-login and auto-fill. Highly recommended.

HTTPS Everywhere

Automatically and silently redirects you to HTTPS on many popular sites. Easy. This is how the web should work.

Self-Destructing Cookies

Deletes cookies for a site as soon as you close the tab. You’ll want to whitelist sites you want to stay logged into, but this is a one-time operation per site. This can go a long, long way towards preventing sites from building a profile of you. This gets you most of the benefit of disabling cookies while still allowing you to log in.

Adblock Plus

Blocks ads and, more importantly, the requests to third-party sites that those ads generate.

BetterPrivacy

Has just one purpose: to disable LSOs (locally stored objects), a type of “super-cookie” used by Flash.

Ghostery

Blocks a wide range of tracking methods, 99% non-intrusively. The default configuration gives you a little popup at the upper right of your browser, which is occasionally interesting (“I had no idea this page felt the need to track me in 12 different ways”). It will occasionally break a page in a non-obvious way (“I feel like there should be comments here…”), but it’s easy to disable temporarily if reading internet comments is your thing. cough

Secret Agent

Cookies aren’t the only way sites fingerprint your browser — one of the most common methods is the user-agent string. This extension randomizes the user-agent string your browser sends on every request, thus spreading your information among a number of different profiles and making you harder to track. It’ll also randomize the HTTP Accept headers.

Unfortunately, the default user-agent list Secret Agent ships with causes problems with sites as their capability-detection mechanisms go haywire (Lynx?!). I’ve created my own list of modern user agents consisting of the most popular browser strings from Firefox, Chrome, and Safari.

Flashblock

Disallows Flash from running by default, replacing Flash applets with a placeholder that runs the applet when clicked. Not only does this protect against malicious (or annoying!) Flash apps, it also prevents sites from using Flash-based fingerprinting methods (such as loading the list of installed fonts). I’ve used click-to-run on Google Chrome for ages and it’s been great.

Out of Scope

There are a number of extensions and options not included here, largely because they have too significant an impact on regular day-to-day browsing. Tor slows down browsing far too much. NoScript and RequestPolicy require user intervention on virtually every page in order to load properly.

Conclusion

You can see the impact of some of these techniques using Panopticlick. If your browser is unique, don’t worry — just check how it changes on each reload, which Secret Agent should help with.

These techniques should allow you to browse the web with greater confidence that companies aren’t tracking you everywhere you go.

Got any other suggestions for low-impact privacy improvements? Tweet me at @ternus.
