Tuesday, July 03, 2012

Basic Privacy Precautions on the Web

As vividly described in a Wall Street Journal article, nearly every action you take on the Web is being monitored by companies you've never heard of, attached to your real identity, and sold. A Firefox plugin lets you watch as these companies track you across the web, with the conscious (and paid-for) assistance of many websites you frequent. What they know includes the exact times you click on links, what you buy, and what you type into search bars and other text boxes. If you need more discussion about why this is a bad thing, here's an excellent analysis of the threat of web tracking for anyone who is politically active. These companies are learning what political causes you care about, what your guilty pleasures are, what you're afraid of, what medical conditions are on your mind, who your friends are, and what types of advertising best trigger you to buy something.

That's unless you take a few steps to fight the most common methods of tracking. You can implement all of these within a few minutes, for free, and without changing your browsing experience much. However if you find that a website isn't working properly, you could always use a different browser to see if one of these modifications was the problem.

1. Use Firefox as your web browser. It's popular, which means that it has a large number of custom plug-ins available (like the ones I talk about below), and it is open source, which means that its inner workings are accessible to experts to review it for security and privacy problems. This open source property probably also attracts more privacy-minded people to write plug-ins for it.

2. Block third party cookies. Third party cookies are the most common way that advertising companies track you from site to site, by placing a little piece of text on your computer that identifies you when you pop up on the next site (and which is connected to your real identity if one of the sites requires you to enter your real name or password) As of the present version of Firefox, go to File -> Preferences, choose the Privacy tab, and uncheck Accept third party cookies.

3. Delete all cookies when closing Firefox. This provides some protection from websites recognizing you on returning to them. For example, if you buy something from Amazon.com, you may want to return to the web page to browse items without Amazon being able to associate the pages you view with your real identity. It also protects a little from your logged-in facebook or google account following you from page to page. You can of course clear your cookies at any given time (under the Privacy tab), but an easy automatic way to take care of that is to clear cookies when you restart the browser, File -> Preferences, choose the Privacy tab, and where it says "Keep until:" choose "I close firefox". The downside is that you will have to log into websites again when you reopen Firefox, but that can be a security advantage, and you can always use "Remember password for this site" which doesn't pose the same privacy risk as cookies.

4. Fight Flash cookies. This are a hidden type of cookie that is used by websites to track people who are deliberately trying not to be tracked, by deleting cookies. Therefore they represent a clear indication that companies will never respect people's wishes about being tracked, and it will always be an ongoing arms race. But Better Privacy for Firefox can fight them in a sophisticated way, allowing them to live for a little while (making web pages usuable), and then kill them, severing the link between your browsing before and after. It also deletes a hidden list of all the flash-bearing sites you have visited, that is still there even if you Clear History! There may be other types of "supercookies", involving Java and more arcane technologies rather than Flash, that I don't yet understand or know how to counteract.

5. Fight web bugs (aka beacons). These are little bits of another company's web page that are embedded in a webpage you are viewing, that allow that company to tell that you're visiting that web page at a particular time and to follow you across the web. They may take the form of invisible images on the page, or something visible, like Facebook "Like" buttons (even if you don't have a facebook account). These are hard to block completely, but the plugin Disconnect will block tracking by that means by Facebook, Google, and Twitter. Adblock Plus is an example of a program that should block many of the other cross-site web bugs, although you have to install a good filter list - one study recommended either Easylist+EasyPrivacy, or Fanboy's Ads+Tracking+Annoy (all done with a couple of clicks once Adblock is installed). An alternative, Ghostery, has the nice feature of giving you a report on the tracking technologies on a page as well as blocking them, although it should remain under scrutiny for being a prong of the advertising industry's campaign to avoid regulation.

6. Consider not using Google for searches. My searches are some of the most personal things I do on the Web, and Google is a company that is hell-bent on connecting that information with my real identity - or at least my gmail identity - and with my travels across the web. It is building giant, permanent dossiers on all of us. I don't know which is more disturbing, the possibility that it is selling this information to hundreds of advertising companies, or that it is keeping them for its own unspecified future purposes. But in any case, here's proof from Google's own promotional pages that, for example, they use the fact that you are searching about a particular city - or are visiting web pages related to it! - to guess that you live there, or are planning a visit there, and to show ads that are tied to that city. Google is probably the best search engine out there, but they are primarily an advertising company, and they are eager to know what's on your mind.

What are the plausible alternatives? Bing is actually quite good, and though it is also tied to another giant, creepy company that owns an advertising network (Microsoft), at least you can be pretty sure that they won't be sharing information with Google. Better, from a privacy standpoint, is Duck Duck Go, which advertises completely anonymous searches: not remembered, not tied to your identity in any way. I made it my home page, and also added it to the search bar in the upper right hand search bar of Firefox, which you can do by simply visiting  Duck Duck Go, clicking the icon in the search bar, and choosing "Add Duck Duck Go". I have found its search results to be about 80% as good as Google, which is good enough for many purposes. And for the purposes where it isn't, adding "!g" to the beginning of the query will automatically go to Google. Duck Duck Go is also helpful for another worrisome non-privacy-related issue called "the filter bubble".

If you can't stand using the alternatives, at least take these steps:
* On your Google account settings, turn off Web Historyopt out of targetted ads  and set the doubleclick opt out cookie.
* If you use GMail (and believe me, I am trying to figure out a good alternative), try to use it in a separate browser than the one you do your google searches in (e.g. Chrome or Safari if your main browser is Firefox). If your gmail address appears on the top right of www.google.com, then it explicitly knows who you are and is associating you with your searches (unless you trust that Google respects the opt-outs in the previous step). Click on it to sign out.

7. Take a lot of care with your social media participation. Keep in mind the quote by Andrew Lewis "If you're not paying for something, you're not the customer; you're the product being sold." Apart from the obvious (and not-so-obvious) real-life problems caused by oversharing, anything you post in public is being eagerly scanned by multiple companies and associated with you as much as possible, and actions you take that should be only visible to your friends on services such as Facebook are still being scanned by the hosting company and sold to advertisers, in particular your network of friends and acquaintances. (I wouldn't be surprised if they're recording whose FB pages you visit most often, so that algorithms can guess at who you have a crush on - maybe before you've guessed it yourself)

With my privacy concerns, I probably shouldn't be on Facebook at all, and I'm scaling back my participation, but I do get a lot of enjoyment out of it, so for now the creepiness is worth it. But besides the hazards of Facebook knowing about you, the company has a habit of continually changing the privacy settings to publicly expose things you don't think you're making public, so do a search to find the latest settings to maximize privacy, in posts like this one. There are other social media hazards you might not have thought of, such as information about your location hidden in photos taken on your smartphone and uploaded. I would think long and hard about *any* service that involves posting information about your location. (I would even recommend keeping your phone's GPS turned off unless absolutely needed, but that's another post)


What about "Private Browsing" mode? This provides protection against some, but not all tracking. It is somewhat effective at severing the link between what you do within the private session and outside of the private session (although it does not affect Flash cookies I believe), but if you link that session to your identity, for instance by logging into Gmail or Facebook, without other precautions your subsequent actions will also be linked to your identity.


These steps can't guarantee anonymity on the Web, in fact there are several known methods for tracking your identity across the net such as browser fingerprinting and clickprinting that are even harder to understand and combat. Another big vulnerability is your IP address, which identifies your location to the city level and, when combined with only a little more info, can identify you - and it is tricky to conceal. But the 7 steps will help, and it makes me angry that most browsers don't have them on by default, so that it's a piece of cake to follow people's every Web move (and the software makers know exactly what they're doing). That means 99.99% of people have no protection, including your mom and dad and your little cousin (unless you help them)

But for those who care, and who have the technical ability to at least follow this and other such guides, it will be an ongoing battle. Perfect protection is only possible against companies that don't keep up with the cutting edge of tracking. Unfortunately that doesn't include Google, the sneakiest of them all and the biggest overall privacy threat. But no matter how the tactics change, two things will remain a constant: companies will always misrepresent the extent of their tracking, the anonymity of it, and what they're using it for (which makes the "pretty please don't track me" option that is now available in many browsers of doubtful use); and noble privacy researchers will always be discovering and exposing them. So if you are still attached to the idea of being able to surf the web without every click being monitored and tied to your real identity, check out the latest battlefronts on websites such as the Stanford Center for Internet and Society, the Wall Street Journal (for some reason) and the Electronic Frontier Foundation. They're doing god's work.

No comments: