Saturday, April 10, 2010

Evading big brother online

More than security from hackers while browsing the web, I am concerned about being tracked by big brother corporations. These guys put little tracking bugs in various partner websites, and on their own, to keep track of what you’re doing, and where. I’m sharing my setup for Firefox below in the hopes that y’all will benefit from my experience, and will help keep privacy a reality in the 21st century. This setup will incidentally help you with hacker security as well (though the main add-on for that is Noscript, mentioned below).

The main rule in setting these applications up is that you want a “Global Deny” policy, with a user-defined “whitelist” of trusted sites. The whitelist gets built up as you move around the web and slowly add sites to your list. That is, you don’t have to spend time creating these lists before you start, or before you’ll be secure. The point is that it’s easy. Having said that, this setup probably ain’t for granny. But if you have just a modicum of savvy, or the desire, this should work for you just fine.

Here are the add-ons I’ve installed in Firefox (and sometimes my email client, Thunderbird, too):

Ad-Block Plus

When you install this, you can also install a number of “filters”. I use EasyList, EasyPrivacy and fanboy-adblock. Don’t install a bunch of filters – it will be redundant, and will slow down your browser.

This add-on is not only good to block tracking sites, but it will block advertisements as well. I didn’t care about the latter initially, but there wasn’t a good way to just block tracking sites, so I installed the full set of filters. And boy – how much nicer the web became! Not only are ads generally annoying and intrusive (and we already see enough of them every day), they take up your bandwidth! For the bandwidth-limited, this add-on will improve your web experience even further by speeding things up.

CS Lite

This add-on controls what sites can put cookies on your browser.
You should set the preferences to “Deny cookies globally”. Whenever you come across a site that you trust, and that doesn’t seem to be working for you, click on the CS Lite icon in the status bar and set the site to either “allow cookies”, “allow cookies for session”, or “temporarily allow cookies”. I set up most of my cookies for the session (which deletes them after a time, so you have to log in again later).

Refcontrol

This keeps your browser from telling sites where you came from. This is important because you can be tracked by these referrer strings. Let’s say you’re on your account page for a site, and there’s an ad from doubleclick on that page. Normally, even if you’ve blocked cookies from doubleclick, they will see the site you came from when you see their advertisement. If there is identifiable information in the web address where you are (for example, an account number embedded in the URL), doubleclick could track you even without cookies (theoretically). Regardless, in general, it’s not a great idea to be sending around such information to sites that log your visits.

If you have problems with a site, right-click on the ref-control icon in the status bar, go to options, and add the site to your exceptions list (just like the cookies).

My settings:
Default set to Block

Betterprivacy

Flash can set cookies also, but they’re different from normal cookies, so you need a different add-on to control them.

My settings:
Set to delete cookies without asking upon shutdown


Other interesting plugins:

Noscript – starting to use this myself. Again, deny globally, with a user-defined whitelist.

Ghostery – show web bugs and other thingys that ad-block doesn’t catch.

Trackmenot – sends random searches to search engines in order to muddy their characterization of your web behavior.


A Note:

One problem with this setup is that I need to allow some sites to track me, such as Google, in order to take advantage of their functionality. Google is the ultimate big brother. What we can do in this case, however, is to block “3rd party cookies”.

What that means is that, if you go see the google advertisements to the right of this blog post, google knows that *you* are browsing my blog (if you have google cookies). But those cookies don’t belong to blogspot.com – they belong to google.com. Hence, they are a “3rd party”. By blocking these 3rd party cookies, google and other sites you’ve allowed cookies for will only be able to track you, for the most part, when you’re on their respective pages (such as google.com), but not when you’re on other pages (such as nytimes.com). Unfortunately, CS Lite doesn’t have an option to block 3rd party cookies yet (I submitted a query about it – we’ll see if it gets addressed).
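The referrer leak from the Refcontrol section and the 3rd party cookie idea above, put together as an added example (not part of the original post and not how any of these add-ons is actually coded). The hostnames, account number and cookie value are constructed, and `site()` is a simplification that treats the last two host labels as the site, where real browsers consult the Public Suffix List.

```javascript
// Added illustration: what an embedded ad server can learn from one request.
// Simplification: "site" = last two host labels of the hostname.
function site(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Build the headers a browser would attach to a sub-resource request.
//   settings.blockReferer           default-deny referrers (the Refcontrol setup)
//   settings.refererAllow           sites exempted from referrer blocking
//   settings.blockThirdPartyCookies send cookies only to the site in the address bar
function buildHeaders(pageUrl, requestUrl, cookieJar, settings) {
  const headers = {};
  const target = site(requestUrl);
  const thirdParty = target !== site(pageUrl);

  const refAllowed = !settings.blockReferer || settings.refererAllow.includes(target);
  if (refAllowed) headers.Referer = pageUrl;

  const cookie = cookieJar[target];
  if (cookie && !(thirdParty && settings.blockThirdPartyCookies)) headers.Cookie = cookie;
  return headers;
}

// What the receiving server can tie together from those headers.
function trackerLearns(headers) {
  const learned = [];
  if (headers.Cookie) learned.push('who you are (cookie)');
  if (headers.Referer) {
    learned.push('which page you were on');
    if (new URL(headers.Referer).search) learned.push('URL parameters such as an account number');
  }
  return learned;
}

const page = 'https://shop.example/account?acct=12345'; // constructed
const ad = 'https://ads.tracker.example/banner.js';     // constructed
const jar = { 'tracker.example': 'uid=abc123' };        // set on an earlier visit

const defaults = { blockReferer: false, refererAllow: [], blockThirdPartyCookies: false };
const hardened = { blockReferer: true, refererAllow: ['shop.example'], blockThirdPartyCookies: true };

console.log(trackerLearns(buildHeaders(page, ad, jar, defaults)));
console.log(trackerLearns(buildHeaders(page, ad, jar, hardened)));
// On the tracker's own site the request is first-party, so the cookie still goes out.
console.log(buildHeaders('https://www.tracker.example/', ad, jar, hardened));
```

Neither setting changes the source IP address of the request, which is the gap the next paragraph deals with.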

Regardless, even if we manage to block 3rd party cookies at some point, Google will still know the IP address from whence the request is coming. So if they’re smart (and they’re pretty smart), they’ll still probably be able to track you with your IP if you’ve visited google.com recently (which you probably have). One answer to the IP-tracking problem is to block ads in the first place, and that’s where Ad-block Plus comes in. By blocking your browser from getting the ads from google’s (or others’) ad-servers in the first place, google will have no way of knowing you’ve gone to pages where their ads are shown. Another option is to use a Tor (http://www.torproject.org/) proxy setup which changes your apparent IP address every so often, but that’s getting a bit beyond the scope of things here. Feel free to look it up online.

14 comments:

Anonymous said...

Came here via your comment on Lifehacker. Very useful stuff. Wasn't aware of RefControl. Thanks.

Anonymous said...

Also came here via Lifehacker.
You give some good advice here.
Thanks

Anonymous said...

Thanks Dude,
Got here from Lifehacker as well. Thanks for posting your link - as already said - very useful!

Anonymous said...

Came from lifehacker. Thanks for the info.

I thought you could block third party cookies via:
http://support.mozilla.com/en-US/kb/disabling%20third%20party%20cookies

Anonymous said...

Popped over from Lifehackers - thanks for the tips

Anonymous said...

Also came here via Lifehacker. Also wasn't aware of Refcontrol. Also happy.

Anonymous said...

LH reader here...

you just forgot to mention a custom-made hosts-file.

Anonymous said...

Props on the Privacy Extensions. I came from Life Hacker as well.

Anonymous said...

Instead of Google, check out duckduckgo.com. Same functionality, but no tracking.

Anonymous said...

I see I'm not the only one that came here from LifeHacker. Good stuff. Have been trying to figure out the privacy things for years now. Incidentally, I found an option in SeaMonkey to only allow cookies from originating page. I think it's the same thing as saying "Block third party cookies". Been using noscript and adblock for years now. Use Flash Block of FF (no Seamonkey extension yet). I'll check out these other wonderful extensions. Thanks for the info

Anonymous said...

LH
Good info.

Anonymous said...

Also From LF.
Nice post. Thanks!

Anonymous said...

I came from your comment on LH as well. Thanks. Been trying to lock down my privacy for awhile now and you posted some very useful info. Unfortunately, when I clicked on CSLite it said that the author had removed it. :/

Anonymous said...

Excellent and worthwhile post.

Also arrived via LH, and I must say first that private browsing is not a headache in FF. On top of that I have been using AdblockPlus and a few others like Ghostery and Disconnect. I did not like Ghostery after a while though.

I also switched to Duckduckgo (and installed it as my default search in Chrome and FF) and I encourage my colleagues to do so!

Will try refcontrol.

Unfortunately most of these are not available for Maxthon which is probably the best browser out now.