2013-08-01

Just because you’re paranoid doesn’t mean you’re not being watched.

When you’re on the Internet, there are good reasons to have that eerie sense of being followed.

By now, most of us know that websites can gather a surprising amount of information about your computer. For example, the page request you send to a site’s server includes detailed information about your browser — not just which browser you’re using, but the exact version, its configuration, and even the screen resolution the browser is running in. Other gathered data includes the page you came from, what document you’re requesting, and — yes, your IP address.

And don’t think you have anonymity just because your service provider gives you a dynamic IP address. At a minimum, visited websites can tell what service provider you’re with and what city or region you are in.

What’s more, any communication with a Web server gives it the opportunity to deposit a cookie on your computer. Benign cookies — small text files downloaded through your browser — simply record information needed to make your Web experience better. That can include sign-in information, where you visited on the site, interface customizations, and the like. Most cookies also keep an identifier for each visitor, so that the next time you connect to a site’s server, it can match you up with its records of previous visits. That way, you won’t have to start from scratch whenever you go to the site.

Less benign cookies can let websites track your movements around the Internet, and they often collect more information than you really want to give.

Typically, the information gleaned by trackers doesn’t include your name and street address. But by putting together all the collected data from page requests and cookies, Web servers can effectively fingerprint individual computers and thus track users across the Internet.

What many users don’t know is the extent of the information now collected. If a webpage contains an advertisement, your browser will often send a request to a third-party ad server to download the advertisement. In addition to telling the ad server what site you’re visiting, the request contains yet another identifier — still not your name, but a number that corresponds to your computer.

And that ad server might deposit its own cookie on your computer.

So far, all this tracking hasn’t identified you by name and address. But online tracking companies will have a considerable amount of information — including, again, your computer’s IP address — about your online activities. On some sites, the result is targeted ads, tailored content, and possibly a Web experience that’s customized specifically for you (or, more precisely, customized for the activity on a specific computer).

For example, one day I searched for “line trimmers” on Google. The next day, I went to the Home Depot site. What was the first thing I saw? An ad for line trimmers — and it was no coincidence. Some users will be happy with that result; others will not. Let a friend or family member browse the Web with your computer, and ads for products you have absolutely no interest in might follow you around the Internet for days or weeks.

Good intelligence analysts might be able to figure out who’s behind a computer by analyzing online activities, but for most users, the real danger comes from joining social-networking sites such as Facebook or Google+. By their nature, social sites encourage you to feed them lots of personal information — including your name and address. The social site, and any organizations with which it shares data, can connect the dots back to a specific individual — as opposed to a specific computer. (And we can assume government agencies are doing the same.)

And you know all those social widgets you find on visited sites? Page requests are sent to those servers as well. If you’ve logged into Facebook in the past month, for example, and you haven’t specifically signed out, the widget can track your presence across all sites that also have the widget. If you want to see how visited websites communicate directly with each other, download the Collusion (see Figure 1) add-on for Firefox and Chrome.



Figure 1. Collusion graphically shows the connections between sites you visit.

Trackers can also use embedded bugs or beacons — typically invisible to users — to get notifications when someone has viewed a site or opened email. And any of the sites you visit might use JavaScript to examine your browsing history.

Browsers offer limited tracking controls

So what can you do to manage or reduce tracking? In this article, we’ll start by looking at the built-in controls available in the three most popular browsers. Unfortunately, though these user-configurable tools provide some protection, you can’t rely on them to fully protect your online identity.

In a following article, I’ll go into third-party add-ons and utilities that provide better protection.

The privacy tools in the major browsers focus primarily on cookie management. To understand how the tools work, it’s important to understand the various types of cookies. Here’s the short explanation:

Session cookie: When the cookie doesn’t carry an expiration date, it’s usually a session cookie — one that will be deleted when the browser is closed.

Persistent cookie: Also called a tracking cookie, the persistent cookie will remain on the computer until it reaches its expiration date. These cookies can be accessed by their creators whenever you connect to the creators’ Web servers.

Secure cookie: If the cookie is set with an HTTPS attribute, it’s sent from the Web server in an encrypted form to prevent cookie theft.

HTTPOnly cookie: Such cookies can be transmitted only through HTTP or HTTPS requests, which also helps protect them from being stolen.

Third-party cookie: These cookies come from a source other than the site you’re visiting. Webpage ads, for example, typically deliver their own, third-party cookies.

Supercookie: Tracking technologies that typically do not use HTTP, supercookies are often created by applications, such as Adobe Flash and Microsoft Silverlight, that you might have installed on your computer. These cookies can store up to 10MB of data, whereas an HTML cookie is limited to 4K. Supercookies can also track user behavior across multiple sites.

Zombie cookie: These cookies are automatically re-created after a user has deleted them. This is done by a script that gets the data from a supercookie. For more on zombie cookies, see Woody Leonhard’s Aug. 5, 2010, Top Story, “Eliminate Flash-spawned ‘zombie’ cookies.”
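As an added illustration (not part of the original article), the following Node.js example reads Set-Cookie response headers and labels each cookie with the types described above: session or persistent from its Expires/Max-Age values, the Secure and HttpOnly attributes, and first- versus third-party by comparing the responding host with the page host. The hostnames, header values and function names are constructed, and the two-label site comparison is a simplifying assumption.

```javascript
// Added example: sort Set-Cookie headers into the cookie types listed above.
// Every hostname and header value here is constructed sample data.

// Simplification: the last two DNS labels stand in for the "site". Browsers
// use the Public Suffix List instead, so that e.g. example.co.uk works.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

function classifyCookie(setCookie, responseHost, pageHost, now = new Date()) {
  const [pair, ...rest] = setCookie.split(';').map((s) => s.trim());
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? '' : part.slice(i + 1).trim());
  }
  // Max-Age wins over Expires when both are present (RFC 6265, section 5.3).
  let expiry = null;
  if (/^-?\d+$/.test(attrs.get('max-age') || '')) {
    expiry = now.getTime() + Number(attrs.get('max-age')) * 1000;
  } else if (attrs.has('expires')) {
    const t = Date.parse(attrs.get('expires'));
    if (!Number.isNaN(t)) expiry = t;
  }
  let lifetime = 'session';            // no usable expiry: gone when browser closes
  if (expiry !== null) lifetime = expiry > now.getTime() ? 'persistent' : 'expired';
  return {
    name: pair.split('=')[0],
    lifetime,
    secure: attrs.has('secure'),       // sent only over HTTPS
    httpOnly: attrs.has('httponly'),   // hidden from page scripts (document.cookie)
    thirdParty: siteOf(responseHost) !== siteOf(pageHost),
  };
}

// Constructed responses seen while loading a page on www.shop.example.
const PAGE_HOST = 'www.shop.example';
const NOW = new Date('2013-08-01T00:00:00Z');
const SAMPLE = [
  ['www.shop.example', 'sid=abc123; Path=/; Secure; HttpOnly'],
  ['static.shop.example', 'prefs=dark; Max-Age=2592000'],
  ['ads.tracker.example', 'uid=7f3a; Expires=Fri, 01 Aug 2014 00:00:00 GMT; Path=/'],
  ['ads.tracker.example', 'old=1; Max-Age=0'],
];

function auditSample() {
  return SAMPLE.map(([host, header]) => classifyCookie(header, host, PAGE_HOST, NOW));
}

console.table(auditSample());
```

In the sample, the persistent third-party cookie from ads.tracker.example is the kind the browser controls described below are meant to block or expire.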

All major browsers give basic controls over the allowed types and duration of downloaded cookies. Some browsers provide additional controls — and they differ in how easy it is to access, understand, and configure these controls. Here’s what you get with the leading browsers:

Firefox: To its credit, Firefox has made it simple for users to access and navigate the browser’s privacy-related tools. All tools and settings — with one exception we’ll deal with below — can be accessed by clicking the Tools menu, then Options, and the Privacy tab.

Firefox can be set to automatically send a Do Not Track notification to websites that support the technology. Once that’s set, every website visited will receive a request in the page header that you not be tracked. But let’s be clear: this is just a request. Firefox isn’t actively preventing tracking; it’s up to each website to honor the request. But it can’t hurt to ask. To do so, just click the radio button next to “Tell sites that I do not want to be tracked” (circled in yellow in Figure 2).



Figure 2. Firefox does the best job of gathering its privacy tools into one easy-to-access location.

Next, you’ll want to adjust your history settings. By default, Firefox accepts all cookies and remembers your browsing history, downloads, and search history. To change that behavior, click on the History/Firefox will: button and select either Never remember history or Use custom settings for history (see Figure 2). You can easily switch between these settings, depending on the sites you plan to visit.

Selecting the custom settings brings up a layered array of controls. I opted to disable my browsing and download history while retaining my search and form history. Then, it was on to cookies. A drop-down list gives you two choices: always accepting third-party cookies or never accepting them. I chose to never accept them, but had I accepted them, I could have stipulated that Firefox delete them when they expire or when I close the browser — or to prompt me each time I close.

The Exceptions button lets me specify sites that will be exempted from the set policy. Try this option for important sites that have lost functionality.

Finally, you can check a box that automatically clears your browsing history whenever Firefox closes.

I had to search for the setting that would disable local-domain (DOM) storage so that supercookies could not use it. As it turns out, this technique — suitable primarily for advanced users — requires manual editing of Firefox’s configuration table. To do so, type “about:config” in the URL bar and hit Enter. A long list of browser configuration settings appears. Scroll down until you find dom.storage.enabled. Right-click on the listing and then click Toggle. Close the browser window and you’re in business.



Figure 3. To disable local-domain storage, you'll have to call up Firefox's somewhat-hidden configuration page.

Firefox is the only one of the three browsers that lets you set private browsing as the default. While Private Browsing (more info) is on, Firefox doesn’t save a history of visited pages, search-bar entries, passwords, cookies, etc.

That doesn’t mean, however, that websites can’t collect information about your PC during a Private Browsing session. Also, some websites might not have their full functionality when you have private browsing on.

To block beacons, scripts, and other forms of online tracking agents in Firefox, you’ll need to download and install add-ons. Fortunately, they are free and easy to install, as I’ll discuss in Part 2 of this series.

Google Chrome: This browser is the least intuitive of the three browsers when it comes to finding and configuring privacy settings. All Chrome settings are configured on webpages (see Figure 4) that are not especially well designed for ease of use. Moreover, users have to go through several layers to find many of the tools.

To set cookie policy, you start by clicking the three-bar icon in the upper-right corner of the Chrome toolbar and selecting Settings. The Settings page will open in a new browser-window tab — but you won’t see a heading for Privacy or Cookie settings until you click the “Show advanced settings” link at the bottom of the page. Scroll down the now expanded Settings page until you find the Privacy heading.

Figure 4. Google Chrome uses standard webpages for its many settings. Note that Privacy is well down the fully expanded Settings page.

Now click the Content settings button; you’ll finally find the options for managing cookies (see Figure 5).

Figure 5. Chrome doesn't make it easy to find its cookies settings, and the options are relatively basic.

Chrome gives you four choices for controlling cookies: allow or disallow all cookies, allow cookies to be kept just during your current session, or allow only specific third-party cookies.

Like the other browsers, Chrome allows you to enable or disable JavaScript on sites, and you can make exceptions. However, disabling JavaScript entirely might make some sites difficult to use. It would be more helpful if Chrome (and other browsers) detected scripts that are undesirable — as some available extensions (add-ons) will do.

Chrome also lets you show all images on sites — or none. Although it’s not explained, blocking images is a way of blocking Web beacons. Again, if you want to be more discriminating about what images are blocked, you’ll need to download a Chrome extension — a step I recommend.

Finally, like other browsers, Chrome supports Do Not Track requests.

The tools for clearing existing cookies and other tracking information are located on another page. Click on the three-bar icon again and select Tools/Clear browsing data. You’ll then be able to select the specific types of stored data you want to clear. Although it’s not well explained, selecting Delete cookies and other site and plug-in data will remove Flash cookies. (Nothing is mentioned about other types of supercookies.)

Figure 6. Chrome's tools for deleting browsing data are simple to use — though not especially informative.

In Chrome, unfortunately, there’s no way to prevent supercookies from using local storage — unless you prevent all cookies from using local storage.

Chrome includes Incognito mode (more info) for private browsing. It works much like Firefox’s Private Browsing, but cannot be set as the default.

Although Chrome provides many of the same basic privacy controls found in competing browsers, we can forgive users who get the impression that Google really doesn’t want us to use Chrome’s privacy controls. After all, Google is one of the largest collectors of online-behavior data.

Internet Explorer 10: Microsoft’s browser has a relatively strong set of privacy tools, though it would be better if they were in one place. As it is, you’re forced to work through several menus to configure all privacy settings.

Starting with cookie management, click IE’s gear icon in the browser’s upper-right corner and select Internet options; then select the Privacy tab. A slider offers six levels of protection, ranging from blocking all cookies to allowing all cookies (see Figure 7).

Figure 7. IE's Privacy tab lets you quickly select from six cookie policies — or set a custom policy.

Intermediate settings allow or disallow third-party cookies that don’t have compact privacy policies and which save information that could be used to contact you. (The dialog box doesn’t say what a compact privacy policy is or why it’s important; briefly, it allows IE to read a site’s embedded policy. For more info, see The Lunch Pail blog.) You can also block first-party cookies that save contact information.

To create a custom policy, click the Advanced tab; you’ll then be able to specify whether first- and third-party cookies should be blocked or allowed, or whether you should be prompted for acceptance. In addition, you can allow or disallow session cookies.

Bear in mind, however, that these settings apply only to HTML cookies and do not impact supercookies, which are managed by other applications. And even though IE 10 doesn’t delete all supercookies when you delete your browsing history, if you have Flash 10.3 or later loaded, IE will at least delete Flash cookies.

To clear your browsing history, simply click the Tools menu (not the gear icon) and select Delete browsing history. IE will then display a list of delete/preserve options, including temporary Internet files, cookies, your list of visited sites, download histories, etc. (See Figure 8.)

Figure 8. The Delete Browsing History tool makes it simple to select just what you want to delete from your browser history.

You can also set how long IE 10 retains its history of online activities. To do so, return to Internet options and select the General tab. In the Browsing history section, click Settings and choose the History tab. Then simply set the number of days. Alternatively, you can simply check the Delete browsing history on exit box back in the Browsing History section.

Next, turn on IE 10’s Do Not Track option. In Internet options, click the Advanced tab and scroll down to the checkbox, Always send Do Not Track header.

Figure 9. You'll have to dig a bit to have IE send Do Not Track headers, but it's worth doing.

You can expect better results, however, by activating IE 10’s Tracking Protection. Click Tools/Tracking Protection, and the browser’s add-on manager will open with Tracking Protection highlighted. When I did so, I found a single, disabled entry labeled “Your Personalized List.” I highlighted that item and clicked the Enable button down in the lower-right corner of the Manage Add-ons window.

Next, I deselected “Your Personalized List” by clicking a blank area just below it, which popped up a new link, Get a Tracking Protection List online. Clicking the link took me to Microsoft’s Internet Explorer Gallery, where I was offered a choice of additional, much more extensive, third-party lists. Clicking the Add button for Abine Standard added this list to Tracking Protection (see Figure 10).

Figure 10. IE's Tracking Protection feature offers a quick way to download and integrate third-party tracking protection lists.

Once you’ve enabled tracking protection lists, IE 10 will block all data from going out to those sites.

You can also add some Internet protection with IE 10’s InPrivate Browsing, found in the Tools menu, which works in much the same way as Chrome’s Incognito mode. As with Chrome, InPrivate Browsing can’t be set as the default — you have to enable it for each browsing window.

There are two other controls in Internet Options you might want to use. Click the Privacy tab and check the Never allow websites to request your physical location box. Or click the Advanced tab and uncheck the Enable DOM storage box to prevent supercookies from using local storage.

Beyond cookies: Additional privacy controls

Even though all three browsers offer basic controls over cookies, you’ll need to do more and use additional tools if you want to avoid being tracked on the Internet. Perhaps reconsider your membership in social networks. Or at least review the privacy settings you use on those sites and the information you post.

To beef up your browser, you’ll want to install add-ons that detect and block Web beacons and other data collectors. I’ll be looking at several of the major add-ons in Part 2 of this series.
