How to avoid online tracking. (Hint: you can't.)


51 Responses to “How to avoid online tracking. (Hint: you can't.)”

  1. Anonymous says:

    I wonder how unique devices like iPads or iPhones appear – devices which can’t be customized with fonts, etc.? Do websites have access to UDIDs or MAC addresses?

  2. J Random Scribbler says:

    The article is simply wrong when it says most sites take snapshots of all your hundreds of computer settings.

    As part of each and every request to a webserver, your browser sends a few pieces of information in the HTTP headers. These include things like language settings, cookies, the last page you were on (the “Referer”) and your browser type and version (the “user agent”). They do not include fonts, screen resolution and all the other system settings, except for the operating system version which is part of the user agent header.

    To get at all those other pieces of information, an ad company needs to use Javascript, which can be turned off (as someone already mentioned.) However this may be a problem for some people, since the slick user interface goodies on the web today simply won’t work without Javascript.

    Even if Javascript is on, the browser controls which system settings are available to Javascript programs, and thus can be sent back to the company’s website. This varies a lot by browser and version; some versions of Internet Explorer even let Javascript see the contents of your copy/paste clipboard. The good part about this is that because the browser controls what’s available, a browser plugin could (at least in theory) let you decide whether you wanted websites to know your screen size, fonts, and so forth.

    Flash cookies and the like are a different story. I’m not a Flash programmer, so I don’t know what computer information is and is not available to Flash. However, “Flash cookies” can in fact be deleted; it just takes a browser extension like BetterPrivacy to do it.

    The vast majority of sites don’t bother with any of this, and only capture the information that goes into the webserver logs on every request; the time, the requester’s IP address, the URL requested, the result code of the request, and often the Referer and user agent. Sometimes this also includes your login name if you are signed in, but it’s hardly hundreds of pieces of information for every site.

  3. Anonymous says:

    The author interviewed a few marketers and no privacy advocates. Perhaps this isn’t surprising, given the venue but makes you wonder if it’s just a terrible article or deliberate anti-privacy FUD.

    Browsers have to have up-to-date lists of every company in the world in order to block anything? O RLY?

  4. Anonymous says:

    Well, this is interesting.

    “Your browser fingerprint appears to be unique among the 1,333,108 tested so far.

    “Currently, we estimate that your browser has a fingerprint that conveys at least 20.35 bits of identifying information.”

    Wow, I’m unique … oh, wait.

    Thing is, I’m not sure why I should care.

    I don’t block or manage cookies any more. I did that for a long while, and approving or rejecting every single cookie got old. So I turned that off.

    However, my firewall blocks ads and many of the third-party monitoring services and URLs that I don’t recognize as anything I want – google-analytics.com, adsonar.com, channeladvisor.com, rubiconproject.com, and so forth.

    My browser has Flashblock, too. I don’t know for sure that Flashblock prevents Flash cookies being set, however, and no doubt some sites where I allow Flash have set some.

    So, OK, they can trace me all over the web. However, as far as I can tell, their objective is to deliver targeted advertising to me. And because I block ads very successfully with the above strategy, none of that carefully targeted advertising ever reaches my eyes.

    It kind of creeps me out that they know who I am and where I’ve been browsing. But if they can’t use that information for their intended purpose, really, what’s the harm? Someone please tell me. What am I missing?

    • Anonymous says:

      Interestingly, they say that the typical browser gives up 20 bits of information, 2^20=1,000,000 approximately, and they stopped the study at the 1.3 millionth visitor. They need to find another 10-12 bits of information per browser to really identify people uniquely, still it’s interesting.
      Flash cookies, silverlight cookies and globalStorage! Oh. My!

  5. Anonymous says:

    Based on the info found so far in the comments, here is what I did. Installed TorButton and set all proxy ports to 0, so I’m not using the proxy, but I am disabling all plugins. Disabled all Javascript using web developer tool bar which is already installed. Completely disabled all cookies and history, and I’m left with a score on https://panopticlick.eff.org/ of 1 in 52. That’s brought down from 1 in 1.3 million before I changed anything. So while I’m not completely anonymous, the next step would be installing TOR, to actually anonymize my IP address, and I’d be pretty sure that nobody was tracking me. At least not for the purposes of marketing and other such things.

  6. Anonymous says:

    There are ways to change the user agent string of your browser. For Firefox, you can use the User Agent switcher [https://addons.mozilla.org/en-US/firefox/addon/59/] to do so. I originally used this to use FF on legacy enterprise apps which only allowed IE to connect to them, but you can also set up your own user agent or even make your own custom one.

  7. Robert says:

    So apparently every time I add a new font to my Mac or update my Firefox plugins, I’m a new identity! Awesome!

  8. traalfaz says:

    Try this:
    https://panopticlick.eff.org/

    In my normal mode, running portable firefox in private browsing mode through privoxy, adblock plus, flashblock and noscript, there are over 100,000 browsers that look the same as mine. That’s pretty good, I think.

    Unless you take these measures though, yeah, hit that site and you’ll find that your browser is probably uniquely identifiable.

    Taking only some of these measures may even make it worse; since few people make the effort to scratch off the serial numbers, having done so kind of is its own fingerprint.

  9. shanks says:

    How hard is it to block websites from seeing computer settings and do the adjustments behind an information wall on your computer?

    • seanpatgallagher says:

      You could run a privacy-enhancing proxy ( such as privoxy ) on your local machine and configure your browser to connect to the Internet through that.

      That should strip the identifying information from your HTTP headers. This can confuse web-sites that try to customize content depending on your installed plugins, however.

      Privoxy is bundled with Tor – an anonymizing proxy system that is resistant to surveillance.

      -S

      • Captain Obviousness says:

        But Tor was developed by the US government before being released open source. Does it really hide your tracks from everyone, or is it a honeypot?

  10. wrybread says:

    I can easily spoof a different browser, couldn’t someone make a plugin that spoofs many of the settings that are being used to identify us? The “language” and “location” settings are useful enough, but I’m guessing many of these settings could be spoofed every time I load a webpage without negatively affecting me.

  11. GuidoDavid says:

    Yes, you can.
    Set up a VM with a different OS and browse from behind a proxy, no cookies and all the rest. It’d be a pain in the ass, but not too difficult if you _really_ want to obscure your details.

    • cory says:

      All that does is make your VM the thing that all those sites have a signature for. It’s still *you*, you’re the only one using that VM.

      Forget personal privacy. It’s going away. Here’s what I really want right now: For the power brokers to be just as naked as the rest of us. If everyone is equally public, the powerful have more to lose than I do.

  12. SamSam says:

    That’s pretty interesting. I don’t really care about who’s tracking my movements, but it was interesting to see how identifiable I am. None of the browsers they tested so far have my exact plugins, and none of them have my exact system fonts.

    Download one esoteric font, and they’ve got you for good.

    • billstewart says:

      Fonts can really leak uniqueness – I may not be the only one with the particular combination of Elvish and Runic fonts on my machine, but my work laptop also has a special font which has the corporate logo rendered just the way the Marketing Department’s Branding Specialists want it this year.

      I’m still old-school about browser font support – HTML is supposed to be a content description language, not a printer format, and it should be my browser’s job to decide what font to display things in, possibly with some hints from CSS, and it’s really not random-webpage.com’s business to find all the possible fonts I’m using. It’d be nice if Firefox had the option to pick what fonts to advertise to web servers. (Part of being old-school is needing reading glasses – it’s nice that I can crank up magnification by using CTRL PLUS, but I’d often prefer the results I get using a bold font at a smaller size.)

  13. spincycle says:

    Owning a computer for a month without adjusting settings? That’s…astonishing.

  14. seyo says:

    What about routinely changing your settings? Changing resolution, input device settings, multiple monitor arrangements? What about creating spoof settings that can also be changed constantly, and hiding the real ones? As Kamen says, don’t tell me something is impossible, tell me you don’t know how to do it yet. (disclosure: I didn’t read the link so forgive me if these questions are already addressed)

  15. Anonymous says:

    ever heard of Linux?

  16. sally599 says:

    I can’t say that I’m disturbed that they know I’m running firefox and which application plug in’s I have, considering that if I test it again tomorrow it’s likely to have changed. I only have my cookies and history deleted after browser close so there is some limited tracking already I just don’t want anyone getting my life history. But I have to say that this totally explains why H and R block kept insisting my screen had horrible resolution and their program might not display correctly (netbook, odd screen size, but the resolution is fine). Please companies don’t assume your remote detection is actually meaningful. If I saw a warped image that was uninterpretable, odds are I couldn’t click next. Thank you.

  17. chriscombs says:

    looks like all the reasonably unique stuff is provided by Flash and Java. THANKS GUYS!!!

  18. Anonymous says:

    Since I run all my settings at default, all the time, I’m guessing I’m pretty difficult to track.

    I do this so that I can use any computer without having to waste my time tuning it. I don’t carry a computer, I just use whatever’s in front of me at any given moment.

  19. hassenpfeffer says:

    Adama was right. NO NETWORKS.

  20. bardfinn says:

    … So people with an information appliance, such as an iPod or iPad — with cookies disabled – have heightened privacy over someone running a Windows machine?

    IRONY

  21. Anonymous says:

    See https://blog.torproject.org/blog/effs-panopticlick-and-torbutton

    “The EFF has recently released a browser fingerprinting test suite that they call Panopticlick. The idea is that in normal operation, your browser leaks a lot of information about its configuration which can be used to uniquely fingerprint you independent of your cookies.
    Because of how EFF’s testing tool functions, it has created some confusion and concern among Tor users, so I wanted to make a few comments to try to clear things up.
    First off, Torbutton has defended against these and other types of attacks since the 1.2.0 series began. We make the User Agent of all Torbutton users uniform, we block all plugins both to prevent proxy bypass conditions and to block subtler forms of plugin tracking, we round screen resolution down to 50 pixel multiples, we set the timezone to GMT, and we clear and disable DOM Storage.” and it continues…..

    Also, why does boingboing need 31 different javascripts across 10 different domains?

    • SamSam says:

      Also, why does boingboing need 31 different javascripts across 10 different domains?

      Because BoingBoing serves up advertising like nobody’s business.

      Frequently when my machine is slow I’ll go to a BB article and the “loading” icon on my browser will keep spinning and spinning and spinning, long after the article itself is loaded. You look at what it’s trying to load and it’s all that other junk.

      If you open your Chrome developer tab to look at all the resources Boing Boing requests, it’s just absurd. Here’s an image of less than 10% of all the files BB made my browser download. How many of those third-party domains are collecting browsing information from me as I go through Boing Boing?
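
Added example (not part of any comment above, and not EFF or Tor Project code): the arithmetic behind the Panopticlick figures quoted in this thread ("unique among the 1,333,108 tested", "1 in 52") and the effect of the Torbutton defences quoted in comment 21, measured over a small constructed population. The sample fingerprints, the simplified user-agent strings and every function name are assumptions made for illustration.

```python
import math
from collections import Counter


def surprisal_bits(matching, total):
    """Bits of identifying information when `matching` of `total`
    browsers share the same fingerprint."""
    return -math.log2(matching / total)


def normalize(fp):
    """Apply the defences quoted from the Tor blog post: one shared
    User-Agent, timezone forced to GMT, and screen size rounded down
    to 50-pixel multiples."""
    _ua, _tz_offset_min, width, height = fp
    return ("UNIFORM-UA", 0, width - width % 50, height - height % 50)


def anonymity_report(population, transform=lambda fp: fp):
    """Map each distinct fingerprint to (anonymity set size, bits)
    after applying `transform` to every browser in the population."""
    counts = Counter(transform(fp) for fp in population)
    total = len(population)
    return {fp: (n, surprisal_bits(n, total)) for fp, n in counts.items()}


def unique_count(report):
    """Number of fingerprints held by exactly one browser."""
    return sum(1 for n, _bits in report.values() if n == 1)


# Constructed sample, not measured data:
# (user agent, timezone offset in minutes, screen width, screen height)
POPULATION = [
    ("Firefox/3.6 (Windows)", -300, 1280, 1024),
    ("Firefox/3.6 (Windows)", -300, 1280, 1024),
    ("Firefox/3.6 (Linux)", 60, 1366, 768),
    ("Firefox/3.6 (Mac)", -480, 1440, 900),
    ("Firefox/3.5 (Windows)", 0, 1024, 600),
    ("Firefox/3.6 (Windows)", 0, 1024, 768),
    ("Firefox/3.6 (Linux)", 330, 1400, 900),
    ("Firefox/3.6 (Mac)", -300, 1360, 768),
]

if __name__ == "__main__":
    # Being the only match in a sample of N is worth log2(N) bits, which
    # is why "unique among 1,333,108" is reported as "at least 20.35 bits".
    print(f"1 in 1,333,108 -> {surprisal_bits(1, 1333108):.2f} bits")
    print(f"1 in 52        -> {surprisal_bits(1, 52):.2f} bits")

    raw = anonymity_report(POPULATION)
    hardened = anonymity_report(POPULATION, normalize)
    print(f"unique browsers before normalisation: {unique_count(raw)}")
    print(f"unique browsers after normalisation:  {unique_count(hardened)}")
    for fp, (size, bits) in sorted(hardened.items()):
        print(f"  {fp[2]}x{fp[3]}: set of {size}, {bits:.2f} bits")
```

Normalisation only helps for the attributes it covers; the two browsers that remain unique in this sample do so because their rounded screen size is still rare.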

  22. tylerkaraszewski says:

    Sure, this is basically true, but I think it’s also overstated. You’ve always given away identifying information when visiting any brick and mortar establishment (as opposed to a website) because, you know, you look like yourself, and if you come back later, the clerk can say “oh yeah, I saw that guy here last week, too.” This is basically the same thing except online. Sure, you could wear different disguises to camouflage yourself at each different store you went into, but you could similarly use different web browsers for each site you visited. Both are a pain.

    You can only reasonably expect so much privacy, and I think expecting no one to notice or recognize you or anything you do, ever, even when you’re doing it on their property goes beyond “reasonable”.

  23. Anonymous says:

    Multiple VMs randomly chosen from several, with changes every so often to each, various profiles and addresses as well as several different TOR networks?

  24. TimmerCA says:

    Actually, just disable JavaScript and plug-ins (Java, Flash, etc), and most of this goes away.

    And, astonishingly, a large percentage of web sites do OK without JavaScript or plug-ins.

  25. Anonymous says:

    What we need is better browser DEFAULT settings: browsers should give out less system information, period. It is really disappointing that the Firefox devs haven’t fixed this problem already.

    While we wait for that, any handy measures to take to minimize the problem?

    Some suggest disabling javascript. Problem is, then THAT can be a trackable characteristic in some use cases, if few others do it.

    The panopticlick helpfully lists the uniqueness factor for each type of data. But what we really need is uniqueness factors for individual subcomponents (plugins, fonts). Does anyone know of a site with information on that?

    I also wonder why the “user agent” field lists the operating system. Why isn’t the browser used enough?

  26. zoink says:

    Visiting that site with NoScript on dramatically reduces my uniqueness, since without js or plugins all they have are an ip address and some headers. It would be clever to write a browser plugin that added noise to the headers…

  27. knoxblox says:

    I wonder if giving up the internet would be as easy as giving up soap?

    • Gaddy says:

      knoxblox: “I wonder if giving up the internet would be as easy as giving up soap?”

      Comment= WIN!

    • george57l says:

      “I wonder if giving up the internet would be as easy as giving up soap?”

      No, it wouldn’t – but you’d feel ten times cleaner.

  28. Razzabeth says:

    I think, when it comes to computers, we really can’t ever say can’t.

  29. pentomino says:

    There’s this mythical ideal of the perfect anonymous surfer, who’s on the grid while being off the grid. It’s a paradox. I can understand why people might wish to be invisible in these times, and genuinely need to be invisible in certain contexts. But it takes a personal cost-benefit analysis to determine how much you’re willing to do without, in order to remain out of sight.

  30. Ambiguity says:

    (Hint: you can’t.)

    Well yes, when even boing boing, a site that nominally sides on the side of privacy, tries to load between scripts and content from 12 to 19 different domains onto my computer every time I visit, I’d say yea, it’s difficult.

    Ironically, no other site I visit regularly loads content from so many different domains.

    • BB says:

      So true. I have to hit allow page, like 3 times, in noscript.

      • OoerictoO says:

        most resources i’ve found just say to use noscript and tor to protect against this. the former i use extensively and the latter i use a bit. tor is painful most of the time. is there a better way to hide plugins and fonts? i use useragent switcher.

        noscript works well, but i want to BUY stuff on the internet from the sites that track the most as they have the most benefit from it (other than advertisers). if i want to buy stuff from these places, almost without fail they need JS turned on.

      • Gilbert Wham says:

        I’ve blocked as many as I can without the whole page stopping working. It’s sped up loading the comments page somewhat.

  31. MadRat says:

    How to avoid online tracking. (Hint: you CAN.)

    You don’t need to be behind 7 proxies and it’s not all that complicated. I recommend having a fairly powerful computer, a CD/DVD drive, VirtualBox and a CD/DVD with Knoppix (although you could use another CD/DVD bootable OS). The order isn’t too critical: burn the Knoppix to a disk, install VirtualBox, have VirtualBox boot Knoppix. If you know how to use Windows you’ll find Knoppix is pretty much the same. The Knoppix disk image is the same on every CD/DVD and cannot be written to, so if someone is trying to track you based on installed software or fonts, they’ll get the reply that your system is exactly like all the tens of thousands of other Knoppix users.

    This isn’t a perfect solution. The Flash plug-in isn’t included with Knoppix (which only contains open source software) so you’ll have to install it every time and you can’t save bookmarks (but they can be copy and pasted from Windows) or cookies. But hey, that’s what I’m using right now.

  32. Anonymous says:

    @30 (anon):

    oh yes, and it comes in many different distributions.

    the panopticlick browser fingerprint of my configuration of iceweasel on debian stable is “unique among the 1,334,079 tested so far”. and panopticlick only tests for a subset of what is possible.

    which operating system you are running your browser on is just one aspect among others.

    among many, many others.

    oh, and by the way: ipv6 is on the horizon. we may be saying farewell to dynamic ip addresses one day.

    .~.

  33. Anonymous says:

    I didn’t know about Flash cookies, I’m really shocked that I even found sites I visited over a year ago.

    To disable Flash cookies do the following (for Windows 7):
    1. Navigate to C:\Users\%username%\AppData\Roaming\Macromedia\Flash Player\
    2. Delete all the folders/files inside there
    3. Right click on “Flash Player” folder > Properties > Security > Advanced > Change Permissions… > Select the username you use for browsing > Edit… > Deny: “Create files / write data” and “Create folders / append data” > OK > OK > Yes (warning dialog) > OK > OK

    I tried to only leave C:\Users\%username%\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol but Flash does not obey this file with the above permissions, obviously it is DESIGNED to work like that and resets to “default” settings.

    Next step will be to reverse engineer Flash library to disable those “default” settings and remove the font tracking.

    I’m going to uninstall Silverlight from my computers, disable Java, Office, Picasa and other..
    Fonts and plugins = unique id!!!

  34. TEKNA2007 says:

    What’s the mechanism that sites use to detect fonts? Does that require Javascript and/or some plugin (Flash, Java, Silverlight)? Is there any other way?

    Can they flat-out get a list of all the fonts on your system? Or would it involve the site trying to use fonts that they know about in general (and not necessarily fonts on your system) one-by-one and then checking the resulting style to see if each font successfully applied?

    • xzzy says:

      They get the font list from Flash.

      Jobs is kind of a dick, but perhaps he’s on to something with this whole “kill flash” thing.

  35. Anonymous says:

    Some good suggestions on how to anonymize your computer’s fingerprint:

    http://dilaceratus.com/identifying-marks-even-your-mother-didnt-even
