Original URL: http://www.theregister.co.uk/2011/11/01/how_to_stay_anonymous/

The Register Guide on how to stay anonymous (part 1)

How websites use your browser to sell you for cash

By Trevor Pott

Posted in Security, 1st November 2011 13:00 GMT

It has been a year since I have talked about securing browsers against privacy invasion. In that time, things have got worse, not better. In addition to the threat of malware and malicious scripts, we have the frightening new evercookie.

Leaving the criminal misuse of tracking for a later date, there is plenty to worry about from the use – and misuse – of our personal data by legitimate organisations. Advertisers are getting aggressive, and the techniques in use require a stalwart defence if we hope to retain our privacy.

Hello Mr Yakamoto and welcome back to the GAP! How'd those assorted tank tops work out for you?

The most pervasive breach of personal privacy – and threat to online anonymity – is the omnipresent tracking of our every digital move by advertisers and the companies that sell ad space to them. Targeted advertising has already gone so far that it is entirely possible that Google, Amazon and Facebook know more about you than your own mother.

Last night I spent four hours discussing a piece of media distribution software with one of the company’s founders. We went off the rails a little, engaged in some blue sky thinking and came to the conclusion that with some minor tweaking, that firm is sitting on software nearly capable of delivering a Minority Report level of personalised advertising.

minority_report_advertising

It was an interesting thought exercise, and frankly it’s a little scary that such a thing is possible simply by bolting together various different extant technologies. Government surveillance is usually the threat bantered about, but that isn’t a real concern to me. Governments are notoriously terrible at actually implementing technology.

The problem with this is that Mr Yakamoto may not want every website (or store) he visits to have such a personal relationship with him. Knowledge about what we purchase – or research online – when and from whom can have real world impacts.

Flaws in software can leave our entire browsing history vulnerable to malicious websites. Sometimes normally credible websites run by reputable companies simply give your information away.

Having your plans to join the surveillance society revealed inadvertently might not go over well at the next condo meeting. Your coworkers might become disgruntled were they to learn that you read books favouring a political party they despise.

Many of us still share information on our computers by having someone physically look at the same screen we see. The advertisements custom targeted at you can often be seen by those around you, inadvertently revealing more about us than we realise.

Would your employer be upset to see a message informing you about three replies in an advertisement for a job search site? And might there be an awkward moment when your shoulder-surfing girlfriend starts wondering why the advertisements on your nightly news sites have shifted suddenly from being predominantly about video games to predominantly about engagement rings?

What we buy, where and from whom is sensitive information. That this information is often combined with personally identifiable information such as our home address, phone number, credit cards, etc means that putting a real live person behind the data is not that hard. We don’t want to share that information with everyone around us, and yet we unknowingly do so every single day.

But how do they track us, and what can we do about it?

You best defence here is your browser. Since advertising tracking can come in many forms, you need a multitude of configuration changes or plug-ins to keep you safe.

Be wary however, even an up-to-date browser with a full suite of plug-ins – if improperly configured – can still reveal a remarkable amount of information about you. Take the time to run a test if you are concerned. If you use flash, you should go here and review your security settings.

Browser Referral

Every time you click a hyperlink on a web page, your browser sends information to the web server you are visiting. Included in this payload is the website you are currently visiting.

Traditionally, this has been an important source of information to virtually all website owners; it tells them how you found their website. It helps those running websites make the most out of limited advertising budgets and even keeps them informed of forums, complaint websites or news articles they have been mentioned on.

Lately however, more and more web users are becoming aware of the existence of browser referrals, and spoofing them. If you want to block websites from seeing your referral information, there are methods available. (IE, Safari, Firefox, Chrome and Opera)

Social media buttons and badges

Social media buttons are everywhere. They want you to "like" Facebook, Tweet about everything and +1 it on Google. They’re on seemingly every website, even in our demotivators. What most people don’t know is that these little buttons send back all sorts of interesting information to the social media sites in question.

At the top of this article are Facebook and Twitter icons. If you still have active login credentials to these websites, then the sites now know that you have visited this site and read this article. You can check to see if your login credentials are active by visiting the websites and seeing if they still consider you "logged in".

This information is used by social media companies to build a profile of your web activities in order to better target advertising. The more they know about you, the more valuable your information becomes to advertisers as it helps advertisers put their message only in front of those eyes most likely to pay attention.

Traditional script-killer plugins such as NoScript for Firefox will stop these buttons from broadcasting your information, but they also block everything and anything else on a website from running as well. Various Adblock plugins (IE, Safari, Firefox, Opera, Chrome) will usually defeat social media buttons. (Because of a peculiarity of how the Chrome AdBlock works, you need to tweak it to protect yourself from tracking.) This should be used with caution: blocking advertisements altogether deprives the websites you love of the revenue they need to survive.

Ghostery is a less "nuke it from orbit" choice that works on all major browsers and protects against over 500 companies for which it has built profiles. It works well, blocking social media fluff only when it poses a direct tracking risk, letting it slide when it presents itself as a non-threatening hyperlink.

Get Off My Lawn offers a more basic blocking set for Opera and Safari, while Chrome has Widgetblock.

Firefox offers an experimental plug-in called Share Me Not, which prevents tracking without removing the button functionality from the website.

Cookies

Browser cookies are an almost antiquated way of tracking users across the web. The basic principle is simple: when you visit a website, the website asks your browser for permission to store some information on your computer in the form of a text file. This information is used to allow basic functions – such as a persistent login – to function.

In general, cookies are harmless. They contain information related to your journey through a website. They may contain your shopping cart items, or simply a unique ID that serves as a pointer to the information about you the server is keeping in its own database.

Every browser that allows third-party cookies comes with built-in tools to manage them. Cookies can be individually examined, deleted, set to clear on exit or otherwise manipulated. Because of this level of control – and a general public awareness of their existence – on the whole, cookies are a beneficial element of the modern web.

But they can be misused. The biggest issue with cookies are "third party" cookies. While your visit to Joe’s Shoe Shop may require their website to place a cookie on your computer in order for the shopping cart to work properly, the advertising banners running on that site may well place cookies on your computer as well.

Wherever you go on the internet, website after website, those cookies can be read. A great example is Google Analytics. Google probably knows more about your browsing habits through the pervasive presence of Analytics on virtually every website worth going to than it ever will by analysing your search terms.

Through cross-site cookie tracking, companies can build a profile of your activities. Turning off cookies altogether breaks the web, so very few people do so. Blocking third-party cookies only is a reasonable half-way measure offered by modern browsers, but this too can cause problems with badly coded sites. Luckily, there are innumerable browser add-ons to available to combat this sort of tracking without requiring a full-blown blocking.

TACO, Beef Taco (Firefox), and Keep My Opt Outs (Chrome), make use of permanent "opt-out" cookies to inform advertising networks that the user of this browser does not want to be tracked. Along with the various browser-specific do not track flags, these are ways of ensuring many of the most prolific advertising companies will grant you your privacy.

There are however plenty of offenders who don’t play nice. They either blatantly ignore their own opt-out cookies, or don’t offer any such tool in the first place. Ghostery can help here, but tools like Privacy Block (Firefox and IE) or Cookie Culler (Firefox) are better.

The privacy issues detailed above may seem overwhelming a first blush, but these are merely the basic issues that are easily overcome. The second part of this series will cover the more difficult threats presented by poorly configured browser add-ons, locally stored objects (LSOs) and the evercookie. ®

How to stay Anonymous - A Register Guide

Part 1 How websites use your browser to sell you for cash
Part 2 The Evercookie: Like trying to kill Steven Seagal
Part 3 Browser privacy at work: The BOFHs' guide