April 24, 2014

avatar

How to protect yourself against NSA tracking

Jonathan Mayer and I have a new piece in Slate about how the NSA piggybacks on the web tracking activities of advertisers and other services. Essentially, the trackers tag computers and smartphones with unique tracking IDs that are attached to web requests, and the NSA uses those tracking IDs to follow users. I wrote last week about how tracking companies can protect their users by switching to HTTPS, the standard encrypted web protocol.

Unless and until the trackers turn on HTTPS, it’s down to us as users to protect ourselves from NSA tracking. The one and only way to do this is to prevent the sending of tracking IDs by your browser or phone. Let’s talk about how to do that.

Ideally there would be an industry opt-out that let you opt out of tracking IDs. But this does not exist. Existing industry opt-outs limit the use of tracking information, for example forbidding use for ad targeting, but they don’t prevent sites from using tracking IDs. Some companies respond to opt-out by stopping the use of tracking IDs. Others respond to an opt-out request by giving you a tracking cookie—for example, Yahoo, which says it uses the unique tracking cookie to link you to your opted-out status.

Do Not Track is not your solution either, at least not as it is currently defined. Again, the draft Do Not Track standard controls uses of tracking information but it does not rule out the creation of unique tracking IDs that are sent in the clear with every request to the tracking site.

Browser-based controls on third-party cookies will do some good. For example, Apple’s Safari browser puts some limits on third-party cookies, which will reduce the amount of tracking you encounter. Similar functionality exists in prerelease versions of Firefox, but this feature seems to be snagged in Mozilla bureaucracy and is not currently moving toward deployment.

Another approach is to clear your browser cookies and profile, or to use anonymous browsing mode. Again, this does some good, but it’s awkward to do these things on an everyday basis, and anyway you can still be tracked within a session—between clearing events if you’re clearing cookies, or within an anonymous browsing session. And of course there are types of tracking IDs that survive these measures.

At the moment the only surefire way to stop a site from using tracking IDs is to avoid interacting with that site altogether. Some browsers have tools to block access to unwanted sites. But most users who want to block tracking sites will use an ad blocker. Studies show that ad blockers are the single most effective tool for avoiding tracking IDs.

This is unfortunate, because ads are not the problem—at least, not directly. But because ads are so often associated with tracking IDs, blocking ads has the side-effect of blocking tracking IDs very effectively. The problem is that wholesale blocking of ads will eliminate privacy-friendly ads too. It would be better to have a blocking facility that blocked tracking IDs while welcoming privacy-friendly ads.

But of course it would be better yet to have ad companies take a step by protect our privacy by refraining from sending unique tracking IDs on non-HTTPS connections.

Comments

  1. AJ says:

    Any comments on the Ghostery browser extension? It is able to block all kinds of trackers, adverts and widgets, as chosen by the user. It’s not clear how untrackable one is after enabling it, although it seems pretty good. I would appreciate someone studying it.

  2. Mitch Golden says:

    Ed -

    There are a number of settings and plugins for firefox that go quite a way toward alleviating the issue you’re talking about.

    1) Set your browser to clear everything when it closes. As you say, this is a bit of a nuisance, and you won’t be able to retain browsing history, but if you want to stay free of tracking by advertisers (leave aside the NSA) who may be using evercookies (http://samy.pl/evercookie/) this is the surest way to know you aren’t being tracked.

    2) Set your browser not to accept third party cookies. (There is a setting for this in Firefox.)

    3) You can install the plugin Ghostery, which blocks a wide swath of tracking cookies and javascript.

    4) Install the plugin “Self-destructing cookies” which clears out the cookies set by a site shortly after you close the tab it was opened in.

    5) Install the plugin “User Agent Switcher” and change up your user agent from time to time – since IP plus user agent is pretty identifying.

    You can also use search engines that don’t (or at least claim not to) retain your IP address. They have Firefox add-ons that allow the search box to go to these other engines.

  3. Anonymous says:

    I run Disconnect — https://disconnect.me/ — which seems to be a good compromise between no blocking and a full ad blocker. It does block third-party ads, but if I go to the New York Times site, many of the ads show up because they’re coming from the same domain.

    As Mitch Golden points out, you can turn off third-party cookies in Firefox (but you really have to dig to get to this preference): http://support.mozilla.org/en-US/kb/disable-third-party-cookies

    Strangely enough, blocking third-party ads will be better for advertisers in the long run. Creepy targeted advertising is more of a problem for the advertisers than for the audience. http://zgp.org/targeted-advertising-considered-harmful/

  4. Hal says:

    Boot into a Live Linux CD each time you wish to visit a given site. Reboot before changing sites. It may be possible to achieve this by reverting to a virtual machine snapshot, but VMs protect the host from the guest, not the other way around.

  5. Bruce says:

    Thanks for writing on this topic.

    I think there is an opportunity to generate enough noise from my devices that it is difficult to prove which traffic I am responsible for.

    My ISP recently reported that a PC on my network is exhibiting bot behavior – apparently my PC is already sending traffic that I’m not aware of. Am I liable for what that bot is doing?

    We just need a better bot, tuned to create just enough plausible and non-plausible noise from our devices to wash out the real data. The anti-darknet is too bright to see.

    That might buy us time until the NSA quantum computer just as easily calculates an infinite probabilistic view of everybody and everything.