The Webs We Weave

Most people just don’t realize how wide and vast this tracking network really is. The best way I know to explain the pervasiveness of web tracking to you is to use a nifty little web tool called Lightbeam .⁵ When you go to a web site, the content you see is often provided by multiple different companies. In addition to the first-party site (the web site you actually intended to visit), there are often many other third-party web sites that provide ads and other images—and also track what you’re doing. To see these third-party relationships, Lightbeam draws a graph that shows you all the third-party sites that are associated with the first party site you visited. (I know, all this “party” stuff sounds like legalese. It sorta makes your brain want to tune it out. But bear with me here.)

Let’s try a real-life example and graph the relationships behind some popular web sites and their hidden third parties. We’ll start our browsing with Wikipedia (Figure 7-2).

In Figure 7-2, you’ll see the first-party site as a circle—in this case, the one with a W in it, which is wikipedia.org. The little white triangle next to that is a third-party web site that is associated with the site we visited. However, in this case, the third-party site is just wikimedia.org, which is directly associated with Wikipedia (that is, it’s not a third-party advertising or tracking site). It’s not uncommon for the third-party sites to just be extensions of the first-party site, and it’s also not uncommon for the third-party sites to be perfectly normal other web sites that provide things like web tools, images, and other harmless content. However, many of them are marketing firms and other “Big Data” companies whose sole purpose is to build a portfolio on you.

Now, let’s go to Yahoo.com (Figure 7-3).

Our little graph (Figure 7-3) has now grown substantially. While Yahoo.com was our primary target (the white circle with the Y in it), we can see that we’ve also triggered five other sites, only two of which are associated with Yahoo itself. The others are all tracking sites, including doubleclick.net and agkn.com. Note that there is no intersection here—no common third parties. Wikipedia—since it doesn’t track you—is actually pretty boring in this regard, so from here on, we’ll just cut them out of our picture.

Now let’s move to Amazon.com (Figure 7-4).

You can see in Figure 7-4 that loading Amazon’s web site also caused you to communicate with eight other third-party web sites. At least three of those sites were associated directly with Amazon (even though there’s no A logo on them like in the circle). Note that two of the third-party sites were also associated with Yahoo. Those are tracking sites. And they now know that you went to Yahoo and then to Amazon, and they quite likely know a lot about what you did there. Starting to get the idea?

Let’s go for the jugular now…let’s go to Dictionary.com (Figure 7-5).

The graph in Figure 7-5 is so crowded now that you can’t really even read it. It’s hard to tell, but there are 100 third-party web sites there. You’ve visited just four web sites so far. The triangles that have multiple connections are the tracking sites.

So, just exactly how is it that they track you? The details would make your eyes glaze over. It’s very technical, and the techniques are legion and myriad. But essentially it boils down to somehow marking you in a way that can later be recognized if they (or someone they know) see you again. These markers come in many forms. One of the most popular tracking devices is called a cookie. A cookie is a small bit of data that web sites give to your computer, asking your browser to save it off and then repeat it back to them later when they ask for it. This is sort of like a medical chart—the information is kept on you, and when you interact with another party, they look at it to refresh their memories of you. These cookies were originally used by the first-party web site to help keep track of your login, your personal preferences, your shopping cart contents, etc. However, third parties have used them to mark people as they move around to different web sites, tracking all sorts of stuff about you. That’s the key point here... first-party cookies are between you and the site you intended to visit, which tends to be mutually beneficial; third-party cookies are things you generally didn’t ask for and may not even be aware of, and it’s almost completely for the benefit of the third party.

Let’s try an analogy to explain how this works. Let’s assume that your local mall wants to gather information on the people who shop there, and all the merchants agree to participate in the program. It’s time for you to go Christmas shopping, so you park your car and walk in via the Macy’s door. As you walk through the door, a silent little blowgun shoots a sticky dart that attaches to your back. This dart contains a little homing beacon that puts out a unique identifier, specific to you. They don’t know who you are (yet), but they want to be able to distinguish you from all the other people wandering the mall. This ID is logged in a special computer system, along with a little note: “Customer 4372 entered mall via Macy’s East door on first floor.” This entry in the log automatically notes the time and date, as well. You walk through Macy’s and into the mall proper. As you do, you walk by another sensor that detects your tag: “Customer 4372 left Macy’s without buying anything.” Since the time of entry and time of departure were so close, they could probably also conclude that you didn’t even look at anything.

Now you walk into a jewelry store. You look around, find the perfect gift—a diamond tennis bracelet—and go to the register to buy it. Your entry to the store was of course logged, but now you’ve also made a purchase. They now know quite a bit more about you. If the store is trying to be nice, they may only log that you are a white male in his mid-50s who lives nearby (based on your credit card billing address) and that you bought an expensive piece of jewelry. From this, other retailers in the mall (who can see all of this information) may well assume that you are married and have an above-average income level.

You leave the jewelry store and head down to Victoria’s Secret, where you make a very different purchase on a rarely used credit card. Marketing data analysis may suggest that you have not just a wife but also a mistress. You now walk into an electronics store. The store personnel can see from your records that you’re in a buying mood today and you have plenty to spend, so they ignore other customers who show less promise and focus on you. They steer you to higher-end equipment, and given that you probably have a wife, they test your interest in kitchen appliances and push hard for you to get a store credit card.

This is all just from a single trip to the mall. Think about all the other places you’ve been and purchases you’ve made—what could they tell about you? How detailed would your profile be? And would you want that profile to be shared with every store you walk into?

The key here is that all the stores have contracted with the same tracking company. They have a common set of sensors that are all networked together, creating a central place to log your activity. While you might think it’s entirely reasonable for a given store to keep information on previous buying and shopping activity, how do you feel knowing that information is being shared with many other retailers (and credit bureaus, potential employers, insurance companies, and so on)? It may be that this tracking company hordes the juiciest bits of information and gives only partial information to each store owner (depending on what level of service they’ve paid for). But it’s important to realize that even with the best of intentions, the fact of the matter is that that information exists somewhere—and therefore it can be stolen, abused, or even compelled by the government.

Enter the Panopticon

But we’re just getting started! There are several other tracking mechanisms, as well. People have gotten wise to the third-party cookie tracking method and have learned how to block them, so marketing companies have come up with other ways to track you—ways that can be difficult to avoid. Installing things like toolbars and social media extensions in your browser can give them access to all sorts of info. Even those social media buttons such as Facebook’s Like, Pinterest’s Pin It, and Twitter’s Tweet can be used to track you—even if you don’t click them! Sometimes they use tiny little one-pixel images with unique names... when you load that image, they know you’ve been there. Sometimes they use invisible web form fields. The list goes on and on, and the exact techniques change all the time.

Some really clever folks have figured out ways to “fingerprint” your web browser. To help web sites present themselves optimally, your web browser gives up all sorts of general information about your computer and web browser configuration: what plugins you have installed (even if they’re disabled), all the fonts you have on your computer, computer screen dimensions, what type of operating system you’re running, and what type of browser you have. The idea behind browser fingerprinting is that few people will have the same combination of these items.

Unlike regular cookies and other forms of tracking, there is no way to know that browser fingerprinting is happening to you, and it’s very hard to prevent. It’s just not easy to disguise yourself as you traverse the Internet. In this case, your best defense would be to look like everyone else—blend into the crowd. Unfortunately, many of the measures you might take to increase your online security and protect your privacy also tend to make you stand out because so few of us take the time to install these tools. Finally, this is just one technique—if you combine this technique with others (even just looking at your IP address), it becomes difficult to hide your tracks.

By the way, the name Panopticlick is based on an 18th century surveillance and behavioral conformance concept dubbed a Panopticon . An English philosopher by the name of Jeremy Bentham pioneered the design of an institution in the shape of a circle. The residents would be in cells on the rim, facing in, and the guards would be in a watchtower in the center, with a view into all the cells. The genius of this design was that the watchees couldn’t see the watchers, and therefore they could never know for sure when they were being monitored. Even though a handful of watchmen couldn’t actually observe everyone at once, each inmate had to assume that they were being watched at any given moment. This effectively forced all inmates into constant compliance.

I know it sounds far-fetched, folks, but we are truly heading into an era of constant, global surveillance. Our “institution” is the Internet, and the watchmen are numerous. Unlike the 18th century, we have the computing power to actively monitor a large swath of the populace in real time. And with massive data storage facilities, like the one built by the NSA in Utah, our watchmen can record massive quantities of our Internet and cell phone activity, review it later at their leisure, and store it effectively forever.

Most Secure Browser

Let’s just get this out of the way now: it’s almost impossible to know which browser is the most secure. This is largely because all of these browsers are constantly rolling out new security-related features, fixing security-related bugs, and generally trying to claim the title of “most secure.” That’s a good thing—they’re competing to be the best, so we all win. There are dedicated hacking contests to reveal bugs in browsers, but it’s hard to say whether the number of bugs found in these contests really reflects the security of the browser. How likely were bad guys to find these bugs? How severe were the bugs? What about the bugs they didn’t find? These hack-a-thons also don’t address factors like how quickly the browser maker fixes their bugs and whether the browser is smart enough to self-update (because if you don’t have the latest version, you don’t have the bug fixes). It’s really hard to compare the relative security of web browsers.

However, if I had to pick a winner here, I’d probably have to choose Chrome. Google is doing some fantastic work in the realm of computer and web security. That said, I think Firefox and Safari are also fairly secure browsers. And you could argue that because Firefox is open source, it can actually be audited by cybersecurity experts—unlike the other three major browsers. Ideally, this vetting leads to less bugs.

Most Private Browser

Unlike security, there are significant and important differences between the four major browsers when it comes to privacy. And this (to me) is the real deciding factor.

While Google has been a true leader in terms of security, it’s pretty much the worst in terms of privacy. Its whole business model revolves around advertising (Google makes about 90 percent of its money from ads⁷). And that leads to an enormous conflict of interest when it comes to protecting your personal data and web surfing habits. Apple has gone out of its way to basically be the anti-Google, making it a point of pride to collect as little data on their users as possible (and causing a collective freak-out by advertisers because of technology that limits tracking). But Firefox is also doing some great work in this area.

So, who’s the winner in terms of privacy? Today, I’d say it’s a toss-up between Firefox and Safari, with Chrome being dead last. Internet Explorer and Edge are somewhere in between, but with Microsoft’s recent penchant for collecting user data, I would put it closer to Chrome. Chrome has been trying to tame obnoxious ads with a built-in ad-blocking technology, but it’s important to note that it does nothing, really, to prevent tracking.

And the Winner Is…

Based on everything I’ve found in my research, I personally choose Firefox as my go-to browser. No browser is 100 percent secure, and it’s hard for even the most erstwhile browser to completely protect your privacy. But I think Firefox, on balance, is the best of the bunch. That said, there is at least one reason to also have Chrome installed on your system. And we’ll talk about that in the checklist at the end of the chapter.

Beyond the Big Four

There are actually several other web browsers you might want to consider, but I’ll just mention three.

The fifth most popular browser is Opera, and many people enjoy using it. If you’re not satisfied with any of the big four, you might give it a try. Opera is fast and works on both Mac and PC.

The Brave browser is a new, open source browser built for privacy, with built-in ad blocking and tracking protection. However, in a move to try to acknowledge the need for ad-based revenue, it also has a mechanism to insert its own ads, which opens up a lot of issues. I would wait and see on this one.

Lastly, the Tor Browser is all about privacy. In fact, it tries to achieve true anonymity (though that is extremely difficult to do in practice). It’s based on Firefox and builds in several kick-butt privacy tools that are too technical to sum up here. But if you really need to surf privately, you should give the Tor Browser a serious look.

Tip 7-1. Install Firefox and Chrome

Choosing a good web browser is important. For me, the current choice to maximize consistency, flexibility, security, and privacy is clear: Firefox. Chrome is good at all of those, too, except privacy. Google potentially has access to everything you do in that browser, and that creeps me out. Google already knows way too much about me. However... Google’s Chrome browser comes packaged with a copy of Adobe’s Flash Player built in, and Chrome makes sure that Flash Player stays up-to-date. So, my recommendation is that you install both Firefox and Chrome. I would use Firefox most of the time, but when you run across an archaic web site that won’t function without Flash, then (and only then) use Chrome.

Tip 7-2. Configure the Security and Privacy Settings on Browser

To get the best protection, you need to change some default settings. If you already have Firefox or Chrome installed, double-check these options. Note that the Do Not Track feature is often ignored. That’s okay. Register your desire not to be tracked anyway.

Tip 7-3. Remove (or Disable) All Unnecessary Add-ons

Web browsers have become very flexible, allowing you to add all sorts of fun and useful features via plugins, add-ons, extensions, and toolbars. Unfortunately, these extras, many of which are free or get installed with other software, can open security holes and reduce your privacy. Toolbars are often the worst offenders, but any add-on can cause problems. Avoid them unless you really need them. (In the next section, I’ll give you some add-ons that will significantly enhance your security and privacy.) If you have any trouble removing an add-on, try searching for remove <add-on name> in your web browser. Some of these add-ons are tenacious and hard to remove (and these are the ones you most assuredly need to remove).

Note that Java is a plugin most people don’t need anymore. The Java plugin allows code inside your browser to run Java code outside your browser, and that’s generally bad. Having Java on your computer is fine, but there are few cases for regular users to invoke Java from within a web browser. So if you find a Java plugin, you can remove it. (Remember that JavaScript has nothing to do with Java, despite the similar names. JavaScript is widely used for good purposes, and disabling it would bring many web sites to a screeching halt.)

Tip 7-4. Change the Default Search Option to DuckDuckGo

Even the venerable, ubiquitous Google search can (and will) track you. Think about some of the things you might search for and ask yourself if you would like that information saved and made available to someone else. That weird rash on your leg…how to hack your game console…where to find that special adult content…. If this idea bothers you, then you should consider changing your default browser search to DuckDuckGo.

To set DuckDuckGo as your default web browser search engine, the easiest way is to just install the DuckDuckGo Privacy Essentials plugin. Not only will this make DuckDuckGo your default search engine, it will also add some great privacy-protecting features to your browser. See the next tip for help with installing this and other great plugins.

Tip 7-5. Install Security and Privacy Add-ons

Some plug-ins actually enhance your security and privacy by preventing web sites from loading annoying ads and installing tracking cookies. (In fact, these plugins can significantly increase page-loading speed by avoiding lots of stuff you don’t need.) I recommend installing each of the following extensions. They each perform a slightly different function, though there is some overlap. I will walk you through installing one extension. The rest will follow the same procedure.

Let’s start with a plugin called Privacy Badger. There are a handful of effective plugins to block third-party tracking, but Privacy Badger is the only one I know of that was created by a purely nonprofit organization—and it happens to be a group that is strongly committed to protecting people: the Electronic Frontier Foundation (EFF).

Tip 7-6. Be Careful on “Shady” Sites

Some web sites are just way worse than others when it comes to malware, and those sites tend to be associated with what some would call vices…porn, gambling, copyrighted movie and music downloading, etc. I’m not here to judge. Just know that these sorts of sites tend to be worse than others, and the ones that are “free” are ones I’d worry about the most.

Tip 7-7. Beware of Pop-ups Offering/Requiring Plugins

Some web sites will ask/offer to install some malware checker or efficiency booster or video codec. If you get a pop-up window that wants to install something, just close the entire tab or window and walk away. If the plugin is something common like Flash, Java, Silverlight, or QuickTime, you should go directly to those web sites to download and install the plugin. Then return to the web site and see if it works. The rule is: if you didn’t go looking for something or request it yourself, don’t install it.

Tip 7-8. Opt Out Where You Can

Tip 7-9. Use Private or Incognito Browsing

Both Firefox and Chrome have a special “privacy mode” of web browsing. This mode is supposed to remove all local traces of your surfing once you close the special window—your browsing history, cookies, and anything else the browser might remember about your session. The key word here is local While it may successfully block some cookies from being stored permanently, it doesn’t make you anonymous or stealthy on the Web. Its only purpose is to hide what you’ve been doing from people who have access to your computer by deleting all the locally stored traces. To enable this mode, follow the next steps.

Tip 7-10. Change Your DNS Provider on Your Wi-Fi Router

This can be tricky because every Wi-Fi router’s admin page is a little different. I can’t give you a simple step-by-step for every possible router. In the previous chapter, I told you how to find your router’s admin IP address—use that same address to make these changes. You’ll need to look for the configuration for Domain Name Service (DNS) server. It should be prepopulated with a couple addresses—a primary and a backup. The first entry is the one it will try most times, but if that one fails, it will try the second one. The default addresses almost surely belong to the DNS provider used by your Internet service provider (ISP).

Tip 7-11. Change Your DNS Provider on Your Laptop

If you have a laptop, you should also set your DNS settings there because when you’re out and about, you’re no longer using your home’s Wi-Fi router.