Practical privacy and simple cybersecurity.
TheNewOil.org

The Invisible Way You Can Be Tracked Online

What does it take to truly opt out of invasive online tracking, creepy or unwelcome targeted ads, and data collection that you never meaningfully agreed to? In recent years apps and services have been advertising their alleged privacy features but – no surprise – it turns out that many of these features may be woefully inadequate.

Fry from Futurama "I am shocked" meme

In this blog post (which is roughly transcribed from my latest video), I'm going to share what we know about the murky and complex world of fingerprinting and how you can effectively opt out of it.

What Is Fingerprinting?

In 1979 the kids' game Guess Who was released. It would eventually go on to be picked up by Milton Bradley and then Hasbro. For those who've never heard of this game, the premise is simple. There are 24 cards with cartoon people drawn on each of them. Each player picks one person out of these 24 and the other player attempts to guess the chosen character via process of elimination by asking questions. So for example you might ask questions like, “does your person have glasses?” or “does your person wear a hat?” or “is your person a girl?” The goal is to be the first to correctly guess the other player's card before they guess yours.

Fingerprinting works much the same way. Fingerprinting is when a company combines several pieces of information about your device or browser to uniquely identify you out of all of the other devices and browsers out there. As long as your fingerprint stays the same – which, by default, it usually does – they can easily track you across multiple unrelated websites or apps. This is why targeted advertising can sometimes be creepy accurate: they are literally stalking you using characteristics that are nearly impossible to change. Imagine if everywhere that you went in the real world, there was some invisible for-profit company hiding behind the security cameras, writing down a detailed description of every person who goes in and out. And I'm not just talking about things like Black Metallica T-shirt and white Nike shoes. I'm talking about things like hair color, hair length, eye color, height, weight, walking speed, gait, style of walk, accent, language spoken, and so on.

Slenderman artwork
Actual photo of targeted advertisers.

It's hard to get an exact read on what data is collected for fingerprinting, how pervasive it is, or even exactly how it works. Companies don't exactly publish their materials publicly, probably because they know it's super creepy. But we do know that it is happening, and it is at the very least pretty common, and services like Cover Your Tracks or Am I Unique? can give us insight into what sort of information companies are able to easily collect and therefore probably are collecting. We know that a fingerprint can consist of things like what browser you use, what extensions you have installed, your screen size, your time zone, your language settings, and more.

Now, to be fair, some of this makes sense. As a native English speaker, I would really appreciate it if YouTube or Wikipedia gave me the English versions of their websites. But other stuff, I mean, come on! Is it really Wikipedia's business if I'm reading about the taxonomy of snails and slugs at 3:00 a.m.?

Disclaimer

A quick side tangent: I mentioned services like Cover Your Tracks or Am I Unique? These sites can be really useful to figure out what sort of information you're revealing, however I wouldn't put too much stock in any of these sites, especially the total score. Most of these websites are comparing you to other people who visited them, and guess who's visiting these sites? A very, very, very small portion of the population who's really into privacy and probably checking to see how much information they're revealing. You're not getting an accurate sample size compared to the actual, overall population. It would be like comparing your net worth to a list of billionaires. That's a really small sample size that skews heavily to one end of the spectrum and doesn't really give you a fair or accurate comparison of where you really stand in comparison to the general population as a whole.

On the topic of skewed data sets, it seems from my perspective that in recent years there has been a lot more talk even in the mainstream about privacy. As a result, we're seeing a lot of companies put more emphasis on advertising their privacy features or entirely new companies springing up claiming to offer various levels of privacy in various ways. But there's also a lot of snake oil out there. Not every service or feature is created equal. Some will be more effective than others while some won't do anything at all and they'll just take your money or sell your data anyways. So before I outline what does work, let's talk about some of the common suggestions that don't.

Ineffective: Blocking Third-Party Cookies

First off, there's been a huge hullabaloo these days about “third-party cookies.” For those who don't know, cookies are small text files that get downloaded to your device while you browse the web that help the website identify your unique device. In some cases, this is a good thing. Cookies can allow you to stay logged into a website or for a site to remember what's in your cart when you return at a later date. The problems typically start to come in with third-party cookies, which is basically what allows websites to track you even when you're not on their website. These work because many websites will contact a third-party service for a lot of reasons that you may not even see. Google Analytics is a common one. That third-party service will place their own cookie on your device and then when you visit another site that uses that same third-party service, they'll read the cookie, see the same ID as before, and they know that it's you on both websites.

Most modern browsers block these third-party cookies by default, and Google has even been making a big deal for the last few years about promising to replace third-party cookies entirely with something allegedly more privacy-respecting while still being advertiser-friendly. It has yet to materialize. There's even some popular browser extensions that clear cookies as soon as you navigate away from the page you're on. But cookies are just one tiny part of tracking. One website that I found promoting fingerprinting services to other businesses as an anti-fraud measure claimed that a fingerprint can consist of “dozens to hundreds of characteristics.” Cookies are barely even worth a mention in this context. It would be like robbing a bank and then the only change that you make to hide yourself is changing shoes. Or shoe laces. Clearly they're using a lot more information to identify you.

Now, just to be clear, blocking third-party cookies isn't a bad thing, it's just not enough. But while we're on the topic, it's worth noting that Chrome is literally the only mainstream browser that doesn't block third-party cookies by default. Brave, Firefox, Safari, even Opera and Edge, all block known tracking cookies out of the box with no adjustment from the user. This is just one more reason to drop Chrome.

Ineffective: Extensions

I also mentioned there are commonly recommended extensions to help defeat fingerprinting. Cookie Auto Delete is the one I see recommended most often but all of the browsers I recommended can be set to erase all your data including cookies as soon as you close the browser, which I encourage. Brave specifically has an option to clear cookies as soon as you navigate away from the page you're on, therefore making the Cookie Auto Delete extension completely obsolete. I've also seen some people recommend extensions that claim they will randomize your browser's user agent. It's a little bit tricky to explain what a user agent is without getting overly technical, but the short version is that it's a string of text your browser sends to the website that contains a lot of information about your browser and device, like your operating system, the specific version of your browser or operating system, and more. In my experience, none of these extensions deliver on their promises. Every time I've tested them, websites are still able to accurately identify my true information, so I don't recommend these.

(Mostly) Ineffective: VPNs

Last but not least, let's talk about VPNs. VPNs make a lot of empty promises, and I have a whole video (and maybe blog post) coming up that will dive into VPNs in more detail, but right now I want to focus on a common marketing claim that a VPN can make you anonymous online. VPNs do two things that could theoretically help here: they change your IP address and most VPNs can block known ads, trackers, and malicious domains. As far as that first one goes, IP addresses are like cookies: it's true that companies can use them to uniquely identify you, but it's just one small part of the picture. In fact, in some places, residential IP addresses automatically rotate every so often, so IP addresses are arguably even less important than cookies. And as for the blocking features, you can easily recreate this for free and arguably more effectively with extensions like uBlock Origin or by changing your DNS resolver if you're techy enough to do that, though for the record: it's really not hard and I recommend you at least look into it. Even if you'd rather let the VPN provider just handle all this for you, keep in mind that either way, they can only block known threats, and in an overcrowded, constantly evolving industry that is intent on collecting every piece of your data they can at every possible turn, there's always new companies, new domains, new analytics, and new malware popping up that they have to stay on top of.

So is there anything that does work? With so many things that are half-effective at best, what can really protect you from fingerprinting? As it turns out, lots of things. You have lots of great options. When it comes to defeating fingerprinting, there's basically two schools of thought: conformity and deception. Conformity is the idea of making everyone look exactly the same so that nobody stands out while deception focuses more on feeding false data to obfuscate the truth.
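A simplified model of the two approaches, added here as an illustration (not code from the original post, and not how any particular browser implements them). The three users, their attribute values, the `canvas` attribute (a hash of how a device renders a test image) and all function names are assumptions; the code shows what a tracker that hashes the reported attributes can conclude under each approach.

```python
import hashlib
import random

# Constructed true device attributes for three users (illustrative values).
USERS = {
    "alice": {"screen": "2560x1440", "timezone": "UTC-5", "canvas": "9f2c41d07be8a315"},
    "bob": {"screen": "1920x1080", "timezone": "UTC+1", "canvas": "04b7e9a1c36d5f28"},
    "carol": {"screen": "1366x768", "timezone": "UTC-8", "canvas": "c81d5a7f2e90b364"},
}
# Assumed uniform profile that a conformity browser reports for every user.
STANDARD = {"screen": "1400x900", "timezone": "UTC", "canvas": "0000000000000000"}

def default_browser(user, session):
    """Ordinary browser: reports the device's real values on every visit."""
    return dict(USERS[user])

def conformity_browser(user, session):
    """Conformity: every user reports the same standardized values."""
    return dict(STANDARD)

def deception_browser(user, session):
    """Deception: the rendering result carries noise that changes per session."""
    rng = random.Random(f"{user}/{session}")  # stands in for a per-session secret
    return dict(USERS[user], canvas=f"{rng.getrandbits(64):016x}")

def fingerprint(attrs):
    """Tracker side: hash the reported attributes into one identifier."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def evaluate(strategy, target="alice"):
    """Return (same fingerprint in two sessions?, users sharing that fingerprint)."""
    first = fingerprint(strategy(target, "session-1"))   # visit to site A
    second = fingerprint(strategy(target, "session-2"))  # later visit to site B
    crowd = sum(fingerprint(strategy(u, "session-1")) == first for u in USERS)
    return first == second, crowd

if __name__ == "__main__":
    for strategy in (default_browser, conformity_browser, deception_browser):
        linked, crowd = evaluate(strategy)
        print(f"{strategy.__name__:<19} linked={linked!s:<5} users sharing fingerprint={crowd}")
```

In this model only `canvas` is randomized, so the combined hash changes while `screen` and `timezone` stay stable; noise of this kind only helps when it covers every attribute that is distinctive on its own.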

Most Effective: The Tor Browser

Unarguably the best option for defeating fingerprinting is the Tor Browser. The Tor Browser functions on the conformity model by making everyone look exactly the same: same extensions, same screen size, same time zone, etc. Additionally the Tor Browser relays your traffic through multiple “nodes,” making it harder for even advanced surveillance agencies like governments to trace any one individual around the web through other, indirect means. However, it should be noted that the Tor Browser does have significant drawbacks. For the average user, it can often be very slow, and many websites block it to prevent abuse of their services. But if you're willing to put up with some reduced speeds and the services you use most often don't typically block it, you really can't beat the Tor Browser. For those who are interested in learning more I have an older video that you can check out that explains how the Tor network works and how to use the Tor Browser for maximum effect.

Most Convenient: Brave

My next recommendation – which will probably be the sweet spot for most folks – is the Brave browser. Brave takes the deception approach by randomizing your fingerprint so that you look different to any services trying to track you every time you use the internet. Now, I know I mentioned before that a lot of extensions claim to do this and don't seem to work very well. I'm not sure what Brave does differently. Maybe it's because it's integrated deep into the browser itself and it's not just an extension, maybe it's because they do more than just change your user agent. Maybe it's Maybelline. Either way, I've tested this myself and Brave's anti-fingerprinting measures do seem to work as far as I can tell. The good news for you is that Brave does all of this in a way that's totally invisible to users, so you probably won't even notice any difference from using whatever browser you're currently using. But for the record, if you find a site that's broken, there is a way to easily report it so they can fix it. As an added bonus, Brave includes a built-in ad blocker to help make the internet a little bit more tolerable. It should be noted that I do recommend some additional changes to Brave on my website that will help protect you even more.

Honorable Mention: Mullvad Browser

Finally, if you prefer not to use Brave but Tor is a little bit too hardcore, I recommend the Mullvad Browser. The Mullvad Browser is literally the Tor Browser but without the Tor network. Instead, it's designed to be used alongside a VPN. As a result, it's usually way faster and you'll probably experience less site breakage, but for the record that depends on what VPN and servers you use. When used with a VPN, the Mullvad Browser uses the conformity school of thought just like Tor by making all the users look identical. I know I just said that VPNs don't offer anonymity, but that doesn't mean that they're totally useless. Again, I've got a whole video coming on the topic.

Also Effective: Fewer Extensions

Regardless of what browser you use, keep your extensions to a minimum. Websites can see which extensions you have installed; like “which one individually” not just a total number. This works exactly like that game Guess Who: they can cross reference that list as another data set to help fingerprint you on different websites, even with a browser like Brave or Mullvad or even Tor. Think about it this way: tens of thousands of people – probably more – are probably using Grammarly, right? But how many of those same people also use uBlock Origin, and Honey, and Reddit Enhancement Suite, and Pinterest, and so on and so forth? The more extensions you use, the smaller the list of people who use that exact same set of extensions. So use the absolute fewest number of extensions that you can to make yourself harder to fingerprint.
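The Guess Who narrowing described here and under “What Is Fingerprinting?”, as an added example (not from the original post). The 16-visitor population and every value in it are constructed for illustration, and `visitor`, `anonymity_set`, `narrowing` and `with_extensions` are hypothetical helper names; the code counts how many visitors stay indistinguishable from one target as each attribute is added, then repeats the count after the target drops their extensions.

```python
from math import log2

FIELDS = ("browser", "timezone", "language", "extensions")

def visitor(browser, timezone, language, *extensions):
    """One constructed visitor; the extension list is an unordered set."""
    return dict(zip(FIELDS, (browser, timezone, language, frozenset(extensions))))

# Constructed 16-visitor population (illustrative values, not measured data).
POPULATION = [
    visitor("Chrome", "UTC-5", "en-US"),
    visitor("Chrome", "UTC-5", "en-US"),
    visitor("Chrome", "UTC-5", "en-US", "Grammarly"),
    visitor("Chrome", "UTC-5", "en-US", "Grammarly"),
    visitor("Chrome", "UTC-5", "en-US", "Grammarly", "Honey"),
    visitor("Chrome", "UTC-5", "en-US", "Grammarly", "uBlock Origin"),
    visitor("Chrome", "UTC-5", "en-US", "Grammarly", "Honey", "uBlock Origin"),
    visitor("Chrome", "UTC-5", "es-MX"),
    visitor("Chrome", "UTC+1", "en-GB", "Grammarly"),
    visitor("Chrome", "UTC+1", "de-DE"),
    visitor("Firefox", "UTC-5", "en-US", "uBlock Origin"),
    visitor("Firefox", "UTC-5", "en-US", "uBlock Origin"),
    visitor("Firefox", "UTC+1", "de-DE", "uBlock Origin"),
    visitor("Safari", "UTC-5", "en-US"),
    visitor("Safari", "UTC-8", "en-US"),
    visitor("Safari", "UTC+1", "en-GB"),
]
TARGET = POPULATION[6]  # the visitor with three extensions installed

def anonymity_set(population, who, fields):
    """Count population members that match `who` on every field in `fields`."""
    return sum(all(p[f] == who[f] for f in fields) for p in population)

def narrowing(population, who):
    """Guess Who style: (field, set size, bits revealed so far) as fields are added."""
    steps = []
    for i, field in enumerate(FIELDS, start=1):
        size = anonymity_set(population, who, FIELDS[:i])
        steps.append((field, size, round(log2(len(population) / size), 2)))
    return steps

def with_extensions(population, who, *extensions):
    """What-if: the same population after `who` changes their extension set."""
    changed = dict(who, extensions=frozenset(extensions))
    return [changed if p is who else p for p in population], changed

if __name__ == "__main__":
    for field, size, bits in narrowing(POPULATION, TARGET):
        print(f"+{field:<10} anonymity set = {size:2d}  ({bits} bits)")
    trimmed_pop, trimmed = with_extensions(POPULATION, TARGET)
    print("no extensions ->", anonymity_set(trimmed_pop, trimmed, FIELDS))
```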

In my opinion, uBlock Origin is the most powerful content blocker currently on the market, and it's really the only extension that I strongly recommend to everyone right now. It blocks ads, trackers, and tons of other stuff and it can even be configured to do some of the same stuff that some other more advanced extensions do for power users. For a complete and up-to-date list of what extensions I'm currently recommending, be sure to reference my website.

Bonus: Apps & Smart Devices

Finally, we have to talk about how to block tracking in apps and Internet of Things (aka “IoT” or “Smart”) devices like gaming consoles or smart TVs. These can be a little bit difficult to control because in a lot of cases, you can't choose which apps to use to access the service or to install any ad blockers inside the IoT device, for example. But you still might be surprised how much control you have outside of the app or device that affects the app or device itself. So first off, I'd be remiss if I didn't start by saying “check the settings in the app or device.” Sometimes you can opt out of targeted advertising or other invasive features. For phones and tablets in particular, I really recommend digital minimalism. The less apps that you have, the less apps that are trying to track you, not to mention there's less risk of a hack on your device. I recommend getting rid of any apps that you don't use often or anything that isn't time sensitive. For the apps that you do keep, all modern smartphones now include some pretty powerful permission settings which allow you to control the app's access to things like location, microphone, camera, contacts, photos, and sometimes more. You should absolutely disable anything that your app doesn't need access to. Apple allows you to disable some additional tracking permissions by disabling the App Tracking Transparency setting, and while Google doesn't allow you to permanently disable this, you can reset your Advertising Identifier as often as you'd like. Be sure to check my website for the latest instructions on how to find and disable those features.

I mentioned changing your DNS earlier, and this is another really powerful technique. Privacy Guides has a list of DNS resolvers that they recommend, so I would consult them, and most of those resolvers offer apps for a user-friendly experience on phones and tablets, although if you prefer you can also enable them manually. If you're not sure how to do that I recommend doing a web search for “change DNS” and then whatever operating system you're using, such as iOS, Android, etc. For IoT devices, you may need to do this on your router, which you can also look up instructions for by searching “change DNS” and the model of router you're using. Alternately, I mentioned that most reputable VPN providers offer content blocking with their service. Again, I want to emphasize these won't block everything or make you anonymous, but they're absolutely helpful in this specific use case for managing some of the tracking that comes from these apps on your devices. There is a growing trend where some smart devices will support certain VPNs directly but if not, most higher-end routers do. So again, you're going to need to do some research to figure out if the VPN you want to use is supported by that device or how to load a VPN on your router of choice. Last but not least, on mobile devices you could consider trying to use the app as a progressive web app instead of a native app. I made a short video on the topic that you can check out for more information on what PWAs are and how they can help reduce app tracking.

Conclusion

So there you have it! The web has become an ad-riddled hellscape of stalking, but it doesn't have to be that way. There's so many tools out there like the Tor Browser, DNS resolvers, and just some good online habits that can easily and completely change the game in allowing you to decide what you do and don't want to share with advertisers or what you'd rather just keep to yourself.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more.