I've got a friend who seems to be paralyzed with fear of the
tracking happening on the modern Internet. He barely dares turn on a
computer. This is someone who was a very early adopter of the Internet,
worked for many years building web sites and infrastructure.
This
bit of writing will hopefully help my friend assess the risks and take
appropriate actions to re-connect with the modern internet safely. It's
generally applicable so worth reading to anyone.
How am I the expert?
I've
been using the Internet since before the World Wide Web existed and
built a career around being an Internet nerd. Building web sites,
helping companies get online. Eventually the discipline of web analytics
emerged and I got heavily into it. So much so that I started
a very successful meetup nearly ten years ago that has grown into a fantastic community of practitioners who run a monthly meetup and an
annual unconference.
Tracking
peoples' behaviour on the Internet is what I do. I even have a bookmark
folder labelled "Evil Tracking" which chronicles mechanisms people have
developed to get around security limitations and track in ways you're
not supposed to.
Then I got concerned
I
never worried too much about all the tracking we were doing. For many
years the default for people like me was to track everything you could
and worry about how you'd use it later. It wasn't such a huge problem at
the time because the technology was too primitive, the data sets too
disjointed and no single player really had a thorough enough view of any
individual's behaviour to be worrying.
The
technology got better, the players consolidated into the now familiar
omnipotent FAANGs (Facebook, Apple, Amazon, Netflix and Google) who
could see vast portions of your online behaviour. There's a good chance
that your behaviour right now is being tracked by some or all of those
players. If you're reading this on my site, it's got at least Google
Analytics on it.
My friend is right about
what's going on: every app you open and web site you visit is tracking
you and sending the data to powerful global players. Mostly they do this
to target advertising at you with slightly more precision, then measure
the impact of that targeting and advertising.
These
days I spend a huge amount more time thinking about and taking action
on privacy. The last few years I've spent a lot of time with lawyers,
privacy experts and ethicists. I've also had a lot to learn about
ethics, ethical reasoning, mechanisms to work through the implications
of proposals and more general philosophical matters.
Match your action to your level of risk
If
you're Edward Snowden, a dissident Uigher, an ambassador or spy, your
level of risk is going to be much higher than an ordinary schlub like
me. The Snowden leaks of the NSA's
Taillored Access Operations
show that if you're important enough for the spooks to put in some
effort, they can physically intercept your hardware and install
basically invisible stuff to monitor everything at the hardware level.
You
and I are not those targets. Nobody cares enough to break into our
house, open our laptop and solder in an expensive custom minutarized
implant to send everything back to Fort Meade, Beijing or Tehran. It's
sufficient for us to protect ourselves from the wholesale harvesting of
data and not go to the levels of effort you'd need to have to protect
yourself from the NSA.
Third-party dragnet tracking is easy to block
I'm
not an absolute zealot on this. I run Android. My email and file
storage uses Google. I watch a lot of YouTube. I have to be practical.
However where I try to keep things under control is the vast range of
uncontrolled third-party tracking on the web and in apps. Fortunately
it's relatively simple to block the vast majority of this.
What I mean is that if you're visiting
somesite.com and it's sending data to
creepytracker.com, you can trivially block that and still use
somesite.com without any negative impact to you. Needless to say if you go to
creepytracker.com's
site directly (or Google or Amazon etc), they're going to be able to
track you. You have to pick the battles you can take on and the steps I
take
massively reduce my data exhaust being hoovered up. But I'm not invisible.
Browser and browser settings
The
first level of protection is to use a browser that doesn't straight up
invade your privacy. Don't use Chrome. Firefox is a good choice, though
they're not perfect. They use some mildly dark patterns to trick you
into sending telemetry back to their servers by default. Go through the
settings and pick the most stringent settings you can work with.
Introduce exceptions where you have to and are willing to.
This is your first line of defence.
I don't use
Brave,
though it's probably not the worst choice. I just don't trust the guy
who started it (also responsible for unleashing JavaScript on the world,
make of that what you will). The various ways they've been found to do
slightly iffy things hasn't filled me with confidence either.
Ad and tracker blocking
Next
you want to block ads and tracking pixels. Here we're fortunate that
most developers are lazy. The tracking code on the web is loaded from a
central location and the tracking data is send to a central location.
Ad
blocking extensions in your browser load up blacklists of known
tracking endpoints and simply block them. This means faster loading
webpages, no ads and importantly no tracking! A better world all around.
Of
course there is a cost. Sometimes the ad blocker will interfere with
site functionality. If you're willing to tinker, you can often disable
just the bits causing problems and continue. In the worst case, you can
whitelist a specific site so it runs all its crap. Or open up your
browser's
Porn Mode,
do what you need to do on the offending site, close the window and all
the associate cookies and other long-term tracking info is gone.
The best ad blocker is without a doubt
UBlock Origin.
Just having it loaded with the defaults is a great start. Go through
the settings and you can add more stringent blacklists and rules. It
also has the cool dropper tool where you can select specific DOM
elements in the page to remove. Great for popups and other annoyances.
DNS blocking
Next
line of defence is DNS blocking. As most of the trackers and ad crap is
centralised, you can block the DNS entries for much of it so it never
even loads. This approach captures devices where you can't install your
own software, like smart TVs, Internet of Things devices, phones and
anything else connected to your local network.
There's a couple of ways to do this:
- The Pi-hole
uses a Raspberry Pi (or other cheap, low power computer) to run a
custom DNS server with a range of blacklists on it. It's a great little
system and works well, though only on your local network. Apart from the
cost of the Raspberry Pi (and you can use one of the older, lower
powered ones), it's free.
-
NextDNS
is a paid service I use which does much the same but without you having
to run a local server. It also allows you to protect your phone and
other devices when you're away from your local network. It's really
handy and simple to use.
A nice
side effect: your ISP's blacklists that block things like The Pirate Bay
are avoided because they're also done at the DNS level and you're no
longer using their DNS servers.
How about your phone?
Mobile
phones are filthy cesspits of tracking. Even if you don't have any apps
(which all have tracking software inside), the manufacturers are all
tracking you, whether that be Android (Google), iPhone (Apple) or one of
the other Android players (Google still gets their data, Samsung,
Huawei etc take their own too).
The only option
I can offer if you want a phone but are totally uncomfortable with the
tracking would be some of the open source options. But they're clunky
and you won't have any of the particularly useful apps. Though I suppose
you can browse the web and make phone calls.
Some options. I haven't explored this recently.
Of course the browser on your phone should be something like Firefox too, which has some limited ad blocking functionality too.
App telemetry
If
you're going to be paranoid, you're going to need to get used to going
through any settings on software you're using. The defaults tend to
phone home and send telemetry, which you might want to disable.
So
you've mostly cleansed your own hardware and software, but what about
the services? Well you can still do a lot of things locally the old
school way, and there's generally alternatives for any of the
particularly problematic applications.
-
Search:
-
DuckDuckGo
are a great search engine. Change your browser over to it now. Learn
about the shortcuts that will take your search to other search engines
for when it doesn't find you what you need. And don't install their
apps, you don't need them.
-
Email:
- Use a local email client and your ISP's mail server
- Online services Fastmail, Protonmail are probably kosher
-
Maps:
- It's
funny to think how much we've got used to Google Maps. Of course
Google's tracking where you go! You could try OpenStreetMap which isn't
bad, though their directions routing isn't as good
- Music:
- Old school: load mp3s and FLAC files and use a local player
- BandCamp are a great company, though I bet their apps have third-party tracking
- The old Logitech Squeezebox music server software is still going strong and now supports a wide range of playback hardware including some cheap devices.
-
Media:
-
Jellyfin is an open source alternative to Plex for playing back video files