EFFecting Digital Freedom

by Cooper Quintin  (cjq@eff.org)

Creepy Web Tracking Tricks

How many websites do you visit every day?

Maybe ten, twenty, or more if you are a heavy web user.  You may think that your web browsing is fairly anonymous; perhaps no one but your ISP and you know what you are reading.  But in reality, hundreds of different companies are tracking almost everything you read on the web.

At least 86 percent of websites include some third-party resources, 96 percent in the case of media and news websites.[1]

These are images, scripts, or other files that come from a domain other than the one that you intended to visit.  These third-party resources are often included for the purpose of displaying ads.  They can also be used to deliver content at a faster rate, or measure how you are using the site.  However, regardless of their primary role, they often have the added function of tracking what you are doing on the web.

Some of the companies doing this you have probably heard of, like Twitter, Facebook, and Google/DoubleClick.  Others you have probably never heard of at all, like Scorecard Research, AddThis, Acxiom, MathTag, IMR WorldWide, Moatads, ande, and more.  These companies are all in the business of tracking what you read online.  Web tracking is big business, and the companies doing it are making billions of dollars[2] from building detailed profiles about you and selling them to the highest bidder.

There are four main ways that tracking happens on the web: IP address, cookies, supercookies, and fingerprinting.  The basic mechanism is the same for the last three (IP address is the exception): the third-party domain assigns you a unique ID, which can then be read any time you visit a website that includes that same third-party domain.  This lets the third party know who you are and what websites you visit.  The third-party script learns which domain it is being included in through a part of how the web works called the "Referer" header, which tells a resource where it was loaded from.  Using this, Google, for example, could store a unique ID in your browser when you looked up your local weather on one site, and then read that ID again when you visit a popular tech blog.  From this, Google would know that you are interested in technology and where you live; with a few more visits they might have a good idea of your age, gender, income, sexual preferences, and what diseases you might have.

Cookies are the most ubiquitous form of tracking.  A cookie is a little piece of text that a site can store in your browser and read back at a later time.  Cookies are often used legitimately to log you into a website and remember preferences.  The problem is that a third party can store a unique ID in a cookie and then read it on any other sites that include that same third party.

Supercookies (a.k.a. Evercookies[3]) are similar to cookies in that they are a way of storing a unique ID for your browser.  The advantage for advertisers is that they can be harder to clear from your browser, and they can also be used as a backup in case the cookie gets deleted.  There are a number of ways that a tracker can make a supercookie.  Flash Local Shared Objects are common.  These are like cookies that can only be seen by Adobe Flash.  Additionally, HTML5 technologies such as local storage, WebSQL, session storage, window.name caching, ETags, web history, and cached images can all be used to store supercookies.  These features are all necessary for the rich web we have today.  You can't watch videos, play games, or run applications online without them.  But they can be used for tracking.  For many of these, the browser offers no easy way to clear them.  For most people, supercookies will stick around indefinitely.

Fingerprinting is newer than the other methods mentioned here, but it appears to be in widespread use already.  EFF demonstrated browser fingerprinting with our Panopticlick site (panopticlick.eff.org) in 2010.  Essentially, fingerprinting uses the unique properties of your browser to generate a unique ID for it, which will be the same as long as your browser retains those properties.  The properties used for fingerprinting can include: font enumeration, user agent, plugin enumeration, hardware quirks, and more.  Fingerprinting is uniquely devious in that there are no files you can get rid of, and browsing in "incognito mode" may not prevent you from being identified.
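An added example, not Panopticlick's code, of the measurement behind fingerprinting: each browser property value contributes -log2(p) bits of identifying information, where p is the share of browsers that report the same value, and a configuration is identifying once it is the only one in the sample.  The sample browsers and their property values are constructed for illustration.

```javascript
// Added example, not Panopticlick's code: the surprisal measure Panopticlick
// uses to score how identifying a browser's properties are. The sample set
// and property names are constructed for illustration.

// Constructed sample: eight browsers and the properties they would report.
const SAMPLE_BROWSERS = [
  { userAgent: 'A', fonts: 'common', timezone: 'UTC' },
  { userAgent: 'A', fonts: 'common', timezone: 'UTC' },
  { userAgent: 'A', fonts: 'common', timezone: 'UTC' },
  { userAgent: 'A', fonts: 'rare',   timezone: 'UTC' },
  { userAgent: 'B', fonts: 'common', timezone: 'UTC' },
  { userAgent: 'B', fonts: 'rare',   timezone: 'UTC' },
  { userAgent: 'C', fonts: 'common', timezone: 'UTC' },
  { userAgent: 'C', fonts: 'common', timezone: 'UTC' },
];

// Bits of information revealed by one property value: -log2(p), where p is
// the fraction of sampled browsers reporting that value. A value everyone
// shares gives 0 bits; a value only 1 in 8 has gives 3 bits.
function surprisalBits(browsers, property, value) {
  const matches = browsers.filter(b => b[property] === value).length;
  if (matches === 0) return Infinity;  // never seen: as identifying as it gets
  return -Math.log2(matches / browsers.length);
}

// Sum the surprisal of every property in a candidate fingerprint. Summing
// treats properties as independent, which overstates the total when they are
// correlated (e.g. fonts and operating system), so treat it as an upper bound.
function fingerprintBits(browsers, candidate) {
  return Object.keys(candidate)
    .reduce((bits, p) => bits + surprisalBits(browsers, p, candidate[p]), 0);
}

// The real test of identifiability: does exactly one sampled browser match?
function isUniqueIn(browsers, candidate) {
  const keys = Object.keys(candidate);
  const matches = browsers.filter(b => keys.every(k => b[k] === candidate[k]));
  return matches.length === 1;
}

const rareConfig   = { userAgent: 'A', fonts: 'rare',   timezone: 'UTC' };
const commonConfig = { userAgent: 'A', fonts: 'common', timezone: 'UTC' };
console.log(fingerprintBits(SAMPLE_BROWSERS, rareConfig));    // 3 (= log2 of 8 browsers)
console.log(isUniqueIn(SAMPLE_BROWSERS, rareConfig));         // true
console.log(fingerprintBits(SAMPLE_BROWSERS, commonConfig));  // ~1.415
console.log(isUniqueIn(SAMPLE_BROWSERS, commonConfig));       // false
```

The shared timezone contributes nothing, which is why a property only helps a tracker when browsers actually differ on it.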

You might be thinking at this point that the situation is pretty dire.  You might be asking yourself, "Should I just stop using the web altogether?  Or use some archaic browser that doesn't support any modern features or cookies?"  No, of course not.  You can protect your privacy and still have all of the features of the modern web.

To help people protect themselves from creepy third-party tracking on the web, EFF has released a tool called Privacy Badger (eff.org/privacybadger), an open-source browser add-on for Chrome and Firefox.  It watches for domains that appear to be tracking you as you browse the web.  If a third-party domain appears to be tracking you - for example, by setting uniquely identifying cookies - Privacy Badger will automatically block that domain so that it can never track you again.  Privacy Badger also enhances your privacy in other ways.  For example, certain domains that are useful for the web but may have a side effect of tracking will be blocked from setting or reading cookies, but can still load resources.  This lets you use a service like Google Maps without being tracked by Google.  Privacy Badger also changes some other default settings in your browser to enhance your privacy.  Privacy Badger learns dynamically what's tracking you, so the longer you use it, the better it will get at blocking trackers.
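As an added illustration, not Privacy Badger's actual source, here is the heuristic described above in miniature, tying together the cookie mechanism from earlier: a third-party domain that sets identifier-looking cookies on three or more distinct first-party sites gets blocked.  The thresholds, the log format, the bit-estimate and the domains are all assumptions.

```javascript
// Added example, not Privacy Badger's own code: a simplified version of the
// heuristic described above. Thresholds and the log format are assumptions.
const BLOCK_THRESHOLD = 3;    // distinct first-party sites before a domain is blocked
const ID_BITS_THRESHOLD = 33; // a value this identifying is treated as a unique ID

// Rough upper bound on the identifying bits in a cookie value: the character
// classes it uses give the alphabet size, and length scales it up.
function estimateIdBits(value) {
  if (value.length < 8) return 0;  // "en", "1", "true" are preferences, not IDs
  let alphabet = 0;
  if (/[0-9]/.test(value)) alphabet += 10;
  if (/[a-z]/.test(value)) alphabet += 26;
  if (/[A-Z]/.test(value)) alphabet += 26;
  if (/[^0-9a-zA-Z]/.test(value)) alphabet += 10;
  return Math.round(value.length * Math.log2(alphabet));
}

// True when a Set-Cookie header carries a value that looks like a unique ID.
function isIdentifierCookie(setCookieHeader) {
  const nameValue = setCookieHeader.split(';')[0];  // drop Path=, Expires=, ...
  const eq = nameValue.indexOf('=');
  if (eq < 0) return false;
  return estimateIdBits(nameValue.slice(eq + 1).trim()) >= ID_BITS_THRESHOLD;
}
// Walks a browsing log and returns the third-party domains that set
// identifier cookies on at least BLOCK_THRESHOLD distinct first-party sites.
function findTrackers(log) {
  const seenOn = new Map();  // third-party domain -> Set of first-party sites
  for (const entry of log) {
    if (entry.thirdParty === entry.firstParty) continue;  // first-party, skip
    if (!isIdentifierCookie(entry.setCookie)) continue;
    if (!seenOn.has(entry.thirdParty)) seenOn.set(entry.thirdParty, new Set());
    seenOn.get(entry.thirdParty).add(entry.firstParty);
  }
  return [...seenOn].filter(([, sites]) => sites.size >= BLOCK_THRESHOLD)
                    .map(([domain]) => domain).sort();
}

// Constructed log: one third-party request per entry, hypothetical domains.
const SAMPLE_LOG = [
  { firstParty: 'news.example',    thirdParty: 'ads.tracker.example', setCookie: 'uid=9f3ka7b2Lz0Qw1xE; Path=/' },
  { firstParty: 'weather.example', thirdParty: 'ads.tracker.example', setCookie: 'uid=Hq82mZp0rT4vB6yC; Path=/' },
  { firstParty: 'blog.example',    thirdParty: 'ads.tracker.example', setCookie: 'uid=Xc5LmN8pQr2sT4uV; Path=/' },
  { firstParty: 'news.example',    thirdParty: 'cdn.static.example',  setCookie: 'lang=en; Path=/' },
  { firstParty: 'blog.example',    thirdParty: 'cdn.static.example',  setCookie: 'lang=en; Path=/' },
  { firstParty: 'shop.example',    thirdParty: 'cdn.static.example',  setCookie: 'lang=en; Path=/' },
  { firstParty: 'news.example',    thirdParty: 'stats.example',       setCookie: 'sid=A1b2C3d4E5f6G7h8; Path=/' },
];
console.log(findTrackers(SAMPLE_LOG));  // [ 'ads.tracker.example' ]
```

The CDN is left alone because a preference cookie carries too little information to identify anyone, and the stats domain is left alone because it has only been seen on one site so far.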

EFF is also working on a revision to the Do Not Track (DNT) standard (eff.org/dnt-policy).  We are creating a contract document that states that the site publishing it will not keep logs and will not keep user identifiers for any user expressing their desire to opt-out of web tracking by sending the DNT:1 header, which will be sent with each request by Privacy Badger or if you have "Do Not Track" turned on in your browser.  Third-party service providers on the web can prevent Privacy Badger from blocking their domain by agreeing to EFF's DNT policy and posting it on their website.

Like it or not, advertising and tracking have become the main model used to fund the web.  We need to find a better model for generating revenue, one which doesn't invade users' privacy.  Until then, you can protect yourself from creepy trackers by installing Privacy Badger.

  [1] Popular Websites Sacrifice User Privacy For Ad Revenue
  [2] Inside the Web's $156 Billion Invisible Industry
  [3] Evercookie