Who’s tracking the trackers?
This is a guest post by Josh Snodgrass.
As the Mathbabe noted recently, a lot of companies are collecting a lot of information about you. Thanks to two Firefox add-ons – Collusion (hat tip to Cathy) and NoScript — you can watch the process and even interfere with it to a degree.
Collusion is a beautiful app that creates a network graph of the various companies that have information about your web activity. Here is an example.
On this graph, I can see that nytimes.com has sent info on me to 2mdn.net, linkstorm.net, serving-sys.com, nyt.com and doubleclick.net. Who are these guys? All I know is that they know more about me than I know about them.
Doubleclick is particularly well-informed. They have gotten information on me from nytimes.com, yahoo.com and ft.com. You may not be able to see it on the picture but there are faint links between the nodes. Some (few) of the nodes are sites I have visited. Most of the nodes, especially some of the central ones are data collectors such as doubleclick and googleanalytics. They have gotten info from sites I’ve visited.
This graph is pretty sparse because I cleared all of my cookies recently. If I let it go for a week and the graph will be so crowded it won’t all fit on a screen.
Pretty much everyone is sharing info about me (and presumably you, too). And, I do mean everyone. Mathbabe is a dot near the top. Collusion tells me that mathbabe.org has shared info with google.com, wordpress.com, wp.com, 52shadesofgreed.com, youtube.com and quantserve.com. Google has passed the info on to googleusercontent.com and gstatic.com
I can understand why. WordPress and presumably wp.com are hosting her blog. Google is providing search capabilities. 52shadesofgreed has an ad posted (You can still buy the decks but even better, come to Alt-Banking meetings and get one free). Youtube is providing some content. It is all innocent enough in a way but it means my surfing is being tracked even on non-commercial sites.
These are the conveniences of modern life. Try blocking all cookies and you will find it pretty inconvenient to use the internet. It would be nice to be selective about cookies but that seems very hard. All of this is happening even though I’ve told my browser not to allow third-party cookies. If you look at cookie policies, it seems you have two alternatives:
- Block all cookies and the site won’t work very well
- Allow cookies and we will send your info to whomever we choose (within the law, of course).
So, it would be nice if there were a law that constrained what they do. My impression is that we Americans have virtually no protection. Europe is better from what I understand.
I’ve found another add-on called NoScript that is very helpful but also very disturbing. It tells you about JavaScripts that want to run when you visit a site.
I’m trying to access a site and there are scripts waiting to run from:
- Brightcove.com
- Quantserve.com
- Facebook.com
- Po.st Scorecard.com
- Wxug.com
- Admeld.com
- Googleadservices.com
- Legolas-media.com
- Criteo.com
- Crwdcntrl.com
Clearly a lot of those are about tracking me or showing me ads. As with cookies, if you block all the scripts, the site probably won’t function properly. But the great thing about NoScript is that is makes it easy to allow scripts one by one. So, you can allow the ones that look more legitimate until the site works well enough. Also, you can allow them temporarily.
NoScript and Collusion are great. But mostly they are making me more aware of all the tracking that is going on. And they are also making it clear how hard it is to keep your privacy.
This isn’t just on the internet. Years ago, an economist had an idea about having people put boxes on their cars that would track where they went and charge them for driving, particularly in high congestion times and places. The motivation was to reduce travel that causes a lot of pollution while no one is going anywhere. But people ridiculed the idea. Who would let themselves be tracked everywhere they went.
Well, 40 years later, nearly everyone who has a car has an EZ-pass. And, even if you don’t, they will take a picture of your license plate and keep it on file. All in the name of improving traffic flow.
And, if you use credit cards, there are some big companies that have records of your spending.
What to do about this?
I don’t know.
I like conveniences. Keeping your privacy is hard. DuckDuckGo is a search engine that doesn’t track you (another hat tip to Cathy). But their search results are not as good as Google’s.
Google has all these nice tools that are free. Even if you don’t use them, the web sites you visit surely do. And if they do, google is getting information from them, about you.
This experience has made me even more of a fan of Firefox and add-ons available in it. But what else should I use. And, none of these tools is going to be perfect.
What information gets tracked? A lot of privacy policies say they don’t give out identifying information. But how can we tell?
Just keeping on top of what is going on is hard. For example: what are LSOs? They seem to be a kind of “supercookies”. And Better Privacy seems to be an add-on to help with them.
FT.com’s cookie policy tells me that:
“Our emails may contain a single, campaign-unique “web beacon pixel” to tell us whether our emails are opened and verify any clicks through to links or advertisements within the email”
Who knew that a pixel could do so much?
The truth is, I want to see these sites. So I am enabling scripts (some of them, as few as I can). The question is how to make the tradeoff. Figuring that out is time consuming. I’ve got better things to do with my life.
I’m going to go read a book.
mathbabe 
For what it’s worth, you can block most of the trackers using just 3 addons in Firefox.
* Adblock Plus (https://addons.mozilla.org/en-us/firefox/addon/adblock-plus/)
* Ghostery (https://addons.mozilla.org/en-US/firefox/addon/ghostery/)
* ShareMeNot (http://sharemenot.cs.washington.edu/)
If you use Facebook at all, you probably want to also throw in :
* Facebook Disconnect (https://disconnect.me/)
* Facebook Autologout (https://addons.mozilla.org/en-us/firefox/addon/facebook-auto-logout/)
LikeLike
@cranky: Thanks a lot. They look good.
Disconnect looks very good, too. It looks worth having. Are you saying that the other three cover everything so Disconnect isn’t needed except for Facebook?
Thanks again
LikeLike
If you use Facebook, then you should probably have all 5 installed. Well, 6 if you include Better Privacy to kill of the Flash cookies. You really want the LSOs gone as they basically never expire and they do not have to comply with your privacy settings built into your browser.
One thing that’s not obvious to non-tech people is that the tracking situation is even worse than you think. There are brokers who pass tracking data across different ad networks. The surveillance economy is pretty awful.
LikeLike
I’d like to understand the point of Facebook autologout better because it seems to me it raises much broader concerns.
Can Facebook see what is going on in other tabs of my browser? If so, logging out only addresses part of the problem. I would never want to log in with anythign else open. And Facebook wouldn’t be the only one I would worry about.
But it surprises me to hear if that’s true. Wouldn’t the browser restrict what it sends where?
LikeLike
FWIW, My strategies for stopping tracking (using Firefox/Mac) are working pretty well. They are:
1) 3rd party cookies OFF – turn back ON when bank or such sites act dumb. Remember to turn OFF again (in my case OFF/ON requires a Firefox restart).
2) Keep open “Firefox Preferences > Privacy > Show cookies”. Delete all cookies periodically. Little, if anything, seems upset by this.
3) Use “Do Not Track Me” (DNTMe) http://www.abine.com
– Seems to block embedded J-scripts/web-bugs (lots of them) from sending back data. It reports which ones it caught.
– On my system it caught 25000 separate tracking attempts in about 7 weeks.
4) Use tracker blocking from “Privacy Choice” http://www.privacychoice.org
– Blocks cookies from a huge number of tracking sites when set up to do only that. All oddly named/sourced cookies disappear from your cookie list. Remaining ones all seem benign.
– Don’t use the “Opt out cookies” feature. It fills your cookie list with an array of Opt-outs which confuse the picture.
Trackers can ignore them anyway, I believe.
What irks me greatly is that all these tracking bugs are present at the behest of the web site owner/creator. It’s instructive to see how many DNTME catches on sites you thought were your friend.
LikeLike
great guest post.
LikeLike
with the caveat that the 52shadesofgreed.com link is broken.
LikeLike
Thanks.
I don’t have access to fix the link.
LikeLike
There’s 2 things that are happening when you hit a website if you haven’t logged out of facebook.
1) The site serves it’s own content
2) Advertising and social sharing buttons load.
When #2 happens, that happens via script code loading from the respective advertiser or social network.
In the case of Facebook like buttons -that code loads from Facebook.
Everytime your browser connects to a website, it sends up any cookies that pertain to that site. So if you haven’t logged out, then your Facebook cookies also go up to Facebook which effectively identify who you are.
The browser also sends up referrer header information so Facebook knows exactly what URL you are reading so they can see what page you’re loading.
You can find more information on 3rd party cookies from here : https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-smarter-about-third-party-cookies/
You can also drop us a line over here if you want clarification on anything : https://groups.google.com/forum/?fromgroups#!forum/mozilla.dev.privacy
LikeLike
@Crankycoder. Thanks a lot for this info.
And even more so, thanks to the whole Mozilla development community for creating these tools. It is very inspiring to see collaborative efforts like that doing such good work.
LikeLike
Thank you for the gift of this post. Fantastic stuff!
LikeLike
Another approach is a domain blacklist in your hosts file. Here’s an example
http://someonewhocares.org/hosts/
LikeLike
The browsers with the best cookie management seem to be Opera and Omniweb. (Omniweb is Mac-only). They both give you the usual global control over cookies (accept none, accept only from the current site, accept all), and also extensive site-specific controls. So, you can specify the global setting for cookies to accept none, and then on the few websites where you need cookies, you can specify accept from the current site only, which overrides the global setting for that specific site. (They allow you to control a lot of other site-specific things as well.) Using this, I’ve been able to keep my cookie count down to a very small number.
I’m also using Ghostery. When you set it up make sure that you specify automatic updates. I discovered though that the automatic updates are not necessarily automatically activated. Somewhere I clicked on an “advanced” tab which allowed me to tell it to automatically activate all new updates.
I used to use Omniweb for security reasons and for it’s capability of placing tabs on the side (in thumbnail images if you desire). However, the developers have not been keeping up with the latest Webkit updates, and I began having stability problems. I looked at Opera and discovered that it had the same extensive and easy site-specific controls that Omniweb has and can also place tabs on the side in thumbnails just like Omniweb. In Opera you get to site-specific controls for a site merely by right-clicking on the webpage and selecting “Edit Site Preferences.” In Omnniweb you can set up a toolbar button for this purpose.
I had to overcome two problems with Opera though. First, though it renders pages perfectly on the screen, it does not print well directly to my HP printer. So instead, on my MBP I select “Open PDF in Preview” and print from that. I don’t print a lot from browsers, so this is fine, and in fact gives me a perfect print preview allowing me to avoid printing pages that are all garbage. The more serious problem with Opera on the Mac is the absence of a built-in PDF viewer. I finally found the Schubert PDF Plugin. It works beautifully. You can right click on a PDF page, tell it to hide the tool bar, set preferences, save the file, print, etc. There was one additional tricky thing I had to solve though. When you install the plugin in a default location it imposes itself on all other browsers and overrides their internal viewers. You may not want that. The installer puts it into a folder called “Internet Plug-Ins” (in the system or user library). I created a sub-folder called “Disabled Plug-Ins” and moved the plug-in into there. Opera still finds it, but the other browsers don’t.
Oh, one more thing. I set the global cookie preference to none and then set up Amazon to reject third party cookies. Amazon would not initially let me log in. I changed it to allow all cookies, logged in, and then changed it back to reject third party cookies. It’s worked since then. In general, although I’ve been rejecting cookies from all but a small number of sites, I’ve encountered very few problems.
LikeLike
Definitely believe that that you said. Your
favourite justification seemed to be at the internet the easiest thing to take into account of.
I say to you, I definitely get annoyed at the same
time as other folks think about worries that they just don’t understand about. You controlled to hit the nail upon the highest and defined out the entire thing with no need side-effects , folks can take a signal. Will probably be again to get more. Thanks
LikeLike