Cyberstalkers Are Watching You. Take These Four Steps to Block Their View.

Sept. 26 2013 12:53 PM

This Is How the Cookie Crumbles

The four steps to controlling how you’re tracked online.

Step 3: Forgo Flash

Adobe’s Flash, the software engine commonly used for multimedia content, has long been a security and privacy black hole, offering its own insidious, cookie-like mechanism called a “local shared object” (LSO), which isn’t subject to the privacy restrictions of normal cookies. LSOs are a headache to monitor and clean and have resulted in several lawsuits for tracking users without permission. Adobe has slightly improved matters over the years, but pretty much everyone except Adobe wishes Flash would go away.

So if you can’t do without Flash completely—and it’s hard to quit those incessant nagging autoplay videos—go to Adobe's settings page and disable third-party Flash cookies. Better yet, use browser extensions like NoScript and BetterPrivacy, which allow fine-grained control of LSOs and sites that use them, at the cost of a significant amount of micromanagement. (I never said this was going to be easy.)

Step 4: Use a filter

The previous steps should make clear that managing privacy is an active and ongoing process, not a one-time fix. Technology changes and new tracking mechanisms evolve. Even without scripting and cookies, “Web bugs” or “Web beacons” can track you simply by loading an image from a tracking site.

Unless you want to severely limit your Web functionality by turning off cookies, images, and Flash completely, nothing short of an active community effort can separate tracking websites from nontracking sites. Thanks to the generally obsessive nature of tech culture, these collective groups playing Tracker Whac-A-Mole exist, updating active lists of tracker sites weekly and often daily. (You may notice that with these filters, you stop seeing some advertisements as well. There’s always a price to pay.)

One of the easiest filters to use is the Disconnect extension, originally made by ex-Googler Brian Kennish. Available on Chrome, Firefox, Safari, and Opera, it claims to block more than 2,000 tracking sites, with quick buttons to selectively enable the big three: Facebook, Google, and Twitter.

On Android phones, Chrome doesn’t allow extensions, so you’ll have to use Firefox. Disconnect is not yet available for mobile devices, but a more technical and more aggressive option is available: Adblock Plus. Most major ad blockers these days support a standard format for lists of content filters, and the one we care about here is the EasyPrivacy list. Install the Adblock Plus extension in Firefox, browse to the EasyPrivacy site, click on “Add EasyPrivacy to Adblock Plus,” and you’re set.

As for filters on iPhones and iPads, you may be out of luck. I am not aware of a single simple way to use privacy filters on iOS. (If anyone knows of one, leave a comment and I’ll update this article.) Until Firefox comes to iOS, or Safari or Chrome allows browser extensions, you’ll have to trust in Apple’s Limit Ad Tracking setting. Sorry—complain to Apple! (Mozilla has said they will not build Firefox for iOS because Apple refuses to let them use Firefox’s own Web engine, only the Safari engine, and no iOS apps are allowed in the Apple Store without Apple’s explicit permission.)

Outside of iOS, actively maintained filters are probably the closest thing to a one-stop fix you can get. You are entrusting your privacy to the judgment of a community of idealistic techies, whose judgments are not perfect but who are at least more disinterested than the advertisers. It beats the alternatives. Do not, however, use TRUSTe’s privacy list, which can actually override other lists to allow some tracking, including tracking by shady marketer Acxiom. You can’t trust(e) anyone these days.
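To make the filter-list format and the override warning above concrete, here is an added example (not code from this article, Adblock Plus, or any list maintainer) that evaluates a small subset of the Adblock Plus filter syntax and shows one subscribed list's exception rule cancelling another list's block. The domains and both sample lists are constructed, and the function names are hypothetical.

```javascript
// Added example: matcher for a small subset of Adblock Plus filter syntax.
// Handles "!" comments, "||host^" and "||host/path" rules, the "$third-party"
// option and "@@" exception rules. All domains and lists below are constructed.

function parseList(text) {
  const rules = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("!") || line.startsWith("[")) continue;
    const exception = line.startsWith("@@");
    const [pattern, options = ""] = (exception ? line.slice(2) : line).split("$");
    const m = /^\|\|([^\/^]+)\^?(.*)$/.exec(pattern);
    if (!m) continue; // rule shapes outside this subset are skipped
    rules.push({ line, exception, host: m[1].toLowerCase(), path: m[2],
                 thirdPartyOnly: options.split(",").includes("third-party") });
  }
  return rules;
}

// Simplification: treats the last two labels as the site. Real blockers use
// the Public Suffix List so that names such as example.co.uk work.
const site = (host) => host.split(".").slice(-2).join(".");

function matches(rule, reqUrl, pageUrl) {
  const req = new URL(reqUrl), page = new URL(pageUrl);
  const hostOk = req.hostname === rule.host || req.hostname.endsWith("." + rule.host);
  const pathOk = (req.pathname + req.search).startsWith(rule.path);
  const partyOk = !rule.thirdPartyOnly || site(req.hostname) !== site(page.hostname);
  return hostOk && pathOk && partyOk;
}

// Exception rules win over blocking rules, whichever list they came from.
function decide(reqUrl, pageUrl, rules) {
  const hits = rules.filter((r) => matches(r, reqUrl, pageUrl));
  const allow = hits.find((r) => r.exception);
  if (allow) return { action: "allow", rule: allow.line };
  const block = hits.find((r) => !r.exception);
  return block ? { action: "block", rule: block.line } : { action: "allow", rule: null };
}

const PRIVACY_LIST = `! constructed sample in the style of a tracker list
||tracker.example^$third-party
||metrics.example/pixel.gif`;
const PERMISSIVE_LIST = `! constructed sample of a list carrying an exception
@@||tracker.example^$third-party`;
```

Calling decide() for a beacon image on tracker.example with only the first list loaded blocks it; loading both lists lets the same request through, which is why it pays to review the exception rules in every list you subscribe to.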

Sadly, trackers will not simply roll over and settle for you blocking them. New technologies are being invented all the time—for example, device fingerprinting attempts to identify a single user based not on cookies or any sort of explicit identifier but merely on information sent in the normal course of loading a website: what browser version you’re using, screen resolution, preferred language and encoding, IP address, etc. It’s not an exact science, but it’s surprisingly accurate and may make much of the current tracking technology obsolete.

The steps outlined here may feel like bailing water from a sinking ship. For our online privacy not to capsize altogether, our hope is in informed consumers demanding specific and consistent treatment of their own profiles and standing up against new cyberstalking technologies.