Over the past few years, it has become more and more complicated to surf the web without being annoyed by marketing attacks, privacy hold-ups or cookie overheating. Does this sound familiar?
"I know I am going to be tracked, I have no choice."
Do you tell yourself this every time you click on some Accept button,
when you are asked to accept cookies or not?
"Seeing mattress ads because you searched for 'buy mattress' on Google 2 days ago"
Tired of this happening?
Then keep reading!
I used to surf without taking any privacy measures, but I totally changed my strategy 2 years ago. I progressively abandoned services I was addicted to, set up security policies and finally found a way to radically improve my browsing experience.
In this article, I am going to present the results of my research and experimentation. All techniques presented here focus on "big privacy improvement" with "low impact on everyday browsing". I will show pros and cons, share tips, and you will be able to find your own way to surf in peace.
One thing before we get started: I assume that you mainly use a computer to surf the internet. It’s slightly more complicated to configure privacy and install plugins on a smartphone.
There are 2 main browsers competing: Google Chrome and Mozilla Firefox.
Knowing that Google's business model is to scrape any information about users and resell it to companies, we will think about "degoogleization", meaning trying to use Google's services less and less (further articles on "degoogleization" coming soon!).
Mozilla is an organization working for the health of the internet, and its browser Firefox offers the same navigation functionalities as Chrome. This browser is open-source, which means that any motivated programmer can see and modify the source code, so there is no room for backdoors and spying techniques as there could be in Google's product. Websites offer the same level of compatibility for both browsers, so if you are using another one, it won't be a big deal to switch.
Using a browser built by an ethical organization is maybe the easiest and best move you can make!
Firefox offers a tracking protection tool by default. Go to about:preferences#privacy and set it to "Strict".
Now, if you click on the "Shield" icon in the address bar on the current website, you will see that the Google Analytics tracking script is blocked. Believe me, this is not done by default in Chrome :)
This is a concept created by Mozilla. Since it’s more and more common to want privacy by default, this option is a way to say to websites: "Hey, you do not need to try to track me. If you try, my tools will block it." For curious developers around here: documentation of this HTTP header.
Go to your settings and choose "Always" in order to have the signal sent even in Private Browsing mode.
The problem with cookies is that they are not all good or all bad. Cookies can be used in two ways:
- Store your sessions
- Track you
A cookie is a little piece of information stored on your computer, used here to remember that you signed in to a website.
But it can also store information about the content you accessed recently in order to serve custom ads when you access other websites.
It is impossible to constantly inspect all cookies and filter them by hand. You would spend more time doing this than surfing. As I like to do, I chose the "hard way" to start: I chose to delete all cookies when I close the browser. It means that I cannot be tracked between 2 internet browsing sessions, but it also means that each time I open Firefox I have to log in to all websites again (this is actually not so bad according to the "slow down" philosophy, coming in another article :D). Later I will explain a more advanced version of cookie handling, but let's keep things simple for now.
If like me, you want to handle cookies and site data separately, you cannot use this option:
But you can go to the History section and click Settings to have finer control over this:
Well done! You are not an Anonymous yet, but you have taken a great step forward for your privacy.
One more thing: in Europe, recent GDPR laws require a website to ask your permission to store cookies (both good and bad cookies). The good thing is that lots of people realized cookies exist.
The bad thing is that it became very annoying to have to accept cookies or not when you go on a site for the first time! As said earlier, it is not possible to make a choice for each website, so we just click Accept to make the popup disappear, in the same way we always accept terms and conditions.
Here is an example of what you can see if you click "Configure". Have you ever done that?
In this example, it could be theoretically possible to allow useful session cookies, but deny tracking ones.
In this other example there is no "Configure" button, and you are obliged to accept, or leave the page.
On top of that, people like me who are wiping cookies each time they close their browser get the cookies warning again and again, even on websites visited in the previous browsing session.
But I have solutions for that :)
- Use a VPN and set your location outside the European Union.
- Or use the "I don't care about cookies" extension (more details in the next section)
- Or add a new cookies banner filter list to your ad blocker
Half of the work of taking back control of your privacy is to use the right tools and know how to configure them. The other half is to mitigate drawbacks and improve the entire setup by installing add-ons and using clever apps.
Before installing "Adblock Plus", read the next section on "uBlock Origin" so you can make your choice wisely.
Blocking ads is very important to be able to surf without being brainwashed.
After installing Adblock it is good to configure extra lists to:
- block additional tracking
- block social media icons tracking (it is also used by advertising networks to know what websites you visit, but even worse than cookies because it is integrated in the layout of the loaded page)
If in the previous chapter you chose the option "add a new cookies banner filter list" in order to block cookies banners, then do the following:
Optionally, you can delete the "Allow non-intrusive advertising" entry, which is a whitelist for responsive ads. My recommendation is to leave it, because sites you may like (to read news, for example) rely on ads to make money. If you allow responsive advertising, it will motivate them to include ads only if they are not ruining your browsing experience. More and more sites are also setting up alternative business models, like donation or subscription plugins (for example Memberful).
To contribute to the health of our dear internet, keep in mind that when you block ads and tracking, you are not the product anymore (you no longer give your information away so they can make money), but the sites are becoming products again.
Doing the same as above: blocking ads.
uBlock Origin is a more aggressive version of AdBlock Plus. It also blocks ads, but there is no whitelist functionality: all ads will be removed, regardless of whether they are considered responsive or not.
This extension also uses less CPU and RAM, which makes a difference if you have lots of tabs open simultaneously.
Install this plugin if you want to block cookies banners. Alternatively you can add an extra list to your ad blocker to block these (as described above).
This is one of my favorites! This is also one of the most important points for your privacy.
Tracking cookies, social media tracking icons, IP addresses... these are not the only ways for companies to track you. A very simple way for a company like Google to spy on your activity is to tell websites: "Hey guys, look, we provide a way for your users to sign up very easily using their already existing Google account, please include it on your page." This is the biggest trap, because companies offering this system, called "Social Media Login", can then know exactly what services you are using, and when.
"Well, then I can sign up without using Social Media Login and it will be good, right?" It’s better, but you will still give your official email address, and this is not a good practice for three reasons:
- if your address is composed of your first name and last name, they will automatically know who you are (based on all information already stored on you in the past)
- if your address is composed of your first name and last name, and the emails + passwords database of the website is leaked, a hacker can get other information about you (like what other services you use)
- you will get spam!
When I began my investigations two years ago I had 26432 unread emails. I thought this should be the first thing to fix to be more productive, and I found Burnermail.
Burnermail is an application shipped with a browser extension that lets you generate one email address per account. It acts as a proxy between your generated addresses and your main one. All messages sent to a generated address are forwarded to your main one, but you can disable forwarding even before getting the first spam. In free mode you can generate only a few addresses, but if you have a bit of money to invest in your mental health, I highly recommend upgrading!
On top of burner emails, you can get burner phone numbers. Here is how to do it.
First, subscribe to SMS Service Online and buy some credits. Then, when a sign-up form asks you to give your phone number and verify it, go to the SMS Service Online app, buy a temporary number, then wait for the verification code.
I was a bit afraid of using this app at the beginning (because of the payment form written in Russian ><), but it turns out I never had anything stolen.
Be aware that it doesn't always work! Sometimes you do not receive the code. But when this happens, I notice that I get refunded. This app seems to be fair as of January 2021.
Be aware that you can only receive codes using these numbers. An alternative is the OnOff application. It is more expensive, but you can keep numbers and receive messages + phone calls.
If you wipe out all cookies when closing the browser, you will need to log in again to each app, which is pretty painful. However, if you use a password manager you can log in automatically. I personally use Dashlane, but feel free to try several and see which one is best for you.
Using a password manager is also good for security because you can generate a unique password for each website. This allows your passwords to be more complicated and secure.
A common situation is that an application you subscribed to has been hacked and all the passwords were leaked. If you use the same password for other accounts, hackers can easily gain access to your information.
Here is a tool to know if your password has been published (created by Mozilla once again :D): Firefox Monitor.
An extension to containerize tabs. Containers are another method to mitigate tracking. They are more complicated to set up, but very secure. Opening tabs in separate containers means isolating websites from each other. It is similar to creating a new browser session for each website you access, with the "delete cookies when closing the browser" option enabled.
If you go further with this extension, you can configure it so that you do not have to log in to websites again and again, while still not allowing tracking cookies!
The problem with this technique is that it heavily impacts your navigation.
Not everyone has the time and motivation to use the "Container Tabs" extension for each app, which is why Mozilla created "Facebook Container". It forces Facebook to open in a new container, but the rest of your browsing experience stays the same. Why specifically Facebook? Simply to protect you against the most advanced spying system on earth. Concrete example:
- you are logged in to Facebook in Tab 1
- in a new Tab 2, you go read an article saying Donald Trump is bad. This page includes a "Facebook Like" button.
- Since your Facebook session cookie is shared across all tabs, and there is some spying content on Tab 2 allowed to read the session cookie (the famous "Like & Share on Facebook" button), the company can save this information in a database: "User xxx opened the article 'Trump is bad' and actively spent 73 seconds on this page, so he read it until the end. Based on the personality of the user, we can change his mind."
- A company (like Cambridge Analytica) partners with Facebook and says: "For all users who read the article 'Trump is bad', show them the article 'Trump is not so bad' as the top post next time they go to their Timeline."
Fighting for privacy has way more impact than we believe!
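The Tab 1 / Tab 2 scenario above, as an added example (not from the original article): a simplified JavaScript model of a browser that keeps one cookie jar per container and attaches the stored cookie to the request for the embedded button. The hostnames, the cookie name and the Browser class are assumptions made for illustration, and the model ignores SameSite rules, cookie domain/path matching and Firefox's own tracking protection.

```javascript
// Minimal model of a browser cookie store, one jar per container.
// Hostnames are placeholders: social.example stands for the social network,
// news.example for the site embedding its "Like" button.
class Browser {
  constructor() { this.jars = new Map(); } // container -> Map(host -> cookies)

  jar(container) {
    if (!this.jars.has(container)) this.jars.set(container, new Map());
    return this.jars.get(container);
  }

  // A site sets a cookie for itself in the container its tab lives in.
  setCookie(container, host, name, value) {
    const jar = this.jar(container);
    if (!jar.has(host)) jar.set(host, {});
    jar.get(host)[name] = value;
  }

  // Load a page in `container`; each embedded resource gets the cookies
  // stored for its host in that same container, plus the page as referrer.
  loadPage(container, pageHost, pagePath, embeddedHosts) {
    return embeddedHosts.map((host) => ({
      to: host,
      referer: `https://${pageHost}${pagePath}`,
      thirdParty: host !== pageHost,
      cookies: { ...(this.jar(container).get(host) || {}) },
    }));
  }
}

// What the embedded widget's server can record from one incoming request.
function trackerView(request) {
  const user = request.cookies.session || null;
  return { identified: user !== null, user, page: request.referer };
}

function scenario(socialContainer, browsingContainer) {
  const b = new Browser();
  // Tab 1: log in to the social network (constructed session value).
  b.setCookie(socialContainer, "social.example", "session", "user-xxx");
  // Tab 2: read an article that embeds the Like button.
  const [widget] = b.loadPage(browsingContainer, "news.example",
    "/article", ["social.example"]);
  return trackerView(widget);
}

console.log("shared jar:   ", scenario("default", "default"));
console.log("own container:", scenario("facebook", "default"));
```

With a shared jar the widget's server sees both the session and the article URL; with the social network confined to its own container it still sees the article URL, but no session to attach it to.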
When you go on YouTube with this plugin it looks like this:
- You access the main YouTube page
- You see a video title "Girl Biker performs - You must see" for half a second, then it disappears
- You are not distracted and you search what you really want to see (not what the algorithm wants you to see)
When you watch a video, recommendations in the right panel are disabled:
In the same way you can disable the YouTube main page and recommendations, you can disable the Facebook news feed. Indeed, it also became poisonous for our browsing experience. Over the past years people have started using ad blockers more and more, so the new method is to advertise in a more subtle way: make posts and advertisements look the same, and display them in the same place (the Timeline), so ad blockers cannot tell the difference and cannot block them.
Sometimes you want to try out a service for 1 month, and after the first month have the choice of continuing or not. Cancelling subscriptions is often difficult, and some companies are exploiting this to get your money. But as you read this article you become a less and less easy target! Here is what I propose: generate credit cards on the fly.
In France there is a mobile app called Lydia. If you pay for the premium subscription you can generate as many credit cards as you want, and disable them after the first payment (or even before the first payment). Note that the availability of such apps depends on the country where you live. I would be happy to discover similar applications, so if you have one for your country, let everyone know in the comments.
Search engines can be very dangerous when trusted blindly. Just as it is recommended to verify information using multiple sources, it is also a good habit to search for information using multiple engines.
It is known that the Google search engine is opinionated. Depending on your location and the information the company stored concerning your tastes, it will display something different. This is to maximize profit and make investors happy. Other search engines work the same way.
To tackle that, DuckDuckGo was created with a "no-tracking" philosophy. Often you find the same kind of results as Google, sometimes you find better results. For very precise searches (like developers searching a stack trace), DuckDuckGo might be worse than Google. To keep DuckDuckGo as your main search engine but use Google only in specific cases, you can use the Bang feature to be redirected to another engine. Demo:
There's also a browser extension that lets you know how good or bad a website is from a tracking point of view:
IP address = "Internet protocol" address
VPN = "Virtual Private Network"
Is browsing the internet using a VPN equivalent to having "burner IP addresses"? The answer is no: you will share an IP with other people.
I showed you how to generate emails, passwords, phone numbers, credit card numbers, ... but for the rest it's more complicated. I will explain why I don't recommend using a VPN for everyday browsing.
An IP is the equivalent of your phone number: it is mandatory in order to use the internet. By using a VPN you essentially borrow an IP address (shared by many people) from your VPN provider.
Those who are tracking you will have the following reaction: "Oh, the user we may already know under another IP just got a new one. Oh, 999 other requests are using the same IP. Well, we are going to display lots of CAPTCHA verifications to make sure it's not a robot. Well, it's not a robot, he is using a VPN and we cannot use his IP to know exactly who it is. No problem! We are going to use the unique properties of his browser to identify him. Let's see ... among these 1000 requests, he is the only one using the outdated Firefox version 1.3.4567. Bingo!".
Let's assume you find a way to bypass CAPTCHA verifications and use a VPN. If your enemy is an advertisement network, it will try to identify you with your browser fingerprint. If thousands and thousands of people have the same browser properties as you, then you are hidden in the mass. Go on this page and click "View my browser fingerprint" to see how many people have the same fingerprint. The ideal way to obfuscate your identity would be to find and adopt the setup shared by the most users.
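To make the "hidden in the mass" argument concrete, here is an added example (not from the original article) that measures anonymity sets over 1000 constructed requests sharing one VPN exit IP. The attribute names, the profile mix and the IP are assumptions; only the outdated version string comes from the text above.

```javascript
// Constructed sample: 1000 requests leaving one shared VPN exit IP.
// All attribute values are invented, except the outdated version string,
// which is the one quoted in the article.
const VPN_IP = "203.0.113.7"; // RFC 5737 documentation address

function buildSample() {
  const profiles = [
    { n: 600, ua: "Firefox/84.0", screen: "1920x1080", tz: "Europe/Paris" },
    { n: 300, ua: "Chrome/87.0", screen: "1920x1080", tz: "Europe/Paris" },
    { n: 99, ua: "Firefox/84.0", screen: "1366x768", tz: "Europe/Berlin" },
    { n: 1, ua: "Firefox/1.3.4567", screen: "1920x1080", tz: "Europe/Paris" },
  ];
  return profiles.flatMap(({ n, ...attrs }) =>
    Array.from({ length: n }, () => ({ ip: VPN_IP, ...attrs })));
}

// Group requests by a key and count each group (its anonymity set size).
function anonymitySets(requests, keyFn) {
  const sets = new Map();
  for (const r of requests) {
    const k = keyFn(r);
    sets.set(k, (sets.get(k) || 0) + 1);
  }
  return sets;
}

const byIp = (r) => r.ip;
const byFingerprint = (r) => [r.ua, r.screen, r.tz].join("|");

// Bits of identifying information revealed by belonging to a set of `size`
// among `total` visitors: log2(total / size). 0 bits means fully hidden.
function identifyingBits(size, total) {
  return Math.log2(total / size);
}

// One row per group, smallest (most exposed) group first.
function report(requests, keyFn) {
  const sets = anonymitySets(requests, keyFn);
  return [...sets.entries()]
    .map(([key, size]) => ({ key, size, bits: identifyingBits(size, requests.length) }))
    .sort((a, b) => a.size - b.size);
}

const sample = buildSample();
console.log("grouped by IP:", report(sample, byIp));
console.log("grouped by fingerprint:", report(sample, byFingerprint));
```

Grouped by IP, everyone sits in one set of 1000; grouped by browser properties, the outdated browser is alone in a set of size 1, which is why adopting the most common setup matters more than the IP.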
In a nutshell:
- if your enemy is an advertisement network, a VPN will bring useless cons (slow internet, CAPTCHA, price, ...) if you don't also take care of your browser fingerprint
- if your enemy is an Internet Service Provider issuing fines when you download torrents, then a VPN is useful (they are allowed to rely on IPs only to issue fines)
To be fully anonymous when surfing you have no other choice than ruining your browsing experience. If you want to make things more difficult for trackers, my methods are a good compromise between privacy and comfort.
I hope you learned a lot with this article. The rule is always the same: keep things as ephemeral as you can, give the least possible information about yourself, and think about alternatives.
We began with basic defense methods and ended with pretty advanced ones. Now it’s your job to set up your own methodology, and what should drive you in this journey is:
finding peace in your internet mind.
This is only the first article; I have a lot to share with you!
Show me some love to motivate me to write these other articles :)
Special thanks to my friend Darren who fixed typos.
PM me about any dead link!