The Five Days of Privacy -- Day 2: Filter Bubbles and Online Tracking

When we protect ourselves from tracking, we gain necessary tools to extend our information literacy.

December 14, 2016
Bill Fitzgerald Director, Privacy Initiative
Director, Privacy Initiative

CATEGORIES Privacy Evaluation Initiative

In this post, and in this series, we describe steps we can take to regain an element of privacy as we browse the web and find information. The steps we define here stop many types of tracking; however, an additional benefit of freeing ourselves from pervasive tracking is the ability to move outside our filter bubbles. We cover this in more detail in various sections, but good privacy practice is also good information-literacy practice. Steps we take to increase our privacy also increase our awareness of how information is presented to us and the different forms of bias embedded in that presentation.

Good privacy practice improves our ability to retrieve information short-term and long-term. They feed each other. Conversely, bad privacy practice limits our options, and these limits get reinforced over time. The steps we outline in this post help us reach beyond our filter bubbles and see a more complete picture.

General Maintenance When Online

Part of maintaining our privacy involves making sure that our device or computer software is up to date. When fine-tuning our privacy and security protections, we need to ensure our device is not compromised before we start. Check for malware and viruses. Uninstall and delete any software or apps that are not needed, as unused applications are often a source of security issues. If Flash is not required, disable it and delete it -- many ugly security issues target Flash, and having it enabled can leave you exposed. When in doubt, a clean reinstallation of the operating system is often the safest starting point. Using a service like Malwarebytes to scan for malware and protect you from it is definitely recommended.

Once your system is at a good starting point, install operating-system and software updates in a timely way. Read our Windows FAQ and our OSX FAQ.

Going online exposes us to the wonderfulness of the internet, but that wonderfulness also brings the fetid practice of tracking and behavioral-advertising technology. Due to the ongoing and well-documented overlap between malware and adtech, we document protections against tracking as an effective defense against exposure to various forms of malware.

As with all the sections in this post and in this series, the options described are not intended to be comprehensive. The full suite of options for securing computers running Windows, Mac OS X, or Linux are outside the scope of this post. However, checking for malware and installing updates regularly can help avoid some common problems. The sections that follow detail different areas that we need to think about when protecting our privacy.

Using Sites Where You Have an Account

When we visit any website, we generally are tracked by various methods. In this post, we lump different tracking methods and technologies into a blob that we will call "trackers." Technical differences exist between different types of trackers, but a thorough description of them all is outside the scope of this post.

It's also worth noting that when we go to a site where we have an account (or use an app on our phone that connects us to an account), our use of the service is generally tracked because we willingly identify ourselves to the site. For example, when I log into Google to check email or to Twitter to post 140 characters, I am identifying myself and my activities to these sites. Choosing to log into a site generally means that we are agreeing to be tracked by that site. The privacy policies of these sites describe how they use the data they collect from you. (Note: Most commercial sites can use and share your information with few restrictions, including sharing it with unnamed "partners" and combining it with data from other sources to create detailed tracking profiles.) It is possible to minimize tracking by browsing these sites without logging in whenever possible and only logging in when absolutely necessary.

When using social media, clicking on things such as quizzes can expose huge amounts of personal data to trackers or provide answers to your password-reset security questions. In some cases, the companies behind the quizzes use the data to compile personality profiles that are used in political campaigns. Even seemingly simple things like the "like" button or responding via emoji can allow for fairly precise tracking. Fortunately, avoiding this form of tracking is simple: Stop taking the quizzes, and stop using emoji-based reactions (people have experimented along these lines in the past).

We are also seeing more hackers looking for ways to exploit bugs or flaws on social media sites. While the patterns of different attacks may vary, many attacks can be thwarted by not opening files that you haven't explicitly downloaded from a trusted source. Deleting the contents of your "download" directory can help prevent the risk of accidentally opening a file that contains malware or ransomware.

But in general, when we create an account on any site, that site will track our behavior or how we use that site to some extent. The best way to avoid this type of tracking is to use sites without logging in whenever possible and to clear your cookies and browser cache frequently. Later in this post, we will cover how to clear cookies and other methods of minimizing tracking.

Sites that require people to create accounts also use and allow for a range of third-party trackers that monitor activity. This means that, on sites where we create accounts and log in, we are tracked by the sites we log into (for example, Facebook, Instagram, Twitter, WhatsApp, Evernote, Pinterest, Google, and so on), by the vendor themselves, and by the third parties they allow on their sites. In addition, sites that allow apps (for example, Facebook, Edmodo, Google Apps for Education, and so on) all expose us to tracking via any of the third-party apps we choose to enable.

Third-Party Tracking

Third-party tracking is pervasive on the web. Several thousand tracking companies exist, and in most cases, people browsing the web are never told which trackers are in use, what information they gather, or how that information can be used. Data collected by third-party trackers are often sold to data brokers, who combine data from multiple sources (a process known as "data enhancement" or "data recombination") and then sell access to that data. Some news sites, such as the Huffington Post, place upwards of 100 trackers when you visit their site. Trackers can also get information based on searches; in some cases, this can lead to searches for sensitive information -- such as searches for health information -- getting shared with data brokers.

To minimize the impact of tracking, we have a few tools at our disposal. These tools can help protect us from tracking by advertisers, political campaigns, and other undisclosed parties who can use our personal information without notifying us or without obtaining our informed consent. Some of the steps outlined in this section can also help disrupt filter bubbles and protect others from accessing our browsing history.

Blocking Trackers, the Long Way

The tools here focus on browsing the web using either Firefox or Chrome as our browser. We focus on these browsers because they are freely available and supported on Windows, Mac OS X, and Linux. While both Chrome and Firefox offer an option to create an account to sync settings across machines, we recommend not using this option and storing your preferences locally.

To get a sense of what trackers are placed on a site, use Lightbeam, a Firefox-only add on. Lightbeam allows you to create a list and a visualization of trackers that are placed by sites. While Lightbeam also supports blocking trackers, we use it primarily for research to get a sense of which trackers are placed by which sites.

To block trackers and other services that collect and use our information without notification or consent, use the combination of Privacy Badger and uBlock Origin. Privacy Badger does a good job of picking up most third-party trackers, and uBlock Origin catches trackers that Privacy Badger might miss. Both of these browser extensions have versions for Chrome and Firefox.

Clearing your cookies, cache, and browsing history regularly minimizes the amount of data available to trackers (read our instructions for Chrome and Firefox).

Firefox also has an add-on named Self-destructing Cookies that will destroy cookies automatically after a tab is closed or after the browser is closed. This can help prevent tracking, and it can also protect against someone accessing your computer and being able to access sites where you have logged in.

HTTPS Everywhere protects against connecting to websites via an unencrypted connection. This browser extension, supported in both Chrome and Firefox, doesn't protect against third-party tracking. However, for people who travel and use internet connections in hotels, coffee shops, conferences, or other public spaces, HTTPS Everywhere can protect against people snooping and looking at traffic on the network.

Unfortunately, tracking occurs in multiple ways, and blocking trackers will only go so far. Some companies use a technique called browser fingerprinting. Some of the elements targeted by browser fingerprinting can be blocked by blocking JavaScript. In Firefox, the best option for this is NoScript. In Chrome, the best option for this is ScriptSafe.

In addition to these steps, disabling and removing unused browser plug-ins is strongly recommended. In some instances, advertising companies have bought moderately popular extensions and used them to push trackers and malware. Disabling and deleting unused browser extensions minimizes this risk (read our instructions for Chrome and Firefox).

A final note here involves the use of so-called "private" or incognito browsing. Avoid it. If you want private browsing for everyday activities, use the steps outlined in this section. If you want truly private browsing, use Tor, as described in the next section.

Blocking Trackers, the Short Way

Use Tor. Tor protects against tracking and in some situations allows people to approach being anonymous online (we say "approach" because true anonymity does not exist). Tor was designed to provide protection for journalists and dissidents in repressive countries and helps protect against everything from tracking protection to, potentially, having traffic intercepted by governments and other organizations. While Tor is the most accessible option out there for blocking tracking and preserving a semblance of anonymity, it can't be overstated that even Tor has vulnerabilities.

We will discuss this in more detail later in this post, but using Tor to search for sensitive information provides a good level of protection for most people.

For many of us, if we have Gmail accounts (either a personal or work account, or both) and we use Google for search, we almost always search when we are logged in to Google. This gives Google a very complete view of what we search for, which allows them to "personalize" searches to what Google thinks we want to see (if you want to see a small subset of what Google knows about you, visit https://myactivity.google.com/myactivity when logged into a Google account. While this is only a fraction of what Google knows about you, a quick scan through your search history is often illustrative and petrifying). "Personalization" ensures that two people searching for the same topic won't get the same results. However, when results are invisibly tailored "for" us, bias can appear in the results. There have also been substantial charges that Google has abused its position as a leader in search.

However, the same mechanisms that target ads to us also target search results and news to us, and this can create what some people call a filter bubble. Accordingly, all the steps outlined above to protect against ad tracking also help us receive less biased search results. We can expand the reach of what we see online by using different search services. These three services provide protections for privacy that are not as accessible with other search engines:

Additionally, if you set your browser's default search option to something other than Google, you will reduce the chance that you will accidentally provide Google with additional data. This allows you to make a deliberate choice around using Google relative to other search options.

Finally, when reading news sites, make a point of visiting sites that are counter to your usual sources of information. If you usually visit Huffington Post, head over to the Daily Caller. If you're a dedicated USAToday.com reader, head over to Time.com. Drop by Alternet or Yahoo! News. (In addition to getting the cookies from these sites stored on your browser, you will also read opinions outside your bubble or circle. You don't have to agree with them, but knowing what they're saying can be useful.)

When searching for sensitive information that you don't want shared, the best approach is to use Tor and search via Duck Duck Go, StartPage, or Disconnect.me. Adding in a VPN, which we discuss in tomorrow's post, is an additional layer of protection. Using this strategy helps protect you from having your personal data collected by data brokers while searching for information.

Conclusion

In today's post, we discussed the importance of keeping our systems up to date and different methods we can use to avoid online tracking. Online privacy and information literacy are mutually supportive, and minimizing how we are tracked allows us to escape various forms of digital redlining that can occur.

In Wednesday's post, we will look at more secure practice with email and online file storage and using virtual private networks. On Friday, we will look at tools that help us create and remember better passwords and some strategies for safer use of smartphones and tablets.


Share your thoughts