When you browse the Web, it’s like you’ve allowed a bunch of companies to implant a tracking device in your arm and a small camera in your head, recording where you go and what you look at. Thanks to ad networks, search engines, ISPs, and social networks, your online activities are tracked, analyzed, and sold. But there are a few things you can do to maintain some degree of privacy.
The risk: Advertising networks such as DoubleClick, Quantcast, Microsoft, Yahoo!, and many others use a variety of techniques to know which sites you visit and which ads you respond to. They do so in order to specifically target the ads you see.
The most common way they do so is by setting a tracking cookie using a Web bug (a small image or piece of code that links back to the ad networks’ servers and sets or reads a cookie). Each cookie has a unique code to identify your Web browser; when combined with site-specific information sent by the Web bug, it tells the ad network which sites and pages you visit. (Such cookies are distinct from those that Websites themselves set to track you locally or preserve preference settings.)
Tracking cookies are just one technique ad networks use to track your activity. And those networks can track you only when you visit sites that participate in their programs. But because nearly every Website now shows ads and because some ad networks are so pervasive, they can track and record a significant chunk of your Internet usage.
In theory, ad network cookies are anonymous; they track your browser, not you personally. However, they can be correlated to your name using things like your IP address. Right now, that’s more creepy than dangerous. But down the road, cookies could be tied to you more personally and used to customize things like the prices you see on products.
There are initiatives to stop or curb this free-for-all: currently, a bill to prohibit ad companies and other online businesses from tracking and sharing your personal information is being examined within the U.S. House of Representatives, and popular browsers like Firefox and Chrome have been experimenting with “Do Not Track” options within their respective applications. Unfortunately, as these strategies are still in early negotiation and beta, you’ll still need to use multiple defenses for thorough protection.
How to protect yourself: There are moves afoot to provide blanket protection from tracking—do-not-track settings in browsers and even laws mandating do-not-track registries. But until such measures acquire some muscle, you can opt out of the major tracking networks by visiting the Network Advertising Initiative’s Opt-Out page. This industry-run Website checks your system for tracking cookies from participating ad networks and allows you to opt out of them one at a time or all at once. It does so by setting “do not track” cookies that many marketing networks respect. Remember to visit this site on every browser you use.
The next step is to block cookies from third-party and advertising sites. In Safari this is under Preferences > Security > Accept cookies. Click the radio box next to “Only from sites I visit” to protect yourself. In Firefox, go to the Privacy tab in Preferences, select Use Custom Settings For History from the Firefox Will drop-down, then deselect Accept Third-Party Cookies.
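An added example (not from the original article) that models the tracking-cookie mechanism described earlier and the effect of the third-party cookie setting above: it scans a constructed log of browser requests and reports any third-party cookie identifier presented from more than one site. The hosts, cookie values and the two-label `site()` heuristic are assumptions made for illustration.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: (page being viewed, URL the browser fetched, Cookie header sent).
# Every host and cookie value here is made up for illustration.
REQUESTS = [
    ("http://news.example/story", "http://news.example/style.css", "prefs=large-text"),
    ("http://news.example/story", "http://ads.tracker.test/bug.gif?page=/story", "uid=a1b2c3"),
    ("http://shop.example/shoes", "http://ads.tracker.test/bug.gif?page=/shoes", "uid=a1b2c3"),
    ("http://shop.example/shoes", "http://shop.example/cart.js", "session=xyz"),
    ("http://blog.example/post", "http://ads.tracker.test/bug.gif?page=/post", "uid=a1b2c3"),
    ("http://blog.example/post", "http://stats.other.test/pixel.gif", ""),
]

def site(url):
    """Crude site name: last two host labels (assumption; browsers use the Public Suffix List)."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def profiles(requests, block_third_party=False):
    """Map (third-party site, cookie name, cookie value) -> set of sites it was seen from."""
    seen = defaultdict(set)
    for page, url, cookie_header in requests:
        first_party, requested = site(page), site(url)
        if requested == first_party:
            continue  # first-party cookie: stays with the site you chose to visit
        if block_third_party:
            # Simplified model of the browser setting: the Web bug is still
            # fetched, but no cookie accompanies the request.
            cookie_header = ""
        for name, morsel in SimpleCookie(cookie_header).items():
            seen[(requested, name, morsel.value)].add(first_party)
    return dict(seen)

def cross_site_trackers(requests, **kw):
    """Keep only identifiers that were presented from more than one first-party site."""
    return {k: sorted(v) for k, v in profiles(requests, **kw).items() if len(v) > 1}

if __name__ == "__main__":
    for (host, name, value), sites in cross_site_trackers(REQUESTS).items():
        print(f"{host} can link {name}={value} to visits on: {', '.join(sites)}")
    blocked = cross_site_trackers(REQUESTS, block_third_party=True)
    print("with third-party cookies blocked:", blocked)
```

In the blocked case the request to the tracker still goes out, so the IP address remains visible to it; only the cookie identifier that links the visits is lost.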
You can also use your browser’s private browsing mode. Private browsing in Safari (under Safari > Private Browsing) isn’t very effective since it still saves cookies. Firefox (Tools > Start Private Browsing) saves less, but still allows tracking for that session and doesn’t stop tracking by IP address.
If you want to really browse under the radar, you’ll need to install additional browser plugins. To start, I recommend AdBlock for Safari and AdBlock Plus for Firefox. These add-ons block most Internet ads and any embedded tracking. But they won’t stop all tracking. To further bolster your defenses, install Ghostery for Firefox, Safari, or Chrome; it blocks Web bugs, tracking tags, and other techniques for over 200 tracking companies.
If you really want complete control of your browser, try NoScript for Firefox (the best browser security and privacy tool out there, though it takes some getting used to) and the Plugin Customs extension for Safari. The only problem is that they can disrupt the way sites themselves work.
As a final stopgap, use a privacy tool like MacScan to sweep your system for any lingering tracking information (as well as malicious spyware and trojans).
The risk: Local Shared Objects are small text files saved by Adobe Flash that function much like cookies and often evade other privacy controls. These are extremely common on major Websites and frequently used for tracking.
How to protect yourself: Visit the Adobe Flash online settings manager to restrict how Flash stores LSOs. In the Global Storage Settings panel on that page, deselect the Allow Third-Party Flash Content To Store Data On Your Computer option (that will get rid of tracking). Setting the allowed storage space to 0 will let you manually approve any requests for a new LSO.
For additional control in Firefox, I recommend the BetterPrivacy add-on. This will delete all LSOs when you exit your browser or after a specified period of time. Note that, if you do a lot of Flash gaming, you will want to allow LSOs for those sites.
[Rich Mogull has worked in the security world for 17 years. He writes for TidBITS and works as a security analyst through Securosis.com.]