Safe Surfing - Stop Tracking Me !

The character of the Internet has changed over time. The Internet started as a communications and collaboration tool between groups of researchers. As the Internet was built, there was hardly any thought about keeping things private. The focus was on open communication. The fundamental communication element, a packet, carries not only the destination address but also the sender’s address. The Internet user community has been growing all the while. User population growth was fueled by the “World Wide Web” that started being implemented in December 1990. This is a system of “hypertext to link and access information in a web of nodes in which the user can browse at will”. This World Wide Web, or the web, fueled the explosive user growth. Even the growth rate is accelerating. The user community doubled during the five-year period 2007 to 2012. What used to be 1.15 billion users grew to 2.27 billion during that period. The browser was the tool to access the web, obtain useful information and buy products and services from the increasingly commercialized Internet. Social networking was another phenomenon on the net. People took to social sites on a huge scale. For example, Facebook members have now surpassed what used to be the total number of Internet users back in just 2004, the year the social networking phenomenon came about. This is a large possible source of buyers of products and services that no business could ignore. The usual techniques of marketing, increasing brand recognition, brand building, promotion etc. became as important to web-based commerce as in the real brick and mortar world. It is equally important in the virtual world to be able to divide prospects into as many definable segments as possible. Then all the commercial activity costs could be kept minimal, and made more efficient by exploiting these segments to the fullest.

Accurate profiling of prospect behavior, in both the real world and the virtual one, is needed to address appropriate segments. Collecting detailed data is absolutely vital for sellers of products and services. As long as this data does not contain any personally identifiable data (actual address, name, social security number etc.), the data about a person is simply statistics and the privacy of the subject is protected. No one should be able to misuse that data. Several items of personally identifiable data, by themselves or in combination with other non-personally identifiable data, can uniquely identify a person and compromise his privacy. Besides name, address and social security number, these include date of birth, birthplace, email address, IP address, vehicle registration, driver’s license, credit card details, digital identity, face, fingerprints, handwriting etc. There are other details that can help identify individuals. Maintaining privacy is so important because such data can be criminally exploited. The scope for such exploitation in the cyberworld is much greater, as there is a criminally motivated section of entities always looking for opportunities to exploit individuals for profit, politics, power and other reasons.

While aggregated profiles are a legitimate need for marketing purposes, there are no guarantees that personally identifiable data (by themselves or in combination with other pieces of data) would not be misused. One of the major activities related to demographics data is selling this data to others for gain. As some personally non-identifiable data could be used to track down individuals, it is prudent to be very careful about profile data and to whom it is given out. Malicious attacks that cause damage and steal private data and real money from bank accounts happen often. They are a big threat to Internet use. Most of the problems could be avoided if completely anonymous and private access was widely available. Whatever policies, protocols and systems are implemented to protect users are basically retrofits on a system that was intended to be free and open. It is very difficult to completely close all the cracks in protecting privacy. Being on guard seems to be a critical step towards protecting your digital footprint.

In the Internet world there is a range of companies in the electronic business who want to utilize the surfing behavior of people visiting various sites. These companies acquire the data by tracking the surfing behavior of individuals and then aggregating and categorizing it. Most such companies maintain that no personally identifiable data is collected or traded. However, such data could be collected easily if these companies wanted to, or they might be doing it anyway, which is most likely the case for some. This article looks at how the tracking is done and how a user concerned with privacy could minimize the digital footprint of a surfing session. The terms plug-in and add-on are used interchangeably. When we talk about “companies” it should be read as “entities”, since it can concern any party doing the tracking/breaching for any reason. Although this article will try to cover a lot of the basics for safer browsing, it must be noted that there is a lot more to learn and use when it comes to privacy than can be written in a single article.

Trackers Entry Points

This section takes a look at how the tracking is done, the tools the tracking companies use and the technological vulnerabilities that could be exploited. The anti-tracking tools that could be used to avoid being tracked will be discussed later in this article. Anti-tracking tools are able to identify and protect you against these tracking companies. They offer options to allow or disallow a particular company to track your online behavior - if you trust it enough. This is particularly true, when you have faith in the company that the details provided will be used only in aggregated form and no personally identifiable information will be used. This is equivalent to filling out a survey from a trusted company in the real world, which you may do willingly.

Problems start with things that evolved over time to facilitate the user. This includes (super)cookies. Others are inherent problems in programming languages and web technologies used to create attractive and dynamic sites. These include problems with Flash-based applications, Java applets, ActiveX, JavaScript and many more. There are some sites where users are invited to use their real (residential) IP addresses to enable free products or services. Then there are the streaming audio/video sites that offer to install their own plugins. These plugins can then send details to some designated server(s). On top of all these issues, the user-agent sent by the browser you use gives away the major and minor version of the browser software. That clearly tells someone the security patch level of the browser and what vulnerabilities to exploit if one wanted to. The intention behind providing the version data of the browser was to help web sites dynamically adjust the web experience so that it is optimized for the user accessing it. Malicious exploiters, on the other hand, can use browser vulnerabilities to remotely exploit computers with ease. What’s more, the features that were supposedly implemented to facilitate the user through the browser often make it easier for the attackers.

The Tracking Process

Cookies were introduced to make website visits a little more comfortable. This is a process by which the website visited stores data on the user's computer. On a later visit, the website is able to identify the preferences of the user (potentially the user identity too). For example, if you wanted the site to remember your password and help you log in easily from the same computer, the cookie can help. The cookie can hold details that set up the website so that color preferences and other options available at the site are remembered. You do not need to set up these preferences every time you visit. Since the site is able to store data on your system, it can store identifying data snippets. This data can then be used to track your movements to other sites and the pattern of your visits: which sites, which specific pages and what activities are undertaken by this user. What started off as a means of convenience for the user, as well as for the websites to set up the site preferences of a large number of users (without wasting storage for them and spending the search time to find them), has become an easy means of tracking your movements across cyberspace.

Notice, for example, that when the website can clearly associate the userid and password with you, you become vulnerable to many kinds of attacks. This information could now be sold to others, and if it matches the pair you use for your bank, then that account could easily come under attack. The other part of the threat is that the free sites we love to use need to earn revenues by some means. The usual means is to let advertisers run ads on the site. These companies would like to show the user specific ads that are tailored to the customer preferences identified by the data in the cookies. These companies store their own cookies that help track the user and find his/her behavior on the net. These third-party cookies are used to track users. The ads can take the form of popup ads, banners or other variations. Profiling through the cookies involves collecting several events (which URLs you visit) that are linked to the original user. Cookies from traffic tracking sites are installed and additional information is tagged to the cookie. The data is sent to a tracking server. The behavior history in the cookies keeps growing with each session.
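The cross-site linking described above can be seen from the defender's side by looking at which cookie values the browser replays to third parties. This is an added example, not part of the original article: the request log is constructed, all host names are made up, and `site_of` approximates a site by the last two hostname labels (a real tool would use the Public Suffix List).

```python
from collections import defaultdict
from http.cookies import SimpleCookie


def site_of(host):
    """Approximate the site as the last two hostname labels (assumption:
    a real tool would consult the Public Suffix List instead)."""
    return ".".join(host.lower().split(".")[-2:])


# Constructed log: (page being viewed, host contacted, Cookie header sent).
REQUESTS = [
    ("www.news.example", "www.news.example", "theme=dark"),
    ("www.news.example", "ads.tracker.example", "uid=a1b2c3"),
    ("www.news.example", "img.news.example", "theme=dark"),
    ("shop.store.example", "shop.store.example", "cart=17"),
    ("shop.store.example", "ads.tracker.example", "uid=a1b2c3"),
    ("shop.store.example", "fonts.cdn.example", ""),
    ("blog.travel.example", "px.tracker.example", "uid=a1b2c3; seg=7"),
    ("blog.travel.example", "fonts.cdn.example", ""),
]


def cross_site_identifiers(requests, min_sites=2):
    """Return {(third-party site, cookie name, value): [first-party sites]}
    for cookie values replayed while visiting min_sites or more sites."""
    seen = defaultdict(set)
    for page_host, req_host, cookie_header in requests:
        first, third = site_of(page_host), site_of(req_host)
        if first == third:
            continue  # first-party cookie: stays within the visited site
        jar = SimpleCookie()
        jar.load(cookie_header)
        for name, morsel in jar.items():
            seen[(third, name, morsel.value)].add(first)
    return {key: sorted(sites) for key, sites in seen.items()
            if len(sites) >= min_sites}


if __name__ == "__main__":
    for (third, name, value), sites in cross_site_identifiers(REQUESTS).items():
        print(f"{third} saw {name}={value} on: {', '.join(sites)}")
```

Only the value that follows the user across sites is reported; the first-party `theme` and `cart` cookies and the cookie-less font requests are not.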

Aggregated surfing behavior would be legitimate if stripped of personally identifiable data, as discussed already. But the whole cookie process is a stealthy one; you are normally never aware of who dumps a cookie into the local storage via the browser, although modern browsers can block cookies. However, this can make visiting your preferred website inconvenient. The site would not be able to handle the preferences anymore. Nowadays many browsers let you automatically delete cookies after a surfing session ends. As tracking/profiling depends on continuing access to the undisturbed cookie, blocking cookies altogether or purging them after a session could be an effective defense against profiling. This led to the use of other cookie varieties known as Flash cookies, persistent cookies, zombie cookies and evercookies. Flash cookies, a.k.a. local shared objects (LSOs), exploited vulnerabilities in Flash technology and are difficult to erase. All of these newer cookies have this property in common. With recent versions of various browsers, it is possible to delete these local shared objects of the Flash player. Except for Flash cookies, all the other cookie types are stored using several different storage mechanisms, so if the copy stored in the browser or the local storage is erased, other copies can still be accessed or the cookie regenerated. Zombie cookies are stored in folders that are common to all the browsers. Thus, even if you were to change the browser, the zombie cookie remains accessible. Evercookies are a type of zombie cookie. These are JavaScript applications that have the ability to store the cookie via ten (or more) different types of storage mechanisms of a browser. When the application detects that any one of the copies has been deleted, the copy is recreated and stored back. Most current browsers now have the ability to exterminate the evercookie. That is another reason to keep your browser updated.

Other situations that enable tracking include Java applet downloads. Allowing interesting sites to download and install (useful) applications (plugins) can open you to vulnerabilities. Downloaded Java applications can do anything beyond the stated features, such as storing a cookie that enables tracking. Similar concerns apply to that nifty application downloaded and installed by the streaming audio/video/game sites you found. ActiveX, another popular scripting technology, has vulnerabilities that could be easily utilized. As discussed here, totally avoiding cookies, and thereby tracking, is nearly impossible. Thus the next-level strategy is to detect these trackers and block them as you move from site to site. Browser plugins that help prevent tracking of your browser (you) are designed around this defense strategy.

Popular Privacy Plugins

In the following sections we will discuss several plugins for various browsers starting with Firefox. Firefox is reputed to be the most secure among the popular browsers that include Internet Explorer, Opera, Chrome and Safari. The three most popular Firefox plugins that help defend against tracking are named “Ghostery”, “NoScript” and “Flashblock”.

Ghostery:

Ghostery is a plugin that recognizes the hooks used on websites by the analytics and ad companies to tag your browser for tracking. It is able to identify the companies trying to track you. These companies use what is known as “web bugs”. Like a real-life bug in a room, these are left hidden in a webpage or an email and help trackers find out whether a user is visiting the site or whether a mail was opened by the user. Often they are called by names such as beacon, tag, etc. These are implemented as pixel, clear GIF, 1x1 GIF (...) elements: a single transparent embedded image to be loaded from a server of the tracking company. The request reveals your IP address, as that is where the image is requested from. The trackers use this address to place a special tag in some kind of persistent cookie in your local storage. As the browser is used more and more, the cookie inside your computer builds up browsing history. Periodically cleaning cookies helps, as it fragments the history collected. The webserver that serves the pages of sites you visit usually logs your IP address. However, the third-party trackers do not get access to these logs and have to resort to listening to the communication interchange when a page is requested, much like listening to a bug in the physical world to find out if someone has entered the bugged room. Identifying such trackers comes down to monitoring whether image requests are going to external servers and identifying those servers. If these images are prevented from loading, along with any further communication, then the tracking will be blocked. The images, being transparent, do not interfere with the webpage presentation. So-called iFrame HTML tags are also used to help the third parties place a cookie on your computer.
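The check described above, looking for images and iFrames that are requested from external servers, can be run over a page's HTML. This is an added example, not part of the original article and not Ghostery's code: the sample page is constructed, all host names are made up, and `site_of` approximates a site by the last two hostname labels (a real tool would use the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def site_of(host):
    """Approximate the site as the last two hostname labels (assumption:
    a real tool would consult the Public Suffix List instead)."""
    return ".".join(host.lower().split(".")[-2:])


class WebBugScanner(HTMLParser):
    """Collects <img> and <iframe> elements that load from another site."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname or "")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        a = dict(attrs)
        if not a.get("src"):
            return
        # Resolve relative and protocol-relative URLs against the page.
        host = urlsplit(urljoin(self.page_url, a["src"])).hostname
        if not host or site_of(host) == self.page_site:
            return  # first-party resource
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag == "iframe":
            kind = "third-party iframe"
        elif tiny or hidden:
            kind = "web bug"
        else:
            kind = "third-party image"
        self.findings.append((kind, host))


def scan(page_url, html):
    """Return a list of (kind, host) for third-party images and iframes."""
    scanner = WebBugScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; every host name here is made up.
SAMPLE = """
<html><body>
<img src="/img/logo.png" width="200" height="60">
<img src="//stats.tracker.example/p.gif?id=42" width="1" height="1">
<img src="https://cdn.photos.example/cat.jpg" width="640" height="480">
<img src="https://b.metrics.example/t.gif" style="display: none">
<iframe src="https://ads.tracker.example/sync.html" width="0" height="0"></iframe>
<img src="https://static.news.example/banner.png">
</body></html>
"""

if __name__ == "__main__":
    for kind, host in scan("https://www.news.example/story", SAMPLE):
        print(f"{kind:20} {host}")
```

A static scan like this misses beacons that scripts insert after the page loads, which is why blocking plugins watch the requests the browser actually makes.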

You can set pre-emptive settings to stop all tracking companies found. A purple box appears in the right-hand corner of the screen and shows the names of companies detected and deleted (displayed with a strike-through on the name listed if blocked). Additional information about the company, its privacy policy and contact details regarding privacy matters are provided by the plugin with a single click of the mouse. Ghostery also has an option known as GhostRank, which allows sending anonymous statistical information to the servers of the Ghostery developers. That helps update data and protection against these tracking companies. Ghostery is available for all the major browsers (Firefox, Internet Explorer, Chrome, Opera, Safari) and works the same way in each. The plugin is also available on the iPad, iPod Touch and iPhone. When you download the plugin, a wizard helps set it up. The plugin is entirely free to use and does not violate your privacy.

DoNotTrackMe:

DoNotTrackMe, previously known as DoNotTrack Plus, is an add-on with similar functionality that is available across the major browsers except Opera. It may not be able to block everything compared to Ghostery. Trackers that are being blocked can be viewed. Cookies are blocked, as are ads with tracking functionality. Alerts are provided when privacy policies of the tracking sites change. Some websites will force you to enable a specific tracker before you can continue using their service, which is a very questionable practice.

NoScript and Similars:

Firefox has a plugin named NoScript that prevents scripts from any website from executing in your browser unless the user specifically allows it. JavaScript, Silverlight, Flash, ActiveX, Java and others can only be executed if you allow them. Creating a whitelist lets you add trusted sites that are allowed to execute scripts on a continuing basis. Script execution can be enabled very easily with a simple left click on the NoScript status bar icon when visiting a specific site. The plugin helps block (the vulnerabilities related to) these scripts and gives you control. It has some other advantages from a security standpoint too: it prevents cross-site scripting and click-jacking, among others. This plugin affects the working of many sites. What a user needs to do is build up the whitelist for their favorite sites. This needs to be done manually, one by one.

The Internet Explorer script policy can be set through the Internet options available in the Tools menu. Disabling of different flavors of scripting is available through the Security set of options. Security level High disables everything, as expected. You can selectively whitelist sites in the different security zones defined in IE by default.

Opera has a plugin named ScriptWeeder whose functionality is similar to NoScript. It has three modes: whitelist, whitelist + same origin, and blacklist. In whitelist mode, scripts are blocked unless they are on the whitelist. In the second mode, the only exception made is if the script is from the same domain (script being run from the original website). In the blacklist mode all scripts are allowed to run unless the site is listed on the blacklist.
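The practical difference between the three modes shows when they are applied to the same page. This is an added example modelled on the description above, not ScriptWeeder's own code: the page, script URLs and lists are constructed, the function and mode names are hypothetical, and hosts are compared by exact hostname.

```python
from urllib.parse import urlsplit

MODES = ("whitelist", "whitelist+same-origin", "blacklist")


def allow_script(mode, page_url, script_url, whitelist=(), blacklist=()):
    """Decide whether a script may run, following the three modes described
    above. Hosts are compared by exact hostname (an assumption of this sketch)."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    page_host = urlsplit(page_url).hostname
    script_host = urlsplit(script_url).hostname
    if mode == "blacklist":
        # Default allow: only hosts already known to be bad are stopped.
        return script_host not in blacklist
    if script_host in whitelist:
        return True
    # Default deny, with the single same-domain exception in the second mode.
    return mode == "whitelist+same-origin" and script_host == page_host


# Constructed page and lists; all host names are made up.
PAGE = "https://www.news.example/story"
SCRIPTS = [
    "https://www.news.example/js/app.js",
    "https://cdn.lib.example/jquery.js",
    "https://ads.tracker.example/t.js",
    "https://new.unknown.example/x.js",
]
WHITELIST = {"cdn.lib.example"}
BLACKLIST = {"ads.tracker.example"}


def allowed_hosts(mode):
    """Hosts whose scripts would run on PAGE under the given mode."""
    return [urlsplit(s).hostname for s in SCRIPTS
            if allow_script(mode, PAGE, s, WHITELIST, BLACKLIST)]


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:22} {allowed_hosts(mode)}")
```

Blacklist mode is the only one that lets the script from the never-seen-before host run, since a blacklist can only stop hosts that are already known.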

Chrome has the NotScript plugin, with functionality similar to NoScript for Firefox but somewhat limited. The usual whitelisting functionality is available. The limitation is that some Java applets may not be blocked properly.

Safari recently gained a plugin called JavaScript Blocker. It is in many ways comparable to the NoScript plugin for Firefox but requires a very recent version of Safari.

Flashblock and Similars:

Firefox and Chrome have a plugin named Flashblock which blocks the downloading of elements like Silverlight, Shockwave, Flash and other variations. Placeholders are shown on the pages where the elements would normally appear, and clicking on a placeholder downloads the specific element. Flashblock will not work if a script blocker like NoScript is active or JavaScript is disabled. Whitelisting is available for sites that can be allowed to work unrestricted.

Internet Explorer has a kind of Flash-blocking option built in. It is not very obvious but can be turned off/on easily. The default is to allow all Flash elements. To set its status you need to go to Manage Add-ons and select it from the list, assuming a Flash plugin was installed. This also depends on which version of IE you are using, since Microsoft does not seem to have a clear path for the future of Flash and third-party plugins in recent versions like IE 10.

Opera has a similarly named Flashblocker plugin available, although the way to use it does require some attention. It is recommended to check the latest instructions.

Safari has a built-in plugin-blocking mechanism that stops older Flash versions from downloading through its plugin blacklist feature. Only the latest secure version will be allowed. To block flash you can use the ClickToFlash add-on available for Safari. Elements are turned into placeholders and clicking on them loads the content. Flash videos get converted to H.264 format from selected websites with a single click. It also offers whitelisting features.

Conclusion

It is always a good idea to take care of the following issues to be safe in your journey through cyberspace. By default you should always have a capable virus and malware protection system, constantly updated, as a first level of safety. The starting point is to keep everything patched up to the latest patches released by the manufacturers: the operating system, your browser and certainly the browser plugins. It is easy to forget about updating the plugins. Keep, among others, Java, JavaScript, ActiveX and Flash controls turned off. Allow them only when you are absolutely certain of the site providing them to you. Have the option set up such that you are alerted when needed and are then able to choose to allow them. Revert to no-script settings as soon as you are done. Disable cookies; if that interferes with the operation of your favorite sites, then delete them after a browsing session, and do this regularly. Keep all applications, particularly if they are for multimedia, patched and configured up to the latest security levels. Blocking pop-ups can help, as some may contain a malicious payload. Always be vigilant when it comes to your data and the digital footprint you leave in cyberspace. It is very difficult to repair your privacy on the Internet once it is out in the open. A known good firewall that is always kept current is another strong protection layer against privacy invasion and security threats.


The TriTeam


     
Copyright © 2005-2018 Trilight Zone. All rights reserved.