Anonymity in the Internet: we know who you are

Image: Wallet with money, by Nocholas Gemini, Wikimedia Commons

Ah, how unique we all are. Each of us a special snowflake: a walking wallet that the marketeers would like to tap.

When you visit a big, commercial website, the owner of that website would like to know exactly who you are, what your purchasing habits are, what kinds of products you are likely to be interested in, how much money you have to spend, and much more. This provides us, as website visitors, with some limited benefits: for example, the website can draw our attention to specific items that we may genuinely be interested in.

However, it can also be to our detriment. Based on our purchasing habits, at this site and elsewhere, prices may be automatically adapted. If you are known to be price-insensitive, you may see higher prices than other customers. The website may suggest more expensive products in a category, rather than inexpensive ones or sales items.

If you are logged into a website, there is really nothing you can do to prevent tracking within that site. You have identified yourself, so of course the site will know what pages you look at, what products you purchase.

Eliminate cross-site tracking services

However, there is a great deal we can do to prevent tracking across multiple sites. First and foremost: install the browser extension Ghostery. This extension identifies the various tracking services used by websites; you may be shocked at just how many of these there are.

You can choose which tracking services to allow or disable; start out by disabling them all. This will eliminate certain web-services that you may use (e.g., Gravatar) - but the marginal benefit those services provide is really just bait: their real purpose is precisely to track your activities as you move around in the Internet. You can decide if you want to re-enable specific services, but be aware of the price you pay. As the saying goes: "If you are not paying for the service, you are the product."

Browser fingerprints

Even if we disable all of the tracking services, we may still be identifiable through our "browser fingerprint". You can see your browser's fingerprint by visiting Panopticlick, a service of the EFF. After starting the test, you will almost certainly see the result "Your browser fingerprint appears to be unique", which means that you can be uniquely identified by any website that you visit. The websites can - and do - share these fingerprints with the big data collection services, who then reconstruct your internet activities.

Fighting the browser fingerprint is difficult. Some of the most specific information comes from Adobe Flash, for example, the list of system fonts. The best solution would be to get rid of Flash, but this is not always easy. First, it is still used by many websites; second, it is pretty much built into the Chrome and Chromium browsers. You can specifically prohibit Flash from sharing your font information by adding

  DisableDeviceFontEnumeration = 1

to your "mms.cfg" file. Under Linux, this file is located in

  ~/.config/chromium/Default/Pepper Data/Shockwave Flash/System

If the file (or the lowest "System" directory) does not exist, you can create them. For other operating systems, search the Internet for the correct location. For non-Chromium-based browsers, there is apparently a global configuration file in /etc/adobe; however, I have not verified this information.

This still leaves piles of information available: your browser and operating system version, the set of plugins you have installed, your screen size, your language preferences, and much more. Taken in combination, they almost certainly still suffice to uniquely identify you.
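To make the point about combinations concrete, here is an added example (not part of the original article) that measures, over a small constructed visitor sample, how many visitors are unique under different attribute sets. The attribute names, sample values and function names are assumptions made for illustration; leaving out `fonts` stands in for a browser with font enumeration disabled.

```python
import math
from collections import Counter

# Constructed sample of eight visitors (illustrative values, not real measurements).
COLUMNS = ["user_agent", "screen", "language", "plugins", "fonts"]
ROWS = [
    ("Chromium 39 / Linux",    "1920x1080", "en-US", "flash",      "fontset-0"),
    ("Chromium 39 / Linux",    "1920x1080", "de-CH", "flash,java", "fontset-1"),
    ("Chromium 39 / Linux",    "1366x768",  "en-US", "flash,java", "fontset-2"),
    ("Chromium 39 / Linux",    "1366x768",  "de-CH", "flash",      "fontset-3"),
    ("Firefox 34 / Windows 7", "1920x1080", "en-US", "flash,java", "fontset-4"),
    ("Firefox 34 / Windows 7", "1920x1080", "de-CH", "flash",      "fontset-5"),
    ("Firefox 34 / Windows 7", "1366x768",  "en-US", "flash",      "fontset-6"),
    ("Firefox 34 / Windows 7", "1366x768",  "en-US", "flash",      "fontset-7"),
]
VISITORS = [dict(zip(COLUMNS, row)) for row in ROWS]
WITHOUT_FONTS = ["user_agent", "screen", "language", "plugins"]


def anonymity_sets(visitors, attributes):
    """Count how many visitors share each combination of attribute values."""
    return Counter(tuple(v[a] for a in attributes) for v in visitors)


def unique_fraction(visitors, attributes):
    """Share of visitors whose combination of values is seen exactly once."""
    sets = anonymity_sets(visitors, attributes)
    return sum(1 for n in sets.values() if n == 1) / len(visitors)


def surprisal_bits(visitors, attributes, visitor):
    """Identifying information in bits: -log2 of the share with the same values."""
    sets = anonymity_sets(visitors, attributes)
    share = sets[tuple(visitor[a] for a in attributes)] / len(visitors)
    return -math.log2(share)


if __name__ == "__main__":
    # Each attribute alone, then all non-font attributes, then everything.
    for attrs in [[a] for a in WITHOUT_FONTS] + [WITHOUT_FONTS, COLUMNS]:
        share = unique_fraction(VISITORS, attrs)
        print(f"{'+'.join(attrs):45s} unique: {share:.0%}")
    bits = surprisal_bits(VISITORS, WITHOUT_FONTS, VISITORS[0])
    print("bits for visitor 0 without fonts:", bits)
```

On this sample no single non-font attribute singles anyone out, yet the four together already make six of the eight visitors unique.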

Further steps

There are further steps you can take:

  • You can install a "user-agent switcher" to "lie" about your browser and operating system versions.
  • You can disable JavaScript (with the plugin "NoScript"). Unfortunately, this disables important features on many websites.
  • You can surf via a proxy. Unfortunately, proxies often also make many websites unusable.
  • You can surf from within a virtual machine, using an absolutely standard installation, say, Windows 7 with the default version of Internet Explorer. This works well enough, but requires discipline to use consistently. Plus, you have the work of setting up the virtual machine.

Currently, no good solution

None of these ideas are entirely satisfactory. The best solution would be for browser manufacturers to agree on a "privacy mode", whereby their browsers would report only essential information to websites. This would be a logical extension to the "incognito" mode that already exists.

Bradley Richards
December 2014