Ubiquitous Tracking by Big Mega Corporations and What We Can Do About It

Nowadays, if you surf the web like any normal person, chances are your movements on the internet will be tracked. There are a lot of companies tracking you and building detailed profiles about your behaviour on the internet. With all the news about Edward Snowden’s revelations of the mass surveillance carried out by the NSA, GCHQ and other three-letter agencies, you might almost forget that there is a whole world out there with various corporate entities who also build profiles about you, either with or without your knowledge and consent.

Why big corporations are tracking you and building profiles about you

Profiles about your Internet behaviour most often get built when you simply surf unprotected, with your browser executing any and all JavaScript that it comes across. That JavaScript usually collects data about your browser and operating system, which then gets sent back to third-party advertising networks who make money building profiles about every user on the internet. Now, of course they claim this is done to better target ads, so you get ads aimed specifically at your current interests and your geographical location or linguistic background, for instance.

You see, when you search for something on the internet, you are revealing something very private indeed: you are revealing what you think at that very moment, and what things you are likely interested in.

Google Analytics Dashboard, giving an impression of things it can track.

This information is worth a lot of money to marketers, who are always on the lookout for ways to target and market their products to just the right audiences. Knowing exactly what people are up to and what their interests are is something marketing departments the world over crave. For if you know exactly what your audience’s interests are, you can tailor the marketing of your products to exactly fit their needs, leading to more sales. Selling access to this information is Google’s main profit model.

The major problem with this data collection is that it is all happening without our knowledge or consent. There are only a few large companies in the world who hold a virtual monopoly on acquiring a lot of data about people via the internet. An example would be Facebook; a lot of sites on the internet (tens of millions) have a certain link with Facebook, via their share buttons. Because these buttons are so ubiquitous, found on almost every other site, this causes Facebook to know quite a bit about your surfing behaviour, even if you’re not a Facebook user. Your data still gets collected and stored in a shadow profile, where it is then of course susceptible to acquisition by government agents as well.

Major problems with personalized results

As more and more people discover their content and news through personalized feeds like those found on Twitter and Facebook etcetera, the stuff that matters gets pushed off the feed. People who live in the filter bubble, a term coined by Eli Pariser, can easily miss vital information about certain major events. I’ll give an example. During the Egyptian Revolution of 2011, two people may be getting two completely different results on Google. One, who is more interested in holidays, according to the profile built up by Google, may be getting more links in the search engine results page (SERP) about holidays to Egypt, and miss news about the revolution completely, whereas someone who is more politically active, may only get links to news sites with articles about the revolution. This is already a major difference in the results you get.

You may be under the impression that the results generated by Google are the same for everyone where, evidently, they are not. They are generated based on your personal interests, information you and/or your computer shared with Google. The question is: is it really always a good thing that we only get to see stuff we are interested in? And that some big mega-corporation like Google is deciding that for us? This way we may miss vital information, as the information that reaches us gets censored transparently, without our knowledge or consent.

If we only get our news from personalized news feeds like those provided by Facebook, Google and Twitter, we may miss out on a lot of information. Therefore it is prudent to always use as many different sources of information as possible, so efforts to filter our results and trap us in the filter bubble have as little effect on us as possible.

Steps we can take to arm ourselves

There are various things we can do to arm ourselves against tracking and the building up of profiles. The first step is using a common browser. This may sound strange, but let me explain. There’s this tool written by the Electronic Software Foundation called the Panopticlick. With this tool you can check all kinds of information about what kind of fingerprint your browser leaves behind, and with how many computers it shares that fingerprint. By having a very large pool of potential computers, all with the same browser fingerprint, we make it harder for companies to track our movements on the internet, as the pool of possible targets will be larger. Browser fingerprinting works without cookies, so it’s a big threat to your online privacy. In terms of browsers, Firefox is a good one. Chrome not so much, as it’s sharing information about which sites you surf with Google. I also recommend Firefox not only because it’s open source, but also because of the vast repository of add-ons available for it. Make sure you disable the setting of third-party cookies.
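To make the "pool of computers sharing a fingerprint" idea concrete, here is an added example (not code from Panopticlick or from the original article) that computes the anonymity set and the identifying information in bits for a browser. The population records, attribute names and values are constructed for illustration.

```javascript
// Constructed sample population: the attributes a page can read from each browser.
// All values are made up for illustration.
const repeat = (n, rec) => Array.from({ length: n }, () => ({ ...rec }));
const base = { userAgent: "Firefox (Windows)", screen: "1366x768", timezone: "UTC+1", fonts: "stock" };
const population = [
  ...repeat(4, base),
  ...repeat(2, { ...base, screen: "1920x1080" }),
  { ...base, userAgent: "Chrome (Linux)", screen: "1920x1080" },
  { ...base, fonts: "stock+custom" },
];

// Canonical fingerprint: attributes joined in sorted key order.
function fingerprint(browser) {
  return Object.keys(browser).sort().map((k) => `${k}=${browser[k]}`).join("|");
}

// Anonymity set: how many browsers in the population share this exact fingerprint.
function anonymitySet(browser, pop) {
  const fp = fingerprint(browser);
  return pop.filter((b) => fingerprint(b) === fp).length;
}

// Identifying information in bits: log2(population / anonymity set).
function identifyingBits(browser, pop) {
  const n = anonymitySet(browser, pop);
  return n === 0 ? Infinity : Math.log2(pop.length / n);
}

// Bits contributed by each attribute on its own, to see which setting stands out.
function attributeBits(browser, pop) {
  const bits = {};
  for (const key of Object.keys(browser)) {
    const sharing = pop.filter((b) => b[key] === browser[key]).length;
    bits[key] = sharing === 0 ? Infinity : Math.log2(pop.length / sharing);
  }
  return bits;
}

const common = population[0]; // stock configuration shared with three others
const rare = population[7];   // same browser, but with an unusual font list
console.log(anonymitySet(common, population), identifyingBits(common, population));
console.log(anonymitySet(rare, population), identifyingBits(rare, population));
console.log(attributeBits(rare, population));
```

The browser with the custom font list is alone in its pool even though its user agent, screen size and timezone are common, which is why a stock configuration of a widely used browser is harder to single out.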

Secondly, it helps if we install browser add-ons like Ghostery, NoScript and AdBlock Plus. These add-ons will specifically disable any JavaScript tracking going on, either by disabling JavaScript completely (in the case of NoScript), or by having a list of common advertising companies and various other trackers, which it specifically blocks (in the case of Ghostery). AdBlock Plus removes all ads from the websites you visit. They don’t even get loaded. JavaScript is a programming language, with which we can do a lot of cool stuff and make web pages seem more responsive, have our webapps feel more like desktop apps, etc. A lot of stuff is possible with JavaScript. This is in part because it most often gets executed on the client, not on the server. Every browser capable of running JavaScript basically has a virtual machine like Google’s V8, or something similar with which it can run JavaScript. The problem is that with JavaScript the script writer can also get a lot of information back from the browser, and all kinds of nifty hacks are possible if JavaScript is enabled. So disabling JavaScript wherever possible is a very safe thing to do. And with NoScript, you can still enable JavaScript on a per-domain basis as well, if you need it. This will already prevent a large part of the tracking stuff from ever loading on your computer.

Other add-ons like RefControl (which will forge or block the HTTP_REFERER header from your browser) also work to enhance your privacy. By reading the HTTP_REFERER header, a site can normally see what site you came from, and by blocking or forging this header, we don’t reveal any information about our surfing behaviour in this way. HTTPS Everywhere is a good add-on to have as well, as it enforces HTTPS (secure, encrypted) communications on sites that support it. Some sites, like Facebook for instance, do support HTTPS communications, but redirect all their links to the insecure HTTP variant. By installing HTTPS Everywhere, which is written by the EFF, we force sites like these to use HTTPS all the time.

To check with what sites your browser has shared information about you, you can install Collusion. With this add-on, you can open up a tab with information about which sites you have visited during your browsing session, and with which sites your browser has shared information. This is often substantially more than the sites you actually visit. Many sites for instance use advertising networks, which load their ads from another domain, and data about you gets sent to these networks to track and profile you. To see whether and to what extent this is happening to you, you can install Collusion.
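The kind of map Collusion draws, and the role of the referrer header described above, can be reproduced over a request log. This is an added example, not Collusion's or RefControl's code: the log entries and `.example` domains are constructed, and `site()` uses a simplified "last two labels" rule where real tools consult the Public Suffix List. It models only what a third party learns from the referrer header, not cookies or scripts.

```javascript
// Constructed request log for one browsing session: the URL fetched and the
// referrer header the browser sent with it (null for a typed-in navigation).
const requests = [
  { url: "https://www.news.example/article/1", referer: null },
  { url: "https://widgets.social.example/share.js", referer: "https://www.news.example/article/1" },
  { url: "https://cdn.news.example/style.css", referer: "https://www.news.example/article/1" },
  { url: "https://www.shop.example/cart", referer: null },
  { url: "https://widgets.social.example/share.js", referer: "https://www.shop.example/cart" },
  { url: "https://px.adnet.example/pixel.gif", referer: "https://www.shop.example/cart" },
  { url: "https://www.forum.example/thread/9", referer: null },
  { url: "https://widgets.social.example/share.js", referer: "https://www.forum.example/thread/9" },
];

// Simplified site name: last two host labels (assumption, see lead-in).
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// For every third-party site, the set of first-party sites it was told about.
function thirdPartyView(log) {
  const seen = new Map();
  for (const { url, referer } of log) {
    if (!referer) continue;            // nothing disclosed without the header
    const to = site(url);
    const from = site(referer);
    if (to === from) continue;         // same site, e.g. its own CDN
    if (!seen.has(to)) seen.set(to, new Set());
    seen.get(to).add(from);
  }
  return seen;
}

// Third parties that can link visits across at least minSites different sites.
function crossSiteTrackers(log, minSites = 2) {
  return [...thirdPartyView(log)]
    .filter(([, sites]) => sites.size >= minSites)
    .map(([tracker, sites]) => ({ tracker, sites: [...sites].sort() }));
}

// The same session with the referrer header blocked on every request.
function withRefererBlocked(log) {
  return log.map((r) => ({ ...r, referer: null }));
}

console.log(crossSiteTrackers(requests));
console.log(crossSiteTrackers(withRefererBlocked(requests)));
```

In the sample session the share-button host learns about all three visited sites while the ad pixel learns about one; with the header blocked, this particular channel discloses nothing.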

To get better protection against tracking, we can change our surfing behaviour by avoiding certain US companies like Google for instance. You can instead search the internet using Startpage. Startpage uses the Google engine, but strips all identifying information from the request before it sends it off to the Google servers, allowing you to search tracking-free. They also don’t store any logs whatsoever, and they use encryption by default.

Right, am I done yet?

The tips above are only good advice in general, and will protect against most profiling attempts by advertising and other profit-oriented companies which try and sell your profile to their clients, but won’t protect you against a determined, well-financed adversary like an intelligence agency. For this, you need to encrypt the hell out of your life, and use crypto like AES, etc. (TrueCrypt) and PGP (GnuPG) as much as possible. Why should we be making it easy for the spooks?

In that case, you might also read up on VPNs, and check out the Tor network (but keep in mind that many exit nodes are run by intelligence agencies, so always use end-to-end encryption (e.g. HTTPS) when using Tor). In this case, also try to avoid using any service made available by any US company whatsoever. Think SaaS providers, cloud services, etc. Because of the Patriot Act, US government agencies (and of course, through them, other, foreign intelligence agencies which cooperate with the Americans) can easily request any and all information some company with US ties stores about you. So try to avoid that as much as possible in this case. This is the reason why I’ve moved my online persona to Switzerland, and am also running my mail on a mail server that I control.

Also think about the security of your devices, and only run free software, so there’s less chance of a back-door hidden in the software you use. But you can read up more on the measures you can take when you’re up against a more powerful adversary.

But with the above tips, you’ll be well on your way to better securing your communications.

Notice: The above article also got published on UKcolumn.org. While I am very happy with the syndication, I don’t agree with everything published on UKcolumn.org.