This note describes the steps I take routinely to keep from being tracked online by advertisers, publishers, social networking sites, and other parties desiring to profit from information I consider personal and private. The steps below constitute pretty much what is required not to be tracked today. Few have the patience to do so much work to safeguard their own privacy.
The most basic step anyone who is concerned about being tracked on the Net should take is to block third-party cookies in their browser(s).
My default browser is Safari, and while it offers the option of blocking these cookies, its implementation of the blocking is half-hearted. In Preferences, in the Privacy tab, click the choice “Block cookies from third parties and advertisers.” This does not prevent such cookies from accumulating on your system; it merely prevents the cookies from sending information back to their owners. This means that if the third-party blocking option is ever unchecked for any reason, all the hundreds of cookies that have accumulated will be free to send their tracking information when you next visit their owners’ sites.
Several times a day, I open Preferences > Privacy, click Remove All Website Data…, and confirm. I empty the cache (Safari > Empty Cache… and confirm) and quit the browser. I then run a script that replaces any and all cookies that have survived the above process (and there usually are some) with a set of cookies I have deliberately chosen: those that simplify logging in to my banking site, for example.
I log out of Facebook when I’m not using it, which forecloses some tracking. For Google I log in only when it’s required for Google+ or some Group I belong to, or Google Docs. Most of the time I’m logged out. I essentially never log in to Twitter, opting instead to use a desktop client (Echofon). These habits stop tracking by the Like, +1, and Tweet buttons that are ubiquitous across the Web.
AdBlock and Ghostery
The AdBlock extension stops ads from displaying in the browser. When the graphic for an ad displays, it enables a very simple and venerable form of tracking — a record in the server log of the machine on which the graphic resides, tied to my IP address.
I run the Ghostery extension in each browser. The way I have configured it, the extension blocks the action of 1003 of the 1009 cookies, trackers, beacons, etc. that Ghostery knows about today. It will be more tomorrow. I allow the remaining 6, which include Google Analytics and the Twitter button.
LocalStorage, cache, and Flash cookies
LocalStorage is an HTML5 mechanism that many sites now use for tracking. The script that overwrites my Cookies files for each browser (see above) also overwrites LocalStorage with known good content.
I also disable the on-disk cache for my main browser (Safari), as more and more tracking is taking place via this mechanism now. I do this by setting the permissions to zero on the cache directory. Taking this step means I’m using more bandwidth than would be the case with a functioning cache; it’s one of the prices I’m willing to pay for enhanced privacy.
I disable so-called Flash cookies (Adobe calls them Local Storage Objects) by making their storage directory unwritable. Flash cookies were popular for tracking some years back, but their use is declining now, perhaps because privacy researchers are on to them.
Don’t track me bro
Most browsers offer a Do Not Track option. DNT is on the way to becoming a standard under the auspices of the World Wide Web Consortium. Safari, Firefox, Internet Explorer, and Opera provide a DNT choice — at this writing Google Chrome does not. Checking the DNT box has no practical effect at this time, because very few advertising companies honor it (Twitter is one of the ones that do). In the future, DNT may be meaningful.
If I am ever going to do a search or visit a site I absolutely don’t want tracked or recorded, I open an Incognito browsing session in Chrome and activate a virtual private network (WiTopia is the one I use) so that my IP address is not any of the ones usually associated with me.
The steps outlined here don’t protect against tracking by means of device fingerprinting, which companies such as BlueCava are offering to advertisers and others desirous of tracking users across the Net.