How Not to Be Tracked

2012-06-24 12:29

This note describes the steps I take routinely to keep from being tracked online by advertisers, publishers, social networking sites, and other parties desiring to profit from information I consider personal and private. The steps below constitute pretty much what is required not to be tracked today. Few have the patience to do so much work to safeguard their own privacy.

Cookie basics

The most basic step anyone who is concerned about being tracked on the Net should take is to block third-party cookies in their browser(s).

My default browser is Safari, and while it offers the option of blocking these cookies, its implementation of the blocking is half-hearted. In Preferences, in the Privacy tab, click the choice “Block cookies from third parties and advertisers.” This does not prevent such cookies from accumulating on your system; it merely prevents the cookies from sending information back to their owners. This means that if the third-party blocking option is ever unchecked for any reason, all the hundreds of cookies that have accumulated will be free to send their tracking information when you next visit their owners’ sites.

Several times a day, I open Preferences > Privacy, click Remove All Website Data…, and confirm. I empty the cache (Safari > Empty Cache… and confirm) and quit the browser. I then run a script that replaces any and all cookies that have survived the above process (and there usually are some) with a set of cookies I have deliberately chosen: those that simplify logging in to my banking site, for example.

Social tracking

I log out of Facebook when I’m not using it, which forecloses some tracking. For Google I log in only when it’s required for Google+ or some Group I belong to, or Google Docs. Most of the time I’m logged out. I essentially never log in to Twitter, opting instead to use a desktop client (Echofon). These habits stop tracking by the Like, +1, and Tweet buttons that are ubiquitous across the Web.

AdBlock and Ghostery

The AdBlock extension stops ads from displaying in the browser. When the graphic for an ad displays, it enables a very simple and venerable form of tracking — a record in the server log of the machine on which the graphic resides, tied to my IP address.

I run the Ghostery extension in each browser. The way I have configured it, the extension blocks the action of 1003 of the 1009 cookies, trackers, beacons, etc. that Ghostery knows about today. It will be more tomorrow. I allow the remaining 6, which include Google Analytics and the Twitter button.

LocalStorage, cache, and Flash cookies

LocalStorage is an HTML5 mechanism that many sites now use for tracking. The script that overwrites my Cookies files for each browser (see above) also overwrites LocalStorage with known good content.

I also disable the on-disk cache for my main browser (Safari), as more and more tracking is taking place via this mechanism now. I do this by setting the permissions to zero on the cache directory. Taking this step means I’m using more bandwidth than would be the case with a functioning cache; it’s one of the prices I’m willing to pay for enhanced privacy.

I disable so-called Flash cookies (Adobe calls them Local Storage Objects) by making their storage directory unwritable. Flash cookies were popular for tracking some years back, but their use is declining now, perhaps because privacy researchers are on to them.
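The cleanup described above (overwriting the cookie and LocalStorage files with a chosen set, then setting the cache and Flash storage directories to mode zero) can be scripted as follows. This is an added example, not the author's own script: the function names restore_known_good and lock_dir are hypothetical, every directory is passed in by the caller rather than taken from this note, and emptying a directory before locking it is an assumption. Run it only after the browser has quit, since a running browser can rewrite its files.

```shell
#!/bin/sh
# Added example: restore a known-good browser state, then lock storage dirs.
# No path is hard-coded; pass your own browser's directories as arguments.

# restore_known_good GOOD_DIR LIVE_DIR
# Makes LIVE_DIR hold exactly the files saved in GOOD_DIR: anything that
# appeared since the last run is deleted, everything else is overwritten.
restore_known_good() {
    good=$1; live=$2
    [ -d "$good" ] && [ -d "$live" ] || return 1
    # Delete live files that are not part of the known-good set.
    find "$live" -type f | while IFS= read -r f; do
        rel=${f#"$live"/}
        [ -f "$good/$rel" ] || rm -f -- "$f"
    done
    # Overwrite the survivors (and re-create missing files) from the saved set.
    (cd "$good" && find . -type f) | while IFS= read -r rel; do
        mkdir -p "$live/$(dirname "$rel")"
        cp -p "$good/$rel" "$live/$rel"
    done
}

# lock_dir DIR [MODE]
# Empties DIR (an assumption, the note only mentions permissions) and then
# sets its mode, 000 by default, so nothing can be stored in it afterwards.
lock_dir() {
    dir=$1; mode=${2:-000}
    [ -d "$dir" ] || return 1
    chmod u+rwx "$dir"                 # undo a lock left by a previous run
    find "$dir" -mindepth 1 -delete    # drop whatever accumulated inside
    chmod "$mode" "$dir"
}

# Usage: script GOOD_DIR LIVE_DIR [DIR_TO_LOCK ...]
if [ "$#" -ge 2 ]; then
    restore_known_good "$1" "$2"
    shift 2
    for d in "$@"; do lock_dir "$d"; done
fi
```

File names containing newlines are not handled. A process running as root ignores the mode-zero lock, so the lock only constrains the browser when it runs as an ordinary user.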

Don’t track me bro

Most browsers offer a Do Not Track option. DNT is on the way to becoming a standard under the auspices of the World Wide Web Consortium. Safari, Firefox, Internet Explorer, and Opera provide a DNT choice — at this writing Google Chrome does not. Checking the DNT box has no practical effect at this time, because very few advertising companies honor it (Twitter is one of the ones that do). In the future, DNT may be meaningful.

If I am ever going to do a search or visit a site I absolutely don’t want tracked or recorded, I open an Incognito browsing session in Chrome and activate a virtual private network (WiTopia is the one I use) so that my IP address is not any of the ones usually associated with me.


The steps outlined here don’t protect against tracking by means of device fingerprinting, which companies such as BlueCava are offering to advertisers and others desirous of tracking users across the Net.

One way to defeat this and similar forms of non-cookie-based tracking is to control what JavaScript code you allow to execute in your browser. The Firefox extension NoScript does a comprehensive job of this in that browser, but its developer cannot port it to Safari because WebKit (the rendering engine underlying both Safari and Chrome) does not provide certain crucial low-level APIs.

Even on Firefox, though, where NoScript works in about as convenient a fashion as possible, it quickly becomes tedious to wrangle with all of the JavaScript code that interpenetrates the modern Web. Dealing with NoScript day in and day out can feel like more trouble than it is worth, even for a person near the extreme privacy-sensitive end of the spectrum.