Browser Privacy: Cookies and Tracking and Scripts, Oh My!

I'm co-leading a Privacy Study for the LWV Los Alamos. As part of that, I gave a Zoom talk at Eastgate Toastmasters on browser privacy.

Some background on me: I'm a programmer by trade (mostly retired now). I spent quite a few years as a Mozilla developer (at Netscape), and wrote some of the code Firefox uses, though a lot of things have changed since then. I've also written a lot of small websites, though I've never been a professional web developer, so I know something about that end as well.

The talk

It's on YouTube: Browser Privacy.

Here's an approximate transcript of the talk:

Most of us spend a lot of time browsing websites. That's even more true in this age of COVID. But what is your browser telling companies about you? In this talk I'll show you some of the ways your browser might be compromising your privacy -- and some countermeasures you can take to help.

The two biggest factors in browser privacy are cookies and JavaScript.

First, cookies. A cookie is a small piece of information that a website stores inside your browser.

Cookies do lots of useful things. For instance, when you log in to Gmail or Amazon or Facebook, the website sets a cookie, and the next time you go back there, it sees the cookie and knows who you are, so you don't have to log in again.

And there's nothing wrong with that. The biggest problem is what's called "third-party cookies". That's a cookie from a different website -- not the page you're on.

For instance, let's go to the calendar for upcoming county council meetings. This is Firefox, but I'm going to switch to Chrome for this part.

To view cookies, first you need a Developer Tools window. Right-click and choose Inspect.

I'll be going through this fairly fast, and I know it's hard to remember details, so I'll give you a link at the end that has all the information you need for both Firefox and Chrome.

Okay, click on the Application tab, and here are the cookies. You'll see 14 cookies from losalamos.legistar.com -- who knows why they need all those cookies, considering I haven't logged in or done anything except look at a single page -- but what are these addthis and bluekai things? What are all these extra cookies?

AddThis is a social data mining platform. They provide buttons on websites for "Share on Facebook", "Share on Twitter" and so forth. (point out upper right buttons) And they also share information with advertisers.

Remember way back in 2013 when Facebook got sued for the information they were collecting from "Like" buttons on sites all over the web? The companies involved are still around, still collecting your information.

So every time you view the county council calendar on Legistar, AddThis is getting information about you that they might share with -- well, anyone.

Let's look at the same page in Firefox. Again, right click and choose Inspect. Then click on Storage.

Hey, that's interesting ... AddThis shows up, but if you click on it, there aren't any cookies there! Apparently Firefox is already blocking cookies from AddThis. Nice to know! But you can't count on that. I'll show you in a moment how to make sure.

Enough about cookies. An even bigger attack surface is JavaScript.

JavaScript is a programming language that lets web pages run programs inside your browser.

JavaScript does a lot of cool stuff. It lets you drag interactive maps around, read your Gmail, and stream video.

However, JavaScript is also a great way of invading your privacy. JavaScript can monitor every character you type inside the browser, or every mouse move you make. It can look at what other websites you've visited recently, and what's going on in your other browser tabs. It can read the cookies other websites have set. It can read your location ...

... well, maybe. Most of the time it gets that wrong. For me, sometimes it's not even in New Mexico. But it takes a guess. And it can send all this information to anybody, anywhere in the world.

And it might come from anywhere. Remember third-party cookies, where you're on one site but it sets a cookie for another site?

There's third-party JavaScript, too. For instance, let's go back to that county council calendar. In Firefox, click on Debugger to see scripts. Legistar runs JavaScript from at least 10 different places.

Here are all the scripts that Legistar downloads and runs when you go to the calendar page. Any one of these scripts might be tracking you, or sending your information to some other company. And it's not easy to find out what they're doing.

Is there anything you can do about any of this? Let's talk about BROWSER COUNTERMEASURES.

First, cookies. There are Preferences (aka Settings) that can control cookies. Look under Privacy and Security.

Notice Firefox gives you a lot of control here. You can block all third-party cookies as well as other types of trackers, and it's definitely worth checking those boxes. Chrome lets you do some of this, but it doesn't have as many options.

The easiest way to manage cookies is this checkbox: "Delete cookies and site data when Firefox is closed". Chrome has that too. Then as long as you exit your browser every few hours, or at least once a day, your cookies get cleared.

There are probably some cookies you don't want to clear. For instance, if you use Gmail a lot, or Facebook, you probably want to stay logged in. You can click on Manage Permissions here to add rules for particular sites, but you have to type in the addresses explicitly.

An easier way is to install a Firefox extension. From the main menu, choose Add-ons and search for Cookie AutoDelete.

That gives you a cookie button up here. Now, when you go to a page, you can click on the button and see the cookies, and make rules to whitelist or blacklist the cookies it uses.

There are some other great Firefox extensions that help with privacy.

For instance, AdBlockPlus. It blocks a lot of the most annoying ads -- the ones that blink and flash and distract you while you're trying to read -- and it also blocks a lot of trackers, because a lot of advertisements include trackers.

Getting more radical, you can use NoScript to restrict JavaScript. Here's the NoScript button: you can see here where I've enabled Javascript from some sites, blocked it from others.

But that's not for everybody. A lot of websites break without JavaScript. For instance, here's what the Santa Fe New Mexican looks like with NoScript. If you click on the button, you find that it wants to run scripts from 16 different sites. Sometimes it takes some experimenting to figure out which ones you really need to enable to make the page work.

If you want to try NoScript, I'd be happy to talk to you about getting started.

As you see, browser privacy is complicated, and I've only scratched the surface. But people need to know some of the ways companies -- and governments -- can track you, and some ways you can start protecting yourself.

If you want to know more, you can find the details on my website, and I'll mail out this link.

Thank you, and stay private!

The Details

Here are details of some of what I talked about.
I used the Los Alamos County Council Calendar on Legistar for most of my examples -- not because it's a particularly bad example, but because it's a government site that a lot of us are forced to deal with.

Cookies

If you want to understand cookies beyond the brief description I gave in the talk, the Wikipedia page on Cookies is pretty good. A lot of pages will give misinformation, like saying that a cookie is a local file on your disk (not true: apparently someone said that a decade ago and reporters have been repeating it ever since).

To view cookies in Firefox:

If that little space at the bottom of the browser window annoys you and you want to pop it out to its own window, you can click on the three-dot button ... near the top right of the developer tools pane and choose "Separate window".

To view cookies in Chrome/Chromium:

In either browser, you'll also see other items, like Cache Storage, Indexed DB and others. These are all similar to cookies but different in subtle ways, and they can all be used to track you, so it's probably worth looking at all of them.

This window (or pane) you're looking at is called the Developer Tools window.

JavaScript

JavaScript is a language for writing programs your browser will run.

Note that Javascript and Java are two completely different languages. Java is used to develop applications for Android phones, and for some large web server platforms. There used to be a type of Java that ran inside a browser, but that doesn't really exist any more. JavaScript runs inside your browser and is used by a majority of modern websites.

If you have any interest in what JavaScript programs looks like under the hood, take a look at my Learning JavaScript page, which includes slides for a 15-minute talk as well as a one-day course I designed for a summer camp for high school girls.

Right-click and View Page Source will show you not only the HTML used for the text of any web page, but also a lot of the JavaScript. But JavaScript written to track people tends not to be very readable.

List the Scripts Running in the Current Page in Firefox

From the Developer Tools window (see above). click on Debugger.

See Scripts in Chrome/Chromium

I haven't found a way to get a list of scripts in Chrome. But if you click on Sources from the Developer Tools window, you'll get a list of all the resources the current page loaded, which includes scripts, images, data files, etc.. That's useful too (and is a shockingly long list, for many websites), and I don't know of a Firefox equivalent.

IP Address Tracking

I didn't have time in a 10-minute talk to cover browser fingerprinting. But, sadly, all your countermeasures against cookies and JavaScript are for naught against a really determined opponent ... like Google.

First, there's your IP address (IP stands for "Internet Protocol"). Every computer accessing the web has a unique IP address, though your IP address may change every few days, weeks or months depending on your internet provider.

It's easy for sites to track you by your IP. Suppose there's some fictional advertising company named clicktwice.com (any resemblance to real company names is purely coincidental) and lots of people use their services. Suppose you have disallowed cookies and JavaScript from them, being concerned about your privacy. You go to DrugKing.com and search for laxatives. The DrugKing website has a ClickTwice ad on it. Even though your browser doesn't let it set a cookie or run any JavaScript, the ad includes an picture of a child holding a kitten, which your browser loads. ClickTwice's servers see a request from your IP address for the kitten image, with a reference saying that you were on DrugKing's website.

Now you go to FoodQueen.com -- what's that laxative ad? How does it know? Well, FoodQueen also has a contract with ClickTwice, and it sees the same IP address it just saw on DrugKing's laxatives page.

An extension like AdBlockPro (see below) can reduce this. But not enough, given that some advertising companies are owned by sites you probably don't want to block, like, say, Google.

Browser Fingerprinting

Even aside from your IP address, every browser is a little different. You're the one running Firefox 77.0.1 on OS X 10.152 with Cookie AutoDelete and Privacy Badger installed, in the Mountain timezone ... you get the idea. If you allow JavaScript, they can tell a lot more about you, like the list of fonts you have installed, what sort of CPU you have, the size of your screen, and so forth.

Using your browser fingerprint, companies can track you the same way they can with your IP address.

Two sites that can tell you how identifiable your browser's fingerprint is are AmIUnique.org and Panopticlick (Panopticlick doesn't work if you use NoScript; AmIUnique works either way).

Countermeasures

Cookies

In both Firefox and Chrome, the cookie preferences are under Privacy and Security. In Firefox, just scroll down til you see Cookies. In Chrome, you have to click on Site Settings, then Cookies and site data.

You can see the cookies currently stored in your browser by clicking on "Manage data..." in Firefox, or "See all cookies and site data" in Chrome.

Turning on "Delete cookies and site data when Firefox (or Chrome) is closed" works pretty well. This is sometimes called "session cookies" because you only keep the cookies for the duration of your current browser session.

Of course, session cookies are only useful if you quit the browser regularly. If you keep the same browser session going for days on end, then session cookies will persist as long as your session does.

The biggest problem with session cookies is that it's hard to make exceptions (whitelisted sites) for sites where you want to stay logged in. This is true in both Firefox and Chrome. You can click on Cookie Permissions (Firefox) or Allow (Chrome) and type in domains, but that assumes you know which domains you need. For instance, to stay logged in on eBird.org you need a cookie from cornell.edu, not just eBird.org.

If you want more control and want to be able to whitelist sites, consider the Cookie AutoDelete extension (see below).

Firefox's Enhanced Tracking Protection

While you're in that Privacy and Security preferences tab, take a look at the Enhanced Tracking Protections. You can disable all third-party cookies here, and I recommend that you do so. It's possible that it might break some sites, though I've only seen one site that was broken because of third-party cookies.

In Chrome, look in "Cookies and site data" for the setting to block third-party cookies.

Firefox Add-Ons

(Sorry, I don't know anything about Chrome add-ons.)

In Firefox, Tools -> Add-Ons brings up a list. Use the search bar to find useful extensions like:

An article that compares several cookie management extensions: Enhance Firefox Cookie Management with these add-ons.

While you're looking at Add-Ons, Themes (another type of add-on) are also useful: they can make your browser look prettier, but, more relevant, they can help you tell different browser profiles apart.

Speaking of which, ...

Browser Profiles

You can run several browsers of the same type (several Firefoxes or several Chromes) at the same time without letting them share information by setting up different profiles.

For instance, I have a profile I use for my all-day-every-day browsing, but if I want to log in to Facebook, I run a different Firefox profile. In my Facebook profile browser, Facebook can set all the trackers it wants, but I don't load any other pages, like shopping sites, in that profile so the information doesn't get shared.

I have another profile I use only for banking, and a profile I use for the Gmail account connected to my phone.

Here's Mozilla's page on Multiple Firefox profiles, explaining how and why to use them. And here's an article by someone I use to work with at Netscape on How to Set Up and Use Multiple Profiles (User Accounts) in Firefox that suggests that using something called Multi-Account Containers might be better (I need to look into that myself!)

Here's an article on How to create and manage multiple user profiles in Chrome and a somewhat more elaborate discussion of how to use Chrome Profiles.

Private/Incognito Windows

A private window (chrome calls it an incognito window) forgets everything when you close it, and doesn't share information with other windows (at least not in theory; there have been bugs). It's a good, simple solution when you just need to go to one page that you know is a privacy risk.

In Firefox, use File -> New Private Window. In Chrome/Chromium, it's New Incognito Window.

You can also run Firefox or Chrome in private mode from the command line (for instance, if you want to make a button on your desktop that fires up a new incognito window automatically): firefox --private-window or chrome --incognito.

Of course, there are other ways besides cookies and JavaScript that browsers can invade your privacy. For instance, they can use your camera and microphone. There are also "web bugs" (which are more important for email than for browsing). There wasn't enough time to fit them into this talk, but I hope to cover them in future talks. When/if that happens, I will update this page accordingly.