I'm co-leading a Privacy Study for the LWV Los Alamos. As part of that, I gave a Zoom talk at Eastgate Toastmasters on browser privacy.
Some background on me: I'm a programmer by trade (mostly retired now). I spent quite a few years as a Mozilla developer (at Netscape), and wrote some of the code Firefox uses, though a lot of things have changed since then. I've also written a lot of small websites, though I've never been a professional web developer, so I know something about that end as well.
It's on YouTube: Browser Privacy.
Here's an approximate transcript of the talk:
Most of us spend a lot of time browsing websites. That's even more true in this age of COVID. But what is your browser telling companies about you? In this talk I'll show you some of the ways your browser might be compromising your privacy -- and some countermeasures you can take to help.
First, cookies. A cookie is a small piece of information that a website stores inside your browser.
Cookies do lots of useful things. For instance, when you log in to Gmail or Amazon or Facebook, the website sets a cookie, and the next time you go back there, it sees the cookie and knows who you are, so you don't have to log in again.
And there's nothing wrong with that. The biggest problem is what's called "third-party cookies". That's a cookie from a different website -- not the page you're on.
For instance, let's go to the calendar for upcoming county council meetings. This is Firefox, but I'm going to switch to Chrome for this part.
To view cookies, first you need a Developer Tools window. Right-click and choose Inspect.
I'll be going through this fairly fast, and I know it's hard to remember details, so I'll give you a link at the end that has all the information you need for both Firefox and Chrome.
Okay, click on the Application tab, and here are the cookies. You'll see 14 cookies from losalamos.legistar.com -- who knows why they need all those cookies, considering I haven't logged in or done anything except look at a single page -- but what are these addthis and bluekai things? What are all these extra cookies?
AddThis is a social data mining platform. They provide buttons on websites for "Share on Facebook", "Share on Twitter" and so forth. (point out upper right buttons) And they also share information with advertisers.
Remember way back in 2013 when Facebook got sued for the information they were collecting from "Like" buttons on sites all over the web? The companies involved are still around, still collecting your information.
So every time you view the county council calendar on Legistar, AddThis is getting information about you that they might share with -- well, anyone.
Let's look at the same page in Firefox. Again, right click and choose Inspect. Then click on Storage.
Hey, that's interesting ... AddThis shows up, but if you click on it, there aren't any cookies there! Apparently Firefox is already blocking cookies from AddThis. Nice to know! But you can't count on that. I'll show you in a moment how to make sure.
... well, maybe. Most of the time it gets that wrong. For me, sometimes it's not even in New Mexico. But it takes a guess. And it can send all this information to anybody, anywhere in the world.
And it might come from anywhere. Remember third-party cookies, where you're on one site but it sets a cookie for another site?
Here are all the scripts that Legistar downloads and runs when you go to the calendar page. Any one of these scripts might be tracking you, or sending your information to some other company. And it's not easy to find out what they're doing.
Is there anything you can do about any of this? Let's talk about BROWSER COUNTERMEASURES.
First, cookies. There are Preferences (aka Settings) that can control cookies. Look under Privacy and Security.
Notice Firefox gives you a lot of control here. You can block all third-party cookies as well as other types of trackers, and it's definitely worth checking those boxes. Chrome lets you do some of this, but it doesn't have as many options.
The easiest way to manage cookies is this checkbox: "Delete cookies and site data when Firefox is closed". Chrome has that too. Then as long as you exit your browser every few hours, or at least once a day, your cookies get cleared.
There are probably some cookies you don't want to clear. For instance, if you use Gmail a lot, or Facebook, you probably want to stay logged in. You can click on Manage Permissions here to add rules for particular sites, but you have to type in the addresses explicitly.
An easier way is to install a Firefox extension. From the main menu, choose Add-ons and search for Cookie AutoDelete.
That gives you a cookie button up here. Now, when you go to a page, you can click on the button and see the cookies, and make rules to whitelist or blacklist the cookies it uses.
There are some other great Firefox extensions that help with privacy.
For instance, AdBlockPlus. It blocks a lot of the most annoying ads -- the ones that blink and flash and distract you while you're trying to read -- and it also blocks a lot of trackers, because a lot of advertisements include trackers.
If you want to try NoScript, I'd be happy to talk to you about getting started.
As you see, browser privacy is complicated, and I've only scratched the surface. But people need to know some of the ways companies -- and governments -- can track you, and some ways you can start protecting yourself.
If you want to know more, you can find the details on my website, and I'll mail out this link.
Thank you, and stay private!
Here are details of some of what I talked about.
I used the Los Alamos County Council Calendar on Legistar for most of my examples -- not because it's a particularly bad example, but because it's a government site that a lot of us are forced to deal with.
If you want to understand cookies beyond the brief description I gave in the talk, the Wikipedia page on Cookies is pretty good. A lot of pages will give misinformation, like saying that a cookie is a local file on your disk (not true: apparently someone said that a decade ago and reporters have been repeating it ever since).
If that little space at the bottom of the browser window annoys you and you want to pop it out to its own window, you can click on the three-dot button ... near the top right of the developer tools pane and choose "Separate window".
In either browser, you'll also see other items, like Cache Storage, Indexed DB and others. These are all similar to cookies but different in subtle ways, and they can all be used to track you, so it's probably worth looking at all of them.
This window (or pane) you're looking at is called the Developer Tools window.
From the Developer Tools window (see above), click on Debugger.
I haven't found a way to get a list of scripts in Chrome. But if you click on Sources from the Developer Tools window, you'll get a list of all the resources the current page loaded, which includes scripts, images, data files, etc. That's useful too (and is a shockingly long list, for many websites), and I don't know of a Firefox equivalent.
First, there's your IP address (IP stands for "Internet Protocol"). Every computer accessing the web has a unique IP address, though your IP address may change every few days, weeks or months depending on your internet provider.
Now you go to FoodQueen.com -- what's that laxative ad? How does it know? Well, FoodQueen also has a contract with ClickTwice, and it sees the same IP address it just saw on DrugKing's laxatives page.
An extension like AdBlockPro (see below) can reduce this. But not enough, given that some advertising companies are owned by sites you probably don't want to block, like, say, Google.
Using your browser fingerprint, companies can track you the same way they can with your IP address.
Two sites that can tell you how identifiable your browser's fingerprint is are AmIUnique.org and Panopticlick (Panopticlick doesn't work if you use NoScript; AmIUnique works either way).
In both Firefox and Chrome, the cookie preferences are under Privacy and Security. In Firefox, just scroll down until you see Cookies. In Chrome, you have to click on Site Settings, then Cookies and site data.
You can see the cookies currently stored in your browser by clicking on "Manage data..." in Firefox, or "See all cookies and site data" in Chrome.
Turning on "Delete cookies and site data when Firefox (or Chrome) is closed" works pretty well. This is sometimes called "session cookies" because you only keep the cookies for the duration of your current browser session.
Of course, session cookies are only useful if you quit the browser regularly. If you keep the same browser session going for days on end, then session cookies will persist as long as your session does.
The biggest problem with session cookies is that it's hard to make exceptions (whitelisted sites) for sites where you want to stay logged in. This is true in both Firefox and Chrome. You can click on Cookie Permissions (Firefox) or Allow (Chrome) and type in domains, but that assumes you know which domains you need. For instance, to stay logged in on eBird.org you need a cookie from cornell.edu, not just eBird.org.
If you want more control and want to be able to whitelist sites, consider the Cookie AutoDelete extension (see below).
While you're in that Privacy and Security preferences tab, take a look at the Enhanced Tracking Protections. You can disable all third-party cookies here, and I recommend that you do so. It's possible that it might break some sites, though I've only seen one site that was broken because of third-party cookies.
In Chrome, look in "Cookies and site data" for the setting to block third-party cookies.
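The first-party versus third-party distinction, and the whitelist problem described above (the eBird.org login that depends on a cookie from cornell.edu), as an added example that is not part of the original talk or notes. The cookie names are invented, the addthis.com and bluekai.com domain spellings are assumptions, and the "last two labels" rule stands in for the Public Suffix List that browsers actually use.

```javascript
// Simplified "site" of a host: its last two labels. Browsers really use the
// Public Suffix List; this shortcut is wrong for suffixes such as co.uk.
function siteOf(host) {
  return host.replace(/^\./, '').toLowerCase().split('.').slice(-2).join('.');
}

// Label each cookie first- or third-party relative to the page, and say
// whether a "delete on close" policy with this keep-list would retain it.
function auditCookies(pageUrl, cookies, keepList) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const keep = new Set(keepList.map(siteOf));
  return cookies.map((c) => {
    const site = siteOf(c.domain);
    return {
      name: c.name,
      site,
      party: site === pageSite ? 'first' : 'third',
      keptOnClose: keep.has(site),
    };
  });
}

// Count third-party cookies per site: the entries worth a closer look.
function thirdPartySites(audit) {
  const counts = {};
  for (const c of audit) {
    if (c.party === 'third') counts[c.site] = (counts[c.site] || 0) + 1;
  }
  return counts;
}

// Constructed sample data (cookie names are invented for illustration).
const calendarCookies = [
  { name: 'session_a', domain: 'losalamos.legistar.com' },
  { name: 'prefs_b', domain: '.legistar.com' },
  { name: 'uid_c', domain: '.addthis.com' },
  { name: 'loc_d', domain: '.addthis.com' },
  { name: 'id_e', domain: '.bluekai.com' },
];
const ebirdCookies = [
  { name: 'ui_lang', domain: 'ebird.org' },
  { name: 'login_f', domain: '.cornell.edu' }, // login cookie on another site
];

const calendar = auditCookies('https://losalamos.legistar.com/', calendarCookies, []);
console.log('third-party cookies per site:', thirdPartySites(calendar));
const ebird = auditCookies('https://ebird.org/', ebirdCookies, ['ebird.org']);
console.log('deleted on close:', ebird.filter((c) => !c.keptOnClose).map((c) => c.name));
```

With only ebird.org on the keep-list, the login cookie is the one that gets deleted; adding cornell.edu to the list keeps it.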
(Sorry, I don't know anything about Chrome add-ons.)
In Firefox, Tools -> Add-Ons brings up a list. Use the search bar to find useful extensions like:
An article that compares several cookie management extensions: Enhance Firefox Cookie Management with these add-ons.
While you're looking at Add-Ons, Themes (another type of add-on) are also useful: they can make your browser look prettier, but, more relevant, they can help you tell different browser profiles apart.
Speaking of which, ...
You can run several browsers of the same type (several Firefoxes or several Chromes) at the same time without letting them share information by setting up different profiles.
For instance, I have a profile I use for my all-day-every-day browsing, but if I want to log in to Facebook, I run a different Firefox profile. In my Facebook profile browser, Facebook can set all the trackers it wants, but I don't load any other pages, like shopping sites, in that profile so the information doesn't get shared.
I have another profile I use only for banking, and a profile I use for the Gmail account connected to my phone.
Here's Mozilla's page on Multiple Firefox profiles, explaining how and why to use them. Here's an excellent article on containers by someone I used to work with at Netscape: How to Set Up and Use Multiple Profiles (User Accounts) in Firefox. That article suggests a newer technology, a Mozilla-created extension called Multi-Account Containers, might be easier to use and more powerful. I will be investigating these. There's also a simpler version that only applies to Facebook: Facebook Container.
Here's an article on How to create and manage multiple user profiles in Chrome and a somewhat more elaborate discussion of how to use Chrome Profiles.
A private window (Chrome calls it an incognito window) forgets everything when you close it, and doesn't share information with other windows (at least not in theory; there have been bugs). It's a good, simple solution when you just need to go to one page that you know is a privacy risk.
In Firefox, use File -> New Private Window. In Chrome/Chromium, it's New Incognito Window.
You can also run Firefox or Chrome in private mode from the command line (for instance, if you want to make a button on your desktop that fires up a new incognito window automatically):
firefox --private-window or