Identity Theft

Reader Tips to Avoid Online Tracking (Hint: We’re Still Doomed)

Comments 4 Comments

Anti-trackingDoomedLast week I wrote a story about how none of the tools at consumers’ disposal to avoid being tracked online actually work. There are many things you can do to minimize how much information about you is gathered online. Tools like browser settings and cookie-deleting super-cookies may reduce the number of companies gathering data about you, and how much they can get.

But none of those tools will do what some people want: Block all tracking, everywhere, all the time. Each one can be foiled, either by high-tech tracking devices like beacons or by the simple settings of your own computer.

Well, a number of readers wrote in – both on Creditbloggers and BoingBoing – to tell me that I was an idiot. Some even said they have discovered the magic app for online privacy. “I think this is wrong Chris,” someone with the screen name “Silner” wrote. “TOR Adblock Disconnect all seem to work fine.”

[Article: FTC “Do Not Track” Proposal: Q&A With A Privacy Advocate]

I’m actually something of a technophobe. I treat my computer like I used to treat my old Honda – drive it until it stops working, and then start swearing at it. So I called up Ondrej Krehel, information security officer and all-around computer genius at our sister company Identity Theft 911. He reviewed all the comments to see whether any of the tools they suggest could squash all tracking devices and render people completely anonymous online.

Ondrej’s findings in a nutshell: Nope.

All of the suggestions made by readers are good for privacy, because each one will limit the number of companies that can track you online and the amount of information they can gather. But none of them is the silver bullet, the one tool that can protect your private data online.

So here, in order, are the suggestions made by you, our valued readers, followed by Ondrej showing where the vulnerabilities lie.

- “Adam from London” writes:  “Ha I’m running Firefox with Flash blocker and the Panopticlick site doesn’t collect anything. It takes 20 seconds to install the flash blocker and it stops flash from running on any site you haven’t specifically allowed.”

Ondrej says: Flash blocker only blocks Flash content, like Flash cookies. That’s important, because some Flash cookies are created to re-spawn after you delete them, making them impossible to remove from your computer once they’re already there. But Flash blocker can’t block regular cookies, which aren’t Flash-based. And they can’t stop Panopticlick or anyone else from seeing your computer’s settings and using that to create a unique identifier for you.

“It’s a very specific tool that only blocks Flash video,” Ondrej says.

- “Jane” writes: “I’ve got a program which assigns a random IP address whenever I want to surf the web anonymously.”

Ondrej says: Using a randomized IP address may prevent online trackers from figuring out certain things about you, like your exact location. But it won’t do much to protect you from other tracking tools.

“If I have a cookie on my computer, it doesn’t what IP address I have, it’s still gathering content,” says Ondrej. “Cookies store the information on that user independent of the IP address.”

- “Silner” and “Ufa” – Told us to check out TOR Adblock Disconnect, above.

Ondrej says: TOR allows you connect to the internet via a network of outside computers, which does the same thing as Jane’s suggestion: Gives you a randomized IP address. And it has the same effect, blocking trackers from figuring out where you are while still allowing them to learn everything else about what you do online.

“The cookies still work,” Ondrej says. “And TOR can be very slow depending on who else is using it, so it’s not the way to go if you want to download big things on the internet.”

[Article: The Credit Card Spies You’ve Never Heard Of]

“Jack Tripper” – Gave us many tools to try, including ad-blocking software, BetterPrivacy to remove Flash cookies, and NoScript to bloc JacaScript.

Ondrej says: Each of these tools comes with its own set of problems.  Ad-blocking programs like Adblock Plus from Firefox don’t block Flash cookies. They also can’t block tracking technologies that are not based on cookies, like Microsoft Silverlight or HTML 5. All the information you save to a cloud, including data you post on Facebook and Twitter, and anything you write or save to your e-mail account, isn’t protected.

“If you have content on Facebook or Gmail or Yahoo mail, there’s no way to turn that off,” Ondrej says.

So again, each person who wrote in has a good idea. That’s why I wanted to write about this, to give more readers the chance to learn about other tools that may reduce their exposure to online tracking.

But according to Ondrej, who eats and breathes this stuff, anybody who uses these tools should do so with an ounce of caution. Because none of them can shut off the online trackers entirely.

“I’m not saying it’s useless,” Ondrej says. “It helps. But it only handles small pieces. These all can limit your exposure to being tracked online, but they can not keep you entirely safe.”

Image: Lindsey T, via Flickr.com

[Featured products: Monitor your credit score]

  • http://anonymous anonymous

    Your friend is an idiot. Tor with the Tor button extension is good enough to keep you from being tracked. Ask your friend about this:

    Tor

    Tor Button (Blocks cookies and hardens the browser in many other ways, for example it spoofs a user agent that is very common giving you a large crowd size to blend into)

    Javascript disabled

    Firefox compiled with GCC propolice extension, a stack smashing protector that makes compiled applications more resistant to buffer overflows

    SElinux mandatory access control kernel patch

    all inside of a virtual box virtual machine

    Good luck tracking that or hacking through through that unless your friend is an NSA agent. Tor has some weaknesses but it is still good enough to keep you anonymous from anyone other than an intelligence agency, even FBI and Interpol can’t track people who use Tor and Tor button. If you are worried about being tracked by an intelligence agency look into Mixmaster or Mixminion, although they are only for untrackable E-mails.

    Your friend is actually probably not an idiot but he obviously knows more about general computers than he does security / counter-intelligence in particular.

  • http://anonymous anonymous

    Also you could just use Freenet, then you are very resistant from being tracked and even if you are traced you have plausible deniability.

  • http://anonymous anonymous

    Allow me to explain in more detail. First of all let’s explain the terminology. Traced should be used to mean that the attacker finds your location. This is done usually by finding your IP address but it is also possible to do with out an IP address. One way your location can be determined with out an IP address is via a WPS attack. WPS attacks look at the access points your network adapter can see and measure their signal strength. This data can be compared to a list of AP’s recorded by organizations such as Google and Skyhook. They record GPS location and AP signal strength all across entire nations. If they can determine the AP’s your wireless network card can see they can use a technique similar to triangulation to determine your geopositioning to within a few meters. With an IP address they can determine your location if they issue a court order for customer records to your ISP.

    Tracked and traced are not the same thing. Tracked means that multiple sessions can be tied together, so even if the attacker can not determine your location they can determine your browsing habits (the websites you surf). There are various ways to track a person online. Tracking involves pseudonymity, a unique or semi-unique identifcation string. This could be from a cookie, a browser user agent or anything else.

    Tor works to help you avoid being traced but not to help avoid being tracked. Tor forwards your communications in layers of encryption through three routers around the world. These routers are semi-randomly (they take precautions to avoid using the same autonomous system, a group of interconnected ISP access points) selected from around two thousand volunteer nodes. Tor also takes other precautions such as padding packets to 512 bytes to counter traffic fingerprinting attacks and multiplexing streams from the first to second node to prevent netflow trace back attacks. A traffic fingerprinting attack can counter encryption by comparing the size of streams, for example even if I load this website with SSL an attacker can still see the size of the objects (images, text, etc. HTTP protocol sends objects as individual streams unless pipelines are used). If the attacker fingerprints this page they can compare the size and number of streams to the size and number of streams they see in my encrypted connection and come to a % chance that what I am loading is this website. Tor pads packet sizes making the accuracy of this attack much less (complex Tor traffic, such as websites with many objects or large files, can be fingerprinted with around 55% accuracy versus near 100% accuracy for VPN and regular SSL traffic. Text by itself can not really be fingerprinted because the word dog and cat will both match, they are not complex or large enough).

    Netflow trace attacks follow streams of data back by looking at their size. If the ISP’s on the Tor route keep netflow logs the attacker merely needs to follow the stream size back to your location. Tor prevents this by multiplexing from the entry to the relay node. Multiplexing merges all the data going from an entry node to a relay node into a single stream. This means if I send a 5 KB stream while someone else sends a 15 KB stream, the netflow log will show a single 20 KB stream. Of course there are likely to be hundreds of different people sending streams at the same time, so the multiplexing is quite effective at leaving an attacker at a dead end once they hit the relay node.

    Tor by itself is enough to prevent being traced by any attacker less than a first world signals intelligence agency. FBI and Interpol are far more sophisticated than a marketing company and even they can not trace people through the Tor network, as evidenced by the huge amount of criminal activity taking place on Tor. As a matter of fact there is proof from 2008 that Interpol and FBI were both incapable of tracing through the Tor network as they attempted to trace members of a child pornography ring and failed to do so.

    To avoid being tracked (versus traced) you need to use other technology. The first thing to do is make sure you do not have a very unique user agent or other browser characteristics that can be fingerprinted. Using Tor button spoofs a common browser fingerprint for you. This creates a large crowd. A crowd is the number of people with the same ‘pseudonym’ as you. If a million people have the same browser fingerprint then you can not really track any of them with a browser fingerprint, there is a one out of a million chance that any page with the targets browser fingerprint in the server logs actually belongs to the target. Tracking browsers by their fingerprint is only effective if the target has a unique browser fingerprint.

    Of course you also need to disable flash, silverlight, java etc. All of these can be used to side channel Tor for one and for two they can also be used to track you. No one who uses Tor and knows anything about it would surf with these technologies enabled. The firefox Tor button extension will disable these for you.

    Another way you can be traced or tracked oe is if you are hacked through your browser. The attacker can avoid the need for network forensics if they can exploit you at the application layer, they send the exploit to you through tor then root your box and command your box to send data to one of their servers directly instead of through Tor. To protect from this there are a few things you can do. First of all you should compile firefox from source with the GCC Propolice module. This hardens the source code of everything compiled with it and makes it resistant to buffer overflow attacks, the most common way of being exploited. You should really compile everything that faces the network with propolice enabled. The next thing you can do is use a mandatory access control kernel patch such as SElinux. These change the way permissions are managed. Traditionally permissions are done by users and groups, meaning if firefox is run by Bob and the attacker exploits firefox then the attacker can run code with the permissions of Bob. Mandatory access controls create permissions on a process level. Firefox does not need the same access abilities as Bob, a proper MAC profile for Firefox will limit the attacker to the access Firefox actually needs to operate. This greatly reduces your chances of being hacked and also will contain to hacker to a profile unless they can find a kernel exploit to disable the mandatory access controls. The next thing you can do is run everything inside of a virtual machine that you reload from a snapshot every single session. Using a virtual machine will contain an attacker to a virtual compartment, it is difficult to go form a guest OS to a host OS. The only way to do this is to find an exploit for the virtual machines hypervisor, adding further complexity to the attack. Plus if you reload the virtual machine from a clean snapshot, even if one session is compromised it wont be able to cross over to the next session unless the attacker manages to break through the hypervisor.
    Using virtual machines also has the advantage of making you less positionable with WPS attacks, the attacker can only see a virtual network adapter with a virtual wired connection to your WiFi device. This means they are incapable of seeing the wireless access points your network device can see and triangulating you with a WPS attack.

    So use Tor, Tor button, Propolice, make sure to disable all plugins and also disable Javascript (most browser exploits require Javascript to be enabled), use virtual machines, open WiFi to be extra safe, etc. Unless your adversary is NSA or GCHQ this should be plenty to keep you both untraceable and untrackable. If your adversary is a marketing agency you have nothing to worry about.

  • http://www.abine.com Andrew Sudbury

    Greetings Chris,

    I agree that blocking tracking is a large and complicated problem. You have to block many different tracking technologies and techniques simultaneously. That’s the only way to actually be private online. A bit is not enough, however…

    I disagree that there are not useful tools out there. Here at Abine Inc. we’re working hard to make it an all-in-on solution for blocking online tracking and personal privacy protection. You can go to our website and download the Privacy Suite (http://www.getabine.com) which uses all the most advanced privacy protecting features available.

    Here’s what the Privacy Suite does to protect your online privacy:

    * Lets you control all local storage of browser cookies, flash cookies, and silverlight cookies. Since just block all of these cookies can break some websites we let you control all this on a site-by-site basis

    * Blocks any or all web beacons and bugs that take the form of javascript, imgs, etc. We have a constantly updated list and ruleset to stop advertisers from tracking you.

    * Hides your IP address with a fast proxy service if you want

    * Protects your email address and phone number – you can easily register and login at websites with different profiles, including auto-generating disposable email addresses and phone numbers

    * Cleans out cookies of all kinds on automatically when you close your browser, while letting you still keep any you want (like your flash game high-scores)

    * and there’s even more advanced features in the works to foil browser fingerprinting, evercookies, and everything else that comes along…

    Online privacy is a hard task, and we’re the only company that’s 100% on the side of our users. I encourage you to take a look at our Privacy Suite and regain control of your online privacy (http://www.getabine.com)

    Regards,

    -Andrew

  • Pingback: New Service Offers Anti-Tracking Protection Online | Credit card Search

  • Pingback: Adam Levin: Google’s New Privacy Policy: Close But No Cigar Rhonn Mitchell Rhonn Laighton Mitchell

  • Pingback: Google’s New Privacy Policy: Close But No Cigar at googlechili.searchengine.hoops227.org

  • Pingback: Google’s New Privacy Policy: Close But No Cigar | DesiP2P.com

  • Pingback: Google Privacy Policy Update

  • Pingback: Google’s New Privacy Policy: Close But No Cigar - Identity Theft 911 Blog

Find out where you stand.
Get your FREE personalized credit report card.

Sign Up Now
X

Stay connected to our experts

Please submit your email address to get credit & money tips & advice
from our team of 30+ experts, delivered weekly to your inbox.