Why I am a paranoid, tinfoil hat wearing freak and why you should be one too

Posted on Wednesday, August 25th 2010 at 4 a.m.

You’re being watched.

Every page you visit, every search, every click you make, it’s all being recorded and analyzed. They can tell how long you spend on a page, what draws your eye and what gets your attention. They can deduce how old you are, whether you’re male or female, where you work, and how much you make. They know where you live, what your passions are and what you do with your free time. They’re indexing your thoughts and opinions, sifting through them so they can target you…

They say that they don’t know your name, that you’re just a number. Interclick knows me as 40ea24c2-c7a5a-821d3-7fc93. Quantcast calls me 7b383-bcf55-f09b1-bb7e6-614ed6e67a0e. (*)

But I don’t take any comfort in that. With all the data they compile and the analytics they run, it wouldn’t be hard to figure out what my name is. Or I could just click an ad on Facebook (or anywhere else online that I use my real name) and do the work for them; the referrer in the HTTP header would lead them right back to me.

Advertising companies are putting enormous effort into figuring out everything about you. Online, it isn’t about knowing your audience, it’s about the individual. The better they can figure out what a specific user wants, the more targeted their ads can be and the more they can charge for their services. There are three methods that they’re using to figure you out: Cookies, Flash cookies and Beacons.

Cookies are pretty simple. When you visit a site (example.com) and that site serves you an ad from another site (badvertising.com), badvertising.com stores a small text file on your computer, and through that, they know that you’ve visited example.com. As you browse the internet, you’ll visit more sites that serve ads from badvertising, and badvertising starts to compile a list and make a profile for you based on your browsing habits, which they use to target their advertising toward you.
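The mechanism above, as an added example that is not part of the original post: a small simulation of a browser cookie jar and an ad server, run once accepting every cookie and once with cookies refused except for a whitelisted site. The class names, the `uid-N` ID format and the page URLs are assumptions made up for the illustration.

```javascript
// Constructed simulation: every domain, URL and ID below is made up.
let nextId = 1;

// The ad network's server: it sees only its own cookie and the Referer header.
class AdServer {
  constructor() { this.profiles = new Map(); } // uid -> pages that embedded the ad
  serveAd(request) {
    // No cookie presented: mint a fresh ID and ask the browser to store it.
    const uid = request.cookie || `uid-${nextId++}`;
    if (!this.profiles.has(uid)) this.profiles.set(uid, []);
    this.profiles.get(uid).push(request.referer);
    return { setCookie: uid };
  }
}

// A browser with a per-domain cookie jar and a cookie-accept policy.
class Browser {
  constructor(acceptCookieFrom) {
    this.jar = new Map(); // domain -> cookie value
    this.acceptCookieFrom = acceptCookieFrom;
  }
  // Load a page that embeds an ad from adDomain.
  visit(pageUrl, adDomain, adServer) {
    const response = adServer.serveAd({
      cookie: this.jar.get(adDomain), // sent automatically when one is stored
      referer: pageUrl,               // names the page that embedded the ad
    });
    if (this.acceptCookieFrom(adDomain)) this.jar.set(adDomain, response.setCookie);
  }
}

const pages = [
  "http://example.com/hiking-boots",
  "http://news.example.org/health/symptoms",
  "http://shop.example.net/cart",
];

// Browse the same pages under a given cookie policy; report what the ad server holds.
function run(policy) {
  const ads = new AdServer();
  const browser = new Browser(policy);
  for (const p of pages) browser.visit(p, "badvertising.com", ads);
  const sizes = [...ads.profiles.values()].map(p => p.length);
  return { ids: ads.profiles.size, longest: Math.max(0, ...sizes), ads };
}

const acceptAll = run(() => true);
const whitelistOnly = run(d => d === "shop.example.net");
console.log(acceptAll.ids, acceptAll.longest, whitelistOnly.ids, whitelistOnly.longest);
```

Refusing the cookie keeps the three visits from being joined under one ID, but each ad request still carries its Referer, so blocking the request itself is a separate layer.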

Flash cookies are a little more complex. Adobe’s Flash has its own cookie system completely separate from your browser. For the purposes of advertising, Flash cookies are used much like traditional cookies: they keep track of what sites you visit. But they’re special for two reasons. One, if you decide to delete your browser cookies, advertisers can use Flash cookies to respawn them. Two, you can’t delete Flash cookies by traditional means. The only way to delete Flash cookies is to go here.

The newest trick is a beacon. Beacons are scary and they’re what inspired me to take a second look at what traces I was leaving around the internet. Beacons can be as innocuous as cookies, being used just to track what pages you visit, or they can be privacy-massacring bits of JavaScript that keep track of every single thing you do on a webpage.

It’s not the former I worry about.

The effective information gathering, the really scary stuff, is done with beacons. Cookies can only really tell them where you’ve been. Beacons can tell them what you did. Compile enough of this data and they can build an accurate and detailed log of how you spend every minute of your day online.

The Wall Street Journal recently did an excellent article on the privacy implications of these methods of online advertising. In the article, they show a woman the profile an advertising company has generated on her. It includes things like how old she is, where she lives, her favorite movies and what she likes to do online. She admits that it’s a pretty accurate read on her life.

Another girl found out that she is known as a 13 to 18 year old female who is interested in weight loss. She admits that she’s done some online research on how to lose an extra 15 pounds and says that every time she goes online now, she sees ads for weight loss. Advertisers are feeding on her personal insecurity.

I understand the need for advertising on the internet. Servers, bandwidth and staff don’t pay for themselves, and I understand the value of targeted advertising both from the consumer and corporate standpoint. What I object to is the complete loss of anonymity online. There’s a line between effective marketing and being invasive and it’s a line that I can’t trust a third party to maintain.

Do I mind that an advertising company knows that I hike and like to take pictures? No. I’m also a geek who loves computers and video games and I live somewhere near Charlotte, NC. This is all pretty innocent knowledge and could be useful toward marketing products to me. But what about all the other stuff I may do online, searches on medical symptoms or the socially deviant websites? All the stuff you do online that you don’t want anyone but maybe a select group to know about? They just might know about that too.

The Internet is a wonderful resource with a wealth of entertainment and knowledge. For this to fully be utilized, it also needs to be a place where anonymity can be ensured. I can’t trust advertisers or website owners to protect my privacy for me, so I have to be proactive.

Here’s my tinfoil setup. The goal here is to maintain a usable web experience while protecting my privacy and security. My goal is not to completely subvert the advertisers, but to have some level of control over what information about me is leaking out:

Firefox - Chrome won’t cut it. Google doesn’t allow add-ins to have the level of access they need to properly protect you from ads and JavaScript. Ad blocking plugins for Chrome just hide the ads; the plugins I list below actively block them from loading.

Adblock Plus - Leave this on by default, but be nice and disable it for sites you frequent. They deserve whatever funds they can get and the rest of the plugins here will ensure that whatever data leaks out is relatively harmless.

Cookie Monster - In Firefox, disable accepting ALL cookies. You can then use Cookie Monster to selectively whitelist sites as needed. Usually you only have to do this for sites you log into or shop at.

BetterPrivacy - Deletes Flash Cookies based off certain conditions. You can set it up on a timer (every X minutes), or just clear them out when you open or close Firefox.

NoScript - NoScript is kind of a nuke-it-from-orbit solution to both privacy and security. It completely disables JavaScript unless you whitelist the domain. In addition to blocking any beacons, it protects you from the myriad of script-based exploits on the web. It also protects you from cross-site scripting attacks, and some other common internet browsing threats.

Ghostery - Ghostery is awesome. As opposed to NoScript’s domain-based script control, Ghostery can block the specific scripts that advertisers use. It uses a regularly updated list of advertising scripts, and makes a great backup for when I have to allow a domain through NoScript.
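Why the last two layers complement each other, as an added example that is not part of the original post and not code from either add-on: a model of a domain whitelist (NoScript-style) and a script pattern list (Ghostery-style) applied to the scripts on one page. The hosts, paths and patterns are constructed for the illustration and are not taken from any real block list.

```javascript
// Constructed model of two blocking layers; hosts and patterns are made up,
// and this is not how either add-on is implemented internally.
const scriptWhitelist = new Set(["example.com", "cdn.example.net"]);          // domain layer
const trackerPatterns = [/\/beacon(\.min)?\.js$/, /^badvertising\.com\//];   // pattern layer

// True if host equals a whitelisted domain or is a subdomain of one.
function hostAllowed(host, whitelist) {
  for (const d of whitelist) {
    if (host === d || host.endsWith("." + d)) return true;
  }
  return false;
}

// Decide whether one script may run; either layer can be switched off to compare.
function decide(scriptUrl, { domainLayer = true, patternLayer = true } = {}) {
  const u = new URL(scriptUrl);
  if (domainLayer && !hostAllowed(u.hostname, scriptWhitelist)) {
    return "blocked: domain not whitelisted";
  }
  // Patterns are matched against host + path, without scheme or query string.
  if (patternLayer && trackerPatterns.some(re => re.test(u.hostname + u.pathname))) {
    return "blocked: known tracker script";
  }
  return "allowed";
}

// Scripts referenced by a constructed page at http://example.com/
const pageScripts = [
  "http://example.com/js/site.js",
  "http://static.cdn.example.net/lib/player.js",
  "http://static.cdn.example.net/t/beacon.min.js", // tracker hosted on a whitelisted CDN
  "http://badvertising.com/ads/show.js",
  "http://unknown-widgets.example.org/w.js",       // not on any list yet
];

function allowedScripts(layers) {
  return pageScripts.filter(s => decide(s, layers) === "allowed");
}

console.log(allowedScripts({ patternLayer: false })); // domain whitelist alone
console.log(allowedScripts({ domainLayer: false }));  // pattern list alone
console.log(allowedScripts({}));                      // both layers
```

The domain whitelist alone lets the beacon through because its CDN had to be allowed for the player, and the pattern list alone lets the unlisted widget through; only the combination leaves just the two scripts the page needs.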

(*) Those aren’t my actual UIDs.
