The modern web is fantastic — it offers super advanced functionality and APIs to the point where Progressive Web Apps are actually plausible replacements for full-blown native programs (although I personally am against them, it’s clear that they satisfy the use cases for the vast majority of users, given their popularity).
So what can we do? What can we, the humble users of these products, do to protect ourselves from all this tracking? Well…as someone who’s been trying to fight this stuff since I learned about it, I’ve come up with a couple of tricks, which seem to work fairly well.
Of course, standard disclaimer: Please take this with a grain of salt! There may be things I’m missing and haven’t thought about. If you’re in a situation where a slip-up may cost you your life, please seek out solutions built for your specific situation — this is more for the general user who cares about privacy but doesn’t face dire consequences should they be unmasked.
- Use Firefox. It’s by far the most privacy-respecting browser out there of the mainstream browsers and they’ve been integrating some awesome stuff from Tor (via the “Tor Uplift”) that we’ll cover in later points. Some of the later mitigation techniques rely on Firefox (or a fork which implements those points). See my note about Chromium-based privacy browsers at the end for more information.
- Use a VPN. I won’t go into it here (maybe I’ll do that in a future post), but one of the biggest identifiers you will always send is your IP address — it’s how your browser is able to get any websites at all. The problem is that your IP address can easily be tied to a general vicinity (so doing things like disabling the Geolocation API as we do below won’t really help, since they can just look up your IP address). Using a VPN (look for a no-logging VPN) can help by effectively disguising your location. As a bonus, using one that is fairly popular means that your IP address becomes mostly worthless, at least on its own. And since that’s largely the one identifier you have to send, masking it effectively is crucial to a proper privacy routine.
- Beacon API (Set beacon.enabled to false)
- Battery API (Set dom.battery.enabled to false)
- Performance API (Set dom.enable_performance to false)
- Resource Timing API (Set dom.enable_resource_timing to false)
- Clipboard events API (Set dom.event.clipboardevents.enabled to false)
- Context menu event (Set dom.event.contextmenu.enabled to false)
- High resolution timestamp (Set dom.event.hirestimestamp.enabled to false)
- Asynchronous Clipboard API (Set dom.event.asyncClipboard.enabled to false)
- FileHandle API (Set dom.event.filehandle.enabled to false)
- Gamepad API (Set dom.gamepad.enabled, dom.gamepad.extensions.enabled, and dom.gamepad.haptic_feedback.enabled to false)
- IndexedDB API (Set dom.indexedDB.enabled to false)
- Pointer Lock API (Set dom.pointer-lock.enabled to false)
- Service Worker API (Set dom.serviceWorkers.enabled to false)
Storage API (Set dom.storage.enabled to false)
- Vibration API (Set dom.vibrator.enabled to false)
- Oculus VR API (Set dom.vr.oculus.enabled and dom.vr.oculus.invisible.enabled to false)
- WebAudio API (Set dom.webaudio.enabled to false)
- Notifications API (Set dom.webnotifications.enabled to false)
- Window.event API (Set dom.window.event.enabled to false)
- Geolocation API (Set geo.enabled to false)
- Web Speech API (Set media.webspeech.synth.enabled to false)
- WebGL (Set webgl.disabled and webl.disable-webgl to true)
There are more preferences for other APIs which I did not include as they are disabled by default, and some of these may break some websites or your particular workflow, so play around with enabling and disabling these APIs until you reach a state that works for you.
- Enable Contextual Identities (Containers). In order to prevent various methods of client-side tracking (think: cookies, local storage, etc), enable and use Firefox Containers. It is basically a generalization of Private Browsing mode, where each container has its own set of cookies, local storage, and so on. Containers are built-in to more recent versions of Firefox, but to enable them and use them effectively, you should install Multi-Account Containers. Using that extension, you can create new containers, open a tab in a specific container, and so on. A great companion extension is Temporary Containers, which can be set up to automatically create and delete containers based on certain rules. For maxmium privacy, enable “Deletes History” Temporary Containers (in “Advanced”) and tell the extension to isolate subdomains. Warning: This will break logins on several webpages, so either be prepared to create exceptions for certain websites or have a separate profile for logging into sites.
- Enable First-Party Isolation. First-Party isolation automates (to some extent) the segregation provided by Containers and can act as another layer of defense, especially in the case that you don’t use Temporary Containers or another extension like it to automate the segregation. Imagine that sites A and B both have a Facebook tracker embedded. When Facebook stores a cookie through site A, the cookie will be called A.facebook.com. When Facebook stores a cookie through site B, the cookie will be called B.facebook.com. This is a very simplistic explanation, but it hopefully helps get the point across of the value of First-Party Isolation — it helps ensure that common third parties (read: Facebook, Google, Amazon) cannot easily track you across sites — even if they’re all loaded in the same container. To enable First-Party Isolation, go to about:config and set privacy.firstparty.isolate to true.
Enable fingerprinting resistance. This preference helps ensure that your computer looks “the same” as any other computer using this preference. That is, it tries to help foil the browser fingerprinting techniques discussed in the opening of this post. Keep in mind that this may cause issues with certain websites, and unfortunately there is no easy way to disable the preference on a specific site. That being said, I personally have not run into too many issues when browsing with this preference enabled. To enable fingerprinting resistance, go to about:config and set privacy.resistFingerprinting to true. If you want to be notified of websites attempting to read your canvas data (the HTML5 Canvas is yet another fingerprinting mechanism, so fingerprinting resistance obfuscates your canvas data), you should also set privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts to false — this can help if something like WhatsApp Web (which generates a QR code) silently fails.
Note: This preference can break some things. Most notably, it may prevent you from installing certain extensions the usual way (e.g. by clicking on the “Add to Firefox” button on addons.mozilla.org. You can get around this two ways:
- Temporarily disable the preference, install the extension, and toggle it back.
- Right click on the “Add to Firefox” button and click “Inspect Element”. Copy the href attribute and paste it — this will bypass the user agent check that addons.mozilla.org does and allow you to install the extension.
That being said, most extensions (in my experience) install just fine even when fingerprinting resistance is enabled.
- Enable built-in tracking protection. It’s useful to have a decent content blocker enabled as a fallback to when you need to disable some of the extensions below (e.g. uBlock Origin or uMatrix) because they’re too aggressive (it happens rarely, but it does happen). To enable this, go to about:preferences and select the Privacy tab. You should enable Firefox’s built-in tracking protection using the strict list in all windows (select “Custom” and tick the appropriate boxes). You can also tell Firefox to reject all third-party cookies as well to at least get some additional privacy if you’re not going to use Cookie AutoDelete. If you’re using Cookie AutoDelete, you can go ahead and uncheck the Cookie box entirely, since having multiple places cookies are handled can get a bit confusing and hard to manage.
- Change your search engine. All of this is useless if you’re still using Google as your search engine! I recommend either Startpage or DuckDuckGo. In Firefox, you can do this by going to about:preferences and clicking on the Search tab.
Install privacy-enhancing extensions. While the last few tricks only worked on Firefox (now you can see why I recommend it), this tip should work on both Chromium-based and Firefox-based browsers. The list of extensions I use as well as what they do is given below:
- Cookie AutoDelete: Automatically delete cookies once they’re no longer needed. Firefox
- Decentraleyes: Intercept and serve scripts and stylesheets from popular content delivery networks (CDNs), thereby ensuring you never connect to them. Firefox
- firewall: Allow editing of user agent, headers, etc. Firefox
- HTTPS Everywhere: Easily disable all unencrypted connections (prevents eavesdropping, man-in-the-middle-style attacks). Firefox
- Privacy Possum: Obfuscates data commonly used by trackers (mainly a fallback mechanism if everything else fails). Firefox
- Request Control: Remove tracking parameters from URLs, disable certain classes of resources from loading. Firefox
- Skip Redirect: Automatically skip to the final request (useful when you have a tracking URL that redirects to the actual website after logging that you’re visiting it — see: Google Search). Firefox
- uBlock Origin: Flexible content blocker (blocks ads, malware, etc). Firefox
- uMatrix: More advanced content blocker (you can block or allow certain requests from certain domains on certain domains — for example, you can allow facebook to load, but only on facebook.com (and block it everywhere else)). Firefox
There are probably things I missed — stuff I did long ago that I set once and completely forgot about. Let me know if I missed something — if there are additional APIs I should be disabling or additional extensions I should be using.
I’ll also try to keep this updated as additional APIs (and methods to disable them) crop up or as additional privacy-enhancing extensions appear.
Note: Many of the mitigation techniques I describe here (for example, First-Party Isolation, fingerprinting resistance, and containers) are only available on Firefox. While you can obtain some measure of protection through the extensions listed at the end (which exist on Firefox-based and Chromium-based browsers) and while there are some fingerprinting mitigations available in e.g. ungoogled-chromium, I have come to the conclusion that if you want privacy, you need to use something Firefox-based (whether Firefox or a fork/derivative that keeps up with the latest features privacy-wise). There is simply no match for the depth and breadth of features and options available to Firefox users to lock down the browser.