This Is How the Cookie Crumbles

The four steps to controlling how you’re tracked online.

Crumbling cookies.
Online privacy shouldn’t be one tough cookie.

Photo by Wavebreak Media/Thinkstock

In Tuesday’s column about Google’s foray into alt-cookies, we touched on the idea that a seemingly simple goal—to prohibit any tech or advertising company from tracking your activities across websites that they don’t own—is incredibly difficult to achieve. Below I’ll lay out a few simple ways to ameliorate, though probably not prevent, the wide-scale tracking of our Internet activity by corporations. We’d call it cyberstalking if it were a human being doing it.

Much of this tracking is for adverting purposes: to collect data on you to show you more relevant ads. Sometimes it’s used for other publicity purposes, as with Facebook collecting data on your Web activity in order to suggest relevant interests. Since many companies have no policies restricting their use of the data they collect, it could be deployed for all sorts of other purposes too, or of course, handed over to the National Security Agency.

You may think, “It doesn’t matter, because the data is anonymous.” It’s true that your name is generally not associated with such advertising profiles, but just because your name isn’t on the data doesn’t mean it’s anonymous. Given enough consumer data—even completely noninvasive data about your interests and purchases—it is quite easy to de-anonymize you. In a 2008 study, two University of Texas–Austin researchers identified a significant number of people from their Netflix queues alone, using a dataset Netflix had made public as part of a campaign to improve its movie recommendation system. According to law professor Paul Ohm, the law is far behind on regulating this sort of mass corporate cyberstalking. Maybe your cyberstalker just wants to show you ads. That doesn’t change the fact that he’s stalking you! And this cyberstalker never gives up.

At any rate, people should be making an informed, affirmative choice about how much tracking they will consent to. To control the amount of access that Internet companies have to your activity, you need enough knowledge to follow a few fairly simple steps.

Step 1: Block third-party cookies

If you are using Chrome, Firefox, Internet Explorer, or most other browsers to read this piece—anything but Apple’s Safari, more or less—third-party cookies are most likely on by default. (Internet Explorer sends a supplicating “Do Not Track” header, but it’s akin to a Dickens orphan asking for seconds. For the most part, the industry ignores it.) Advertising companies like DoubleClick and AppNexus use them to track individual consumers across sites where they serve ads. When Firefox threatened to turn them off by default, trade lobbying group and astroturf merchant Interactive Advertising Bureau called it a “nuclear first strike, ” and Firefox has so far relented.

How can you resist throwing a dirty bomb at those bullies? Here’s how to turn off third-party cookies on Chrome, Firefox, and Internet Explorer. The Google Chrome browser on Android doesn’t allow you to turn off third-party cookies only, so if you’re using Chrome, you’ll just have to disable all cookies.

In general, mobile devices are substantively less private and anonymous than PCs. Every smartphone is tied to one specific account that does have your name on it. Especially on mobile, switching to a more flexible third-party browser—such as Mozilla’s Firefox—is well-advised.

Step 2: Opt out

The consumer benefit to switching from cookies to a company-controlled identifier—Apple’s at the moment, and potentially Google’s in the future—is that it centralizes privacy controls, giving the company some incentive to police grotesque privacy violations by their corporate clients. The downside is that Apple or Google may limit just how much users can opt out, since they will effectively have a monopoly on tracking identifiers. They don’t want to kill the goose that lays the golden eggs; they just want to own the roost.

Google and Apple both offer reasonable opt-out choices such as Google ad preferences, DoubleClick opt-out, and iOS’s limit ad tracking. It’s unclear exactly to what extent they prevent data collection, rather than just limiting advertising. But having your name on a company’s list of people who don’t want to be tracked can’t hurt.

Step 3: Forgo Flash

Adobe’s Flash, the software engine commonly used for multimedia content, has long been a security and privacy black hole, offering its own insidious, cookie-like mechanism called a “local shared object” (LSO), which isn’t subject to the privacy restrictions of normal cookies. LSOs are a headache to monitor and clean and have resulted in several lawsuits for tracking users without permission. Adobe has slightly improved matters over the years, but pretty much everyone except Adobe wishes Flash would go away.

So if you can’t do without Flash completely—and it’s hard to quit those incessant nagging autoplay videos—go to Adobe’s settings page and disable third-party Flash cookies. Better yet, use browser extensions like NoScript and BetterPrivacy, which allow fine-grained control of LSOs and sites that use them, at the cost of a significant amount of micromanagement. (I never said this was going to be easy.)

Step 4: Use a filter

The previous steps should make clear that managing privacy is an active and ongoing process, not a one-time fix. Technology changes and new tracking mechanisms evolve. Even without scripting and cookies, “Web bugs” or “Web beacons” can track you simply by loading an image from a tracking site.

Unless you want to severely limit your Web functionality by turning off cookies, images, and Flash completely, nothing short of an active community effort can separate tracking websites from nontracking sites. Thanks to the generally obsessive nature of tech culture, these collective groups playing Tracker Whac-A-Mole exist, updating active lists of tracker sites weekly and often daily. (You may notice that with these filters, you stop seeing some advertisements as well. There’s always a price to pay.)

One of the easiest filters use is the Disconnect extension, originally made by ex-Googler Brian Kennish. Available on Chrome, Firefox, Safari, and Opera, it claims to block more than 2,000 tracking sites, with quick buttons to selectively enable the big three: Facebook, Google, and Twitter.

On Android phones, Chrome doesn’t allow extensions, so you’ll have to use Firefox. Disconnect is not yet available for mobile devices, but a more technical and more aggressive option is available: Adblock Plus. Most major ad blockers these days support a standard format for lists of content filters, and the one we care about here is the EasyPrivacy list. Install the Adblock Plus extension in Firefox, browse to the EasyPrivacy site, click on “Add EasyPrivacy to Adblock Plus,” and you’re set.

As for filters on iPhones and iPads, you may be out of luck. I am not aware of a single simple way to use privacy filters on iOS. (If anyone knows of one, leave a comment and I’ll update this article.) Until Firefox comes to iOS or Safari or Chrome allow browser extensions, you’ll have to trust in Apple’s limit ad tracking. Sorry—complain to Apple! (Mozilla has said they will not build Firefox for iOS because Apple refuses to let them use Firefox’s own Web engine, only the Safari engine, and no iOS apps are allowed in the Apple Store without Apple’s explicit permission.)

Outside of iOS, actively maintained filters are probably the closest to a one-stop fix as you can get. You are entrusting your privacy to the judgment of a community of idealistic techies, whose judgments are not perfect but who are at least more disinterested than the advertisers. It beats the alternatives. Do not, however, use TRUSTe’s privacy list, which can actually override other lists to allow some tracking, including shady marketer Acxiom. You can’t trust(e) anyone these days.

Sadly, trackers will not simply roll over and settle for you blocking them. New technologies are being invented all the time—for example, device fingerprinting attempts to identify a single user based not on cookies or any sort of explicit identifier but merely on information sent in the normal course of loading a website: what browser version you’re using, screen resolution, preferred language and encoding, IP address, etc. It’s not an exact science, but it’s surprisingly accurate and may make much of the current tracking technology obsolete.

The steps outlined here may feel like bailing water from a sinking ship. For our online privacy not to capsize altogether, our hope is in informed consumers demanding specific and consistent treatment of their own profiles and standing up against new cyberstalking technologies.