Visualizing Behavior-Tracking Cookies With Firefox

An anonymous reader writes "Using Firefox, and a new (open source) add-on called Collusion, you can see for yourself just how extensive the third-party behavior-tracking system is. Simply leave the Collusion website open, browse the web for a bit, and then return to see that your favorite websites are letting at least four or five behavior tracking companies follow you around the web."

Google Analytics

[cgeys]

Google Analytics is the largest offender in this. There are others, but they have their fingers everywhere. Here on slashdot too.

Re:Google Analytics

[wintercolby]

Yeah, I picked that up from how the advertisements matched things I've searched for on Google, no software necessary.

Re:Google Analytics

I see what you did there ...

Microsoft is the largest offender in this. There are others, but they have their fingers everywhere. Here on your desktop too!

PS: What kind of retarded monkey mods that up insightful?

Re:Google Analytics

Microsoft isn't anywhere near as ubiquitous as Google. Especially Google Analytics is just a useful and free tool to many webmasters.

Re:Google Analytics

[BrokenHalo]

I guess Microsoft might be such an offender if you happen to use Bing search. But since people only do that on TV, we're comparatively safe. Google Analytics is, as you say, a useful tool for webmasters, but for the casual user there's very little impact if you simply block it via hosts file or adblock, other than having to manually type the URL for top-ranked listings into your location bar every now and then.

Re:Google Analytics

[Zaiff+Urgulbunger]

Are you saying that GA is tracking users between sites and that data is being used to inform the advertising?

I was under the impression that GA was simply used by webmasters to track their own usage only, which doesn't seem entirely unreasonable. But if the same data is being further exploited then that would be an issue.

Re:Google Analytics

[cgeys]

Their terms of services allow for this, yes.

Re:Google Analytics

[Jah-Wren+Ryel]

Are you saying that GA is tracking users between sites and that data is being used to inform the advertising?

Of course it is. To think otherwise is naive at best. Google's sole business model is to provide services in exchange for targeted advertising. They aren't going to give away the GA service for free any more than they give anything else away for free.

Re:Google Analytics

[garyebickford]

IOW, for GA we (our eyes) are the product, not the consumer.

I have had GA blocked in NoScript for a long time. I don't know if it has any real effect, of course. Maybe I'll check out the topic of this /. article just to see if it has any effect. I also blocked doubleclick.net permanently a long time ago after one too many pop-ups. I don't block everything either with NoScript or AdBlock, just those that are offensive, obtrusive and/or creepy. I feel that letting them show me ads is part of the bargain. But knowing the size of my underwear is not.

Re:Google Analytics

[Zaiff+Urgulbunger]

Stupidly I hadn't given it much thought. I'd just assumed that if they (Google) collected any information, it was purely statistical rather than linked to an individual... I feel violated now! :O

Ghostery may help

I believe an add-in named Ghostery blocks most of those bugs from tracking your browsing.

Or use Ghostery

[DeHackEd]

Ghostery is another Firefox add-on that does much the same, except also supports blocking the cookies.

Re:Or use Ghostery

[gbjbaanb]

Or RequestPolicy which is an easy-to-use plugin that shows you the sites the site you're currently browsing wants to contact. Once you've whitelisted the domains that are really part of the site (eg slashdot.com might have a few elements from slashdot.org) then you can leave the rest safely blocked. And unless you ever visit statcounter.com or similar, they'll never get to see your cookies.

Re:Or use Ghostery

[cvtan]

Although I appreciate the intent, I am finding RequestPolicy a little difficult to deal with. How do you whitelist things that are "really" part of a site? Some places have 50+ items to wade through. Most sites have pieces that are invisible unless you allow everything. Push on a button and there is a warning that an email from Autoweek is sending you to an Autoweek site. Why is this a concern? You can't tell the bad actors by looking at site redirect names.

Re:Or use Ghostery

[CastrTroy]

Not only that, but many sites use a CDN to host images, JS, and CSS. So, it's often hard to tell just by domain name what to allow and not allow.

Re:Or use Ghostery

Step 1: Set Firefox cookie default policy to "reject".
Step 2: Install Cookie Monster addon (you can force it, and it work even on FF5).
Step 3: Whitelist cookies manually on the handful of sites you visit where you really need them. And differentiate between those that just need session cookies as opposed to persistent ones -- very few need the latter.

Re:Or use Ghostery

[kangsterizer]

Step 1: Check "Do Not Track"
Step 2: ???
Step 3: Profit

Alright I know, DNT is not supported everywhere, very far from it (and its voluntary), but ideally one should at least mention DNT.
Google is supposed to follow it afair.

Re:Or use Ghostery

[grubwort]

Lots of sites use Flash cookies (LSOs) to track you in addition to the good old fashioned HTTP cookies.

Ghostery does a pretty good job of deleting Flash cookies, but it takes a brutal all-or-nothing approach; it'll delete them all if you enable the option.

If you want finer control over your Flash cookies you'll also need Better Privacy. Now you can save your progress when playing Kongregate games but not get tracked while you do so :)

Re:Or use Ghostery

[surveyork]

1. UN-check "accept 3rd party cookies".
2. Check "keep cookies until I close Firefox".
3. Profit.

Installing Beef TACO, Better Privacy and TrackMeNot may help too. Hey, it's not paranoia if they really are after me.

Wait a second...

[Chrysocolla]

You're saying I should let an add-on send my cookies to a website and trust it because... it's Open Source?

Broken Web site.

[John+Hasler]

When I go there with Firefox 4.0 I see a block of text overprinted by a menu.

Re:Broken Web site.

How did you expect it to inspect your cookies without javascript?

Though some alt-text when javascript is disabled would be nice.

Re:Broken Web site.

4.0? Try using an up-to-date browser like Firefox 3.6!

Re:Broken Web site.

[KiloByte]

This is not flamebait: 3.6 has security support, 4.0 is EOLed already. And 3.5 has third-party support from Debian and Red Hat for long years to come.

Re:Broken Web site.

When I go there with Firefox 4.0 I see a block of text overprinted by a menu.

Allow the site in script block or stop complaining when sites with JavaScript don't work or look correct.

Re:Broken Web site.

Are you using NoScript or similar?

Re:Broken Web site.

[gknoy]

Wait, really? (Oh wait, we're on Firefox 5 now. I didn't even realize it. Thanks.)

Re:Broken Web site.

[surveyork]

B*tches don't know about my Fx Nightly 8. Nor about Fx 9 scheduled for December 2011.

Enable ads on slashdot

[cultiv8]

Not *too* bad, only three entities tracking /.'ers.

Big deal, you think?

[arisvega]

Then use Adblock Plus, NoScript, header spoof and allow session-only cookies from specific sites only. Apart from IP profiling, there is not much mainstream techniques one of said sites can use for tracking.

Re:Big deal, you think?

[Lennie]

Look up Evercookie, I'm sure it still has some techniques that still work.

How about E-Tag. I don't think any tracking company uses that right now, but it could be.

why accept them?

Tracking cookies must be accepted by your own computer to work. So why would anyone accept them these days, when (A) this tracking is so well known it's been THE lead story on CNN and BBC multiple times, and (B) tools to avoid the tracking are trivially available with a few clicks?

Hosts file

[drooling-dog]

There are over 10,000 entries in my /etc/hosts file pointing to 127.0.0.1, and this is the main reason why.

Re:Hosts file

share?

Re:Hosts file

[trifish]

LOL That must have been a shitload of work to get that blacklist together, let alone maintain it. What about white-listing instead?

There is a very promising Firefox addon, that does exactly that.

https://www.requestpolicy.com/

No third party will ever track you again, unless you explicitly allow their domain name.

Re:Hosts file

Google 'hosts file ad blocker' or something like that I think this, http://winhelp2002.mvps.org/hosts.htm, is the one I use.

Re:Hosts file

[Abstrackt]

You can download one from here It's about 600kb and works fairly well.

Re:Hosts file

[Lennie]

I've been using it for years. Although you pretty much need be a webdeveloper if you don't enable the pre-configured whitelist to know what and what not to enable.

Re:Hosts file

[Derek+Pomery]

Much more efficient to use a local dns cache.
I use tinydns/dnscachex locally, Apart from doing lookups for my domain, it relays everything to opendns except for domains or subdomains that are nosy bastards.

And you can always layer on a host file if necessary. But doing a *.doubleclick.net is much more efficient.

Re:Hosts file

+1 MVPS

Re:Hosts file

[Idbar]

Perhaps on Linux this is a simpler task and works well for you. Windows (at least XP), on the other hand, takes forever to parse that file. I had to disable that mechanism to block websites, because it was messing with the whole networking behavior.

Spybot uses this mechanism to block malware-sites, and I had at some point to disable it for that reason too.

Re:Hosts file

[Derek+Pomery]

Oh, and of course, that way it applies to all the local computers without the need for copying hosts files.

Re:Hosts file

[gknoy]

I wanted to do that, and had a bear of a time trying to get my server to handle things correctly INSIDE my NAT while also resolving things correctly OUTSIDE the NAT. Eventually I gave up and have foo*.dyndns.org. :(

* Not my actual domain.

Re:Hosts file

That is a good tip. However, I think it is safer to have the hosts file or DNS server point to an address other than the loopback (at the office, we use a local subnet IP that is never assigned to any computer). That way, you don't have to worry about certain attacks against the machines.

Re:Hosts file

[Derek+Pomery]

dnscachex can specify servers for arbitrary domains. If you want some stuff to be internal only and don't want to mess about with replication, just run a 2nd DNS server on a specified local interface (maybe an alias), and point dnscachex at that for that domain.

Or of course, you could just put your local records in your DNS, and not worry about it.

Re:Hosts file

[Derek+Pomery]

Oh, and 255.255.255.255 works nicely. Resolve them to that and the lookups fail immediately with no delays.

Re:Hosts file

[TheTyrannyOfForcedRe]

There are over 10,000 entries in my /etc/hosts file pointing to 127.0.0.1, and this is the main reason why.

I changed my hosts file to send everything to 127.0.0.1. Now all I see is porn. Did I do something wrong?

Re:Hosts file

replace 127.0.0.1 with 0.0.0.0

NoScript FTW

No Script addon deals with all that. Not a single connection tracking sites.

Use Permit Cookies

[JSmooth]

Permit Cookies is very useful (need to disable extension checking and it works with FF5) in limiting tracking while still providing a usable web experience. It turns all cookies into session cookies that are gone when you close the browser and has a shortcut to override for sites that you do want to allow permanent cookies to be set. When I restart my browser I am a new person. For complete protection I also use NoScript, Ghostery and Better Privacy.

https://addons.mozilla.org/en-US/firefox/addon/permit-cookies/

Re:Use Permit Cookies

[CastrTroy]

Firefox has this option a standard feature. Go to Tools(Edit) -> Options(Preferences) and go to the Privacy Tab. Select "Use Custom Settings For History". You can choose to delete cookies as soon as the browser is closed, making all cookies into session cookies. You can then use the exceptions button to configure sites that you want to allow to store cookies for longer.

Re:Use Permit Cookies

I'm not sure about Permit Cookies, but I use Cookie Safe and it uses a whitelist so I only have to screw with it when I need to add a site, and all the options are right there in the add-on bar, not buried in the preferences some place. I can also choose to temporarily allow cookies so they will return to being blocked after I restart the browser. (It also allows session only cookie option.) It also tells me pretty much any information I want to know about cookies I am running or blocking.

Proprietary software. I wouldn't trust it.

[ciaran_o_riordan]

Here's the entire licence file of the software they tell you to install to protect your privacy:

All source code, images and other intellectually property in this extension is owned by or licensed to privacychoice LLC. It may not be used in any way with written permission. Copyright © 2011 privacychoice LLC

If no one can modify it, that means it's unlikely that anyone will bother looking at the source code. There's no community verifying or improving the privacy of this software. There has to be free alternatives.

Download and upzip: http://releases.mozilla.org/pub/mozilla.org/addons/247581/trackerblock-2.0.1-fx.xpi

How is this legal?

[ArgumentBoy]

Seriously - how is this legal? People can't wiretap me without a warrant, they can't look into the windows of my house, and they can't read my (paper) mail. I don't accept a EULA for web sites and no one owns the internet. Why isn't this hacking?

Re:How is this legal?

[Haedrian]

People can't wiretap me without a warrant,

Not American eh?

I don't accept a EULA for web sites and no one owns the internet. Why isn't this hacking?

If you look at the bottom of sites, they generally have terms and conditions which you are following by using the website. Its not akin to someone looking into your house, its akin to the cashier person looking at your purchases at the supermarket and next time offering you something you might like. You're using their website/advertising service and they're seeing what works.

Re:How is this legal?

You permit the cookies to be set. If you're worried about it, it's trivial to change settings or find an addon/extension/plugin for non IE browsers to stop it.

Re:How is this legal?

[Haedrian]

Here's what you agreed with when you used /.

http://geek.net/privacy-statement
http://geek.net/index.php/terms-of-use/

"Web beacons

Geeknet uses web beacons from time to time. Such web beacons may be provided by Geeknet’s third party advertising companies to help manage and optimize Geeknet’s online advertising. To opt out of targeted advertising delivered by Network Advertising Initiative members, click here: http://www.networkadvertising.org/consumer/opt_out.asp ... "

Re:How is this legal?

[am+2k]

I wonder whether that's legal, since you can't get to that page without getting tracked already.

Re:How is this legal?

[Lennie]

EULA's are pretty much illegal anyway, atleast in my country.

Re:How is this legal?

Yeah, well haven't you heard? The US Justice Department can demand extradition of ANYONE from ANYWHERE if they've performed a copyright violation according to US laws despite EULA's having no legal standing in your country. Welcome to Pax Americana, citizen!

Re:How is this legal?

[John+Hasler]

How is what legal? Offering to send you a cookie and then sending it when you request it? The Web sites didn't configure your browser to silently accept and pass on cookies. No site can store or read back anything from your computer without active cooperation from your browser, which is entirely under your control.

Re:How is this legal?

Exactly. If you don't want cookies, don't accept them! It's completely, 100% up to you.

Re:How is this legal?

[vux984]

I really have no objection to websiteX tracking my movements through websiteX.

I don't see why I should have to submit to Google tracking my movements through websiteX, websiteY, websiteZ, and half a million other sites though.

The closest thing we have right now to this in the real world is VISA. But they only track your purchases, not everywhere you go. And it is pretty easy to simply not pay for everything with VISA and avoid being tracked.

Its not akin to someone looking into your house, its akin to the cashier person looking at your purchases at the supermarket and next time offering you something you might like. You're using their website/advertising service and they're seeing what works.

No. This analogy fails because the cashier looking at my purchases at the supermarket doesn't follow me to the mall to record what I buy there too, then follow me to the ballgame, then follow me to the movies, then follow me to the gastation.

These 3rd party tracking companies do there best to track you everywhere on the web, and some of them have a VERY wide coverage. There are places you can go that don't use let them watch you, but its astonishing how many places that do. If they use analytics, google ads, or doubleclick... google knows you went there. That's a huge percentage of the web, and most of the major portal sites. Including slashdot.

Does the girl at the supermarket stand behind you and read over your shoulder while your on slashdot? No... I didn't think so. :)

Re:How is this legal?

[garyebickford]

I listened to a keynote speech by a futurist at the 2001 O'Reilly Open Source Conference in Monterey California. He was talking about how existing technology would be used. Among other things, when you went to the mall face recognition systems (along with other stuff like wi-fi and bluetooth snooping) would attempt to figure out who you are. You would have HW that tries to prevent that by jamming or other means. Then as you walk down the entry hall, floating holographs would appear in front of you with sound only you can hear (sonic holography), saying "Ah, Mr. Doofus, welcome back. Two years ago you bought sneakers at Shoes-R-Us. Those are probably worn out. Shoes-R-Us is no longer here but Joe's Sneakers is offering you 20% off on all sneakers, just for you. Turn at the next corridor on the left. And that blouse your wife looked at two weeks ago at SuperMs is still available. Perhaps you'd like to get it for her birthday? SuperMs can give you 10% off just for today."

For myself, I'm gonna live in the woods, or on the ocean - far from any mall.

Re:How is this legal?

[garyebickford]

A majority of sites that I go to (especially news sites) do not work correctly unless both cookies and javascript (at least _their_ javascript, plus maybe Google API, if not a bunch of third party javascript). And the pool of sources for that stuff that is required to make things work is expanding at a high rate. So one can not just block all cookies all the time. So one has to allow or disallow on a site-by-site basis. Installing the extensions (NoScript, Adblock, et al) is the easy part. After that it requires dealing with the NoScript options on almost every site. I do it, and it's helpful, but it's not trivial. A lot of sites use flash for video or slideshows or audio, that won't load unless you allow scripts at least temporarily. I'm not disagreeing, just whining. &_&

PFFFT!

Big deal, I turn off third party cookies in every browser I use, and trash my cookies and cache when I close my browser.

Unless they're compiling information by IP (and I'm sure they're doing that too), "they" don't have as much behavior on me as they do for typical users. (right?!)

Cookie Monster and NoScript

Others have mentioned various add ons which can be used to prevent tracking. Personally I use the Firefox addons Cookie Monster, and NoScript.

Cookie Monster has a number of options, including the one I use which is deny all cookies by default. I then enable for the few sites that I visit regularly that require cookies. You can also temporarily websites to set cookies, and that permission is revoked when you next start Firefix.

NoScript is used in a similar way. I block all JavaScript by default. I then enable for a few websites (including Slashdot) which I trust and seem to require scripting. If I come across a site that requires script that I want to check out, I can temporarily allow that site to use Script. Revoking permissions is as easy as giving them. Some sites require JavaScript, and I don't trust them at all, I go elsewhere.

I explicitly block certain websites (such as Google Analytics) from doing anything at all.

Does this exist as a chrome extension as well?

For those of us that are firefoxless, is there

Re:Does this exist as a chrome extension as well?

[Lennie]

You don't need to be firefoxless, pretty much anyone can install it. There is even a version for OS/2

The typo is also their property

[ciaran_o_riordan]

(I just noticed that their licence notice doesn't make any sense. I presume they meant to write "with*out* written permission")

I just went looking for free alternatives but NoScript is all I found!

* https://addons.mozilla.org/en-US/firefox/addon/noscript/

TrackerBlock, BetterPrivacy, and Ghostery all seem to be proprietary software. What a disappointment.

FSF maintain a list of free mozilla-compatible plugins:
http://www.gnu.org/software/gnuzilla/addons.html

I see one free plugin that I haven't tinkered with: https://www.requestpolicy.com/

Re:The typo is also their property

I switched from requestPolicy to Ghostery for one major reason: requestPolicy prevents my custom data: URIs - that I like to use for various things like extra web-based protocols - from working.

delete cookies every time I quit or press a button

[canoeberry]

I delete all my cookies except a few every time I close my browser. That works in Chrome, Safari and Firefox now. In chrome I press a button to remove the cookies it would delete if I exited right now. I checked the advertising sites and they don't know me. Google knows me for as long as I keep my browser window open. Facebook doesn't follow me around on the web either. I use the Vanilla plugin for chrome. Hope that's good enough.

NoScript

[Krneki]

kkthxbye

Re:NoScript

[Anon8---)]

Doesn't block cookies afaik and collusion showed me that pretty well.

Re:NoScript

[Krneki]

No need, if you block those pages from loading then you won't allow them access to the cookies in the first place.

Re:NoScript

[Anon8---)]

I tried that. I forbade AdBrite, Facebook, Google Syndication and many other scripts, yet when I checked Occlusion's graph and my cookies, cookies of those blocked sites existed. After installing Ghostery most of them [cookies] weren't created and Occlusion didn't register them.

Is there a setting in NoScript I'm missing besides the "Forbid x" ?

Not compatible with 3.6.18

Okay then.

Re:delete cookies every time I quit or press a but

[Synerg1y]

to build on this, disabling 3rd party cookies, clearing the cache on browser close, and checking the new but not fully implemented do not track checkbox in firefox are all great ways to prevent tracking.

what about smart phones?

My desktop browser is one thing -- it's my smartphone that they really want to track. Anything like Better Privacy available for iPhones and Android phones yet?

off the grid

[Gravis+Zero]

we all know that excluding trackers ends up being a game of whack-a-mole. you block some trackers and more will show up when you aren't looking. the solution is simple: whitelisting.

cookies
whitelisting cookies is a must because good guys, bad guys and even the oblivious have sites that want to store cookies on your system.

JavaScript
JavaScript is a lesser offender but noscript can help you here.

flash
the most insidious of cookies are flash cookies. some argue flash is the most insidious in it's own right but that is another issue. using Flashblock prevents those lame invisible flash trackers while not completely incapacitating a site you want to use flash on. just click on the flash object and voila!

images
we've all seen and not seen them: tracker images. they are either the unseen invisible ones or the "site stats by X CORP!" image. their mechanism is rudimentary and can be thwarted by not allowing off site images which can be troublesome with some pages that use high-speed hosts for static images.

however, there are going to be places you enable one of these that you don't want to be tracked.

there are proactive measures for most trackers.

do not track cookies
the only (sane) way to enjoy their site and not be tracked is to use "do not track" cookies. they are used as an opt-out system. you have a cookie that says to not track you and in turn they dont activate their tracking mechanisms. these are silver bullets: one do not track cookie will shutdown a tracking service. ghostery is a very nifty add-on that loads your system with do not track cookies. it updates the list on it's own so if you select the option so that nobody can track you, you are golden.

all these suggestions and add-ons will do a great job but the bottom line is that if you REALLY dont want people to track what you do on the internet then STAY OFF THE INTERNET! ;D

Maybe it's broke, I don't see any dots ;)

[laslo2]

I don't see any collusion dots when I browse the web. I don't see any ads either. Zero.

Of course, the addons I have tacked onto Firefox might have something to do with that (Adblock Plus, AdblockPlus Pop-up addon, BetterPrivacy, Certificate Patrol, Cookie Monster, Element Hiding Helper for Adblock, HTTPS Finder, HTTPS-everywhere, Ghostery, and NoScript).

I've been adding to my Adblock Plus filter list for about a year and a half as well.

I won't make the claim that I'm not being tracked by someone with more Kung Fu than me. But they're gonna have to work at it.

AdBlock - NoScript

I use adblock and noscript. As for FireFox defaults in the privacy section I have "Accept third-party cookies" unchecked

Adblock and noscript close, except....

[wiresquire]

...the problem I find a lot nowadays, is that a lot of sites require you to allow scripts from 3rd party domains, eg, googleapis, for the site to actually work.

So, naturally by allowing this you can be tracked.

Re:Adblock and noscript close, except....

I can't say I've come across any I want to visit on a regular basis. for the occasional link I click on that takes me to a site like that I tend to open up a separate Firefox instance running a clean profile in Private Browsing mode.