Beyond the password: A look at online privacy and tracking techniques

Introduction

Privacy matters; privacy is what allows us to determine who we are and who we want to be.

Edward Snowden, 2013

The word privacy has expanded in meaning since the arrival of the digital age. One of the most notable examples highlighting the necessity of online privacy was the set of revelations by whistleblower Edward Snowden in 2013. As a result, the landscape has changed significantly in the 10+ years since: encryption of web traffic and end-to-end encryption are the standard of modern private communication.

This, however, has not stopped organisations from collecting vast amounts of personal data online. Most of us do not realise that our identities are tracked in between sessions and browsers, through our phones and tablets, using multiple techniques ranging from the average cookie to more shady practices like browser fingerprinting. 

Today, the global nature of internet traffic, coupled with ambiguous and, at times, uncertain legislation, has shifted the burden of protecting one’s online presence: every user must assume responsibility for their own use of the internet. While many different regulatory frameworks exist to govern data processing and use, these frameworks are triggered only once we have lost control of our data. While a right to be forgotten exists, it does not necessarily constitute a deletion, and it has been outpaced by technology.

At Daemon, we take online safety seriously. We participate in trainings and make use of best practices to ensure that all our data is secure. Many of the behaviours we adopt are applicable to our everyday life as well as to a healthy work environment.

This is part one of an article focusing on privacy. In this article we will focus on how we are being tracked and what ways exist to block or mitigate those trackers.

Cookies

Cookies aren’t really that bad. Most cookies are used on a day-to-day basis to ensure the best possible user experience. They remember what we put in our baskets, recognise us when we visit our favourite site, and so on. 

There are, however, also the other kind of cookies, the ones that generally are there to make a profit. Their job is to observe our behaviour and report it back to advertisement companies which in turn provide targeted advertisement. 

This is not necessarily a problem. Some people prefer targeted advertisements over general ones - because make no mistake, there will be ads! So online safety is really about awareness and taking control over who is allowed to access this data. 

Fortunately there are solutions. Many browsers come with integrated blockers that can be fine-tuned to meet your personal preference. Some browsers don’t offer this functionality out of the box but allow users to install plugins to govern this behaviour. 

Beacons

Another popular technique to track online interactions is the beacon. You can imagine a beacon as an invisible part of a website or email.

When a browser renders the resource that contains a beacon, it will request this beacon from the source. This could be a transparent image, maybe a logo, or anything else. Once this beacon is loaded by the website, it can start tracking the user.

The same is true for a lot of email campaigns. If we examine a typical Netflix email with recommendations, it contains a red button linking to Netflix content. However, links also have attached identifiers. This means that the sender can determine whether you have interacted with their email. Or, in other words, whether that particular content has piqued your interest. 

Fortunately, simple techniques exist to protect you from this kind of online tracking.

Email clients can be configured to prevent automatically loading remote content, specifically the loading of remote images. While the email might appear differently, the benefit is that no-one is notified once you open it.

Some browsers have a context menu entry reading “Copy clean link” that lets you view links without being tracked. If this is not available, most links can be cleaned by removing anything that comes after the ? symbol.
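The link-cleaning rule above, as an added example that is not part of the original article. It goes one step beyond the rule: next to the "remove everything after ?" mode it shows a selective mode, because some links keep functional parameters in the query string. The tracking-parameter list and the sample links are assumptions made for illustration.

```javascript
// Added example, not from the original article. The parameter list holds
// widely used campaign/click identifiers and is illustrative, not complete.
const TRACKING_PARAMS = new Set(["fbclid", "gclid", "msclkid", "mc_cid", "mc_eid"]);
const TRACKING_PREFIXES = ["utm_"];

function isTrackingParam(name) {
  const n = name.toLowerCase();
  return TRACKING_PARAMS.has(n) || TRACKING_PREFIXES.some((p) => n.startsWith(p));
}

// mode "strict":    the article's rule, drop the whole query string.
// mode "selective": drop only known tracking parameters, keep the rest.
// The #fragment is kept in both modes; it is never sent to the server.
function cleanLink(link, mode = "selective") {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { cleaned: link, removed: [] }; // not an absolute URL: leave as is
  }
  const removed = [];
  for (const name of new Set(url.searchParams.keys())) {
    if (mode === "strict" || isTrackingParam(name)) removed.push(name);
  }
  removed.forEach((name) => url.searchParams.delete(name));
  return { cleaned: url.toString(), removed };
}

// Constructed sample links; example.com and example.org are placeholders.
const newsletter =
  "https://shop.example.com/sale?utm_source=newsletter&utm_campaign=spring&mc_eid=abc123";
const video = "https://video.example.org/watch?v=XyZ123&fbclid=constructed#t=30";

console.log(cleanLink(newsletter));      // every parameter was a tracker
console.log(cleanLink(video));           // v= survives, fbclid goes
console.log(cleanLink(video, "strict")); // v= is lost too: the link no longer names a video
```

Strict mode is the safer default for links in marketing email; selective mode is for links that stop working once the query string is gone.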

Browser fingerprinting

The upside of cookies is that we can delete them, and once deleted, we can no longer be tracked through these cookies. 

Obviously, this is not ideal for some Internet actors who prefer the continuous tracking of users. For this reason, despite being able to opt-out of cookies, users can still be tracked through the fingerprint of their browser. 

When we connect to a website, the browser must send a range of information to the server that hosts the website. This information includes the browser’s name, the IP address of the user, and information about the version and operating system, among other things. Each of these data points is shared by many users on the internet. However, by combining all of the separate data points, a unique combination of data emerges.

In addition to this data, websites can implement scripts that enrich this data with even more unique properties, such as the screen’s resolution, a list of the fonts your browser has access to and most notably, the content of a rendered image.

All browsers render images differently. This is due to the configuration of the software and hardware that is used by that browser. While the output image to the human eye would appear the same, the images are distinct. Combined with the other data transferred this creates a unique representation of a computer on the internet, referred to as browser fingerprinting. 

This fact allows for users to be tracked even when deleting cookies and blocking other tracking techniques. 

There are a handful of browsers out there that currently can prevent this kind of tracking. The most common approach is to continuously randomise the fingerprint generated by the browser so that the results become unusable. 
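How individually common attributes combine into a unique fingerprint, and why per-session randomisation makes the result unusable, shown as an added example that is not part of the original article. The eight visitor records, the attribute names and the session nonces are constructed for illustration; real fingerprinting uses many more attributes.

```javascript
// Added example, not from the original article. All visitor records are constructed.
const ATTRS = ["ua", "screen", "fonts", "canvas"];
const visitors = [
  { ua: "Firefox/Linux", screen: "1920x1080", fonts: "A", canvas: "c1" },
  { ua: "Firefox/Linux", screen: "1920x1080", fonts: "B", canvas: "c2" },
  { ua: "Firefox/Linux", screen: "1366x768", fonts: "A", canvas: "c3" },
  { ua: "Firefox/Linux", screen: "1366x768", fonts: "C", canvas: "c1" },
  { ua: "Chrome/Windows", screen: "1920x1080", fonts: "D", canvas: "c4" },
  { ua: "Chrome/Windows", screen: "1920x1080", fonts: "E", canvas: "c5" },
  { ua: "Chrome/Windows", screen: "1366x768", fonts: "F", canvas: "c6" },
  { ua: "Chrome/Windows", screen: "1366x768", fonts: "G", canvas: "c7" },
];

// What a tracker stores: the chosen attributes joined into one key.
function fingerprint(v, attrs = ATTRS) {
  return attrs.map((a) => `${a}=${v[a]}`).join("|");
}

// Number of visitors indistinguishable from `target` on these attributes.
function anonymitySet(population, target, attrs = ATTRS) {
  const key = fingerprint(target, attrs);
  return population.filter((v) => fingerprint(v, attrs) === key).length;
}

// Identifying information in bits: log2(population size / anonymity set).
function identifyingBits(population, target, attrs = ATTRS) {
  return Math.log2(population.length / anonymitySet(population, target, attrs));
}

// Defence from the article, modelled simply: the canvas output is perturbed
// with a fresh per-session nonce, so the combined key changes every session.
function randomisedSession(v, nonce) {
  return { ...v, canvas: `${v.canvas}:${nonce}` };
}

const me = visitors[0];
for (const a of ATTRS) {
  console.log(a, "shared by", anonymitySet(visitors, me, [a]), "of", visitors.length);
}
console.log("combined:", anonymitySet(visitors, me), "visitor,",
  identifyingBits(visitors, me), "bits");
const s1 = randomisedSession(me, "n1");
const s2 = randomisedSession(me, "n2");
console.log("sessions linkable:", fingerprint(s1) === fingerprint(s2));
```

No single attribute singles out the first visitor, yet the four together do; with the randomised canvas value the two sessions produce different keys and cannot be linked by the fingerprint alone.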

Phones

The biggest tracking culprit is always with us: our phone.

The make and model are no longer important: all phones track users. Google and Apple have both been caught up in their own news cycles of privacy issues. While both of them sometimes take steps in the right direction, the responsibility of using our phone safely lies with us.

Every phone has some setting that allows us to configure the amount of data that we want to share with third parties. These settings do not necessarily apply to the data we send to the manufacturer of that phone.

All phones track their user’s location. This does not include the separate user tracking that happens within the apps that we download. Additionally, a lot of apps will refuse to function correctly unless granted a lot of permissions. Should Instagram really have access to my call logs? And why do I need to share all my contacts with WhatsApp if I want to contact a single person?

Unfortunately, we are at the mercy of the phone manufacturers when it comes to most of these controls. While a VPN can help mitigate the risk of being tracked, a more robust alternative is to opt for a different operating system.

GrapheneOS is such a system: it enables a secure Android phone without any additional proprietary software coming from Google. It has extra controls for fine-grained permissions and comes with many default security features, such as randomising your hardware addresses. It is separately maintained to provide security updates as they become available rather than on a release schedule.

VPN

From proclaiming that only people who have something to hide use a VPN to more technically oriented arguments related to degraded performance - VPNs sometimes do not enjoy a great reputation in the public.

I believe a VPN should always be running. Regardless of whether it is on our phones, at work, on our laptops or anywhere else, there really is no reason to not use a VPN connection. 

A VPN connects us to our destination via an encrypted communication with the VPN server. All requests that we make travel through this VPN server and anyone listening in on our communications only sees this as the source of all our data. Since the data is encrypted, even if someone were to access it, it would not reveal any information.  

A good VPN will also protect our data from trackers. And when run on a phone, it can even protect us from trackers that run within an app. 

There are many reasons why we should use a VPN. Maybe we are looking for a birthday gift for a loved one and don’t necessarily want targeted advertisements of that particular thing? Maybe we are experiencing some personal difficulties and are looking for a solution, which will inform third parties of our problems? Whatever the reason, we have the right to keep it private.

With a sea of VPN providers out there it is important to make the right decision and do a bit of research. Many free VPN providers have similar problems to any other free service on the internet. The paid ones are more secure and reliable and often come with some extra security features. Often they provide reference to previous cases and transparency reports that relate to requests to VPN providers to share user data. A good VPN provider will not be able to share any of your information, because no information exists. This is known as a no-logs policy. 

Summary

The amount of ingenuity that goes into tracking humans is a testament to the need to protect ourselves as best we can.

Privacy on a technical level is an overwhelmingly large subject with many different angles. Fortunately, there are experts and privacy advocates who put the user’s experience and safety at the core of what they are doing. These people and organisations make it their mission to create user-friendly tools and services that give control back to their users.

We have seen a few simple ways that help protect our online identities and data. Hopefully this will make us aware of what we are doing online and how we can protect ourselves.

In the second part of this series, we will focus more on information that we part with voluntarily, to create awareness around this sensitive data, as well as on alternatives and ways to safeguard ourselves.