Privacy matters

You don’t know what information you might need to protect, and you won’t know you needed to protect it until it’s already too late

The above quote is to the point, and it is the reason we should all strive for better privacy online. Just because information seems benign or not telling at a given time doesn’t mean it will remain so in future – minimising the exposure of your data to third parties and being mindful of what you share with first parties is crucial in ensuring that information of yours is not used against you in some form or another, especially in a way you would never knowingly consent to.

With recent data scandals such as that of Facebook and Cambridge Analytica increasing awareness of the privacy problem (which we paranoiacs have long since annoyingly complained to others about at length!), now seems a prudent time to finally publish this article in the hope that it will help people gain some insight and an arsenal of tools to better mitigate the risks of such issues going forward.

There are plenty of solid arguments available on the web already discussing the implications and importance of retaining one’s right to privacy online, so I will assume that I would be preaching to the choir for readers of this article. And, it is indeed a right — one that has been subtly and gradually eroded. It is often difficult and unwieldy to know how to defend against privacy concerns.

This article is designed to be a primer on how to achieve a good level of privacy online with minimal configuration. I have wanted to write such an article for a while now, as I often get requests from friends for information on the topic. Following some recent research, this is the best configuration I have achieved (in terms of performance, usability and overall efficacy).

All the while you’ll be enjoying faster browsing speeds and fewer distractions.

These methods should also allow respectable advertisers who abide by good standards and practices to advertise responsibly to you, which is a good thing for everyone. Advertising or tracking is not always bad, but there is a great deal of haze around a lot of tracking and many trackers do not honour reasonable requests to respect aspects of user privacy.

Steps to take

I would just briefly like to introduce a wonderful not-for-profit named EFF. In case you aren’t aware of them, they have been fighting for digital privacy rights for nearly 30 years now, since 1990. They do lots of research in the field, offer tools to help one retain privacy, and work with lots of other companies and regulatory bodies to uphold standards.

You may have to do additional work for privacy on the go. If you’re using Android, Firefox for Android should support many of the add-ons and you can easily synchronise your setup using Firefox’s built-in sync feature. For iOS, I recommend checking out Disconnect on the App Store.

For a bit of fun, open up the EFF’s tool, Panopticlick, in your browser of choice (https://panopticlick.eff.org/) and hit ‘Test me’. Chances are, your browser fingerprint comes back as unique, as in the example below, which uses the latest macOS default Safari install:

Uh-oh unique fingerprint from a total of ~1.5m samples — MacOS (10.13.4), Safari (11.1)

This test is actually a somewhat simplified version of what many advertisers online are using in order to pin your browsing activities to your identity.

Without further ado, follow the next steps to regain better control of your privacy on the web within 5 minutes**

Download Firefox

Firefox Quantum — a complete rewrite of Mozilla’s brilliant web browser, now the fastest browser available

[1] Download the latest Firefox Quantum (if you haven’t already) by clicking here

Otherwise, set up a new profile in Firefox using the profile manager. Then continue with each subsequent step.

Firefox Quantum is faster in all tests than the latest Chrome builds, and is built by another not-for-profit foundation named Mozilla. Firefox was once upon a time plagued by performance issues and the new Quantum release is a monumental improvement — one which leads me to recommend their brilliant browser once again. It is open source, and they care about user privacy – it also has a very good track record regarding security.

One thing you must realise is that if you use Google Chrome, you are paying for the privilege with your data, and any steps you take to prevent tracking are undermined already, since Google will be able to track you regardless. As incredible as Google and its tools are, it is a business and the world’s biggest advertiser, and they consequently use your data and online movements to target ads to you by using cookies. There is nothing explicitly wrong with that, but it’s important to be aware of nonetheless. One can still reduce one’s exposure to their services by adjusting browsing habits.

[2] Enable “Do not track” headers to be set

Enabled “Do Not Track” header via Firefox’s preferences pane

This, in theory, tells advertisers not to use your personal data to target adverts to you, though, as mentioned later, it is unfortunately often not heeded.

Installing privacy-boosting add-ons

[3][a] The best thing you can start with is widely considered to be NoScript

NoScript — arguably the best way to improve your online privacy

NoScript works by using a whitelist-based approach to loading scripts from websites. JavaScript is the language of the web, and scripts are what are used to perform fingerprinting as discussed above.

Visit the link above, then hit the “Install” button on the left side of the page in your newly installed Firefox browser.

It is important to note that the most secure way to use NoScript is the default installation; however, that will initially cause problems of varying degrees on lots of websites out there.

Once you visit a site, if there are issues, you can click the NoScript icon in the top right of your browser and select “Trusted” (if you trust the site of course). This is slightly more labour intensive initially, but you can enjoy fine-grained control against new sites you visit. This is my preferred method, but I may be a masochist.

Otherwise, for temporary usability’s sake, you can choose within NoScript’s options to enable temporary trust for the domain you’re visiting, which will address many issues automatically. Only make permanent the domains and content providers you really trust, or those which you know to have good privacy policies.

[3][b] Alternatively, less configuration is needed by default if you instead use uBlock Origin

I’d like to give a very honourable mention here to uBlock Origin, which is a fantastic add-on with lots of capabilities in this remit also. It is similar to NoScript, but it is slightly easier to “plug and play”. Of course, that comes slightly at the cost of finesse, but for most intents and purposes it is perfectly fine and much less likely to break any websites. Gorhill (the main developer behind this add-on) is highly skilled and the repository is well-maintained.

Also, in fairness, uBlock performs incredibly well.

[4] Next up install Privacy Badger (by EFF)

Privacy Badger — the secondary weapon in your armory for blocking third party trackers

Privacy Badger looks for scripts on pages that appear to be tracking you, and automatically blocks them if they’re invasive. A side effect of this is that almost all ads online will be blocked — this is because many advertisers do not heed the browser’s “Do not track” requests. It is plug-and-play, and works wonderfully out of the box.

It respects responsible advertisers who meet strict requirements (though very few do!). The only thing you need to configure with Privacy Badger is to enable the “Prevent WebRTC from leaking local IP address *” option. This will prevent your IP address from leaking should you use a VPN (or similar).

This, paired with NoScript (or uBlock), will offer excellent tracking protection already, but there are still further steps required to achieve a good fingerprinting score.

[5] Install HTTPS Everywhere (by EFF)

HTTPS Everywhere — ensures that sites don’t serve some mixture of secure and insecure assets

HTTPS Everywhere is super simple: it looks for any insecure connections made on secure websites, and tries to force them to be secure (which is typically supported, but not properly implemented). This is known as “mixed content” and could reveal details about your browsing habits unnecessarily.

This is another plug-and-play add-on. Install and enjoy secure connections where they weren’t before. I recommend enabling the option to block unencrypted requests. This will force redirection on pages which do not by default point to https. This will provide protection in multiple ways — it should also lessen the amount of information you’re revealing to your ISP.

[6] Install Cookie AutoDelete

Cookie AutoDelete — clears cookies once you leave a site

A while ago, there was a great extension named Self Destructing Cookies. With Firefox’s new release, some add-ons became outdated and this beauty replaces the aforementioned. It works on a whitelist basis, as NoScript does.

Once you’ve installed this, enable the option for “Automatic Cleaning”; just click the icon and then settings to find it.

After that, simply whitelist only the websites you trust and wish to persist session data with. That is, for example, if you didn’t want to be signed out of Medium after closing the tab or restarting your browser, you’d whitelist medium.com. Similarly, you can greylist websites so that you won’t be signed out upon tab close, but on browser restart you would — which offers a compromise between usability and better privacy. Generally you shouldn’t face issues if you simply let it delete cookies — you’ll just have to sign in each time you visit the site.

Sometimes features can degrade without cookies, but generally it will be absolutely fine and a big privacy boost. Generally, cookies are used to track you across different domains, or for re-marketing purposes.

[7] Install Blur (by Abine)

Blur — its most useful feature in my book

Blur has lots of great features, some of which are covered already by the other add-ons (tracker blocker). If you’re US-based you can enjoy both phone and card masking, though they are paid features. Those can be great if you don’t really trust a website or need to activate an SMS but don’t want to reveal your real number.

This add-on is well worth an install — once you install, you’ll have to register for an account with Blur. If the features are available to you, premium can be a good option for the features mentioned in the blurb above.

I mainly use Blur for generating ‘masked emails’ — it’s an amazing feature for when you’re unsure about giving out your real email address. You can generate them on the fly while signing up to a newsletter for example, and cancel them anytime.

[8] Install Decentraleyes

Decentraleyes — a remarkably clever add-on which deals with a sneaky privacy issue

This add-on protects you against tracking through “free”, centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. It also complements regular content blockers.

No configuration required here. Combined with the previous add-ons, you should largely be safe to whitelist domains like jquery.com or, since this add-on will intercept that request and return with a local file.

Lots of websites require scripts (usually libraries) to add functionality to them. It’s a rather ingenious add-on which looks for requests being sent to “content delivery networks” (CDNs) — it then intercepts the request and instead it serves a local version of the library file, the result being that you get faster browsing speeds and better privacy. Win-win.
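The interception described above can be sketched in a few lines. This is an added example, not Decentraleyes’ own code: the table of bundled libraries, the version numbers, the local/... resource names and the sample page are all constructed for illustration.

```javascript
// Added illustration of CDN interception; not Decentraleyes' own code.
// The library table, version numbers and "local/..." names are constructed.
const LOCAL_COPIES = new Map([
  ['jquery', new Set(['2.2.4', '3.2.1'])],
  ['jqueryui', new Set(['1.12.1'])],
]);

// Per-CDN pattern that pulls (library, version) out of the request path.
const LIBS_PATH = /^\/ajax\/libs\/([a-z0-9.-]+)\/(\d+(?:\.\d+)*)\/[\w.-]+\.js$/;
const CDN_RULES = new Map([
  ['ajax.googleapis.com', LIBS_PATH],
  ['cdnjs.cloudflare.com', LIBS_PATH],
  ['code.jquery.com', /^\/(jquery)-(\d+(?:\.\d+)*)(?:\.min)?\.js$/],
]);

// Decide whether a script request can be answered from disk.
function resolveRequest(requestUrl) {
  let url;
  try {
    url = new URL(requestUrl);
  } catch {
    return { action: 'pass', host: null, reason: 'unparseable URL' };
  }
  const pass = (reason) => ({ action: 'pass', host: url.hostname, reason });
  const rule = CDN_RULES.get(url.hostname);
  if (!rule) return pass('not a known CDN');
  const match = rule.exec(url.pathname);
  if (!match) return pass('path is not a recognised library');
  const [, library, version] = match;
  const versions = LOCAL_COPIES.get(library);
  if (!versions || !versions.has(version)) return pass('no local copy of this version');
  // Served locally: the CDN never sees the request, its cookies or the referer.
  return { action: 'serve-local', host: null, resource: `local/${library}/${version}` };
}

// Hosts that still receive a request after interception.
function hostsContacted(scriptUrls) {
  const hosts = scriptUrls
    .map(resolveRequest)
    .filter((r) => r.action === 'pass' && r.host)
    .map((r) => r.host);
  return [...new Set(hosts)].sort();
}

// Constructed list of scripts a page might load.
const PAGE_SCRIPTS = [
  'https://news.example/static/app.js',
  'https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js',
  'https://code.jquery.com/jquery-3.2.1.min.js',
  'https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.0/jquery.min.js',
];
console.log(hostsContacted(PAGE_SCRIPTS));
```

Requests for a version with no local copy still go out to the CDN, which is why this kind of add-on complements a content blocker rather than replacing one.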

[9] Test your new setup with Panopticlick

A fresh profile in FF configured with exactly what’s mentioned above — success!

Congratulations! You should get results like above when you test now, which shows you’re protected (remember, this is a small dataset and this kind of obscurity is a mammoth improvement — it is very unlikely you can be tracked with such a small amount of identifiable info).

Of course, if you’ve come from another browser, check whether your favourite add-ons of the past are supported – they probably are, or alternatives are available.

Other things to take care of

We’re not quite done yet. Search engines, like the behemoth Google, as mentioned earlier, use your information in order to make money. This is fine, and clearly one viable revenue model. There are also companies with other motivations, which offer, and pride themselves on, respecting user privacy.

[10a] I recommend switching your default search engine in Firefox to use DuckDuckGo. If you visit about:preferences#search in a new tab in Firefox, you can change your default search engine to DuckDuckGo

DuckDuckGo is a reputable search engine which works very well — I find it fine for normal usage.

[10b] If you prefer Google’s results, take a look at https://www.startpage.com/. This anonymises requests via Google, and is also a fantastic resource for better privacy

[11] Be conscious about the information you share online. With whom you share it (company or individual), and what you share. Make sure you’re taking advantage of the many privacy settings offered by most social media giants et al

Bonuses

[A] Disable referer headers from being sent to websites

Set the value to 0 to disable referer headers

Visit about:config in a new tab, then search for network.http.sendRefererHeader. Set the value to 0 by double clicking on the value field. The default value for this field is 2.

The referer header effectively tells websites you visit where you came from, which is of no benefit to us generally and is mainly used for tracking purposes.

[B] Install UserAgent Switcher

UserAgent switcher — this helps you cloak yourself

This one is slightly less obvious, but one revealing piece of information your browser provides regardless of prior efforts is what’s called a User Agent string. This, in effect, reveals information about your host operating system and the browser version you’re running. If you’re keeping your OS & browser updated (and you should be!) this will often be surprisingly identifying.

Once installed, simply click on the little icon installed and select a User Agent string which closely matches your environment, but that isn’t your actual UA string. Here is a list of common UA strings, which of course ought to reduce the amount of identifying info you’re offering up.

An important note here is that depending on the website, features may break if you have a vastly different UA string to the environment you’re actually on — so this is somewhat advanced, and not entirely necessary since you ought to be able to achieve a good score without this unless you use a really unusual setup.
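To put numbers on the fingerprint test near the top of this article and on the User Agent advice above, here is an added example (not from the original article or from the EFF). It measures how identifying each attribute is as -log2 of the fraction of visitors sharing it, and counts how many visitors share the whole combination; the visitor sample and the abbreviated UA labels are constructed.

```javascript
// Added illustration; the visitor sample below is constructed, not real data.
// Each row: [userAgent label, timezone, screen size, number of visitors].
const ROWS = [
  ['Firefox 59 / Windows 10', 'UTC+0', '1920x1080', 5],
  ['Firefox 59 / Windows 10', 'UTC+1', '1366x768', 3],
  ['Firefox 59 / macOS 10.12', 'UTC+0', '1440x900', 3],
  ['Firefox 59 / macOS 10.12', 'UTC+1', '1440x900', 1],
  ['Firefox 58 / Linux', 'UTC+0', '1920x1080', 3],
  ['Firefox 59 / macOS 10.13.4', 'UTC+0', '1440x900', 1],
];
const SAMPLE = ROWS.flatMap(([userAgent, timezone, screen, n]) =>
  Array.from({ length: n }, () => ({ userAgent, timezone, screen })));

// Bits of identifying information in one attribute value:
// -log2(fraction of visitors sharing it). Infinity if never seen.
function surprisalBits(sample, attribute, value) {
  const sharing = sample.filter((v) => v[attribute] === value).length;
  return sharing === 0 ? Infinity : Math.log2(sample.length / sharing);
}

// How many sampled visitors present exactly the same combination.
function crowdSize(sample, browser) {
  const keys = Object.keys(browser);
  return sample.filter((v) => keys.every((k) => v[k] === browser[k])).length;
}

function report(sample, browser) {
  const bits = {};
  for (const [key, value] of Object.entries(browser)) {
    bits[key] = surprisalBits(sample, key, value);
  }
  return { bits, crowd: crowdSize(sample, browser) };
}

// An up-to-date, rarely seen OS version in the UA string.
const actual = {
  userAgent: 'Firefox 59 / macOS 10.13.4',
  timezone: 'UTC+0',
  screen: '1440x900',
};
// UA switched to a common string that still matches the real platform.
const plausible = { ...actual, userAgent: 'Firefox 59 / macOS 10.12' };
// UA switched to the most common string, which contradicts the screen size.
const mismatched = { ...actual, userAgent: 'Firefox 59 / Windows 10' };

for (const [label, b] of Object.entries({ actual, plausible, mismatched })) {
  console.log(label, report(SAMPLE, b));
}
```

In this sample the most common UA string is the least identifying on its own, yet combined with a screen size no Windows visitor reports it matches nobody, which is why the UA you pick should stay close to your real environment.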

That just about covers everything I can think of right now — with the configuration mentioned (even without the bonuses), you’ll enjoy much greater privacy online and much faster browsing speeds.

TL;DR

The above is verbose since I think arming oneself with the proper knowledge on these topics is crucial to understanding how to maintain privacy going forward, not least to realise just how much is going on here. However, I have collected the steps so it is easy to refer to them and get set up quickly!

Here are the steps:

[1] Download the latest Firefox Quantum (if you haven’t already) by clicking here

[2] Enable “Do not track” headers to be set

[3][a] Either install NoScript

[3][b] Alternatively, less configuration is needed by default if you instead use uBlock Origin

[4] Install Privacy Badger (by EFF) — Recommended: enable “Prevent WebRTC from leaking local IP address *”

[5] Install HTTPS Everywhere (by EFF) — Recommended: enable “Block all unencrypted requests”

[6] Install Cookie AutoDelete

[7] Install Blur (by Abine)

[8] Install Decentraleyes

[9] Test your new setup with Panopticlick

[10a] I recommend switching your default search engine in Firefox to use DuckDuckGo. If you visit about:preferences#search in a new tab in Firefox, you can change your default search engine to DuckDuckGo

[10b] If you prefer Google’s results, take a look at https://www.startpage.com/. This anonymises requests via Google

[11] Be conscious about the information you share online. With whom you share it (company or individual), and what you share. Make sure you’re taking advantage of the many privacy settings offered by most social media giants et al

Bonuses (see above for details):

[A] Disable referer headers from being sent to websites

[B] Install UserAgent Switcher

Wrapping up

Online privacy is a right, and great steps have been taken to revoke that right by untoward practices. It requires a little thought on our part, but together we can revel in better privacy simply by employing tools that other great people have spent time developing, or by simply adjusting our behaviour slightly while online.

One final thought on why digital privacy matters regardless of intent:

Everyone knows what you do in the bathroom, but you still close the door

I hope you enjoyed this. Next up I have some ideas for a guide that would help with security if you’re dealing with cryptocurrencies, and further general ways to lock down the rest of your computational habits as best you can from a security/privacy perspective (outside of just the browser).

Some resources

The official EFF website has a blog with lots of great content

EFF’s guide to surveillance self-defence — this is a very comprehensive set of resources that answer many questions; avoiding phishing attacks, secure messaging, etc. Well worth a look, though out of the scope of this article!

**if you run through the TL;DR!