Wednesday 23 March 2016

Stop Websites Spying On You

Ever get the feeling you’re being watched? Wayne Williams reveals who’s snooping on your online activities and explains the best ways to protect your privacy on the web

You’re never alone when you go online; there’s always someone or something observing what you do, even if you’re not doing anything particularly interesting. Many of these ‘spies’ are perfectly harmless, merely tracking your activities for analytics or advertising purposes, but others have more sinister and intrusive motives.


In this article, we take a closer look at exactly who’s watching you on the web and explain how you can use the latest tricks and tools to put a stop to this unauthorised and unwarranted spying.

Over the following six pages we’ll reveal what the spies behind each of the methods want, how they spy on you, what they do with the information they collect and the best ways to thwart them. We’ll also name and shame 10 of the worst offenders for spying on your online activities – the list may well surprise you.

SOCIAL NETWORKS


What do they want?
Social networks such as Facebook, Twitter and Google+ want to know your likes (and dislikes), who you know and where you go on the web.

How do they spy on you?
As well as cookies, social networks use buttons scattered across the internet to track your browsing. These function in the same way as web bugs, telling those services where you’ve been. Worryingly, you don’t have to click a button (by ‘liking’ a page, for example) for it to register your arrival and report back to the network.

What do they do with it?
Social networks are forever seeking to build up a profile on you, to ensure you see content relevant to your interests and – of course – tailor their advertising accordingly. Facebook also uses various tracking methods to recommend people you might know, but haven’t yet connected with on the social network. So if you’ve ever wondered why someone you bumped into at an angling convention appears in your potential friend suggestions, now you know.

How you can stop them
The brilliant browser add-on Privacy Badger (bit.ly/badger393) from non-profit organisation the EFF (Electronic Frontier Foundation) automatically blocks spying ads and invisible trackers. Social-networking buttons are replaced with alternative buttons that still work, but don’t track you (unless you choose to click them), which means you don’t get left with big empty spaces on the page. The way these replacement buttons work depends on how the original widgets were implemented. Typically, clicking them will either take you to the relevant sharing page or enable and load the original (hidden) social widget.

Use Privacy Badger to stop sites spying on you


1 When you install Privacy Badger, it adds an icon to the top of your browser. Browse the web as normal and the add-on automatically detects all spying ads and invisible trackers found on a site. Clicking the icon displays a colour-coded list of potential trackers. These are initially all green (not blocked).

2 You can manually manage each potential tracker. Drag a slider to the centre to block cookies from it (amber) or slide it all the way to the left to fully block that ad domain (red). Over time, Privacy Badger learns which trackers to deny and which to allow, and takes action automatically.

3 Click the Settings cog to open the Filter Settings page where you can choose which action to take with trackers. You can whitelist domains you trust and enable or disable social-widget replacements, which swap social-networking buttons with non-spying versions. Privacy Badger can be disabled on any site.

ANALYTICS TOOLS


What do they want?
As Wikipedia explains: “Web analytics is the measurement, collection, analysis and reporting of web data for purposes of understanding and optimising web usage”. Essentially, website owners use analytics tools so they can understand more about the people visiting their website. The data collected by tools such as Google Analytics (www.google.co.uk/analytics) includes the location visitors are browsing from (and on what devices), which site they’ve come from, the keywords they used to find the site, which pages are most popular, the average duration of a visit, whether they’re new or returning visitors and much more.

How do they spy on you?
An embedded piece of JavaScript code is used to collect the information. Every time someone visits a website with this code, the data is (anonymously) recorded and passed to the collection server.

What do they do with it?
This varies depending on the site owner, but knowing which pages are most popular and getting an idea of the type of people that visit that website can help keep the content relevant and interesting. For example, if analytics reveals that a page about trout on your angling site is getting more views than any other, then it makes sense to add more content about trout.

How you can stop them
Google Analytics is by far the most popular source of this kind of data collection – virtually every site you visit uses the tool. If you don’t like the thought of being analysed in this way (albeit anonymously), you can use the official Google Analytics Opt-out Add-on (bit.ly/goptout393) to stop your data being collected. This works with Chrome, Firefox, Internet Explorer, Safari and Opera, and automatically blocks the Analytics JavaScript code.

MALWARE WRITERS


What do they want?
It depends on the type of malware, but usually the people behind online threats are out to make money from you in one way or another. This could be by accessing your credit card details, or by logging into your accounts with websites such as Amazon and making purchases. If they take over your PC, they could use it as part of a botnet for criminal purposes. They might just want to spy on you because they can – malware can be used to spy through mobile phones, webcams and even baby monitors.

How do they spy on you?
There are lots of different ways. Keyloggers, for example, log your keystrokes and pass them on. This gives the hacker access to anything you’ve typed, including passwords, personal information and credit card details. Remote Administration Tools (RATs) let a hacker control your PC remotely, which can include turning on a webcam. Android malware now exists that can make calls and take photos using your device, even if you shut it down (see bit.ly/avgmobile393).

What do they do with it?
Again, it depends on the type of malware and the hackers behind it. If they can make money from you in some way, then they will. Otherwise they will just invade your privacy and see what opportunities arise.

How you can stop them
Don’t open suspect email attachments or run dubious programs. Protect your PC with strong anti-malware software, and install something similar on your phone, such as Bitdefender Antivirus Free (bit.ly/bitdefender393). If you have an Android device, avoid installing apps from questionable sources.

SpyDetect Free (bit.ly/spydetect393) is a useful tool designed to detect processes on your computer that might be recording your keystrokes. Click the Check Now button and it will tell you if you’re being spied on or monitored.

OTHER WEBSITES


What do they want?
Websites linked to the one that you’re currently visiting (either visibly or invisibly) want to know more about you so they can maximise their appeal.

How do they spy on you?
Cookies are the most common method. These tiny pieces of code store information about you, which isn’t a bad thing per se because they allow the site to recognise you, so you don’t have to log in every time you visit, and your personal preferences and customised pages will be stored.

There are different types of cookie – session cookies only last for the duration of your browsing session and are cleared when you close your browser. Persistent cookies remain on your system after you’ve left the website and are sent back to the server the next time you visit. Secure cookies are served when you visit a site using an ‘https://’ address, while third-party cookies come from domains other than the one you’re visiting. Some cookies are used across multiple sites, which allows third parties to track your browsing habits.
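To see which of these types a site is actually handing you, you can classify the Set-Cookie headers it sends. The script below is an added example, not part of the original article; the host names and cookie values are constructed, and it treats the last two labels of a host name as the "site", which is a simplification (browsers use the Public Suffix List).

```javascript
// Classify Set-Cookie headers into the cookie types described above.
// Simplification: a "site" is the last two labels of a host name; real
// browsers consult the Public Suffix List (needed for e.g. .co.uk).
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

function classifyCookie(setCookie, responseHost, pageHost, now = new Date()) {
  const [pair, ...attrParts] = setCookie.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  // Max-Age takes precedence over Expires; neither means a session cookie.
  let expires = null;
  if (typeof attrs['max-age'] === 'string' && /^-?\d+$/.test(attrs['max-age'])) {
    expires = new Date(now.getTime() + Number(attrs['max-age']) * 1000);
  } else if (typeof attrs.expires === 'string' && !Number.isNaN(Date.parse(attrs.expires))) {
    expires = new Date(Date.parse(attrs.expires));
  }
  return {
    name,
    lifetime: expires === null ? 'session' : expires <= now ? 'expired' : 'persistent',
    secure: attrs.secure === true, // only sent back over https://
    party: siteOf(responseHost) === siteOf(pageHost) ? 'first-party' : 'third-party',
  };
}

// Constructed sample: responses seen while loading a page on angling.example.
const NOW = new Date('2016-03-23T12:00:00Z');
const SAMPLE = [
  ['angling.example', 'sid=abc123; Path=/; HttpOnly'],
  ['www.angling.example', 'prefs=dark; Max-Age=31536000; Secure'],
  ['ads.tracker.example', 'uid=9f8e7d; Expires=Fri, 23 Mar 2018 12:00:00 GMT; Path=/'],
  ['ads.tracker.example', 'old=1; Max-Age=0'],
];
function classifySample() {
  return SAMPLE.map(([host, header]) => classifyCookie(header, host, 'angling.example', NOW));
}
console.log(classifySample());
```

The persistent third-party entry is the kind the browser settings described below let you block.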

What do they do with it?
Behaviour tracking, which involves using cookie data to build up a profile of the sites you visit and the searches you perform, is used by websites to serve up more relevant adverts.

How you can stop them
You can block unwanted cookies in your browser. In Chrome, open Settings, click the ‘Show advanced settings’ link at the bottom and click the ‘Content settings’ button under Privacy. You can manage cookies there.

In Firefox, click the three-line hamburger button in the top-right corner and select Options. Click the Privacy option on the left and manage cookies there.

Cookies are, for the most part, harmless and serve a useful purpose so you don’t want to block them all – only third-party ones. Very occasionally, you might find blocking cookies has an unforeseen negative consequence. If a website doesn’t behave as expected, you may need to re-enable its cookies.

To save time, you can use the free program CookieSpy (www.cookiespy.com) to view all the cookies across all your browsers, and delete any you don’t want.

ISPs


What do they want?
Your internet service provider likes to keep an eye on how you’re using its network, to make sure you’re not abusing it in some way – whether for criminal activity or simply because you’re using it “too much”.

How do they spy on you?
ISPs can track which websites you visit, and they can also read anything you send over the internet that’s not encrypted, because they route you to your destination. They can identify different types of traffic, too – including BitTorrent.

What do they do with it?
Probably nothing. Just because they can spy on you, doesn’t mean they are. If you do a lot of torrenting, they can impose traffic shaping (slowing down your connection), although this is less common these days. However, they can pass on information about your browsing habits to the police and the government, when requested, which is a bit of a worry if you’re up to no good.

How you can stop them
Use the secure HTTPS versions of websites where possible (look for the padlock next to the browser’s address bar). Installing HTTPS Everywhere (bit.ly/https393) for Chrome, Firefox, Opera or Android will automatically route you to the secure versions of the most popular sites.

Browsing the internet via a VPN (Virtual Private Network) will keep your activity secret from your ISP, although you then have to trust the VPN itself. Some good free choices include CyberGhost (www.cyberghostvpn.com), TunnelBear (www.tunnelbear.com) and Spotflux (spotflux.com).

ADVERTISERS


What do they want?
They want you to buy things and click their advertising across the web. An interesting offer or flashy advert isn’t always enough to draw you in, so they use all sorts of tactics to get you to click. A growing number of web users employ ad blockers these days, so advertisers have to make sure they maximise their options.

How do they spy on you?
Tracking cookies are the most common method. Advertising firms place ads across hundreds of thousands of sites. When you first visit a site containing one of these ads, a cookie from that advertiser will be saved on your PC. When you go to another site displaying an ad banner from the same advertiser, your browser returns the cookie and receives a new one. The advertiser can use this “breadcrumb” trail to track which of their adverts you’ve seen and, using this information, will know which sites you’ve visited. It doesn’t even need to be a full, visible advert that returns a cookie – a 1x1-pixel invisible GIF (better known as a web bug) works just as well.
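The trail described above can be reconstructed from a record of the requests your own browser made, which is a useful way to audit what a single advertiser is able to learn. This is an added example, not part of the original article; the request records, host names and cookie values are constructed, and a "site" is again approximated as the last two labels of the host name.

```javascript
// Rebuild the "breadcrumb" trail one advertiser can assemble from a
// browser's own requests. Constructed sample records: the page being read,
// the URL fetched for it, the cookie sent with the request, and any cookie
// the response set.
const REQUESTS = [
  { page: 'https://angling.example/trout', url: 'https://angling.example/style.css', sent: 'sid=abc123', set: '' },
  { page: 'https://angling.example/trout', url: 'https://ads.tracker.example/banner.js', sent: '', set: 'uid=9f8e7d' },
  { page: 'https://news.example/today', url: 'https://ads.tracker.example/banner.js', sent: 'uid=9f8e7d', set: 'uid=9f8e7d' },
  { page: 'https://news.example/today', url: 'https://stats.other.example/ping', sent: 'v=1', set: '' },
  { page: 'https://shop.example/rods', url: 'https://px.tracker.example/1x1.gif', sent: 'uid=9f8e7d', set: '' },
  { page: 'https://shop.example/rods', url: 'https://cdn.fonts.example/a.woff', sent: '', set: '' },
];

// Simplification: last two host labels stand in for the registrable domain.
const siteOfUrl = (u) => new URL(u).hostname.split('.').slice(-2).join('.');

function trackerTrails(requests) {
  const trails = new Map(); // "tracker cookie" -> { tracker, cookie, sites }
  for (const { page, url, sent, set } of requests) {
    const pageSite = siteOfUrl(page);
    const tracker = siteOfUrl(url);
    const cookie = sent || set; // identifier returned, or freshly issued
    if (tracker === pageSite || !cookie) continue; // first-party or cookieless
    const key = `${tracker} ${cookie}`;
    if (!trails.has(key)) trails.set(key, { tracker, cookie, sites: [] });
    const trail = trails.get(key);
    if (!trail.sites.includes(pageSite)) trail.sites.push(pageSite);
  }
  // Only an identifier seen on two or more sites links your visits together.
  return [...trails.values()].filter((t) => t.sites.length > 1);
}

console.log(JSON.stringify(trackerTrails(REQUESTS), null, 2));
```

The 1x1 GIF request on shop.example extends the trail exactly as the banner requests do, while the cookieless font request contributes nothing to it.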

What do they do with it?
Advertisers spy on you so they can tailor their advertising to tempt you with relevant products and services. If you’ve ever visited a website and seen ads related to an item you looked at elsewhere, you’ll know you’re being successfully tracked. Advertising firms may also pass your details to other advertisers and marketing companies.

How you can stop them
Major ad providers let you opt out of behaviour tracking. Go to the ‘Your ad choices’ section of Your Online Choices (bit.ly/adchoices393) and choose which advertisers to block cookies from. Google’s Ads Settings page (bit.ly/googleads393) shows what the search giant knows about you and lets you opt out of interest-based advertising. You can do the same kind of thing with Microsoft (choice.microsoft.com) and Yahoo (bit.ly/yahooad393).

Most web browsers have a Do Not Track option you can turn on in the settings, but this is a voluntary arrangement and websites have no obligation to honour your wishes.

Using an ad blocker such as Adblock Plus (adblockplus.org) or uBlock Origin (bit.ly/ublock393) will remove adverts from all the web pages you visit. In addition, the software can disable tracking to make you more anonymous to advertisers.

SEARCH ENGINES


What do they want?
Google and Bing want to get to know you, and spy on the sort of things you search for online so they can build up a user profile.

How do they spy on you?
Search engines use several methods to keep an eye on what you do, including using cookies, and they also record and store what you’ve searched for. If you’re logged into your Google or Microsoft account, then Google or Bing can link the details directly to you.

What do they do with it?
They use the information to better target their results and advertising. You might think that two people searching for exactly the same thing on Google will see the same results but, in fact, they probably won’t. Google weights its order of results based on all sorts of factors, but it also prioritises the sites you’ve visited previously. If you don’t believe us, try performing the same search while logged into and out of your Google account, and compare the results.

How you can stop them
Disconnect Search (disconnect.me/search) anonymises your searches to prevent any connection being made to your Google (or Microsoft) account. You can also switch to using alternative, privacy-focused search engines, such as DuckDuckGo (duckduckgo.com) and the new Oscobo (oscobo.co.uk), which don’t track you or store your searches.

Keep your browsing private using Oscobo


1 Oscobo is a new privacy-focused search engine that’s aimed at users in the UK and promises not to track you. As well as typing your query into the search box, you can set Oscobo as your default search choice or install the extension, which adds a search box to your browser.

2 Enter some search terms and, as you would expect, Oscobo returns a list of results. We found it fast and the results (from Bing/Yahoo) were pretty good. The thumbnails show you previews of the sites before you visit them, and Oscobo displays the latest results from Twitter in a sidebar.

3 You can switch to searching for Videos, Images or News. If you’ve installed the extension, you can perform a search on Oscobo whenever you like by clicking the button and entering your terms. Scroll to the bottom of the site and click Privacy to find out more about the search engine.

GOVERNMENT AGENCIES


What do they want?
They want as much data as possible about individuals and companies, which they can use to prevent crime and acts of terror (such as the 2015 Paris attacks), and potentially for other purposes, too.

How do they spy on you?
In lots of ways, including bugging phones, tracking your location via cell towers, use of backdoors in software and services, and receiving data from ISPs and tech firms. Spying software has even been found embedded on hard drives from a number of well-known manufacturers. NSA security contractor Edward Snowden’s revelations barely scratch the surface of government spying activities.

What do they do with it?
In most cases, they just hoard it, but if you use a potential trigger word in your communications – such as “bomb”, “murder”, “assassination”, “nuclear”, “infrastructure security” or “wild trout fishing” (well okay, not that one) – you may find yourself under supervision.

How you can stop them
Use encryption. As you’ll have seen from the recent FBI vs Apple row over a terrorist’s iPhone, the government has problems cracking encrypted devices. You can encrypt content on your Windows PC using VeraCrypt (veracrypt.codeplex.com), which we had a Workshop about in our last issue. You can also use a VPN.

Interestingly, Facebook and Twitter now alert you if they suspect you’re being spied on by a government. You can also scan your computer for signs of surveillance software using Detekt (resistsurveillance.org).