Wednesday 8 February 2017

What your browser LEAKS about you

Every time you go online, you reveal more personal info than you realise. Robert Irvine explains how to identify and plug these leaks


What you’re doing right now


To get a feel for how you’re being watched online, visit Click (clickclickclick.click), a creepy but illuminating ‘experiment’ that gives you a running commentary of everything you do from the moment you visit. This includes every click and movement of your mouse, the size and position of your browser window and the length of time you spend on and away from the site. The idea is that you unlock ‘achievements’ by performing different actions, as directed by an increasingly pushy voice (“turn on your webcam”), but Click also demonstrates how much info any website could potentially know about you. We tried browsing in private mode, disabling cookies and using a VPN and Click still kept watching us.

How to plug the leak
The team behind Click says: “basically it’s all JavaScript, which is in the hands of every web developer today”. Indeed, the only way we managed to foil Click was to disable JavaScript: in Chrome, go to Settings, ‘Show advanced settings’, ‘Content settings’ and choose ‘Do not allow any site to run JavaScript’. In Firefox, type about:config into the address bar, press Enter and click ‘I accept the risk!’. Find the preference ‘javascript.enabled’ and double-click it to change its value to ‘false’. However, disabling JavaScript will stop many sites working properly, so it’s better to use an add-on such as Quick Javascript Switcher for Chrome (bit.ly/quick416) or ToggleJS for Firefox (bit.ly/toggle416) to switch it on and off as required.

Your approximate physical location


Most browsers have built-in geolocation that tells websites where you are so they can give you relevant local information, such as nearby amenities or the weather forecast. This uses your computer’s IP address to determine your country, region, city and even your street, although it’s rarely able to identify your exact location.

Other methods of pinpointing your location, such as the GPS (global positioning system) feature on your phone and the Wi-Fi hotspot you’re connected to, are significantly more accurate. You’ll also find that HTML5 geolocation, as featured at browserleaks.com/geo, gets much closer to you than the IP-based type – in our case, it located us a mere 0.6 miles away.

How to plug the leak
You can either turn off geolocation completely or make your browser ask to allow it on a site-by-site basis. In Chrome, open ‘Content settings’ and, in the Location section, select either ‘Do not allow any site to track your physical location’ or ‘Ask when a site tries to track your physical location’. Firefox always requests your permission to share your location, but if you’d prefer to disable geolocation, go to about:config, find the entry ‘geo.enabled’ and set it to ‘false’.

Which country you’re browsing from


It’s usually beneficial for the web to know you’re in the UK, so you can watch BBC iPlayer, shop at Tesco, buy your lottery ticket and other domestic activities, but not when you’re trying to access content that’s unavailable to Brits. US-only streaming services such as Hulu and Pandora automatically spot and block overseas visitors, while other sites restrict what can be played, downloaded or bought based on where your browser reveals you are.

How to plug the leak
The most reliable way to disguise your location is to use a VPN (virtual private network) such as CyberGhost (cyberghostvpn.com), which spoofs your location to show you as being in the US (or another country, if available). Opera’s built-in VPN works very well (www.opera.com) and Hola (hola.org) lets you hide your location securely using its browser add-ons, which don’t run on its controversial peer-to-peer network. As an extreme measure, you could use Tor (www.torproject.org) for total anonymity, but this isn’t as simple as a standard VPN.

Whether you’re using an ad blocker


Many websites that offer content for free – including The Telegraph, The Guardian and All 4 – are able to detect that you’re using an ad blocker and will either politely ask you to disable it or stop you viewing their content if you don’t. Even if you don’t mind obliging with the request, you might feel concerned that your ad-blocking ways have been exposed when it all seemed so easy and guilt-free before.

How to plug the leak
One way to stop sites knowing you’re using an ad blocker is to install Anti-Adblock Killer (bit.ly/anti416) for Chrome, Firefox, Opera, Safari and Edge. This app disguises your installed ad blocker – including Adblock Plus, Adblock and uBlock Origin – so that sites don’t refuse you entry or pester you to disable it. For Anti-Adblock Killer to work effectively, you’ll first need to install a userscript manager such as Greasemonkey (www.greasespot.net) or Tampermonkey (tampermonkey.net). Also, be aware that it won’t work on every site that blocks ad blockers.

Your system specifications


Even if your browser is loaded with privacy tools such as Adblock Plus and Privacy Badger, it’s still leaking info about your software and hardware. Just visit anonymity-tracking tool Whoer (whoer.net) and you’ll see details of the operating system and browser you’re using; the plugins and scripts you have enabled; the name of your ISP; and even the size of your monitor. Whoer also rates your anonymity out of 100, based on the data you’re unwittingly revealing. You might not care if anyone knows you’re running Windows 7, and it helps websites display correctly on your system, but when combined with other info this data gives your computer a unique fingerprint that could be used to target you.
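The effect of combining attributes can be shown with a small added example (not from the original article). The visitor list, the attribute names and the functions are constructed for illustration; it counts how many visitors remain indistinguishable from one user as each attribute is added.

```javascript
// Constructed sample: six visitors, described only by attributes the article
// says a site can read. None of this is real visitor data.
const VISITORS = [
  { os: 'Windows 7',  browser: 'Chrome 56',  screen: '1920x1080', isp: 'ISP-A', plugins: 'Flash,PDF' },
  { os: 'Windows 7',  browser: 'Chrome 56',  screen: '1920x1080', isp: 'ISP-A', plugins: 'PDF' },
  { os: 'Windows 7',  browser: 'Chrome 56',  screen: '1920x1080', isp: 'ISP-B', plugins: 'Flash,PDF' },
  { os: 'Windows 7',  browser: 'Chrome 56',  screen: '1366x768',  isp: 'ISP-A', plugins: 'Flash,PDF' },
  { os: 'Windows 7',  browser: 'Firefox 51', screen: '1920x1080', isp: 'ISP-A', plugins: 'Flash,PDF' },
  { os: 'Windows 10', browser: 'Chrome 56',  screen: '1920x1080', isp: 'ISP-A', plugins: 'Flash,PDF' },
];
const KEYS = ['os', 'browser', 'screen', 'isp', 'plugins'];

// How many visitors look identical to `target` on the given attributes.
function anonymitySet(visitors, target, keys) {
  return visitors.filter((v) => keys.every((k) => v[k] === target[k])).length;
}

// Add one attribute at a time and record how far the crowd shrinks.
function narrowing(visitors, target, keys) {
  return keys.map((_, i) => {
    const used = keys.slice(0, i + 1);
    return { attributes: used.join('+'), indistinguishable: anonymitySet(visitors, target, used) };
  });
}

// Re-run the full count after one visitor changes a setting (here, a plugin list).
function afterChange(visitors, index, change, keys) {
  const changed = visitors.map((v, i) => (i === index ? { ...v, ...change } : v));
  return anonymitySet(changed, changed[index], keys);
}

for (const step of narrowing(VISITORS, VISITORS[0], KEYS)) {
  console.log(step.attributes.padEnd(32), step.indistinguishable);
}
console.log('after plugin change:', afterChange(VISITORS, 0, { plugins: 'PDF' }, KEYS));
```

No single attribute identifies the first visitor, but all five together leave a crowd of one; changing the plugin list so it matches another visitor's raises that to two.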

How to plug the leak
Whoer kindly offers advice about how to improve your anonymity – for example, by disabling dangerous plugins such as Flash, switching to a safer server and tightening your anti-tracking settings. A particular concern is the WebRTC technology used for streaming audio and video, which leaks details such as your IP address even from behind a VPN. You can prevent WebRTC leaks in Chrome, without blocking it altogether, using WebRTC Leak Prevent (bit.ly/webrtc416), which controls hidden settings in the browser. In Firefox, WebRTC can be disabled through ‘about:config’ by changing the entry ‘media.peerconnection.enabled’ to ‘false’.
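To check what WebRTC exposes on your own machine, the added example below (not part of the original article) classifies the addresses in ICE candidate lines, which is the form in which WebRTC hands addresses to page script. The sample lines, the VPN exit address and the function names are constructed; the `.local` case covers browsers that replace local addresses with mDNS names.

```javascript
// Constructed sample: ICE candidate lines of the kind a browser passes to page
// script via RTCPeerConnection's icecandidate event. Addresses come from
// private and documentation ranges, not real hosts.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 198.51.100.42 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0',
  'candidate:3 1 udp 2122194687 10.8.0.6 54322 typ host generation 0',
  'candidate:4 1 udp 2122260223 3f2a9c1e-7b4d-4e1a-9c55-0a1b2c3d4e5f.local 54323 typ host generation 0',
];

// True for RFC 1918 private IPv4 ranges (home/office LAN and most VPN tunnels).
function isPrivateV4(ip) {
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.replace(/^a=/, '').trim().split(/\s+/);
  if (!f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  return { address: f[4], type: f[7] };
}

// Compare every address the browser revealed with the address the VPN should show.
function webrtcExposure(lines, vpnExitIp) {
  const report = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip anything that is not a candidate line
    let verdict;
    if (c.address.endsWith('.local')) verdict = 'masked (mDNS name)';
    else if (c.address.includes(':')) verdict = 'IPv6 address exposed (not classified here)';
    else if (isPrivateV4(c.address)) verdict = 'local network address exposed';
    else if (c.address === vpnExitIp) verdict = 'public address matches VPN exit';
    else verdict = 'LEAK: public address is not the VPN exit';
    report.push({ ...c, verdict });
  }
  return report;
}

console.log(webrtcExposure(SAMPLE_CANDIDATES, '203.0.113.9'));
```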

FORCE WEBSITES TO USE MOBILE VERSIONS


Most websites perform a ‘user agent’ check when you visit them, which detects your browser, operating system and device so that content can be displayed accordingly. If you fool a site into thinking you’re using a phone or tablet, it may load its slimmed-down mobile version, which uses much less data and therefore loads faster. You can do this by installing User-Agent Switcher for Chrome (bit.ly/userc416) or Firefox (bit.ly/userf416). Both work by pretending that you’re using a different browser on a different device and operating system. Just click the toolbar button and select a preset from the drop-down menu. Bear in mind that although streamlined pages may load faster, certain features may not be available.