You’re never alone on the web – there’s always someone or something watching you. Jane Hoskyn, Edward Munn and Robert Irvine explain how to beat the snoopers and be completely invisible online
Spammers, scammers and other snoopers have devious ways of tracking your every online move. Google knows more about what you’ve been up to than you do, and eavesdroppers have become adept at piecing together your so-called digital ‘fingerprint’ or ‘footprint’ from even your most mundane web activity – then using it to work out who you are, what you do and even where you live.
Fortunately, there are ways to dodge these spies, without sacrificing the pleasure and convenience of life online. We’re not about to tell you to delete your Facebook account, stop using Google tools altogether or turn to the Dark Web – well, you can if you want, but these extreme measures aren’t the only ways to guard your identity.
In our complete guide to staying anonymous online, you’ll discover how to safeguard your details against even the most persistent privacy invaders, using settings, tweaks and free tools that let you go about your usual browsing business as easily and quickly as ever – but without being spied on. We also pick our nine essential browser add-ons for preserving your anonymity and reveal exactly who is watching you on the web – and how worried you should be.
SEE HOW MUCH INFO YOU’RE LEAKING
Find out how easily you can be identified
Off the top of your head, can you name your ISP (internet service provider), browser version and internet connection type? Your browser can. It also knows where you live and the configuration of your PC, such as the operating system you’re using and your screen resolution.
This information creates what’s known as your online fingerprint (or footprint). It’s available to every website you load in your browser, so it can tailor content to suit you, for example by displaying the correct language and currency. But if websites can see and use this data, so can advertisers, eavesdroppers, government agencies and hackers.
The free online tool MyBrowserInfo (mybrowserinfo.com) reveals how much fingerprint data you’re broadcasting right now. First, it displays your IP (internet protocol) address, which gives away your location. Click ‘See Detailed Location and Browser Information’ to view your connection speed, Windows version, screen resolution, which cookies and plugins you’ve enabled, and much more. The point is that if MyBrowserInfo can see this stuff, so can anyone – easily.
You become even easier to identify and track if you stay logged into online accounts all the time. Your Social Media Fingerprint (bit.ly/social418) is an open-source web tool that reveals where you’re signed in right now. When we tried it, it reminded us that we’re still logged into a Blogger account we’d forgotten about years ago.
Discover what Google knows about you
Google’s new My Activity tool (myactivity.google.com) is based on a searchable timeline of your every move, as tracked by Google. If you use Chrome, Android and Windows 10, and sign into third-party services using your Google account, your timeline will cover nearly everything you do on your computer, phone and tablet. It’s quite unsettling.
To its credit, Google has loaded My Activity with ways to limit the tracking – and to block advertisers from using the data it collects. Find out how in our Mini Workshop below.
Block Google’s trackers using My Activity
1 Go to myactivity.google.com in any browser. Sign into Google and click through the introductory screens (they won’t appear again), then scroll through your timeline. To remove any items from it, and also from Google’s servers, click the three-dots icon, then Delete. Click OK in the box that opens, then click Delete. To configure your tracking settings, click ‘Activity controls’.
2 By default, Google tracks all your ‘Web & App Activity’, which includes Chrome browsing, Android apps and even Cortana activity. To limit this tracking, untick ‘Include Chrome browsing history and activity…’, then click Pause. To switch it off completely, click the toggle so it turns grey, then click Pause. This doesn’t delete previously collected data from your timeline or from Google’s servers.
3 To manage the data Google shares with advertisers, scroll to the bottom of the ‘Activity controls’ page, then click Ads. You’ll see a list of your interests, as determined by Google. Untick any to remove them or untick ‘Also use Google Account activity…’ to remove them all. To prevent Google from using your data to ‘personalise’ its services, click the toggle to Off.
LOCK DOWN YOUR BROWSER
Enable Do Not Track
Your first line of defence against trackers is to enable Do Not Track, a kind of auto-response feature designed to fend off nosy parkers. To do this in Chrome, click the three-dots icon, then Settings, then ‘Show advanced settings’ and tick the option ‘Send a “Do Not Track” request with your browsing traffic’. In Firefox, open the menu, then select Options (or type about:preferences in the address bar), then click Privacy. Click ‘manage your Do Not Track settings’ then tick ‘Always apply Do Not Track’.
Do Not Track doesn’t slow down your browsing or stop websites working – but that’s because it’s not particularly powerful. It’s a request, not a rule. In fact, it might as well be called Do Not Track If That’s OK Oh Go On Then. A properly configured browser should be using other ways to protect your identity as well. To check if it’s doing this, run the free online test Panopticlick (panopticlick.eff.org), created by the Electronic Frontier Foundation (EFF, www.eff.org). Panopticlick reveals whether your browser blocks tracking adverts; whether it blocks invisible trackers; and whether it takes steps to protect your fingerprint data. Brace yourself for a ‘Mixed results’ verdict at best. We got just one ‘yes’, and we owe that to our ad-blocking extension.
Get rid of cookies and plugins
Cookies and plugins speed up your browsing and generally make the web work properly, but they’re also used to track you as a matter of course. If privacy is your priority, get rid of them.
In Chrome, go to Privacy in Settings and click ‘Content settings’ (or type chrome://settings/content in the address bar). Set it to keep cookies ‘until you quit your browser’ and ‘Block third-party cookies and site data’. Then click ‘All cookies and site data’ and go through the list of data-storing files downloaded to your computer by a website or advertiser. There may be hundreds. Hover over one, then click the cross to remove it, or click ‘Remove all’.
Next, scroll down the Content Settings window and disable JavaScript and Flash. You can also disable ‘Background sync’ to prevent closed tabs sending and receiving data; prevent sites from tracking your location; block all pop-ups; and block access to your webcam and microphone.
In Firefox, go to Options then Privacy. Click ‘Remember history’ then select ‘Use custom settings for history’. In the options that appear, click Always to open the drop-down menu, then select Never to block third-party cookies.
In Internet Explorer, you can manage cookies under the Privacy tab in Internet Options. In Edge, go to Settings then click ‘Choose what to clear’.
Browse in incognito mode
All the big browsers have a privatebrowsing mode. In Chrome, it’s incognito mode (press Ctrl+Shift+N to open an incognito window); in Firefox it’s Private Mode (Ctrl+Shift+P) and in Edge it’s InPrivate (also Ctrl+Shift+P).
Whatever you call it, this mode – which you can use in one window while you browse normally in another window – lets you search and visit websites without leaving a trace. No history is saved, no content is cached, and all cookies and temporary files are cleared when you close the window. Anyone using the same computer won’t know what you’ve looked at or searched for.
Well, we say “without leaving a trace”, but incognito browsing isn’t anonymous. It doesn’t hide your browsing from your ISP, the police or even the websites you visit. Snoopers and advertisers can still use trackers and other cookies; they just can’t leave them behind.
Set Firefox Private Mode to block all trackers
Firefox now enables basic Tracking Protection by default in Private Mode. This blocks advertising, analytics and social-sharing trackers included in the ‘basic protection’ list compiled by security firm Disconnect.me (disconnect.me) but it still doesn’t block all trackers, because some are necessary for websites to work.
If you want to block all known trackers, go to Options in Firefox, then Privacy, then click Change Block List. Tick ‘Disconnect.me strict protection’, click Save Changes and then click OK to restart Firefox. This means you won’t be tracked at all in Private Mode, but the trade-off is that some websites may not work properly. If this happens, you can temporarily disable Tracking Protection by clicking the shield icon on the address bar.
WHY NOT TO USE AUTO-FILL
Just below the Do Not Track tick box in your Chrome settings you’ll see a useful-sounding option, ‘Enable Auto-fill to fill in web forms in a single click.’ Don’t tick it! It recently emerged that auto-fill tools in browsers including Chrome, Safari and Opera can easily be exploited by hackers to extract your phone number, address and bank card number.
Finnish developer Viljami Kuosmanen discovered that when you use auto-fill to enter basic info such as your email address on a phishing website, other sensitive profile data stored by your browser – such as your bank card – can be made to appear automatically in hidden text boxes. Easy pickings for a hacker. See for yourself in Kuosmanen’s online demonstration (bit.ly/autofill418).
Firefox, Edge and Internet Explorer don’t suffer this problem because they don’t have built-in auto-fill, but Firefox is planning to add it soon. For your own safety and privacy, don’t enable it. If you really can’t be bothered to type your details manually, use a secure password manager-cum-digital wallet such as LastPass (lastpass.com) or Dashlane (www.dashlane.com).
USE A DISPOSABLE EMAIL ADDRESS
If you’re not happy about being asked to ‘Enter your email address,’ for no good reason, you can get an anonymous, temporary address from Guerrilla Mail (www.guerrillamail.com). Go to the site and copy the address it currently displays. It’ll display a new one every 10 seconds. Use the temporary address to confirm you’re a real person as and when needed, and then dispose of it. There’s a free Guerrilla Mail Android app, too (bit.ly/guerrilla418).
TIGHTEN YOUR FACEBOOK SETTINGS
Learn Facebook’s privacy secrets
Facebook and anonymity go together like a horse and roller skates, but that’s no reason to leave your privacy at the door – as the social network’s new Privacy Basics page (www.facebook.com/about/basics) is keen to remind you. Privacy Basics is an online user manual of slideshows containing tips about your Facebook Settings (www.facebook.com/settings) along with useful links. For example, the Manage Your Privacy section contains a dozen slideshows including Search (‘What do people who aren’t my friend see when they search for me?’) and ‘Photos & Videos I’m In’ (‘How do I control whether Facebook recognises me in photos and videos?’). The Advertising section explains how to control Facebook’s infernal targeted ads. Every slideshow ends with an invitation to ‘Take the Privacy Checkup’, which confirms just how anonymous your Facebook activity isn’t. Click the Edit links to limit the audience and choose ‘Only me’ for all personal details – your Facebook friends don’t need to know your phone number.
Stop Facebook sharing your data with advertisers
Isn’t it amazing how well Facebook’s ads seem to know you? ‘Amazing’ as in ‘creepy’. That’s because Facebook hands over details about your interests, employment and even relationship status to its business partners.
To put a stop to this nonsense, go to Settings and click Adverts. Click a section (‘Your interests’, ‘Advertisers you’ve interacted with’, ‘Your information’ and ‘Advert settings’) to see what’s being shared, then make your changes.
Some sections have on/off toggles (for example ‘Relationship status’ under ‘Your information’), while others can be edited by clicking Yes or No and selecting options from a drop-down menu. Be sure to click ‘Advert settings’ then Yes next to ‘Ads on apps and websites…’, then click the Yes button at the bottom of the small print, then click No. It’s every bit as convoluted as it sounds, but essential if you’d rather not be public property.
STOP MICROSOFT SNOOPING ON YOU
See (some of) what Microsoft knows about you
Unlike previous versions of Microsoft’s operating system, Windows 10 is as much online as your browser. Microsoft’s ‘telemetry’ technology constantly tracks your activity, showing “blatant disregard for user choice and privacy,” to quote the Electronic Frontier Foundation (bit.ly/eff418).
So Microsoft, like Google and Facebook, is playing privacy catch-up. It recently launched a web-based privacy dashboard (account.microsoft.com/privacy) that lets you see what it knows about you. Well, some of it. Officially, the dashboard includes Bing and Edge activity, and data gathered by GPS, Cortana Notebook and Microsoft Health. In practice, it doesn’t reveal much at all (“We don’t have any data associated with this Microsoft account at the moment” is its current catchphrase). Google’s My Activity timeline reveals far more about our Windows 10 activity than Microsoft’s privacy dashboard does – at the time of writing, at least. These may be teething troubles, so we’ll stay tuned for improvements.
Tweak your Windows 10 privacy settings
Microsoft tracks you far more than its privacy dashboard suggests. To limit the snooping, configure your PC settings carefully. Type privacy into Start and click ‘Privacy settings’, then click the toggles to enable and disable the options, some of which you may not realise were switched on. For example ‘Send Microsoft info about how I write’ and ‘Let websites provide locally relevant content’ are enabled by default, so switch them off. To manage targeted ads, click ‘Manage my Microsoft advertising and other personalisation info’, then click the toggle on the web page that opens.
Since the Windows 10 Anniversary Update, you can no longer remove Cortana using the native Windows settings. You can use it without signing in (click ‘Maybe later’ when asked), but if you want to remove it completely you’ll need to use a third-party tool.
Block Microsoft’s snooping using free tools
Between them, Microsoft’s privacy dashboard and your Windows 10 ‘Privacy options’ screen are frustratingly limiting. They make no mention of passwords, Wi-Fi connections, webcam data or biometrics, which are all vital chinks in your Windows 10 privacy armour.
The best tool for controlling these and umpteen more items that compromise your anonymity is O&O ShutUp10 (bit.ly/shutup418). It’s free, portable and very easy to use. The program window is far more detailed and useful than your Windows 10 settings page and uses simple on/off toggles. To quickly set all toggles to O&O ShutUp10’s recommended settings for maximum privacy without sacrificing convenience, click Actions then ‘Apply all recommended settings’. To reapply Windows 10’s default settings, click ‘Undo all changes (factory settings)’. Some settings prompt O&O ShutUp10 to suggest you save a system restore point, in case you want to roll back your Windows 10 settings; click Yes in the pop-up to go ahead.
Microsoft is not a fan of third-party tools that give you control over your own privacy, or indeed over your own PC, so it often blocks programs that give you deep system access. One great telemetry-blocking tool, Win10 SpyStop, mysteriously disappeared from the internet within days of its launch last August, even though it worked very well. Was Microsoft involved in its demise? We’ll leave you to decide.
WHY SCROOGLED SOLD OUT
“Keep calm while we steal your data” went the slogan for Scroogled, Microsoft’s anti-Google privacy campaign (you could even buy the T-shirt: bit.ly/keepcalm418).
The campaign was launched after Google claimed the right to read your Gmail messages and then “provide you with personally relevant product features”, which is still part of Google’s Terms of Service (bit.ly/gterms418). But Scroogled has now been ditched (see what happens when you go to www.scroogled.com). And guess what? Microsoft now claims the right to read users’ emails too.
Following an update in February 2017, Cortana automatically scans your private Outlook.com messages and then nags you to keep any promises you’ve made in them (bit.ly/nag418). The good news for us, at least for now, is that the new feature only applies to Cortana users in the US.
ENCRYPT EVERYTHING YOU DO
Switch to a private search site
If you’d rather not spend ages tweaking your Google settings to make your searches more private, use DuckDuckGo (duckduckgo.com) instead. Unlike many alternative search sites, it’s not connected to Google in any way and isn’t interested in tracking you at all. It doesn’t save your history or log your IP address, and there’s no such thing as a DuckDuckGo account. There are no ads, and your search results aren’t skewed according to who or where the site thinks you are. So as well as being more private, the search results it delivers are more objective.
DuckDuckGo uses HTTPS by default and SSL for extra privacy and security. To translate the jargon, HTTPS (HyperText Transfer Protocol Secure) is a standard that adds security by encrypting all data to and from some websites; and SSL (Secure Socket Layer) means that whatever you type is hidden from anyone who might be monitoring traffic between your browser and the server. You can force websites to use HTTPS by installing HTTPS Everywhere (bit.ly/https418).
Send self-destructing encrypted texts
WhatsApp (www.whatsapp.com) now uses end-to-end encryption to ensure that your messages can’t be read in transit, and it’s significantly more private than SMS. But in the privacy stakes, it’s trounced by Signal Private Messenger (Android bit.ly/sigdroid418, iOS bit.ly/sigios418). Like WhatsApp, Signal also uses end-to-end encryption, but it dispenses with privacy-invading paraphernalia such as accounts, tracking and cloud backups. It even lets you set all incoming and outgoing messages to self-destruct after a chosen number of seconds, minutes or hours. Signal now works in your browser, too – provided that browser is Chrome (bit.ly/sigchrome418).
Fake your location using a VPN
A VPN (virtual private network) such as CyberGhost (www.cyberghostvpn.com) is your private tunnel through the public internet. It spoofs your location to pretend you’re browsing from another country and encrypts all your data. As well as making you anonymous and untrackable, it also unblocks content you’d normally only be able to access in other countries, such as US Netflix. CyberGhost will try to get you to sign up for its paid-for version (from £3.74 per month), but the basic version is free and works on Android and iOS as well as Windows.
Alternatively, you could install Opera (www.opera.com) as a second browser – or just switch to it completely. Opera is completely free and comes with its own VPN and ad-blocker built in. We also like Hotspot Shield’s browser add-on VPN, which works with Firefox and Chrome.
Use Tor for complete anonymity
Tor (www.torproject.org) is the ultimate – and ultimately difficult – way to browse anonymously. This free open-source program is not just a whole new browser but a completely private network – effectively a separate operating system. It cloaks everything you do, offline as well as online.
Tor is legal to use, but there is a slightly dodgy whiff about it because it lets people access the unpoliced Dark Web and conduct criminal activities such as drug dealing and illegal pornography. But if you want total anonymity, you may decide that Tor is worth the effort. Turn to the next page to find out exactly who you’re protecting your privacy from.