
How to Avoid Leaving Tracks Around the Internet - cloudyo
https://www.nytimes.com/2019/10/04/smarter-living/10-tips-internet-privacy-crowdwise.html
======
saagarjha
> If you’re in that category, Ms. Winterton recommended Ghostery, a free plug-
> in for most web browsers that “blocks the trackers and lists them by
> category,” she wrote.

I’m not sure I can recommend Ghostery, as their business model is a bit
suspicious:
[https://en.wikipedia.org/wiki/Ghostery#Criticism](https://en.wikipedia.org/wiki/Ghostery#Criticism)

> Using websites whose addresses begin with https are also safe; they, too,
> encrypt their data before it’s sent to your browser (and vice versa).

Safe from your public Wi-Fi operator. Not from the company with a tracking
script on the page.

> You don’t sign into Apple Maps or Safari (Apple’s web browser)

You sign into the OS, though.

> You never want to tell Facebook where you were born and your date of birth.
> That’s 98 percent of someone stealing your identity!

I can literally Google this information. We need to stop treating knowledge of
public data like this as some sort of identity metric.

~~~
pteraspidomorph
I would suggest Privacy Badger nowadays (as a complement to the irreplaceable
uBlock origin).

~~~
aesh2Xa1
Does Privacy Badger do something that uBlock Origin does not?

~~~
rectang
They have different purposes. Privacy Badger is not there to block all ads; it
exists to block _trackers_.

For websites I like, I turn off uBlock Origin but leave Privacy Badger
enabled.

~~~
cassianoleal
Have you been able to compare that with Firefox's latest native tracker
blocker?

So far to me that's been pretty good to the point I stopped using Privacy
Badger (which I agree is pretty good too!).

------
not_kurt_godel
The omission of "Disable third party cookies" is fairly shocking. From my
understanding, it might be the single most effective thing you can do to
reduce tracking. Whenever I get the chance, I recommend the following pieces
of Internet hygiene to anyone and everyone I can:

* Disable 3rd party cookies

* uBlock Origin

* Privacy Badger

* HTTPS Everywhere

These things are all dead simple and will significantly reduce your
trackability. Of course they are far from comprehensive or perfect, but it's
the Internet equivalent of washing your hands after you go to the bathroom.

~~~
Mediterraneo10
Won’t disabling third-party cookies render certain payment gateways unusable?
While such advice may be very welcome among savvy computer users who know when
they should temporarily turn third-party cookies back on, the NYT is unlikely
to give advice that will break online shopping for large numbers of people.

~~~
not_kurt_godel
I've had 3p cookies disabled for years and never experienced an issue with
payments. But, it may be that I don't pay for things as often as others. My
recommendations will slightly break some things like embedded Twitter posts
but it's rare that I experience a site being functionally impacted in ways I
care about.

------
cloudyo
> Use a private cloud, so that your data is in your control.

We've actually developed a self-hosted private cloud solution as a substitute
for Dropbox for exactly these reasons. Basically a private Dropbox at home (no
complicated installation and no server needed).

We're currently in beta, could interest a few in this thread!
[https://www.duple.io/en/](https://www.duple.io/en/)

The point is to have a product that works just like a Dropbox, as simple and
straightforward, but that is actually private with no one interfering,
playing, accessing or reading your data.

~~~
alpaca128
Somehow I don't understand how you say Syncthing's disadvantage in comparison
is that it's a P2P system[1], but at the same time your website says duple
doesn't need a server.

Maybe I've misunderstood, but this sounds just like Syncthing with an always-
on client - except for the file versioning, that sounds like an interesting
feature to me.

[1] [https://blog.duple.io/what-is-the-point-of-duple/](https://blog.duple.io/what-is-the-point-of-duple/)

~~~
windexh8er
Agreed.

I've been using SyncThing for over 4 years and while it has a few rough edges
(synced/shared/global file ignore would be great) still it's been fully
reliable and a generally great user experience. So if you're trying to cater
to existing SyncThing users don't mince words to make it appear that something
which you claim is a negative with SyncThing doesn't exist in your product -
which it clearly does.

SyncThing has a huge advantage: years of trust. They have been around since
2013 and continue to crank out features and builds consistently. Duple hasn't
been around for _one_ year at the time of this writing. Beyond that it's clear
from the Duple site that its main goal is to take my data and file
replication hostage via licensing fees. I'm curious how or why I'd donate
before I've even installed the Beta (based on your click flow to even reach
the downloads page)? No thanks.

Also, let's clarify something Duple has wrong...

Duple states: "Syncthing is P2P, so you get the disadvantages along with it
e.g. all your devices need to be turned on at the same time. If not, you get a
desynchronisation between your devices and create conflict." - This is wrong.
You _do not_ need all your devices on at the same time with SyncThing. Yes, it
is true that it's good to have a device with a consistent state, however it's
not required. The second part of the statement is FUD. When conflicts happen
it's generally around odd permissions or file updates with regard to
versioning. This was more problematic in versions prior to 1.0. At this point
in time I haven't run into this issue other than because of disparate problems
caused by file permissions which SyncThing does a great job preserving.

Duple also states SyncThing has no iOS support and yet, itself, has neither
iOS nor Android. Or Windows... Or an open source repo of what I'm supposedly
using.

In my mind Duple doesn't compete with SyncThing and, really, never will. But
here's the thing... Don't pretend to compete where you don't. SyncThing users
aren't looking for Duple. You'd do yourself a better service to take that
verbiage out because all it did for me was give me the impression that Duple
is lying about competitors that they simply didn't take the time to
understand. That leaves a bad impression in my mind.

~~~
jjeaff
I'm sure what they mean by all devices needing to be on and connected, is that
if only one device is connected, there will be nothing to sync to. So if I
take some photos while on vacation, but my desktop at home is asleep, then I
can't sync my photos to it. So if I lose my phone before then, I'm sunk.

Of course this is fixed by simply having the desktop on all the time, which
would then make it similar to a client server setup.

~~~
windexh8er
Well, they don't say that so it doesn't really matter what they mean. And they
imply that by not having a device on all the time it is the cause for
synchronization issues which is completely incorrect.

If I take photos on vacation and throw them in a sync'd folder the next time
both devices are online they will resolve the new file delta between that
shared folder. That doesn't imply I _always_ need one or the other device
online. The more devices syncing the less likely it is that only one would be
online at a time, but again there's no requirement there for an always on
device.

Anyway... SyncThing is fantastic for users who are willing to invest some time
learning how the software works. Every paid-for product seems to cater to the
"it just works" mentality, thereby sacrificing control to me, the user, to
handle situations that can't be handled by overly simplified, cloud-first,
lock-the-user-into-our-licensing-model solutions. And don't get me wrong,
those are fine for many people. For users who want more control via more
responsibility, SyncThing is great. But I don't like how they are
spreading FUD about it just to get some name association.

------
mirimir
OK, it's not horrible advice.

But there's no mention of Tor, which is arguably the best available way to
"avoid leaving tracks around the Internet". And better yet, using Whonix,
which prevents leaks around Tor.

Using multiple email addresses is good. But if you're sloppy about browser
hardening, they'll all get linked.

More generally, there's compartmentalization. Not just multiple email
addresses, but multiple VMs, connecting through different VPNs, and/or Tor
instances. Modern machines can run several Linux VMs, and switching among them
is as easy as switching among app windows.

So basically you can present online as many different personas. Even if
everything that each persona does gets linked, it won't get linked to other
personas. If you're careful, anyway.

~~~
cartoonworld
> More generally, there's compartmentalization. Not just multiple email
> addresses, but multiple VMs, connecting through different VPNs, and/or Tor
> instances. Modern machines can run several Linux VMs, and switching among
> them is as easy as switching among app windows.

Shout out to [https://www.qubes-os.org/](https://www.qubes-os.org/) Qubes OS,
an Open Source research implementation of this concept on the OS level. BYO
OPSEC.

~~~
mirimir
Yeah, love Qubes too.

The learning curve for that is steeper than for VirtualBox, however. As is,
with absolutely no doubt, the security level. In that it uses a hardened
version of the Xen hypervisor. That also means tighter hardware requirements,
however.

~~~
cartoonworld
I agree fully. I would be really interested in generalizing their security
model amongst more (probably inadequate) hardware. We can dream :)

~~~
mirimir
Some years ago, after reading beta-level posts about Qubes, I implemented as
best I could in VirtualBox. I used pfSense VMs as VPN gateways, and Linux VMs
for workspace.

While I was at it, I used multiple pfSense VMs to create nested VPN chains.
Sort of like Tor circuits, but static (so much less anonymous) but also much
faster.

Then Whonix came along. And it works very well with nested VPN chains.

------
dt3ft
Oh the irony. Reading this article requires me to give away my e-mail
address...

~~~
seriocomic
Or click the "Reader Mode" in Firefox? (YMMV).

~~~
mirimir
Yes, if you do it fast enough, before the paywall loads.

------
elorant
Install uMatrix and block all 3rd party JavaScript. It breaks functionality in
some sites that embed social networks' widgets, but other than that works like
a charm. As a bonus sites load at least 30% faster.
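
Added example (not from any commenter in this thread): a small Python classifier that approximates the two rules recommended above, "disable third-party cookies" and "block all third-party JavaScript". It decides first- vs third-party by comparing the registrable domain (eTLD+1) of each sub-resource with that of the page, which is the same-site notion browsers use. `PUBLIC_SUFFIXES` is a tiny constructed subset of the Public Suffix List, and the page URL and request list are constructed samples; a real implementation would load the full list.

```python
"""First-party or third-party?  (added example, not from the thread)

Approximates "disable third-party cookies" and "block all third-party
JavaScript" by comparing the registrable domain (eTLD+1) of each
sub-resource with that of the page. PUBLIC_SUFFIXES is a constructed
subset of the Public Suffix List; PAGE and REQUESTS are constructed samples.
"""
from urllib.parse import urlsplit

# Constructed subset of public suffixes (the real list has thousands of entries).
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname: 'cdn.adtracker.com' -> 'adtracker.com',
    'news.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    # Scan from the full host downwards: the first (longest) suffix match wins,
    # and the label just before it is the registrable domain.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # unknown TLD: treat the whole host as the site


def is_third_party(page_url: str, resource_url: str) -> bool:
    """True when the resource's site differs from the page's site."""
    page_host = urlsplit(page_url).hostname or ""
    res_host = urlsplit(resource_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(res_host)


def apply_policy(page_url, requests, block_scripts=True, block_cookies=True):
    """requests: iterable of (kind, url), kind in {'script', 'cookie', 'image'}.
    Returns {'allowed': [urls], 'blocked': [urls]} under the chosen policy."""
    blocked_kinds = set()
    if block_scripts:
        blocked_kinds.add("script")
    if block_cookies:
        blocked_kinds.add("cookie")
    result = {"allowed": [], "blocked": []}
    for kind, url in requests:
        if kind in blocked_kinds and is_third_party(page_url, url):
            result["blocked"].append(url)
        else:
            result["allowed"].append(url)
    return result


PAGE = "https://news.example.co.uk/story/123"  # constructed
REQUESTS = [  # constructed sample of what one page load might fetch
    ("script", "https://static.example.co.uk/app.js"),
    ("script", "https://cdn.adtracker.com/pixel.js"),
    ("cookie", "https://www.example.co.uk/"),
    ("cookie", "https://sync.adtracker.com/match"),
    ("image", "https://img.adtracker.com/1x1.gif"),
]

if __name__ == "__main__":
    for label, urls in apply_policy(PAGE, REQUESTS).items():
        print(label, urls)
```

Note that the image from the tracking domain is still allowed under this policy: blocking third-party cookies and scripts stops state and code, not a plain pixel request, which is why the thread's commenters layer several tools rather than relying on one rule.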

~~~
freedomben
Exactly my experience, going on 3 to 4 years now. Spend the time to learn
uMatrix. It's an incredible investment into yourself and your web experience.
I barely browse on mobile anymore since I don't have uMatrix, although Brave
does allow blocking scripts and some stuff quite easily. Highly recommend
Brave on mobile.

~~~
chopin
I have Firefox and uMatrix on mobile. It is not as seamless as desktop but
bearable.

~~~
freedomben
Nice, thanks for the tip! I'll have to give it a try.

------
okasaki
> Apple’s privacy website reveals many examples: You don’t sign into Apple
> Maps or Safari (Apple’s web browser), so your searches and trips aren’t
> linked to you.

Not linked... in a way visible to you.

------
hbcondo714
> Avoid unnecessary web tracking

Google is just one of 100+ ad networks that show you personalized ads. You can
turn off ads personalization from Google or any of the other participating ad
networks here at [http://optout.aboutads.info/](http://optout.aboutads.info/)

Source: [https://adssettings.google.com](https://adssettings.google.com)

~~~
joosters
Just because they no longer show you personalised ads doesn't mean they have
stopped tracking you...

~~~
TheVikingOwain
In fact I’d argue it means they have to track you. And telling them your
preference gives them another data point on you.

------
savvyraccoon
Step 1 - do not create a free account or log in to read The Times

------
semiotagonal
> Nearby patrons, using their phones or laptops, can easily see everything
> you’re sending or receiving — email and website contents, for example —
> using free “sniffer” programs.

Is the author assuming the absence of https encryption here, or is there some
widely available exploit I don't know about?

~~~
9dl
mitm for weak https exists

All "antiviruses" use it

------
known
[https://archive.is/QiBdd](https://archive.is/QiBdd)

~~~
dt3ft
Thanks for the effort, but this link does not work. The host is not
responding.

Edit: sorry, my bad, cloudflare 1.1.1.1 resolves it as 127.0.0.5. Someone
ought to check that out...

Edit2: apparently this is a deep rabbit hole:
[https://community.cloudflare.com/t/archive-is-error-1001/182...](https://community.cloudflare.com/t/archive-is-error-1001/18227/10)

------
codedokode
What about fingerprinting? Fingerprinting allows tracking a browser even in
private mode or if you anonymize your IP address. You should disable WebGL
right now because it is absolutely unnecessary, almost never used and its only
purpose is to collect information about your video card.

------
brassattax
I had to clear my NY Times cookies to read the article. The irony.

------
orangepanda
> A few more suggestions:

> “Create a different email address for every service you use,” wrote Matt
> McHenry. “Then you can tell which one has shared your info, and create
> filters to silence them if necessary.”

Obligatory mention - for gmail you can suffix your email address with a
service name by using +, e.g., johndoe+adobe@gmail.com will be delivered to
johndoe@gmail.com. So if a service leaks your data or sells your email, you’ll
know who to blame.

Although the article recommends not to use gmail, it’s a neat trick if you’re
stuck with it.

"Forget password" becomes unusable though, since you’ll probably forget what
suffix you used for each service.

~~~
inapis
Oh companies have become smarter about it! Even the scammers I suspect! Many
won’t accept + in the email address and I think now it’s well known enough
that most scammers will run a regex to detect and remove the + sign.

Useful workaround is to have unique aliases on a domain name you control.
Can’t get around that with a minute of work!
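
Added example (not from any commenter in this thread): Python that compares the two tagging schemes discussed above, Gmail-style plus suffixes (`johndoe+adobe@gmail.com`) and one alias per service on a domain you control (`adobe@mydomain.com`, delivered by a catch-all). `strip_plus_tag()` is the kind of normaliser a list-cleaning script applies; it collapses every plus-tagged address to one base address but has nothing to strip from a domain alias. `leaked_service()` answers the question the thread raises, which service an unsolicited message was issued to. All addresses are constructed samples.

```python
"""Which address did the message come to?  (added example, not from the thread)

Compares Gmail-style plus tagging with per-service aliases on your own
domain. All addresses below are constructed samples.
"""
import re

# local+tag@domain ; neither the local part nor the tag may contain '+' or '@'
PLUS_TAG = re.compile(r"^([^+@]+)\+([^@]+)@([^@]+)$")


def strip_plus_tag(address: str) -> str:
    """Canonical form a list-cleaner would produce: drop the +tag, lowercase."""
    a = address.strip().lower()
    m = PLUS_TAG.match(a)
    return f"{m.group(1)}@{m.group(3)}" if m else a


def plus_tag_of(address: str):
    """The service label carried in a plus-tagged address, or None."""
    m = PLUS_TAG.match(address.strip().lower())
    return m.group(2) if m else None


def alias_of(address: str, my_domain: str):
    """For catch-all aliases on your own domain the local part is the service label."""
    local, _, domain = address.strip().lower().rpartition("@")
    return local if domain == my_domain.lower() else None


def leaked_service(address: str, my_domain: str = None):
    """Given the To: address of an unsolicited message, name the service it was issued to."""
    tag = plus_tag_of(address)
    if tag:
        return tag
    return alias_of(address, my_domain) if my_domain else None


def group_by_base(addresses):
    """How a list-cleaner sees the addresses: plus-tagged ones merge, aliases stay distinct."""
    groups = {}
    for a in addresses:
        groups.setdefault(strip_plus_tag(a), []).append(a)
    return groups


SAMPLE = [  # constructed
    "johndoe+adobe@gmail.com",
    "johndoe+twitter@gmail.com",
    "adobe@mydomain.com",
    "twitter@mydomain.com",
]

if __name__ == "__main__":
    for base, members in group_by_base(SAMPLE).items():
        print(base, "<-", members)
    print(leaked_service("johndoe+adobe@gmail.com"))
    print(leaked_service("twitter@mydomain.com", "mydomain.com"))
```

The grouping output is the whole point: the two Gmail addresses fold into a single base address after normalisation, while the two domain aliases remain separate entries with no base address to recover.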

~~~
garren
fastmail supports a variation of this: if my email is me@mydomain.com, then I
can use service+me@mydomain.com, or better service@me.mydomain.com (or
anything@me.mydomain.com). It seems like it'd be a little less obvious to
scammers.

~~~
johnpowell
With fastmail you can just make an alias. My address is me@mydomain.com and in
the settings you can make an alias where you can just use something like
garbage@mydomain.com

[https://i.imgur.com/UWoU4NA.png](https://i.imgur.com/UWoU4NA.png)

~~~
atomwaffel
Fastmail also lets you use wildcards and catchall addresses, giving you
infinite email addresses whenever you need them, with no way to tell what
“base address” they resolve to internally.

For example, my Twitter address might be twitter@mydomain.com, my Google
address google@mydomain.com and so on. All of those go straight to my inbox
unless I decide to set up individual filters for them.

The downside is that I can’t easily migrate to a service that doesn’t support
this.

------
Moeg
An article about how to not leave tracks on the internet requires me to sign
up to read said article. Magnificent.

------
vonseel
CVS receipt coupons are based upon previous purchases + like 15% randomization
in related categories (or maybe just random promotions they have going).

My CVS coupons are nearly always for an antacid, nicotine cessation, or
allergy medicine - then I usually get a few extra coupons for something that
surprises me like beauty products or facial cleanser.

There’s nothing Google involved with the CVS coupons, I’d bet money on that.

------
gorgoiler
I don’t know how one would know short of a leak if Facebook’s
track_ip_addresses.php, but is there any sense of how IPv6 is being aggregated
by trackers to track identity?

We have a /48 at home using IPv6 privacy extensions for the full address but
that isn’t a useful component of a strategy if I’m being identified by the /48
rather than the full 128-bit address.
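
Added example (not from any commenter in this thread): Python that measures the exposure the comment above worries about. IPv6 privacy extensions randomise the 64-bit interface identifier, but the prefix an ISP delegates (a /48 in the comment's case) is shared by every device behind it, so the question is how many distinct "identities" a tracker sees at each prefix length. `identities()` groups observed addresses by prefix, and `has_eui64_marker()` checks whether an address still embeds a MAC-derived identifier (the `ff:fe` bytes in the middle of the interface ID), i.e. whether privacy extensions are actually in effect on that device. The sample addresses are constructed in the `2001:db8::/32` documentation range; how any particular tracker keys its records is not something the page establishes.

```python
"""What does a tracker see if it keys on an IPv6 prefix?  (added example,
not from the thread)

SAMPLE is a constructed set of addresses in the 2001:db8::/32 documentation
range, standing in for what one household's devices might present over time.
"""
import ipaddress
from collections import Counter


def prefix(addr: str, length: int) -> str:
    """Network that `addr` falls in at the given prefix length, e.g. '2001:db8:abcd::/48'."""
    return str(ipaddress.ip_network(f"{addr}/{length}", strict=False))


def identities(addrs, length: int) -> Counter:
    """Distinct prefixes a tracker keying on `length` bits would count, with hit counts."""
    return Counter(prefix(a, length) for a in addrs)


def has_eui64_marker(addr: str) -> bool:
    """True if the interface identifier carries the 0xfffe marker of a
    MAC-derived (modified EUI-64) address, i.e. privacy extensions are not in use."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return ((iid >> 24) & 0xFFFF) == 0xFFFE


SAMPLE = [  # constructed
    "2001:db8:abcd:1:3c4e:91ff:fe2a:1b55",  # MAC-derived IID (ff:fe marker)
    "2001:db8:abcd:1:d4f2:7b9e:0c11:aa02",  # temporary address, same /64
    "2001:db8:abcd:2:8a17:ee03:5f60:1c9d",  # another subnet of the same /48
    "2001:db8:abcd:2:0f0f:1234:5678:9abc",
    "2001:db8:ffff:7:11aa:22bb:33cc:44dd",  # a different delegation
]

if __name__ == "__main__":
    for length in (128, 64, 48):
        print(f"/{length}: {len(identities(SAMPLE, length))} distinct identities")
    print({a: has_eui64_marker(a) for a in SAMPLE})
```

On the sample, five distinct full addresses collapse to three /64s and two /48s: randomising the interface ID defeats linking on the full address only, and the first address shows what an interface looks like when privacy extensions are not actually enabled.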

------
oriettaxx
they forgot the best tip nowadays which is:

* declare you are from EU even if you are not

then any provider is damned scared of messing with your privacy

------
buboard
Unreadable. Does it mention E2E? It's way past time for tech to get serious
about E2E, ignoring warnings and pleas from greedy governments. People have a
right to communicate without being constantly surveilled, and it's the most
serious track they leave.

------
gocartStatue
I find this:

> Log in or create a free New York Times account to continue reading in
> private mode."

quite ironic :)

------
fonosip
For a public cloud replacement, try
[https://ba.net/privatecloudoffice](https://ba.net/privatecloudoffice)

------
MikeGale
I'm not familiar with a survey of how many know these things (and the good
suggestions made here).

My suspicion is that few know, and fewer are doing it.

An important goal? Help those who care enough become aware enough to take
action.

------
known
[https://www.torproject.org/download/](https://www.torproject.org/download/)
is the best

------
9dl
That's what it looks like when someone gives advice while knowing nothing
about the industry and tech.

And that is not even funny

------
leoh
No mention of using encrypted DNS. Or did I miss it?

------
tejtm
well, we can't blame it on their head of cyber security.

~~~
goatinaboat
Can you expand on this?

~~~
tejtm
NY Times recently fired/made redundant their head of cyber security:
[https://news.ycombinator.com/item?id=21329453](https://news.ycombinator.com/item?id=21329453)

------
soulofmischief
Is this the level of technical competency needed to work at the New York
Times? How much do they pay?

~~~
snlnspc
if you look up some info on this writer, I think you'll find competency was
not considered

~~~
saagarjha
Hey now, there's no need to attack the author like this.

~~~
fattire
"Safari’s “don’t track me” features are turned on as the factory setting."

~~~
saagarjha
I'm not sure where you're going with that comment.

------
Causality1
I think there are different categories of "tracks". One category is marketing
tracks, which include cookies, browser profiling, tracking scripts, etc. This
is the one most discussion on HN is aimed at and most people find personally
offensive but aren't materially harmed by. The second is legal tracks, which
is exposure to harm from legal authorities for activities such as piracy,
political activism, and various types of forbidden speech under different
legal/national regimes. The third type is personal tracks, which I categorize
as the ability for private individuals or groups to connect your online
presence to your real self. That is the one I'm most concerned with, as
internet users seem almost entirely unconcerned about it but it has far more
potential to harm you than Google knowing your sexual fetishes. Nobody cares
that they're exposing their real name and face to millions of people and it
only takes one lunatic who decides your activities or opinions are worth
trying to ruin your life to cause you a world of hurt.

