6502.org Forum

All times are UTC




Posted: Sun Sep 08, 2013 9:18 pm
Joined: Sat Sep 29, 2012 10:15 pm
Posts: 899
While this is somewhat off-topic, it is a subject of deep concern for me. I think there are enough smart people here to be able to at least put a dent in this problem.

For a variety of reasons, I do not wish to be tracked and have corporations and governments accumulate a dossier on my searches, emails and web activity. Let's assume that there is a valid reason to maintain some level of privacy and avoid the 'I have nothing to hide, do you' or 'There is nothing to do, they will get you anyway' discussion.

First line of defense is to beef up browser security. Firefox with Ghostery, self-destructing cookies and NoScript (even though I often turn it off as it interferes with too many sites) should theoretically be enough, but in practice, the browser fingerprinting information is enough to identify me. My browser is completely unique in the panopticlick database of over 3 million users https://panopticlick.eff.org/.

Avoiding the obvious sites like g**gle is not a solution. More than half of websites (probably closer to 100%) out there use some form of advertising, tracking cookies, website statistics, JavaScript libraries and other junk that connects my browser directly to g**gle.

TOR network actually resolves many of these issues, but it's way too slow, and possibly draws even more attention to me. I have every reason to suspect that many TOR nodes are compromised anyway. A more general-purpose proxy is not a bad idea, but I can't reasonably trust just one of them enough, and they are pretty inconsistent (not all web pages go through, etc).

The main culprit is that each connection from my browser sends an ungodly amount of information to the server, including browser ID and version information, screen resolution, lists of extensions, etc. As I see it, the only way to deal with it is some kind of browser extension that randomly selects from a list of common strings, but not just for the browser ID, but all other parameters.

Does anyone know of an existing extension that does that kind of rotation? Does something like greasemonkey allow you to modify these strings continuously while browsing? Do you have an alternate solution?

_________________
In theory, there is no difference between theory and practice. In practice, there is. ...Jan van de Snepscheut


Posted: Sun Sep 08, 2013 9:59 pm
Joined: Sat Sep 29, 2012 10:15 pm
Posts: 899
Here is how to turn off some of the spying features of Firefox:

geo.enabled transmits location information
keyword.enabled sends data to g**gle for matches while you type in the URL
network.http.sendRefererHeader default(2) sends info about the site that sent you during a clickthrough

Searching for google reveals dozens of references. Some may be removed, at least one (safe browsing time between updates) is hardwired directly to g**gle.

_________________
In theory, there is no difference between theory and practice. In practice, there is. ...Jan van de Snepscheut


Posted: Sun Sep 08, 2013 10:06 pm
Joined: Sat Sep 29, 2012 10:15 pm
Posts: 899
I found a pretty good extension: Secret Agent. It randomizes the strings from a list, and it messes with all the parameters (as long as NoScript disables JavaScript).
https://www.dephormation.org.uk/?page=81

The trick is to create a large list of user-agent strings. Here is a list of almost 80000 I found:
Attachment: user-agents.zip [1.03 MiB]

You have to paste it in the preferences screen. I should find some accept headers (there are only 8 there)...

Try it with panopticlick. While your request is pretty much unique still, each one is different, and fingerprinting should be pretty much impossible. NoScript does have a few consistent bits of information (most people have javascript on, so not having it on is a giveaway), but it seems good enough for now...

_________________
In theory, there is no difference between theory and practice. In practice, there is. ...Jan van de Snepscheut


Posted: Sun Sep 08, 2013 10:30 pm
Joined: Mon Mar 02, 2009 7:27 pm
Posts: 3258
Location: NC, USA
You cannot beef up browser security when 'they' allegedly have the ability to crack all passwords.
I feel that's a lost cause. You might as well realize that everything you see on the internet, they see too.
Support any group that fights for your country's peoples' Constitutional Rights.

_________________
65Org16:https://github.com/ElEctric-EyE/verilog-6502


Posted: Sun Sep 08, 2013 10:42 pm
Joined: Sat Sep 29, 2012 10:15 pm
Posts: 899
As I mentioned before, I want to avoid the "they'll getcha anyways" and "why bother" branches of this discussion.

Let's assume that there is a pretty simple configuration that maximizes your privacy. Most people are too lazy to bother, so let them be tracked. I would like to at least try and remain positive here.

I've been working the 'secret agent' extension, and it's pretty good, I think. The only problem so far: it only has 2 modes - default and stealth. Stealth mode randomly selects the fingerprint every request. It would really make more sense to keep the same print for the session. Some sites (this one included) do not work well when your signature changes and keep trying to log you in again. Unfortunately, default goes back to your original system settings and there is no way to continue the session with the same settings. People don't think their ideas through far enough.

In fact, rotating every request is downright dangerous as it may attract undue attention. For instance when you go to g**gle, it presents you with a search screen and logs your data while leaving a unique url session id with your browser. You type in your search, and your browser sends the unique id while the fingerprint has changed. Now g**gle knows you are a f**cker, and is free to mess around with your results when you click to go to the next page, for instance. It probably logs your IP address on a special list to sell to various agencies at that point, especially if you do that a lot without a proxy.

_________________
In theory, there is no difference between theory and practice. In practice, there is. ...Jan van de Snepscheut
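
Keeping one fingerprint for a whole session, as the post above asks for, means deriving the choice from a per-session secret and the site instead of drawing it fresh on every request. The following is an added sketch of that selection logic, not part of the original post and not Secret Agent's code; the class name and the profile strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed header bundles. Each bundle is used as a unit so the other
# headers always agree with the browser named in the User-Agent.
PROFILES = [
    {"User-Agent": "ExampleBrowser/1.0 (constructed A)", "Accept-Language": "en-US,en;q=0.5"},
    {"User-Agent": "ExampleBrowser/2.0 (constructed B)", "Accept-Language": "en-GB,en;q=0.8"},
    {"User-Agent": "ExampleBrowser/3.0 (constructed C)", "Accept-Language": "en-US,en;q=0.9"},
    {"User-Agent": "ExampleBrowser/4.0 (constructed D)", "Accept-Language": "de-DE,de;q=0.7"},
]


class SessionFingerprint:
    """Pick one profile per host, stable until new_session() is called."""

    def __init__(self, profiles, key=None):
        if not profiles:
            raise ValueError("need at least one profile")
        self.profiles = profiles
        # Random per-session key: the host-to-profile mapping cannot be
        # predicted from outside and changes completely on rotation.
        self.key = key if key is not None else secrets.token_bytes(32)

    def new_session(self):
        """Rotate: from now on every host gets a freshly derived profile."""
        self.key = secrets.token_bytes(32)

    def profile_for(self, host):
        """Return the header bundle to send to this host in this session.

        Keyed on the exact host name for brevity; keying on the site's
        registrable domain would keep subdomains of one site consistent.
        """
        name = host.lower().encode("utf-8")
        digest = hmac.new(self.key, name, hashlib.sha256).digest()
        index = int.from_bytes(digest[:8], "big") % len(self.profiles)
        return self.profiles[index]
```

A login session then sees the same headers on every request, while two different sites, or the same site in the next session, have no shared value to link on from these headers alone.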


Posted: Sun Sep 08, 2013 10:53 pm
Joined: Mon Mar 02, 2009 7:27 pm
Posts: 3258
Location: NC, USA
Right, respectfully, this is my last post here...
When one supports groups that protect your 'Constitutional' freedoms, they are on a higher level than your own individual needs and are more likely to succeed. In fact recently, in our country (USA), the ACLU and the NRA have both recently joined in a lawsuit against the NSA, in this egregious violation of our rights. Most unlikely partners they are/were...

_________________
65Org16:https://github.com/ElEctric-EyE/verilog-6502


Posted: Sun Sep 08, 2013 10:56 pm
Joined: Sat Sep 29, 2012 10:15 pm
Posts: 899
I would like to add a little explanation here, or some of you may think I am a paranoid nut. Of course 'they' can break passwords when motivated enough. However this blanket surveillance is a different issue - it is designed to build a case against everyone pre-emptively, should the need arise. Storage is cheap, so why not record lists of what's on people's minds? The technique of 'gathering dirt' on everyone has been very successful even in the simpler days, and I am sure will cause a lot of grief to many people now that dirt-gathering is an automated process. I think it's irresponsible to not at least try to avoid making it easy.

EDIT: I also don't believe that there is nothing you can do, and you should leave it to large organizations and governments. You can do a lot for yourself, and if enough people do it, things change. I don't care much for NRA or ACLU other than that I am glad they are keeping themselves and the courts busy.

_________________
In theory, there is no difference between theory and practice. In practice, there is. ...Jan van de Snepscheut


Last edited by enso on Sun Sep 08, 2013 11:31 pm, edited 2 times in total.

Posted: Sun Sep 08, 2013 11:03 pm
Joined: Sat Sep 29, 2012 10:15 pm
Posts: 899
Interestingly, I noticed that an anonymizing proxy I sometimes used requires javascript, and my browser subsequently requests scripts from ajax.googleapis.com. This is a complete farce.

_________________
In theory, there is no difference between theory and practice. In practice, there is. ...Jan van de Snepscheut


Posted: Mon Sep 09, 2013 2:32 am
Joined: Tue Jul 24, 2012 2:27 am
Posts: 672
All cookies disabled (not just session-only), enable them per-site as needed.
All javascript disabled with NoScript, only allow per-site scripts as needed, never disable NoScript completely.
Click-to-play for plugins.
AdBlock plus, with all blocking features enabled (you need to opt-in to many of them). Opt out of "non-intrusive advertising", which is on by default.
HTTPSEverywhere.
Use Tor for everything except sites that you need to log into, and those should all be https.
If you're going to be hosting files, put them on FreeNet.
If you're going to host a server, serve it through I2P.

Regarding all the JS libraries hosted at ajax.googleapis.com, does anybody know of a simple way to cache those locally so requests never go out, without using a proxy?

_________________
WFDis Interactive 6502 Disassembler
AcheronVM: A Reconfigurable 16-bit Virtual CPU for the 6502 Microprocessor


Posted: Mon Sep 09, 2013 2:40 am
Joined: Sat Sep 29, 2012 10:15 pm
Posts: 899
White Flame wrote:
All cookies disabled (not just session-only), enable them per-site as needed.

I used to do just that, but lately decided that using SelfDestructingCookies is better. Cookies are allowed on a per-session basis, and self-destruct 10 seconds after the page is closed. Many websites behave better with cookies, and the tracking engines are polluted by new cookies every session. Let them eat cookies, I say.

I've been meaning to check NoScript about ajax. It fakes certain g**gle scripts, but I don't know if there is a generic engine to replace accesses to remote sites with local fetches.

_________________
In theory, there is no difference between theory and practice. In practice, there is. ...Jan van de Snepscheut


Posted: Mon Sep 09, 2013 2:51 am
Joined: Tue Jul 24, 2012 2:27 am
Posts: 672
Oh, I forgot one: Download a hosts file, to send tons of known tracking/ad/etc sites to 127.0.0.1, regardless of what they want.

That description of SelfDestructingCookies sounds like a real step backwards. From your description, you're letting anybody use cookies across site clicks, until you end up closing the browser (ie, your next page will be visited in <10 seconds (actually about 0 seconds) after the prior one closes if you click from it). Your browser should never even be making connections to tracking engines. If something does connect, any cookies should be rejected outright.


Regarding my opinion on such things, I'm just really, really sick of the panoptic direction of the internet, and am seeing how workable it is to take a 100% approach against it. It's not bad, but it's also self-defeating to the experiment to make any allowance for tracking.

_________________
WFDis Interactive 6502 Disassembler
AcheronVM: A Reconfigurable 16-bit Virtual CPU for the 6502 Microprocessor


Posted: Mon Sep 09, 2013 3:02 am
Joined: Sat Sep 29, 2012 10:15 pm
Posts: 899
Perhaps you are right. I was under the assumption that third party cookies are blocked and only site-local cookies stay for the session, but if you are correct, it is indeed bad. Receiving local tracking cookies does not seem to be that much of a problem - allowing the site to track a session is not necessarily evil and may often be necessary. Although I do see your point.

The browser should really isolate cookie sessions between different pages. I don't know if it does or if it just dumps everything into one cookie pile.

It is perhaps good to contain your browsing to sites that just don't require that. This site does not work if your request strings change, for instance, and I am not ready to give it up. I find myself needing the darned g**gle maps every so often, which really irks me as it releases way too much information.

My hosts file is definitely useful, although some hosts files on the net go way too far and block all torrent search engines. Although, it is probably a good idea to avoid these to be honest.

Don't forget the safe browsing issue with firefox. Also, it is an eye-opening experience to search the about:config page for google...

_________________
In theory, there is no difference between theory and practice. In practice, there is. ...Jan van de Snepscheut
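
A downloaded hosts file, as suggested earlier in the thread, is input from a third party: an entry that maps a name to anything other than a local address redirects that name instead of blocking it, and the post above notes that some lists block more than wanted. An added example of vetting such a list before merging it, not part of either post; the function name, the `keep_reachable` parameter and the sample list are constructed.

```python
import ipaddress

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that a stock hosts file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local",
               "broadcasthost", "ip6-localhost", "ip6-loopback"}


def vet_hosts(text, keep_reachable=()):
    """Split a downloaded blocklist into (accepted, rejected).

    accepted: "127.0.0.1 name" lines that only block a name.
    rejected: (line_number, reason) for every entry that does more or less.
    keep_reachable: domains (with their subdomains) that must stay reachable.
    """
    accepted, rejected = [], []
    keep = [d.lower().strip(".") for d in keep_reachable]
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            rejected.append((number, "not an IP address: " + fields[0]))
            continue
        if str(address) not in SINKHOLES:
            # Pointing a name at a routable address redirects it.
            rejected.append((number, "maps to non-local address " + str(address)))
            continue
        for name in fields[1:]:
            name = name.lower().strip(".")
            if name in LOCAL_NAMES:
                continue
            if any(name == d or name.endswith("." + d) for d in keep):
                rejected.append((number, "would block wanted site " + name))
            else:
                accepted.append("127.0.0.1 " + name)
    return accepted, rejected


# Constructed sample list; 203.0.113.7 is a documentation-range address.
SAMPLE = """# constructed blocklist
127.0.0.1 localhost
127.0.0.1 tracker.example ads.example   # two names on one line
0.0.0.0 metrics.example
203.0.113.7 login.bank.example
127.0.0.1 maps.wanted.example
not-an-ip broken.example
"""
```

Only the accepted lines are appended to the system hosts file; the rejected list is what to read before trusting the source again.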


Posted: Mon Sep 09, 2013 5:14 am
Joined: Thu May 28, 2009 9:46 pm
Posts: 8169
Location: Midwestern USA
Secure Connection Failed

An error occurred during a connection to panopticlick.eff.org.

The OCSP server has no status for the certificate.

(Error code: sec_error_ocsp_unknown_cert)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

_________________
x86?  We ain't got no x86.  We don't NEED no stinking x86!


Posted: Mon Sep 09, 2013 5:41 am
Joined: Tue Nov 16, 2010 8:00 am
Posts: 2353
Location: Gouda, The Netherlands
If I were running the surveillance program, I'd look for people running Tor, avoiding google, and running browser extensions to enhance privacy. And then I'd get all their internet traffic at packet level and examine that instead.


Posted: Mon Sep 09, 2013 8:20 am
Joined: Sun Apr 10, 2011 8:29 am
Posts: 597
Location: Norway/Japan
There are very good reasons to block tracking which has nothing to do with NSA monitoring. It's about advertising. On Android, if you use the stock browser and all the stock tools everything you do is tracked. This results in "targeted" advertisements on web sites you visit. I find this extremely annoying.

It's easy to see the difference - on my desktop that tracking doesn't really happen, I use noscript which permanently blocks most of the g. ad-api tracking, and the firewall blocks most of the rest, Privoxy fixes more, and I use several different accounts and lots of browsers at the same time so that I can both be logged in to a gmail account without being logged in if I do something else (and there are other reasons to use different browsers and different accounts - can't start different instances of the same browser without different accounts. Not even on a different computer). IP address doesn't really matter - I VPN it through work which NATs everything to the same address as everyone else is using.

Anyway, on my desktop the advertisement pattern (to the extent that it slips through Privoxy, or when I don't use Privoxy) is completely different from my Android experience. No "targeted", super-annoying ads. Just generic stuff.

(Obviously on Android I don't use my desktop gmail account - the one they're tracking for their ad-pushing is a different entity not used elsewhere.)

I have been fighting advertisements all the time since the graphical browser was invented and the first advertisements appeared. I don't mind generic, non-dominating, static advertisement pictures, or textual advertisements, but since (at first) moving banner ads, and now flash-based ads, and, worst of all, "targeted" ads appeared I've been applying every possible trick I can think of to get rid of it. I can't stand it. From what I can tell advertisers are not very intelligent. They don't seem to understand a lot of their supposed audience. It doesn't help to shout louder to get their message over. As for TV, whenever a particular channel started to get very intrusive with their ads (first starting to appear in the middle of shows, then several times per show, then for longer) I simply stopped watching that channel. Most of them are pay channels anyway so now I don't even have to pay them. Too intrusive advertisement? I'm out of there and won't see it ever again.

-Tor

