Is your browser a spy?

"You can be traced on the Internet through Facebook and new web technologies—but there are still things you can do in such cases."

Your browser is a constant companion online: it knows what news sites you read, where you shop and in which communities you spend hours participating in. Your browser probably knows you better than your best friend. But Firefox and its friends don’t keep this information to themselves; they disclose private and even juicy tidbits about your life to those who have the right kind of access. We will show you where and how you reveal more about yourself than you’d think, and how you can protect yourself from such software

Social networks lead the assault

The fact that online communities contain a lot of information about a person is not new. But one leaves traces behind not only on Facebook, but also on the rest of the Web. The reason for that is the ‘Like’ button on Facebook, which can be found on hundreds of websites outside of the actual social network. Facebook provides website owners with the option of integrating the button on any site on the Internet, and it’s remarkably easy to do. Users can then click on it and inform their friends on Facebook that they like the particular site. This is done voluntarily of course, but what many don’t know is that if one is logged in as a Facebook user in one tab and simultaneously surfs on a site with the ‘Like’ button in another tab, Facebook can track the surfing behaviour—irrespective of whether one clicks the button or not. Professor Dr Mario Fischer, editor of the magazine ‘Website Boosting’ says "It is not known if Facebook traces the surfing behavior, but this can be expected in light of the settings announced by its founder."

             Other social networks have their own quirky behaviors. Users of Xing, a professional networking site, can be tracked easily. A simple trick can help members fi nd out which other logged-in Xing users have visited their profi les. To do this, they have to embed the bogus HTML line

<img.src="http://www.xing.com/

profi le/Firstname _ Lastname">

in their website, which essentially pings their own profile page. The person whose profile was specified now sees the name, profession and further information about surfers who have visited the site, under the ‘Visitors’ log. 

             To save yourself from this kind of tracking by networks that you are a member of (including mail, chat, social networks etc), always specifically log out of them. It’s not enough even to close the respective browser tab. This is often easier said than done, since many users prefer staying permanently signed in to their communities, but it ensures that your surfing behaviour cannot be linked to your profiles. Firefox users can use an add-on called Prism that loads websites like self-contained applications that run in parallel to the actual browser. Not only is this convenient, but it also protects your privacy, since you are eff ectively using a different Firefox profile. Even the new IE9 comes with this function; an add-on is not required. You only have to pin the site’s shortcut to the taskbar using drag and drop.

Finger print The site panopticlick.eff.org shows that your browser is as
 unique as a fingerprint—and you can be identified through it.

Supercookies act as homing devices

If, for example, you are currently searching for information about a new hard drive on an electronics store’s website, chances are that the entire web will soon know about it. In the most intrusive situations, the item in question is suddenly advertised with alarming frequency no matter which other websites you visit. Cookies left behind by the shop on your computer make this possible. You will notice that the advertising pattern goes back to normal once you rid your browser of these cookies—at least in a normal scenario. However, hacker Samy Kamkar wants to prove that this supposition is outdated. Kamkar is not an unfamiliar name in

security circles; he caused quite a stir in 2005 by publicizing a MySpace bug, using which he cheated a million other users in just 18 hours. 

           This time he has caused turmoil with a bit of JavaScript code that he calls Evercookie. The snippet is supposed to be able to set a persistent cookie that the user cannot easily detect or remove. Kamkar's trick uses 13 individual components that are saved in diff erent locations using diff erent protocols and storage techniques, including everything from  standard HTTP to Flash to HTML5 storage data. Each piece of the puzzle is enough to completely restore Evercookie. If you delete all cookies from the PC, there is still information embedded in an additional PNG file that Kamkar (or anyone with the right knowhow) can read using HTML5 techniques. Kamkar provides Evercookie’s technology for free to anyone who wants it, on his site www.samy.pl. He is not scared of companies using it. The hacker tells CHIP "I am not afraid that programmers will use Evercookie. What worries me most is that many companies have been using similar techniques for a long time. I only want to expose what many companies try to hide." Tracking occurs without anything being noticed, without installation, and across all browsers, so long as Flash is installed. The new HTML5, which is already being used on some sites, makes anonymous surfing even less easy (see box). If you really want to surf incognito on the web, use a portable browser (such as Portable Firefox), even on your own computer. Designed for USB pen drives which can be moved anywhere, these browsers do not retain information from websites, and don’t save anything to the computer’s hard drive. In our tests, evercookie could not restore any user data here. According to Kamkar, even Safari in private mode leaves no traces behind.

Browsers in Private Mode are still untrustworthy

The private mode, which is now available in all browsers, does not provide any magic guarantees that you can’t be snooped on. Though the browser leaves behind fewer tracks, Flash and other plugins such as Adblock Plus are not affected by such settings, and continue to divulge more information than most people realize. While browsers delete HTTP cookies, history and search queries in private mode, they have no control over Flash, which also collects its own cookies which remain on the PC. To make it even worse, these files cannot be managed by the browser; only the Flash plugin itself has access to them, and that too only via Adobe’s own website. If you surf through a site with Flash content in private mode, anyone with access to the same computer can read the history through Adobe's ‘Website Storage Settings’ panel. You can find the web tool at Adobe’s website and delete any Flash cookies that might be tracking you.  Adobehas released a new version of its Flash plugin; version 10.1, which now supports private browsing. However, not everyone upgrades to the latest version in time!

         Even the Firefox ad blocker Adblock Plus needs to be patched. If one allows a site to display ads in private mode, they can be tracked in the normal mode at all times: the filter lists, in which these exceptions are entered, can be accessed in both the modes. To stay safe, always update Flash player; this will improve your privacy. In Adblock Plus, it helps to disallow all sites from showing ads in the private mode. Alternatively, under ‘Tools | Adblock Plus – Settings’ in Firefox, check the list to see if it contains sites that you don’t want seen, and then delete these manually.