Google takes sole stand on privacy, rejects new rules for fear of 'authoritarian' review Google has blocked a proposed revision of the charter of the Privacy Interest Group (PING), a part of the W3C web standards body, over concerns that establishing an unchecked "authoritarian review group" will create "significant unnecessary chaos in the development of the web platform." The PING's job is to ensure that …
I hear China et al. are great at suppressing, erm, unnecessary chaos and are very good at creating stable and supportive environment for development. I hear some call it "stabilised society". There is apparently plenty to learn from them.
(tl;dr post)
I figure I'll be down voted for saying this, but true privacy cannot be accomplished on the internet unless one does all of the following:
1. (Most important) Use a VPN or Proxy server.
2. Use an ad blocker.
3. Disable 3rd party cookies.
4. Disable JavaScript.
5. Use a good browser like Firefox or Opera (Not the Google Chrome spyware).
I'm sure there are other things, but that's what comes to mind right now. Using a VPN or proxy server is very important because servers log connections. In those logs, you see what address was connecting, time/date of the request, what was requested, possibly even the user-agent string of the browser if the server is configured for it. What Apache logs (the web server software that I use) can be fully configured. Logging the IP address and the time/date is important in case legal action needs to be taken. With an IP address, you can find out what ISP someone is using. In some cases, if there is a reverse lookup record, a general geographical location can be deduced as well. So with some basic log analysis, you can tell which IP addresses requested which pages, and how long people stayed on those pages as well. And this is from just what the server software logs.
Many websites today make money by showing advertisements to us. Unlike the server logs which can only track what users do on the site or sites that the server controls, advertisers can track users from page to page, site to site, and server to server. Many websites use the same set of advertisers, so they will set a cookie on your browser and use that cookie to track you around the internet. Since your browser is connecting to the advertiser's servers, they are logging everything they can. So they can tie IP address, user-agent, and cookies together to create a unique identifier they use to accumulate information about you. This is why you should block 3rd party cookies. Although they can still track you via IP address and user-agent string, it may not be as unique. And let us not forget about the do-not-track setting in most browsers. I don't know of anyone who actually honors that, so it's basically a non-functioning feature. Most, if not all browsers, have a setting that disables the browser's ability to save cookies between browsing sessions (aka allow only session cookies). So closing the browser causes all cookies to disappear. Opening the browser again gives you a clean slate, cookie wise.
Although I did mention disable JavaScript, in this day and age, disabling JavaScript will break much of the internet. Many sites today utilize things like Ajax, jQuery, Bootstrap, etc... which requires JavaScript to function. Additionally, the current trend in web development is to not send HTML from the server, but to send JSON objects and offload everything to the client. This reduces processing on the server so more clients can be handled with the same hardware. When you request a page, you get an HTML document that the browser interprets. That will be the only HTML that the server will send. It tells the browser to go and download a bunch of style sheets and script files. From there, all document rendering data is sent via JSON and is processed on the client side. It used to be XML, but now JSON is king because it's easier for the client to process. No need for an XML interpreter.
Google Chrome is a very popular browser, but it reports everything back to Google. However, I did a forensic analysis of Chrome's incognito mode, and it is very good. Nothing is reported to Google, nothing is saved on the machine. No cookies, no history, nothing. The only thing you might find is some memory artifacts that have been saved to swap space. If your system is setup to clear swap on shutdown, or you are using an encrypted swap file, there won't be anything on the machine. So if you just use Chrome's incognito mode, then go ahead. It won't track you.
My final point though is this: Google does not want privacy on the internet because that will directly impact their revenue stream. Google built itself on advertisement. It charges those advertisers a lot of money for access to their platform. Additionally, Google also makes money by selling your data to those same advertisers. The same is true for Facebook, Twitter, Instagram, etc.... It's all about marketing and getting you to buy something from one of their sponsors. So as you browse the internet, the data that is being collected on you is sold. But it's not just that, you are being monetized and sold as well. So it is in the best interest of these companies to keep privacy away from the internet for as long as possible.
Even with all that, there are other things which can give you away, such as HTML5 canvas, timing of video/audio drivers responses (yes its a thing and workable) and one of my biggest bug bears as among all the tricks I do to stay anonymous is screen resolution.
Obviously the site needs it to display but it would be nice if sites didn't get that info and pages could be rendered to your screen resolution without the site knowing what yours actually is.
On top of those methods, I use a fake Browser User agent which changes every 5 minutes. Also help sites that want to send you malware as you get a nice .DMG file when they think you are using Safari on a Mac rather than Firefox on Linux for example. This is where it would be nice again for the site not to know screen resolution so if I fake my browser as Chrome on Android, a screen res of 4k wouldn't give that away + make my http fingerprint so unique.
I'm often telling people a VPN only gives you some privacy from your ISP (who generally won't MITM your connection to remove that protection) and in the UK from the police & 20 odd other services who can see your ICR/Internet connection record for the last 2 years but there is nothing to stop them submitting a request to google for your email account, your search history and probably sites you visited anyway because they had ad-trackers on most of the sites on the internet.
Google are going to fight anything privacy related that stops them tracking you and making money from us so its a surprise they are in an organisation where their single veto can block everything so they can make a privacy groups manifesto less private for citizens. Yes money makes the world go around but just because a company has monetised the internet with adverts, which was created for sharing information, should we structure it so they can continue to profit by stripping our privacy away? I think not.
I'm often telling people a VPN only gives you some privacy from your ISP (who generally won't MITM your connection to remove that protection) and in the UK from the police & 20 odd other services who can see your ICR/Internet connection record for the last 2 years but there is nothing to stop them submitting a request to google for your email account, your search history and probably sites you visited anyway because they had ad-trackers on most of the sites on the internet.
That is if they can tie your browsing/search history to you. Besides the ISP cannot MITM your connection to a VPN if you are using SSL certificates of at least 2048 bits. They can record it, but it's encrypted between you and the VPN provider. And on top of that, make sure the VPN provider is outside of your country and not on friendly terms. Makes investigations much harder.
I realize that you guys in the UK have something where the police can demand you to show them your encryption keys, or force you to decrypt something, with a two year jail sentence if your refuse. But what if you can't? I always thought it unfair to put someone in jail for not being able to decrypt internet traffic because the keys are not available to the user, and are automatically generated.
Why is Google even allowed to vote on Privacy-related proposal when they are exactly the kind of organization we need privacy from?
I'm assuming that its because they make a browser, but their other activities create a massive conflict of interest and they should either abstain or be kicked from the group altogether.
In other words, a formerly cordial group has become adversarial.
Google must be slipping so these groups are waking up and pushing back against the influence google has discretely exerted in the past. I only hope that the WWW does get better in protecting privacy or at least gets better at giving us, the end user, more control over what data is available to the megacorps.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
