
I have pretty simple technical needs when it comes to my work computer. I like to think I’m relatively low maintenance for our IT team. I make a couple of minor interface tweaks—I tend to like my taskbar at the top of the screen, for example, something I picked up from Ubuntu—but I don’t really fuss much beyond that. I do most of my work within web browsers and that’s where I apply the most effort. Which had the potential to trip up a colleague and a visiting speaker who used my laptop.

It was my colleague’s experience that really brought this to awareness for me. They were sitting next to me and giving a presentation to our Board, and my laptop was the presentation laptop for the meeting. It was only as she was starting her browser-based presentation in Canva that I realized that some things might not work quite the way they expected. I use Edge, not Chrome. My taskbar is at the top, not the bottom. My web browsers (I use Firefox too) are locked up with extensions. Fortunately, my colleague did not venture too far on the internet and everything else went smoothly.

The visiting speaker was a bit different. It was last minute and was because they hadn’t wanted to use their own computer. But I had mentioned to my colleague that I use adversarial tools and knew that would definitely be a problem for the visitor. I ended up downloading and installing a clean copy of Google Chrome, a web browser I no longer use or keep installed, so that the visitor would have a pristine experience. But it’s what the speaker used on their Mac and would act the most like what they were accustomed to.

Someone Is Always Watching

That’s a good starting point, though, for why I tend to have what is a particularly adversarial experience with websites. I once tried the Lightbeam extension, which has now been forked into Thunderbeam-Lightbeam. It gives you a visual of your online experience, including all of the sites that are sharing your information and tracking you.

After the speaker finished, I wiped and re-installed a clean copy of Google Chrome and walked through a bunch of websites with Thunderbeam turned on. Some government, lots of social media and news. I made no changes to the ad settings or other privacy changes you should make on Chrome.

This is what it looked like:

A black image with white dots and triangles. The dots and triangles are interconnected with lines. The image is dense with triangles, which show the trackers and servers that are used by the dots, the sites that are actually visited.
A screenshot of Thunderbeam data. Circles are visited sites. Triangles are everything else and the lines show interconnectedness, as your movements are tracked from site to site.

This would never be my normal experience. But I am always a bit disappointed to see how these sites interconnect, even the government ones. My ideal is for as many of the sites to either be islands—entirely unconnected—or connected by only one or two links, depending on the site.

It was a disturbing experience for someone who never sees ads on the internet. Imagine my surprise when I went to the Supreme Court of California’s opinions site, which is powered by LexisNexis. Then I jumped by typing in the URL for the Canadian media site The National Post, and I was shown LexisNexis display ads … selling California law titles! Not cool. I use the National Post as an example site because it’s among the most egregious tracking media sites I’ve ever visited. As you can see below, news isn’t really their strength.

A screenshot of the National Post media web site.  At the top is a LexisNexis bundle advertisement.  Below it are 4 random calls to action that aren't news.  Then there is a larger LexisNexis advertisement showing California legal publications.  Then there is the hint of news with a heading that says Local Spotlight.
A screenshot of the National Post (CA) media site. It’s littered with LexisNexis (US) content promotions, even though it’s a Canadian media site.

Remember, this was a 100% brand new Chrome install. I wasn’t signed in, I hadn’t gone anywhere other than the test sites. It still was showing me things based on where I’d been. I don’t know how people stand it.

I popped open the Google Chrome history, then switched to Microsoft Edge which is my primary web browser, and visited the same list of sites and pages. News (CNN, Washington Post, National Post), social media (AALL’s Facebook page, Twitter), the California Supreme Court, the San Diego County site and the District Attorney’s site.

Same pages, different experience (zero ads):

A black image with white dots and triangles. The dots and triangles are interconnected with lines. The triangles show the trackers and servers that are used by the dots, the sites that are actually visited. The image is pretty bare, with lots of sites completely isolated from other sites.
A screenshot of Thunderbeam data. Circles are visited sites. Triangles are everything else and the lines show interconnectedness, as your movements are tracked from site to site.

Some links where I clicked from one page to another. Lots of islands. Very little tracking, most of it apparently internal. For example, I have analytics running on this site but they’re isolated to this site. Your visitor data isn’t shared anywhere (I use Matomo).

The difference? It’s not the web browser. Microsoft Edge and Google Chrome share the same basic software engine. It’s why extensions you find in the Google Chrome webstore work on Edge too.

Your Browser Won’t Provide Enough Security

The difference is the extensions. I run NoScript (blocks JavaScript), the Electronic Frontier Foundation’s Privacy Badger (tracker blocker that complements NoScript), uBlock Origin (ad blocker with customizable block lists that can be stricter or looser or include sites you specifically select) and Stylus (style blocker). In addition, I use strict browser settings:

  • Tracking prevention: strict (blocks a majority of trackers)
  • Send do not track requests (this is window dressing but I turn it on anyway)
  • Force automatic HTTPS (which I hope will hinder some advertising and tracking sites that are still using http)
  • Use secure DNS (I use Cloudflare in the browser and I use their anti-malware DNS (1.1.1.2) on my devices and network hardware when I can)
  • Security enhancements: strict (security mitigation, parts of sites won’t work, blocks security threats)

I tend not to do much research or browsing on mobile devices. They often do not support extensions and so you are really at the mercy of the website owners. I tend to use AdAway, a VPN that acts as an ad blocker. In addition, though, you can have it block other sites. I load it with a broad, pre-populated block list and then expand it over time as I find new trackers. You can set it to log activity, and then use that log to block offending resources.
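
An added example, not part of the original post: a short Python sketch of that log-to-block-list workflow, which also computes the "islands" idea from the Thunderbeam graphs. The request log, the `.example` site names, the two-label `site_of` heuristic and the hosts-style `0.0.0.0` output are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log: (site the user visited, host a resource was requested from).
# The .example sites are placeholders; the pairings are invented for this example.
SAMPLE_LOG = [
    ("news.example", "news.example"),
    ("news.example", "cdn.news.example"),
    ("news.example", "www.googletagmanager.com"),
    ("news.example", "securepubads.g.doubleclick.net"),
    ("court.example", "court.example"),
    ("court.example", "www.googletagmanager.com"),
    ("social.example", "static.social.example"),
    ("social.example", "stats.g.doubleclick.net"),
    ("blog.example", "blog.example"),
    ("blog.example", "analytics.blog.example"),  # first-party analytics only
]

def site_of(host):
    """Naive site key: last two labels (assumption; a real tool needs the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def cross_site(log, min_sites=2):
    """Third-party sites requested from at least min_sites different visited sites."""
    seen = defaultdict(set)
    for page, host in log:
        if site_of(host) != site_of(page):  # skip first-party requests
            seen[site_of(host)].add(site_of(page))
    return {tp: sorted(pages) for tp, pages in seen.items() if len(pages) >= min_sites}

def islands(log, min_sites=2):
    """Visited sites that share no third party with any other visited site."""
    visited = {site_of(page) for page, _ in log}
    linked = {p for pages in cross_site(log, min_sites).values() for p in pages}
    return sorted(visited - linked)

def block_entries(log, min_sites=2):
    """Hosts-format lines for every logged host that belongs to a cross-site third party."""
    shared = cross_site(log, min_sites)
    hosts = {h.lower() for p, h in log
             if site_of(h) in shared and site_of(h) != site_of(p)}
    return [f"0.0.0.0 {h}" for h in sorted(hosts)]

if __name__ == "__main__":
    for tracker, pages in cross_site(SAMPLE_LOG).items():
        print(f"{tracker} follows you across: {', '.join(pages)}")
    print("islands:", islands(SAMPLE_LOG))
    print("\n".join(block_entries(SAMPLE_LOG)))
```

Review the generated lines before importing them anywhere: a shared third party can also be a content host that a site needs in order to render.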

But the reality is your web browser isn’t going to catch everything and I like using extensions to make sure that I have to opt in to the garbage that some websites offer up.

Here’s what I mean. If I go to Vice.com and have NoScript activated, my web browser reports that there are no trackers. I have not yet blocked anything. I just haven’t allowed Vice.com to fully load.

A screenshot of the Location bar security information (click on the lock next to the location URL). At the bottom, it says “Trackers (0 blocked)”.

If I now activate NoScript and temporarily trust Vice.com, that screen will change to say that 1 tracker has been blocked, a tracker from New Relic. But in fact, if I look at my NoScript screen, I can see that Vice is trying to load a bunch of other stuff:

A screenshot of a web browser with the NoScript menu toggled, showing a list of 8 resources that Vice.com wants to load, most of which do not provide content.

It wants to load Google Analytics (usually the Google Tag Manager or Doubleclick). It wants to load HTL Bid, which says it’s for A/B testing but I don’t trust anything that might do ad bidding. GoogleAPIs? NPT Tech? Privacy-Mgmt? I don’t think so. If I’m looking for Vice.com content, it better be on the vice.com domain or thereabouts.

Here’s the thing. Even when you block all of the unnecessary trackers and sub-sites, you can still access information. The National Post is a great example. I don’t avoid its content, I just don’t allow it to engage all of its cruddy trackers (including Amazon ads, Google ads, questionable AI, etc.).

A screenshot of the National Post (CA) media site, showing 10 trackers and content providers. Note that National Post is blocked but the content on the site will still appear.

NoScript still isn’t catching everything. On the National Post site, another tracker that NoScript didn’t see got flagged because it’s not using JavaScript (NoScript caught everything that Privacy Badger did on Vice.com). The one it missed is an image that is loaded from an unknown source. In some cases, especially with email, this is a tracking image for those who are otherwise blocking or can’t use JavaScript.

Trust No One!

It’s one reason I work almost entirely out of a web browser. Someone sends you an email to Outlook with a tracker in it? If you are checking your email within your web browser, your adversarial extensions can inhibit the tracker in the email. I use web versions of Microsoft Word, SharePoint, Outlook, Teams. Most of the time I can avoid the full app and I can use those deliberately.

I expect the commercial sites to try to throw out a ton of trackers. I’m always surprised at the government ones. Even if they are only loading Google Analytics (via DoubleClick or Tag Manager), you are aggregating that data as you move from site to site. California Governor? Google Analytics. California Courts? Google Analytics (and something called Granicus). U.S. House of Representatives? Google Analytics. Congress? Adobe Analytics. Library of Congress? Adobe.

Really, if you want to throw a wrench into analytics, you can block a lot by merely blocking Google Tag Manager, Adobe DTM, and Doubleclick.

Some publishers are responding. Some publishers now block your access if you have what they determine to be an ad-blocker running. First, it is rare for there to be a single source of truth for any information on the internet. Second, there are so many archival tools running now that an extension like Web Archives will help you find a backup copy.

Google has gone perhaps the furthest with its ads on YouTube, where it says ad blocking is violating the terms of service for the site. I find that my setup actually blocks those as well but they trigger the slow loading that Google has put in place and I still have to load Google properties (there are three: YouTube, Google Video, and YouTube images) to get it to show content.

I’ve started to use the Brave web browser solely to visit YouTube. I don’t trust it enough for all of my web browsing. But it allows me to load YouTube without any extensions and still get ad blocking. And it isolates my YouTube browsing from all my other web browsing.

Once I’ve set a site, I can usually forget it. Most sites don’t add or drop trackers that often or, if I’ve blocked it one place, it will be blocked everywhere. NoScript, Privacy Badger, and uBlock all allow you to export your settings. So if you’re working on more than one PC or on more than one Chromium-based browser that can also run the extensions, you can keep your settings up to date pretty easily. This is also helpful if you just want to keep a backup, in case you have a device upgrade or something happens to your web browser settings or extensions.

Sure, it may seem paranoid but that doesn’t mean they’re not out to get you! As one of my kids has told me, so much of our private data has already been harvested and placed into public records databases, and sold by brokers. I get that. Particularly in the United States, there has been a certain amount of acceptance of citizens allowing themselves to be monetized.

But I think it’s important not to comply any more than I have to. And I hope that the inability for sites to track me will mean that, when I use them, I am only seeing the content as it exists. Not as the site thinks I want to see it, with LexisNexis ads emblazoned across the screen.