Sunday, April 23, 2017

The Sorry State of Browser Privacy

Every one of the estimated 3.7 billion Internet users should be concerned that the vast majority of their searches, the contents of their shopping baskets both on and off line,  often their location, and, by careful statistical analysis, their associates are exposed to the corporate desires of the likes of Google, Microsoft, and Facebook. This information, once collected, is available to law enforcement agencies in many international jurisdictions. Some governments additionally collect information directly to spy on their citizens. One might also consider that logs of private information are also ripe for hackers, paid by organized crime or governments, who break into notionally "secure" systems.

Our mobile devices are also directly inspectable by customs agents when we cross international borders, and in some jurisdictions by police on the street.

Those who say that they have no care for privacy on the Internet have seemingly no idea of the abuse to which such information may be put. The Holocaust was perpetrated by a vicious regime primarily on the basis of household religious indications from a century of national census collection. No government of the past has ever had access to the amount of information available about the location and habits of individual citizens.

How can we possibly protect ourselves from a technically savvy authoritarian government that is willing to abuse this treasure trove of data?

Our browsers, those critical tools for our daily lives, are not currently our friends. They are the portal by which our personal information flees to corporate and government interests.

There are two fundamental approaches to securing our personal information in browsers. The first and easiest is to avoid recording your history from your local device. This is the primary tool behind browsers' privacy modes such as Firefox's private mode or Safari's incognito mode. No having local data will provide some level of protection if your phone or computer is seized.

Removing or avoiding local data storage does nothing to protect you from Web analytics companies who use data your browser happily sends to them during an online session. Advertising companies install trackers into their ads that are implemented in the JavaScript language understood by each browser. That computer code can and does read as much information as it can find, and combine it into a full picture of your individual browser through a process known as browser fingerprinting. It is this fingerprint, good perhaps to identify one person in tens of millions, that your browser happily passes back to the companies that asked for it.

The Electronic Frontier Foundation (EFF) has made a useful tool called Panopticlick to test browsers vulnerability to online tracking. The odd but fitting name is a reference to the Panopticon, a type of jail designed in 1787 by English philosopher Jeremy Bentham. A single jailer could see a large number of prisoners in the Panopticon.

This post reports on a series of Panopticlick tests on a variety of browsers. Desktop browsers were tested on a MacBook Pro. Mobile browsers were tested on an Apple iPhone 6 and a Sony tablet running Android Marshmallow.

Panopticlick asks four questions of browsers:
  • Is your browser blocking tracking ads?
  • Is your browser blocking invisible trackers?
  • Does your browser unblock 3rd parties that promise to honor Do Not Track?
  • Does your browser protect from fingerprinting?
A perfect browser would respond in the affirmative to each question, and a report might look like this:

Ads Trackers DNT Fingerprints
My good browser yes yes yes yes

A browser that failed all four tests would have a negative report. The last question would be answered by noting that a unique fingerprint could be calculated:

Ads Trackers DNT Fingerprints
A terrible browser no no no unique

It is naturally possible for some browsers to provide partial implementations to block tracking ads or other trackers. Partial implementations are marked in yellow.

Desktop Browser Tests

Tests were performed on an Apple MacBook Pro, running MacOS Sierra version 10.12.4.

Safari version 10.1 (12603.1.30.0.34)

Ads Trackers DNT Fingerprints
Safari (Mac, default) partial partial no unique
Safari (Mac, private browsing, default) partial partial no unique
Safari (Mac, private browsing, block cookies and website data) partial partial no unique

Chrome version 57.0.2987.133 (64-bit)

Ads Trackers DNT Fingerprints
Chrome (Mac, default) yes no no unique
Chrome (Mac, EFF Privacy Badger installed) yes yes no unique
Chrome (Mac, incognito mode, default) partial partial no unique
Chrome (Mac, incognito mode, block cookies and website data) yes yes no unique

Blocking all sites entirely using manual control of Privacy Badger yielded the same results as having Privacy Badger installed.

Safari’s incognito mode blocks plugins including Privacy Badger, so using plugins is ineffective to increase privacy on Safari.

Firefox version 52.0.2

Ads Trackers DNT Fingerprints
Firefox (Mac, default) no no no unique
Firefox (Mac, EFF Privacy Badger installed) yes yes yes unique
Firefox (Mac, NoScript installed) yes yes yes yes
Firefox (Mac, private mode, EFF Privacy Badger installed) yes yes yes unique
Firefox (Mac, private mode, NoScript installed) yes yes yes yes

Firefox’s private mode does not block plugins, so Privacy Badger could be used with private mode. 

NB: JavaScript was disallowed for panopticlick.eff.org with NoScript; disabling JavaScript is a key way to avoid trackers. Unfortunately, it is also a key way to break modern Web pages.

NoScript maintains a white list of common sites to minimize the breakage of legitimate JavaScript functionality. It blocks all others, but gives a useful user interface to allow exceptions. As shown in Figure 1 below, most sites are analytics trackers such as Google Analytics, Facebook, and Doubleclick.

Figure 1. NoScript's list of recently blocked sites

Mobile Browser Tests on iOS

Tests on iOS were performed on an Apple iPhone 6, running iOS version 10.3.1.

Safari iOS version 10.3.1

Ads Trackers DNT Fingerprints
Safari (iOS, default) partial partial no unique
Safari (iOS, private browsing, default) partial partial no unique
Safari (iOS, private browsing, block cookies and website data) partial partial no unique
Safari (iOS, Disconnect Privacy Pro installed and VPN active) yes yes no unique

Firefox iOS version 7.1 (2565)

Ads Trackers DNT Fingerprints
Firefox (iOS, default) no no no unique
Firefox (iOS, private mode, default) partial partial no unique
Firefox (iOS, Disconnect Privacy Pro installed and VPN active) yes yes no unique

Firefox Focus iOS version (current as of 17 April 2017)

Ads Trackers DNT Fingerprints
Firefox Focus (iOS, default) yes yes no unique
Firefox Focus (iOS, “Block other content trackers” option on) yes yes no unique
Firefox Focus (iOS, Disconnect Privacy Pro installed and VPN active) yes yes no unique

The motto for Firefox Focus is “Browse, erase, repeat”, which shows its focus on erasing local history.

Chrome iOS version 57.0.2987.137

Ads Trackers DNT Fingerprints
Chrome (iOS, default) no no no unique
Chrome (iOS, incognito mode, default) no no no unique
Chrome (iOS, Disconnect Privacy Pro installed and VPN active) yes yes no unique

Opera Mini iOS version 14.0.0.104835

Ads Trackers DNT Fingerprints
Opera Mini (iOS, default) no no no unique
Opera Mini (iOS, “Accept Cookies” turned off and “Block Pop-ups” turned on) no no no unique

EFF suggests rather concerningly, “switching to another browser or OS that offers better protections.”

Mobile Browser Tests on Android

Tests on Android were performed on a Sony Xperia Z2 Tablet SGP511, Android version 6.0.1 (Marshmallow), kernel 3.4.0-perf-gc14c2d5

Chrome Android version 57.0.2987.132

Ads Trackers DNT Fingerprints
Chrome (Android, default) no no no unique
Chrome (Android, incognito mode, default) no no no unique

Firefox Android version 52.2

Ads Trackers DNT Fingerprints
Firefox (Android, default) no no no unique
Firefox (Android, private mode, default) yes yes no unique

Opera Mini Android version 24.0.2254.115784

Ads Trackers DNT Fingerprints
Opera Mini (Android, default) yes yes no unique
Opera Mini (Android, private tab, default) yes yes no unique

NB: Opera Mini tested “no” in all categories last week, but Opera seems to be adding an effective ad blocking technology, which seems to have come to Android before iOS.

Disconnect free edition for Android (no version number, as of 23 April 2017)

Ads Trackers DNT Fingerprints
Disconnect in-app browser(Android, default) partial partial no unique

NB: Disconnect Pro/Premium versions were not tested on Android because I was borrowing the device and didn't want to buy my friend a $50 subscription.

Conclusions

One clearly needs to shop around to find a browser that will protect your privacy. That is easier on a computer than on a mobile device.

The combination of Firefox and the NoScript plugin was the only way discovered to pass all EFF tests, and that combination is only available on desktop and laptop computers. That is a shame given the power performance of Safari, or the Google app integration with Chrome.

There is no apparent way to avoid browser fingerprinting on iOS or Android.

Apple users seem to have a choice between the new Firefox Focus and installing (and using!) Disconnect Privacy Pro. It is easy to forget to turn on Disconnect's VPN. There is a cost, of course, but that should be nothing new to Apple users. Better privacy is part of what we pay for with Apple. It is surprising that Apple hasn't done with browser privacy what they have done with server-side encryption of user data.

Android users fare reasonably well using either Firefox's private mode or (surprise!) the new Opera Mini. Both browsers have decent blockers for ad trackers and other online trackers. Unfortunately, neither option does a thing to stop browser fingerprinting. In 2017 and beyond, blocking direct tracking is just not good enough. One cannot help but wonder why one needs to use Firefox's private mode to access apparently built-in functionality.

In summary, be careful. Practice safe computing to avoid infections of one form or another. It might be wise to both use a browser with good privacy support and also to check the status of updates once in a while.

We remain with poor tradeoffs. Should we increase privacy and suffer inconvenience, or opt for convenience? Unfortunately, I am sure I know what most people will do. Browser vendors, especially the Mozilla Foundation, should ensure that privacy protection is enabled by default. Action against browser fingerprinting is urgently needed.

Your privacy is in your hands.