Online privacy: Best browsers, settings, and tips
“You have zero privacy anyway. Get over it,” Scott McNealy said of online privacy back in 1999, a view the former CEO of the now-defunct Sun Microsystems reiterated in 2015. Despite the hue and cry his initial remarks caused, he’s been proven largely correct.
Cookies, beacons, digital signatures, trackers, and other technologies on websites and in apps let advertisers, businesses, governments, and even criminals build a profile about what you do, who you know, and who you are at very intimate levels of detail. Remember that 2012 story about how Target could tell a teenager was pregnant before her parents knew, based on her online activities? That is the norm today. Google and Facebook are the most notorious commercial internet spies, and among the most pervasive, but they are hardly alone.
The technology to monitor everything you do has only gotten better. And there are many new ways to monitor you that didn’t exist in 1999: always-listening agents like Amazon Alexa and Apple Siri, Bluetooth beacons in smartphones, cross-device syncing of browsers to provide a full picture of your activities from every device you use, and of course social media platforms like Facebook that thrive because they are designed for you to share everything about yourself and your connections so you can be monetized. Trackers are the latest silent way to spy on you in your browser. CNN, for example, had 36 running when I checked recently.
Apple’s Safari 14 browser introduced the built-in Privacy Monitor that really shows how much your privacy is under attack today. It is pretty disconcerting to use, as it reveals just how many tracking attempts it thwarted in the last 30 days, and exactly which sites are trying to track you and how often. On my most-used computer, I’m averaging about 80 tracking deflections per week — a number that has happily decreased from about 150 a year ago.
Safari’s Privacy Monitor feature shows you how many trackers the browser has blocked, and who exactly is trying to track you. It’s not a comforting report! (Click any image in this story to enlarge it.)
When speaking of online privacy, it’s important to understand what is typically tracked. Most websites and services don’t actually know it’s you at their site, just a browser associated with a lot of characteristics that can then be turned into a profile. Marketers and advertisers are looking for certain kinds of people, and they use profiles to do so. For that need, they don’t care who the person actually is. Neither do criminals and organizations seeking to commit fraud or manipulate an election.
When companies do want that personal information — your name, gender, age, address, phone number, company, titles, and more — they will have you sign up. They can then correlate all the data they have from your devices to you specifically, and use that to target you individually. That’s common for business-oriented websites whose advertisers want to reach specific people with purchasing power.
Criminals may want that data too. So may insurers and healthcare organizations seeking to filter out undesirable customers. (Over the years, laws have tried to prevent such redlining, but there are creative ways around it, such as installing a tracking device in your car “to save you money” and identify those who may be higher risks but haven’t had the accidents yet to prove it.) Certainly, governments want that personal data, in the name of control or security.
You should be most worried about when you are personally identifiable. But it’s also worrying to be profiled extensively, which is what browser privacy seeks to reduce.
The browser has been the focal point of self-protection online, with options to block cookies, purge your browsing history or not record it in the first place, and turn off ad tracking. But these are fairly weak tools, easily bypassed. For example, the incognito or private browsing mode that turns off browser history on your local computer doesn’t stop Google, your IT department, or your internet service provider from knowing what sites you visited; it just keeps someone else with access to your computer from looking at that history on your browser.
The “Do Not Track” ad settings in browsers are largely ignored, and in fact the World Wide Web Consortium standards body abandoned the effort in 2019, even if some browsers still include the setting. And blocking cookies doesn’t stop Google, Facebook, and others from monitoring your behavior through other means such as looking at your unique device identifiers (called fingerprinting) as well as noting if you sign in to any of their services — and then linking your devices through that common sign-in.
Because the browser is a main access point to internet services that track you (apps are the other), the browser is where you have the most centralized controls. Even though there are ways for websites to get around them, you should still use the tools you have to reduce the privacy invasion.
The place to start is the browser itself. Some are more privacy-oriented than others. Many IT organizations force you to use a specific browser on your company computer, so you may have no real choice at work. But if you do have a choice, exercise it. And definitely exercise it for the computers under your control.
Here’s how I rank the mainstream desktop browsers in order of privacy support, from most to least — assuming you use their privacy settings to the max.
Safari and Edge offer different sets of privacy protections, so depending on which privacy aspects concern you the most, you may view Edge as the better choice for the Mac, and of course Safari isn’t an option in Windows, so Edge wins there. Likewise, Chrome and Opera are nearly tied for poor privacy, with differences that can reverse their positions based on what matters to you — but both should be avoided if privacy matters to you.
The following table shows the privacy settings available in the major desktop browsers. (Thanks to Computerworld’s Windows expert Preston Gralla for verifying and updating the Windows information.)
A note about supercookies: Over the years, as browsers have provided controls to block third-party cookies and implemented controls to block tracking, website developers began using other technologies to circumvent those controls and surreptitiously continue to track users across websites. In 2013, Safari began disabling one such technique, called supercookies, that hide in browser cache or other locations so they remain active even as you switch sites. Starting in 2021, Firefox 85 and later automatically disabled supercookies, and Google added a similar feature in Chrome 88.
In your browser’s privacy settings, be sure to do the following:
Additionally, take these precautions when browsing:
You can supplement a desktop browser’s built-in security settings with additional tools.
Mozilla has a pair of Firefox extensions (a.k.a. add-ons) that further protect you from Facebook and others that monitor you across websites. The Facebook Container extension opens a new, isolated browser tab for any site you access that has embedded Facebook tracking, such as when signing into a site via a Facebook login. This container keeps Facebook from seeing the browser activities in other tabs. And the Multi-Account Containers extension lets you open separate, isolated tabs for various services that each can have a separate identity, making it harder for cookies, trackers, and other techniques to correlate all of your activity across tabs.
The DuckDuckGo search engine’s Privacy Essentials extension for Chrome, Edge, Firefox, Opera, and Safari provides a modest privacy boost, blocking trackers (something Chrome doesn’t do natively but the others do) and automatically opening encrypted versions of websites when available.
While most browsers now let you block tracking software, you can go beyond what the browsers do with an antitracking extension such as Privacy Badger from the Electronic Frontier Foundation, a long-established privacy advocacy organization. Privacy Badger is available for Chrome, Edge, Firefox, and Opera (but not Safari, which aggressively blocks trackers on its own).
The EFF also has a tool called Cover Your Tracks (formerly known as Panopticlick) that will analyze your browser and report on its privacy level under the settings you have set up. Sadly, the latest version is less useful than in the past. It still does show whether your browser settings block tracking ads, block invisible trackers, and protect you from fingerprinting. But the detailed report now focuses almost exclusively on your browser fingerprint, which is the set of configuration data for your browser and computer that can be used to identify you even with maximum privacy controls enabled. But the data is complex to interpret, with little you can act on. Still, you can use EFF Cover Your Tracks to verify whether your browser’s specific settings (once you adjust them) do block those trackers.
The bottom line: Don’t rely on your browser’s default settings but instead adjust its settings to maximize your privacy.
Content and ad blocking tools take a heavy approach, suppressing whole sections of a website’s code to prevent widgets and other code from operating and some site modules (typically ads) from displaying, which also suppresses any trackers embedded in them. Ad blockers try to target ads specifically, whereas content blockers look for JavaScript and other code modules that may be unwelcome.
Because these blocker tools cripple parts of sites based on what their creators think are indicators of unwelcome site behaviors, they often damage the functionality of the site you are trying to use. Some are more surgical than others, so the results vary widely. If a site isn’t running as you expect, try putting the site on your browser’s “allow” list or disabling the content blocker for that site in your browser.
I’ve long been skeptical of content and ad blockers, not only because they kill the revenue that legitimate publishers need to stay in business but also because extortion is the business model for many: These services often charge a fee to publishers to allow their ads to go through, and they block those ads if a publisher doesn’t pay them. They promote themselves as aiding user privacy, but it’s hardly in your privacy interest to only see ads that paid to get through.
Of course, desperate and unscrupulous publishers let ads get to the point where users wanted ad blockers in the first place, so it’s a cesspool all around. But modern browsers like Safari, Chrome, and Firefox increasingly block “bad” ads (however defined, and typically quite limited) without that extortion business in the background. Firefox has recently gone beyond blocking bad ads to offering stricter content blocking options, more akin to what extensions have long done. What you really want is tracker blocking, which nowadays is handled by many browsers themselves or with the help of an anti-tracking extension.
Mobile browsers typically offer fewer privacy settings even though they do the same basic spying on you as their desktop siblings do. Still, you should use the privacy controls they do offer.
In terms of privacy capabilities, Android and iOS browsers have diverged in recent years. All browsers in iOS use a common core based on Apple’s Safari, whereas all Android browsers use their own core (as is the case in Windows and macOS). That means iOS both standardizes and limits some privacy features. That is also why Safari’s privacy settings are all in the Settings app, and the other browsers manage cross-site tracking privacy in the Settings app and implement other privacy features in the browser itself.
Here’s how I rank the mainstream iOS browsers in order of privacy support, from most to least — assuming you use their privacy settings to the max.
And here’s how I rank the mainstream Android browsers in order of privacy support, from most to least — also assuming you use their privacy settings to the max.
The following two tables show the privacy settings available in the major iOS and Android browsers, respectively, as of September 28, 2022 (version numbers aren’t often shown for mobile apps). (Thanks to Computerworld’s Android expert JR Raphael for verifying and updating the Android information.)
Note: Controls over location, microphone, and camera privacy are handled by the mobile operating system, so use the Settings app in iOS or Android for these. Some Android browsers apps provide these controls directly on a per-site basis as well.
A few years ago, when ad blockers became a popular way to combat abusive websites, there came a set of alternative browsers meant to strongly protect user privacy, appealing to the paranoid. Brave Browser and Epic Privacy Browser are the most well-known of the new breed of browsers. An older privacy-oriented browser is Tor Browser; it was developed in 2008 by the Tor Project, a nonprofit founded on the principle that “internet users should have private access to an uncensored web.”
All these browsers take a highly aggressive approach of excising whole chunks of websites’ code to prevent all sorts of functionality from operating, not just ads. They often block features to sign up for or sign into websites, social media plug-ins, and JavaScripts just in case they might collect personal information.
Today, you can get strong privacy protection from mainstream browsers, so the need for Brave, Epic, and Tor is quite small. Even their biggest claim to fame — blocking ads and other annoying content — is increasingly handled in mainstream browsers.
One alterative browser, Brave, seems to use ad blocking not for user privacy protection but to take revenues away from publishers. Brave has its own ad network and wants publishers to use that instead of competing ad networks like Google AdSense or Yahoo Media.net. So it tries to force them to use its ad service to reach users who choose the Brave browser. That feels like racketeering to me; it’d be like telling a store that if people want to shop with a specific credit card that the store can sell them only goods that the credit card company supplied.
Still, there are reasons to consider these alternative browsers beyond ad blocking: