Block online tracking with Privacy Badger for Firefox and Chrome
Privacy Badger is a new browser extension for Firefox and Chrome by the EFF that can block spying ads and trackers on websites.
Tracking users is essential to online marketing today. Tracking occurs on the Internet in many forms, from third-party cookies that are set by advertising or tracking scripts to social media buttons and sophisticated tracking via Flash cookies, fingerprinting and other means.
The good news is that it is relatively easy to block many of the different tracking methods in web browsers. This is especially true for third-party tracking methods.
Think of first-party as the company or individual running the domain you are on, e.g. ghacks.net, and third-parties as everything that is loaded from other web servers and sites when you visit the site.
Updates:
- Privacy Badger 1.0 ships with super-cookie and fingerprinting detection
- Anti-Tracking extension Privacy Badger 2.0 is out
- Latest Privacy Badger removes Facebook's link tracking
Privacy Badger
The Privacy Badger extension has been designed to analyze websites that you visit in the browser it is installed in to detect and block contents that track you in "an objectionable, non-consensual manner".
The extension adds an icon to the browser which you can click on to display all detected tracking URLs and scripts. For each URL or script, it offers three states that you can change easily in the interface.
- Allow the script to run.
- Block cookies set by the script but allow it to run.
- Block the script so that it cannot set cookies.
Privacy Badger will block scripts automatically if they appear to track without permission, for instance by using cookies with unique identifiers.
If a script identified this way is used for site functionality, e.g. the display of a map or fonts, then only its cookies will be blocked while the script continues to run.
According to the EFF, some advertisers and third-party domains will not be blocked by the extension if they make a "strong commitment" to respect Do Not Track.
While the extension works automatically, you can manually change what is allowed to run and what is blocked at any time. These changes are remembered, so that the script or domain is still handled this way on consecutive visits and on other domains it is loaded on as well.
The page is automatically reloaded when you make a change to the configuration.
Note that the alpha release of Privacy Badger concentrates solely on third-party tracking. While you may be able to use it to block some first-party tracking attempts as well, for instance if a script is loaded from a subdomain, it is usually not possible to block all tracking on first-party sites using extensions.
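The three states and the automatic rule described above can be modelled in a few lines. This is an added example, not code from Privacy Badger or the EFF; the identifier heuristic, the list of functional domains, the treatment of subdomains as first-party, and all hosts and cookie values are assumptions made for illustration.

```javascript
// Simplified model written for this article; not Privacy Badger's source code.
const ALLOW = "allow", COOKIEBLOCK = "block cookies", BLOCK = "block";
const RANK = { [ALLOW]: 0, [COOKIEBLOCK]: 1, [BLOCK]: 2 };
// Simplification: the last two labels are the site. Real extensions use the
// Public Suffix List so that hosts such as example.co.uk are grouped correctly.
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function isThirdParty(pageHost, requestHost) {
  return baseDomain(pageHost) !== baseDomain(requestHost);
}

// Assumed heuristic: a long value with many distinct characters is treated
// as a per-user identifier; short values such as "en" are not.
function looksLikeUniqueId(value) {
  return value.length >= 16 && new Set(value).size >= 8;
}

// observations: [{ page, host, cookies }]; functional: Set of domains needed for
// site features; userChoices: Map of domain -> state chosen by hand (all sites).
function decide(observations, functional, userChoices) {
  const states = new Map();
  for (const { page, host, cookies } of observations) {
    if (!isThirdParty(page, host)) continue; // first party in this model
    const origin = baseDomain(host);
    let state = ALLOW;
    if (Object.values(cookies).some(looksLikeUniqueId)) {
      state = functional.has(origin) ? COOKIEBLOCK : BLOCK;
    }
    // Keep the strictest state seen so far for this domain.
    const prev = states.get(origin) ?? ALLOW;
    states.set(origin, RANK[prev] > RANK[state] ? prev : state);
  }
  // Manual choices are remembered and override the automatic result.
  for (const [origin, choice] of userChoices) states.set(origin, choice);
  return states;
}

// Constructed sample data: hypothetical hosts and cookie values.
const sample = [
  { page: "news.example", host: "cdn.news.example", cookies: { sid: "a81f93bc77d04e12aa90" } },
  { page: "news.example", host: "ads.tracker.example", cookies: { uid: "9f3c2a7de1b84f60c5d2" } },
  { page: "news.example", host: "maps.widgets.example", cookies: { vid: "4be7a09c13fd2e8861aa" } },
  { page: "news.example", host: "fonts.static.example", cookies: { lang: "en" } },
  { page: "shop.example", host: "pixel.social.example", cookies: { u: "c0ffee1234abcd5678ef" } },
];
const result = decide(sample, new Set(["widgets.example"]), new Map([["social.example", ALLOW]]));
console.log([...result]);
```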
Comparison to other blocking extensions
- Disconnect 2 for Chrome - The browser extension blocks third-parties from tracking you. It blocks over 2000 third-party sites this way including major social networking scripts, and allows you to whitelist sites or individual scripts.
- Do Not Disturb for Chrome - This extension concentrates on annoyances such as data miners and surveys rather than third-party scripts or domains. It is less likely to break a website while running as a consequence.
- Ghostery - blocks trackers automatically and gives you control over what is allowed to run and what is not.
- NoScript for Firefox - The Firefox extension blocks all third-party connections by default which in turn blocks the majority of ads and all third-party tracking attempts by default.
Closing Words
Privacy Badger does not display all third-party domains that a website connects to on load. Only those that it has identified as trackers are displayed by it so that you can block or allow them in the interface.
While that is a limitation, especially if you are used to working with NoScript which puts you in full control, it is easier to handle and maintain on the other hand.
The developers plan to integrate new features in future versions, including one that prevents browser fingerprinting. Definitely one to keep an eye on.
Seems like a real pain in the ass. I guess it’s easiest to just walk away and leave your data. I kind of think that all the fuss and activity of covering up creates its own new data set somehow, so it’s counter-intuitive. But I like that going through all of that effort feels like some sort of 21st century Situationist art project. Also, how does anyone know that this hard-way strategy can even be successful? It seems like it might be some kind of masochistic and absurd joke, and even after all that effort there could still be a crumb somewhere. It also really relates to the Borges story the Library of Babel, where nuggets of meaning are absolutely lost in this almost infinite sea of disinformation.
I refuse to use Ghostery for this reason.
http://www.technologyreview.com/news/516156/a-popular-ad-blocker-also-helps-the-ad-industry/
Privacy Badger refuses to block “wikia-beacon.com” for some reason. I slide it to red and it snaps back to yellow?
Now I’m not bashing Badger here … and clearly the average everyday user is a different breed of human to me (and probably most of us who frequent ghacks) .. but
1. Big Ugly Arsed Icon (no small icon) :)
2. It hasn’t (for me, so far) added ANY extra protection. Although I am not sure of the exact order in which my extensions apply, here’s an approximation (and none of my extensions seem to interfere with each other)
a) my local privoxy has rules (you name it, it’s in there and activated .. tighter than a nun’s ass)
b) note: ALL cookies are denied. About 10 sites are allowed a 1st party cookie, another few sites are allowed a session cookie. And nothing is allowed DOM storage.
c) RequestPolicy (rules that govern origin, destination and origin-destination of sites .. i.e domain-3rdparty)
d) RefControl (although referrals are not scripts or cookies, it is/can be tracking – set to forge except about 5 sites)
e) NoScript
f) AdBlock Plus
g) Ghostery
h) DoNotTrackMe
And I won’t mention any other extensions, measures for now. Now I’m not your everyday average user, so I can work around ALL of these in order to get a website I regularly visit to function (eg Disqus comments on Torrentfreak, or images to display at Discogs etc) .. suffice to say, that if anything gets past my proxy, it has to deal with RequestPolicy, if I let it thru there, it has to deal with NoScript, then Ghostery and DoNotTrackMe (Adblock is more about adverts than other tracking reasons). And some sites I have special greasemonkey scripts (not to mention 100s of custom userstyles just to hide cr*p).
Badger does nothing for me (yet). However, from experience, I know just how much sites can break with a blanket approach, and if the EFF can make it easier for most people and also help change developers’ behaviour – it’s all good.
These kinds of extensions always seem to slow down browsing and break web pages.
Used to use HTTPS Everywhere, Disconnect, DoNotTrackMe etc but disabled it due to those reasons.
The advanced stuff is too destructive and I don’t want to tinker with them all the time to find some compromise.
Now I only have ABP on.
Adblock /Plus will only block ad related junk and in some cases it can’t block some types of ads. Ghostery on the other hand does more than just ads. It also blocks: Analytics, Beacons, Privacy, and Widgets. As of current Ghostery blocks over 1930 types of trackers. Not all of them are bad and some you must turn off (uncheck) to allow some sites to work, but at least it shows you what type of components are on the sites you visit and more information on the type component.
NoScript is the ultimate blocker but I personally find the GUI confusing at best because they don’t break the components down by name/company but instead break them down by type/function. I found them to block ads on my 256b encrypted account pages but also block the account login widgets. There seemed to be no way to block just the ad type tracker but no way to let the login widget to work. Or it would block the online chat function on some sites but also block the shopping cart check out widgets. Ghostery to the rescue. Ghostery identifies what component is active, what each does and gives me the option to whitelist, block, temporary, one time access the individual component or the whole site and more.
And how does this compare to disconnect?
Comparative benchmarks against widely used blockers (HTTP Switchboard vs ABP vs Ghostery vs Disconnect vs Privacy Badger)
https://github.com/gorhill/httpswitchboard/wiki/Comparative-benchmarks-against-widely-used-blockers:-Top-15-Most-Popular-News-Websites#may-2-2014
Actually the result above for NoScript-like setup is not correct, I forgot to factor in the built-in whitelist of hostnames in NoScript. Now I am too lazy to redo the benchmark, so the above results are what one would get with NoScript *without* any whitelisting, so I expect the real life results would show more hits to 3rd-party domains.
@Martin I tried the above setup, and these are the results — allowing for the fact that the sites benchmark may have had their content changed since I released the results earlier:
NoScript-like setup
Domains: 47 / 48
Hosts: 76 / 109
Scripts: 0 / 0
Outbound cookies: 21 / 29
Net requests: 724 / 1,289
Thanks, I appreciate it!
> Would love to see NoScript in that list
I suppose I could set up HTTPSB to mimic pretty well NoScript, i.e.:
– Remove all preset blocked hosts
– Add all preset whitelist hostnames in NoScript to HTTPSB’s ubiquitous whitelist rules
– Allow all from everywhere
– Blacklist scripts from everywhere
– Blacklist frames from everywhere (is this default in NoScript?)
– Ensure plugins are set to click-to-play
This way, results should pretty much reflect what one would get with NoScript.
Interesting. Would love to see NoScript in that list.
How does this compare to DoNotTrackMe?
DoNotTrackMe is limited to 600 tracking companies, this one seems to support more than that.
I tried this immediately, but it only got one tracker when Ghostery got 12
Well not everything that Ghostery recognizes needs to be a tracker.
But you can whitelist certain things in Ghostery. So you can manage that. :-)
How about comparison to this?
http://operacustomizations.wordpress.com/2013/04/23/scriptkeeper/
I don’t really understand the difference between using a tracker blocker like Privacy Badger or Ghostery when you can just use Adblock Plus and the numerous subscription lists dedicated to protecting privacy.
See this comparison chart for more info:
http://www.areweprivateyet.com/
Disclaimer: That site is made by the guys that made Ghostery. However, that site shows that Adblock Plus with a few optimal subscription lists beats a ton of tracker-blocking addons.
Ray, I guess some users don’t mind ads but still want their privacy protected. If you want full protection, NoScript is the way to go anyway.
And when you need to temp disable NS on a page, Sandboxie* does a great job of containing & eradicating the flotsam.
*Sandboxie is under new management. Congrats to Ronen, he earned his payout! Time will tell if the new owners ruin it, however.