This is how mass surveillance works. Or: Why you need a privacy-focused browser.

Why do you need a privacy-focused browser? To answer that question, we must at first establish a baseline for online privacy and answer these questions: Who are they, the ones that violate your privacy? Who are the big data collectors, your unwanted and often unknown followers? And what tricks and techniques do they use to collect your data?

Big tech. The surveillance capitalists.

First up (and let’s be honest, they truly deserve the first mention) are the big tech companies. They have built their business model on gathering as much data as possible, to be able to predict your future behavior and make money from it. Shoshana Zuboff, Harvard professor and author of the book The Age of Surveillance Capitalism, explain it best: “right from the start, they [the big tech companies] understood that these mechanisms had to be hidden. They had to observe through a one-way mirror. That’s what makes it surveillance.” The big tech companies don’t need any longer introduction from us. Facebook has 52,000 unique attributes to classify users. Enough said.

Data brokers. You don’t know them. They definitely know you.

On to the next offender: the data brokers. You’ve probably never heard of most of them, but they know a lot about you. For example, one data broker brags they have 1,500 pieces of information on more than 200 million Americans. Their whole existence (the name itself is quite revealing) is all about gathering data, packaging it and selling it. You can (for almost no money at all) buy all sorts of information. You can buy lists of people with alcohol problems or information related to visits to clinics that provide abortions, including Planned Parenthood facilities.

On a macro level, ‘we need to track everyone everywhere for advertising‘ translates into ‘the government being able to track everyone everywhere.’

Chris Hoofnagle

Nation states and authorities. With access to everything.

Finally, we have mass surveillance conducted by states and authorities. We have, among others, countries like the UK with their Tempora program tapping into fiber-optic cables, we have China with their great firewall of China and different social score systems, and of course, the USA with their (revealed by Edward Snowden) surveillance programs Upstream and Prism, where they have access to both the internet providers‘ traffic and the big tech companies‘ databases. As Chris Hoofnagle, lecturer at UC Berkeley Law puts it: “On a macro level, ‘we need to track everyone everywhere for advertising’ translates into ‘the government being able to track everyone everywhere. ’

So we have identified big tech, data brokers, and government authorities as parties collecting your data. But how do they collect all these absurd amounts of personal information every day? Disclaimer: the following sections ‘only’ deal with the possibilities that exist just by having you access a webpage (another note: this list is not exhaustive, but contains the most important parts), without you even logging into social media, using apps, sharing data by yourself or being tracked by mobile location data. The thing is, the big tech and social media companies doesn’t even need all the obvious tricks for collecting data to collect data. The data that you accept and opt to share voluntarily by yourself is just the tip of the iceberg.

Your personal IP address: the first and most widely used unique identifier.

As soon as you connect to the internet, you receive a personally assigned IP (internet protocol) address from your ISP (internet service provider). The IP address identifies you so that the internet knows where to send the traffic. This is a good thing (you want the internet to work, right?), but it also means that your IP address is like a digital passport that your internet provider can use to log all the websites you visit. In several countries, they have to do that by law. Depending on which country you live in, it’s more or less likely that your ISP will sell that information to whomever may be interested in it (advertisers, data brokers, etc.) and/or disclose it to government authorities.

There are also multilateral agreements between countries (like the 14 eyes alliance, also revealed by Snowden), which quite obviously means that internet traffic crossing international borders is intercepted and shared between several nations. And yes, in this case too, your traffic is tied to you personally thanks to your IP address.

Furthermore, your IP address can be collected by third-party actors on websites to identify and track you as you go from one website to another. And the only way to get rid of the IP address as a unique identifier is to use a trustworthy VPN (or use the Tor Network). We cannot stress this enough: your IP address is the easiest identifier for tracking you and the one most likely to be used. That’s why we started Mullvad.

Third-party cookies: unique identifiers that you accept (because you don’t have a choice, really).

Cookies are used for websites to remember some things about you so that the website can function. For example, when you put an item in a shopping cart, it’s a cookie that remembers it. When you’re staying logged in on a page, it’s thanks to a cookie working. When you choose a language on a site, it’s the small text file that is saved locally on your device (which is what a cookie is) that remembers it. This offers benefits and makes the internet a nice place to visit. These kinds of cookies are called first-party cookies, and they’re placed on the website by the website owner. And this isn’t really the issue. These cookies make it possible to identify you, but they aren’t the kind of cookies that are being used to track you all over the internet. Those are the ones called third-party-cookies.

Third-party cookies are cookies placed by someone other than the site owner. Specifically, it’s the site owner’s decision, but the cookies are connected to the third party. These cookies are placed by big tech companies, data brokers, and others who want to register your visit to the page to build a profile on you. How? Well, these cookies might appear on the next site you visit, and the next one, and the next one, because most sites you visit have an advertising network or something else that contains third-party cookies. And this is how they track you across the internet. It’s third-party cookies that cause you to receive ads based on how you have searched and clicked.

You can click no thanks to cookies. But sometimes that doesn’t help. Some cookies are not optional. These are called ‘essential cookies’. Among them are third-party cookies from big tech.

You can say no to cookies. We all know you have to accept, manage or reject cookies when you enter a site for the first time. This means you can reject cookies that aren’t necessary (like third-party cookies). But given how the infrastructure currently works, it’s not a free choice. There’s a cookie fatigue among most internet users, which means that almost no one takes the time to read through the never-ending terms and conditions (some are longer than Shakespeare’s dramas). Most cookie warnings are also presented with dark patterns, which means that the user journey is built to make people hit accept; the ‘manage cookies’ or ‘reject cookies’ options are more or less hidden, or exhausting to get through. These are reasons why the vast majority of internet users just press Accept every time.

Reminder: even if you click ‘manage cookies’ or ‘reject cookies’, there are some cookies named ‘essential’ that aren’t optional (you can’t click them away). You might think these would just be first-party cookies. But no. These essential cookies often include those placed by the big tech companies.

Since cookies are stored locally on your device, they are a unique identifier that is used to build a profile on you and your internet behavior. The easiest way to get rid of them is to run a privacy-focused browser. Sure, you can run a non-privacy-focused browser and delete your cookies and cache after every session, and surf the web in incognito mode – and there are plenty of browser extensions blocking third-party cookies that you can use. The problem is, even if you get rid of the cookies and hide your IP address, it’s still possible to track you through an ordinary browser. How? Well, let us introduce browser fingerprinting.

What makes fingerprinting a threat to online privacy? It’s pretty simple. First, there is no need to ask for permissions to collect all this information.

The Tor Project

Browser fingerprinting: identifiers they don’t even ask you about.

When you enter a webpage, scripts on the webpage will ask your browser a series of questions: which version of the browser do you run, are you using mobile or desktop, which language have you chosen, which time zone are you in, which plugins and fonts have you installed, what resolution do you have on your screen, which graphics card does your device use? It will also ask your browser questions about your hardware, to create device fingerprints. The number of questions and the combination of answers makes it possible to create your unique fingerprint. In a time of cookies being under legal pressure, browser fingerprinting plays by different rules. As the Tor Project describes it: “there is no need to ask for permission to collect all this information.”

Third-party trackers: using scripts to find out exactly what you’re doing online.

A vast majority of the sites on the web use scripts (small pieces of JavaScript code) to function. This provides great benefits, but scripts can also be used by third parties to track you. For example, if a site uses Google Analytics, there is a script from Google on the site. If the site uses a font from a font developer, there is a script from that developer. If the site you are visiting has a Facebook Pixel to maximize its social media ads, there is a script from Facebook. If the page wants to interact with you at all, there is most probably a JavaScript on the site. And when there is a script on the site, that’s how they can find out exactly what you’re doing on the site.

While the other techniques are all about identifying you and which sites you visit, it’s through the scripts that it becomes possible to know which videos you are watching on YouTube, how long you look at a given picture, if you read the whole article or if you left halfway through. For example, The Guardian reported that Facebook collected what people had written in comment boxes before they erased the text, changed their minds and never posted it. They called the unposted thoughts for ‘self-censorship’. Finally, by using scripts it’s possible to check your browser fingerprints; scripts are used to ask your computer to give away information or do stuff to identify it.

It’s important to remember and emphasize this: when data collectors gather internet activities through scripts, they need unique identifiers to link the activity to specific users. They can do this by registering your IP address, they can do it by placing cookies on your device, and they can use browser fingerprints to try to identify you. If they have access to these identifiers, they can form a comprehensive internet persona of you. But if you cut their paths to identification, they can’t do much with the behavioral data gathered by scripts. Note: even if all your identifiers are gone, it could be a good idea to block scripts, since they could contain malicious code designed to do you harm.

The big problem with big data: the amount is too big to keep anonymous.

Maybe this is an idea of yours: all the data collectors say they anonymize the data, they have all these patterns and structures, but they aren’t connected to you. But that’s not true. The amount of data collected makes it impossible to keep it anonymous. For example, it has been repeatedly proven that four location-specific measurement points are enough to uniquely identify 95 percent of individuals. Then consider those 1,500 measurement points that data brokers have on you, not to mention big tech or the fact that they buy and sell to each other on a very poorly regulated market.

Mullvad VPN + Mullvad Browser is how we contribute to making it really hard for those big data collectors out there, to make mass surveillance impractical. It is our contribution to a free internet.

A VPN takes care of your IP address. The Mullvad Browser helps with the next step.

A trustworthy VPN masks your IP address. It means your internet provider can’t see which sites you’re visiting. It also means: one less unique identifier to worry about. If you also run the Mullvad Browser, it blocks and clears cookies between each session, unwanted scripts are blocked, and the browser is developed in a way that means all users will have the same browser fingerprint. The result: all the unique identifiers we have mentioned above, that can be used to track you, are gone and there are no easy ways for data collectors to track you (once again: provided you don’t open the door and let them in through the main entrance; via apps, by being logged into social media, sharing stuff etc.).

It’s impossible to be 100 percent anonymous all the time. But Mullvad VPN + Mullvad Browser is how we contribute to making it harder for those big data collectors out there, to make mass surveillance impractical. It is our contribution to a free internet.

Want to dive deeper into browser fingerprinting? Take a look here.

Considering hiding your IP address after reading this? That’s understandable. Get Mullvad VPN here.

Think it’s a good idea to put an end to browser fingerprinting? Read more about the Mullvad Browser.