Internet Browsers and Privacy

I came across some articles around the web on the rise of user tracking on the Internet and how some web companies achieve that. While I could see a whole bunch of addons for firefox / chrome around privacy, the arms chest for web companies is growing as well. They now use very long term cookies, flash cookies, DOM storage and all kinds of tricks with Javascript to track users. For eg. under certain circumstances (using an embedded iframe in a web page) it is possible for a website (say a news website) to read cookies which were created by another website (say a social networking website). If the news website embeds a page from the social network in an iframe the social network iframe will have the user’s context information from the social website’s cookie available in the same context as the news website’s page that the user is currently viewing. Essentially, the social network website will have knowledge of the actual news pages the user is reading. Such embedding if fairly common place (facebook like button is an example) and the current browsers fail to give a choice to the user till the extent they want to be tracked. Firefox sends a Do Not Track hint to websites but its only up to the sites to honor them.

To make matters worse, most of these websites are providing us with services we really want, but we would not like them to track what else we do on the internet, or what have we been doing on the internet over long periods of time. So blocking cookies altogether is really not an option. What we really need is a way to isolate different web apps from one another and across their usage at large timescales (weeks / months). If we are able to achieve good isolation, we really don’t care how bonkers do these websites go with cookies (at short timescales).

I tried to find a reasonable workaround for web tracking and have come to the following which works reasonably well. It doesn’t use any special addons for browsers:

Most browsers support multiple user profiles. Besides flash cookies (which needs to be dealt separately), the profile carries the “cookie jar” and the persistent DOM storage for which contains all tracking information. Thus, we should be able to create multiple profiles and run independent instances of the browser for most websites we visit. Very importantly, we can run multiple instances of the browser simultaneously each having their own cookie jars and DOM storage so that there is no chance of cross site cookie sniffing.

So, the idea is to keep a master copy of a profile with all your preferred browser settings and, using a script, copy it over to a temporary profile before the browser is launched (with the temporary profile). Once the browser is closed, the temporary profile is deleted. If multiple browsers instances are launched, each will be launched in their own temporary profiles so that you can have as many isolated independent instances as you need.

So far, I haven’t been able to figure out a good UI convention for the user to communicate this isolation. The best I have now is that a browser window is a unit of isolation and all tabs in the browser are in the same temporary profile. The solution above using browser profiles doesn’t limit you from opening multiple windows though, I personally manage it using multiple virtual desktops. However, this is still an open problem and once I have it I will probably go forward and try implementing it for a browser. If you have a suggestion for a UI convention for browser session isolation please leave a comment.

I implemented the above idea for chrome (chromium actually) and firefox. Chrome supports profiles using a user-data directory which can be specified on the command line. Firefox supports command line options to create a new profile. Thus, my chromium launching script in bash looks like

tmpProfileName=`date | md5sum | cut -d " " -f 1`
cp -a <location of master profile> <prefix of temprorary profiles>/$tmpProfileName
chromium --user-data-dir=<prefix of temprorary profles>/$tmpProfileName
rm -r <prefix of temprorary profiles>/$tmpProfileName

and my Firefox launching script looks like:

tmpProfileName=`date | md5sum | cut -d " " f 1`
firefox -no-remote -CreateProfile $tmpProfileName
cp -a $HOME/.mozilla/firefox/<master profile folder>/* $HOME/.mozilla/firefox/*.$tmpProfileName/
firefox -no-remote -P $tmpProfileName
rm -r $HOME/.mozilla/firefox/*.$tmpProfileName

Opera should be similar to chrome as it has a user-data directory for profiles similar to chrome.

This will also help you log in using multiple accounts for the same website in different browser windows simultaneously. Essentially, its like having many simultaneous active but independent instances of the “incognito” or “private browsing” modes.

Note that, if you do need persistent cookies for some reason, you can always launch the browser without the above script. It will store the cookies and other data in the default profile (separate from the master profile which is used to copy over settings to temporary profiles). However, I don’t think you will ever need that… if you do, just keep the browser window open indefinitely.

Update: The windows cmd script to achieve the same with firefox is below.

set profileDir=C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\
set profileId=%random%
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -no-remote -createprofile %profileId%
for /D %%i in (%profileDir%\*.master) do set masterProfileDir=%%i
for /D %%i in (%profileDir%\*.%profileId%) do set newProfileDir=%%i
xcopy /Q /E /Y %masterProfileDir% %newProfileDir%
start /wait "Starting Firefox..." "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -no-remote -P %profileId%
rmdir /S /Q %newProfileDir%

The above includes some rather ugly hacks to determine the profile dirs… but it works. Please use the correct path to firefox.exe in the above script. The location of firefox.exe can be determined by (Right Click on Firefox icon)->Properties.

Advertisements
This entry was posted in Internet. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s