“You have zero privacy anyway. Get over it,” Scott McNealy said of online privacy back in 1999, a view the former CEO of the now-defunct Sun Microsystems reiterated in 2015. Despite the hue and cry his initial remarks caused, he’s been proven largely correct.
Cookies, beacons, digital signatures, trackers, and other technologies on websites and in apps let advertisers, businesses, governments, and even criminals build a profile about what you do, who you know, and who you are at very intimate levels of detail. Remember that 2012 story about how Target could tell a teenager was pregnant before her parents knew, based on her online activities? That is the norm today. Google and Facebook are the most notorious commercial internet spies, and among the most pervasive, but they are hardly alone.
The technology to monitor everything you do has only gotten better. And there are many new ways to monitor you that didn’t exist in 1999: always-listening agents like Amazon Alexa and Apple Siri, Bluetooth beacons in smartphones, cross-device syncing of browsers to provide a full picture of your activities from every device you use, and of course social media platforms like Facebook that thrive because they are designed for you to share everything about yourself and your connections so you can be monetized. Trackers are the latest silent way to spy on you in your browser. CNN, for example, had 36 running when I checked recently.
Apple’s Safari 14 browser introduced the built-in Privacy Monitor that really shows how much your privacy is under attack today. It is pretty disconcerting to use, as it reveals just how many tracking attempts it thwarted in the last 30 days, and exactly which sites are trying to track you and how often. On my most-used computer, I’m averaging about 80 tracking deflections per week — a number that has happily decreased from about 150 a year ago.
Understanding online privacy
When speaking of online privacy, it’s important to understand what is typically tracked. Most websites and services don’t actually know it’s you at their site, just a browser associated with a lot of characteristics that can then be turned into a profile. Marketers and advertisers are looking for certain kinds of people, and they use profiles to do so. For that need, they don’t care who the person actually is. Neither do criminals and organizations seeking to commit fraud or manipulate an election.
When companies do want that personal information — your name, gender, age, address, phone number, company, titles, and more — they will have you sign up. They can then correlate all the data they have from your devices to you specifically, and use that to target you individually. That’s common for business-oriented websites whose advertisers want to reach specific people with purchasing power.
Criminals may want that data too. So may insurers and healthcare organizations seeking to filter out undesirable customers. (Over the years, laws have tried to prevent such redlining, but there are creative ways around it, such as installing a tracking device in your car “to save you money” and identify those who may be higher risks but haven’t had the accidents yet to prove it.) Certainly, governments want that personal data, in the name of control or security.
You should be most worried about when you are personally identifiable. But it’s also worrying to be profiled extensively, which is what browser privacy seeks to reduce.
Browsers and privacy: The best options, and how they can help
The browser has been the focal point of self-protection online, with options to block cookies, purge your browsing history or not record it in the first place, and turn off ad tracking. But these are fairly weak tools, easily bypassed. For example, the incognito or private browsing mode that turns off browser history on your local computer doesn’t stop Google, your IT department, or your internet service provider from knowing what sites you visited; it just keeps someone else with access to your computer from looking at that history on your browser.
The “Do Not Track” ad settings in browsers are largely ignored, and in fact the World Wide Web Consortium standards body abandoned the effort in 2019, even if some browsers still include the setting. And blocking cookies doesn’t stop Google, Facebook, and others from monitoring your behavior through other means such as looking at your unique device identifiers (called fingerprinting) as well as noting if you sign in to any of their services — and then linking your devices through that common sign-in.
Because the browser is a main access point to internet services that track you (apps are the other), the browser is where you have the most centralized controls. Even though there are ways for websites to get around them, you should still use the tools you have to reduce the privacy invasion.
Where mainstream desktop browsers differ in privacy settings
The place to start is the browser itself. Some are more privacy-oriented than others. Many IT organizations force you to use a specific browser on your company computer, so you may have no real choice at work. But if you do have a choice, exercise it. And definitely exercise it for the computers under your control.
Here’s how I rank the mainstream desktop browsers in order of privacy support, from most to least — assuming you use their privacy settings to the max.
- Apple Safari (macOS only)
- Microsoft Edge
- Mozilla Firefox
- Google Chrome
Safari and Edge offer different sets of privacy protections, so depending on which privacy aspects concern you the most, you may view Edge as the better choice for the Mac, and of course Safari isn’t an option in Windows, so Edge wins there. Likewise, Chrome and Opera are nearly tied for poor privacy, with differences that can reverse their positions based on what matters to you — but both should be avoided if privacy matters to you.
The following table shows the privacy settings available in the major desktop browsers. (Thanks to Computerworld’s Windows expert Preston Gralla for verifying and updating the Windows information.)
Windows and macOS browser privacy settings
A note about supercookies: Over the years, as browsers have provided controls to block third-party cookies and implemented controls to block tracking, website developers began using other technologies to circumvent those controls and surreptitiously continue to track users across websites. In 2013, Safari began disabling one such technique, called supercookies, that hide in browser cache or other locations so they remain active even as you switch sites. Starting in 2021, Firefox 85 and later automatically disabled supercookies, and Google added a similar feature in Chrome 88.
Browser settings and best practices for privacy
In your browser’s privacy settings, be sure to do the following:
- Block third-party cookies. To deliver functionality, a site legitimately uses first-party (its own) cookies, but third-party cookies belong to other entities (mainly advertisers) who are likely tracking you in ways you don’t want. Don’t block all cookies, as that will cause many sites to not work correctly.
- Set the default permissions for websites to access the camera, location, microphone, content blockers, auto-play, downloads, pop-up windows, and notifications to at least Ask, if not Off.
- Turn off trackers. If your browser doesn’t let you do that, switch to one that does, since trackers are becoming the preferred way to monitor users over old techniques like cookies. Plus, blocking trackers is less likely to render websites only partially functional, as using a content blocker often does. Note: Like many web services, social media services use trackers on their sites and partner sites to track you. But they also use social media widgets (such as sign in, like, and share buttons), which many websites embed, to give the social media services even more access to your online activities.
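To make the first-party versus third-party distinction concrete, here is an added example (not part of the original article) that sorts the cookies set during one page load by whether the responding host belongs to the site in the address bar. The sample hosts and cookie names are constructed, and the short suffix list is a stand-in for the Public Suffix List that real browsers consult.

```javascript
// Added example: classify cookies seen during one page load as first- or third-party.
// Assumption: a tiny constructed subset of multi-label public suffixes; a real
// browser consults the full Public Suffix List to find the registrable domain.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Reduce a hostname to its "site" (registrable domain), e.g. mail.google.com -> google.com.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// pageUrl: the URL in the address bar.
// responses: [{ url, setCookie: [cookieName, ...] }] for every resource the page loaded.
function classifyCookies(pageUrl, responses) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const report = { pageSite, firstParty: [], thirdParty: [] };
  for (const { url, setCookie = [] } of responses) {
    const host = new URL(url).hostname;
    // Same site as the address bar: first-party. Anything else: third-party.
    const bucket = siteOf(host) === pageSite ? report.firstParty : report.thirdParty;
    for (const name of setCookie) bucket.push({ host, name });
  }
  return report;
}

// Distinct outside sites that set a cookie: the ones a third-party block would stop.
function thirdPartySites(report) {
  return [...new Set(report.thirdParty.map((c) => siteOf(c.host)))].sort();
}

// Constructed sample: one article page pulling in an ad pixel and a social widget.
const SAMPLE_PAGE = "https://www.news.example.co.uk/story";
const SAMPLE_RESPONSES = [
  { url: "https://www.news.example.co.uk/story", setCookie: ["session"] },
  { url: "https://static.example.co.uk/app.js", setCookie: ["prefs"] },
  { url: "https://ads.adnetwork.example/pixel.gif", setCookie: ["uid"] },
  { url: "https://widgets.social.example/like.js", setCookie: ["sid", "track"] },
  { url: "https://cdn.fonts.example/font.woff2" }, // third-party host, but sets no cookie
];

const sampleReport = classifyCookies(SAMPLE_PAGE, SAMPLE_RESPONSES);
console.log("First-party cookies:", sampleReport.firstParty.length);
console.log("Third-party cookies:", sampleReport.thirdParty.length);
console.log("Third-party sites:", thirdPartySites(sampleReport).join(", "));
```

The subdomain static.example.co.uk counts as first-party because it shares the page's registrable domain, which is why blocking third-party cookies leaves a site's own sign-in and preferences working.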
Additionally, take these precautions when browsing:
- Use DuckDuckGo as your default search engine, because it is more private than Google or Bing. You can always go to google.com or bing.com if needed.
- Don’t use Gmail in your browser (at mail.google.com) — once you sign into Gmail (or any Google service), Google tracks your activities across every other Google service, even if you didn’t sign into the others. If you must use Gmail, do so in an email app like Microsoft Outlook or Apple Mail, where Google’s data collection is limited to just your email. (You could use a different browser just for Gmail and other Google services to make it harder for Google to track your other browser activities, but that requires a discipline that is hard to maintain — chances are that you’d start doing other work in that Google-specific browser and thus compromise more of your privacy.)
- Never use an account from Google, Facebook, or another social service to sign into other sites; create your own account instead. Using those services as a convenient sign-in service also grants them access to your personal data from the sites you sign into.
- Don’t sign in to Google, Microsoft, Facebook, etc. accounts from multiple browsers, so you’re not helping those companies build a fuller profile of your actions. If you must sign in for syncing purposes, consider using different browsers for different activities, such as Firefox for personal use and Chrome for business. Note that using multiple Google accounts won’t help you separate your activities; Google knows they’re all you and will combine your activities across them.
Browser utilities to help enhance your privacy
You can supplement a desktop browser’s built-in security settings with additional tools.
Mozilla has a pair of Firefox extensions (a.k.a. add-ons) that further protect you from Facebook and others that monitor you across websites. The Facebook Container extension opens a new, isolated browser tab for any site you access that has embedded Facebook tracking, such as when signing into a site via a Facebook login. This container keeps Facebook from seeing the browser activities in other tabs. And the Multi-Account Containers extension lets you open separate, isolated tabs for various services that each can have a separate identity, making it harder for cookies, trackers, and other techniques to correlate all of your activity across tabs.
The DuckDuckGo search engine’s Privacy Essentials extension for Chrome, Edge, Firefox, Opera, and Safari provides a modest privacy boost, blocking trackers (something Chrome doesn’t do natively but the others do) and automatically opening encrypted versions of websites when available.
While most browsers now let you block tracking software, you can go beyond what the browsers do with an antitracking extension such as Privacy Badger from the Electronic Frontier Foundation, a long-established privacy advocacy organization. Privacy Badger is available for Chrome, Edge, Firefox, and Opera (but not Safari, which aggressively blocks trackers on its own).
The EFF also has a tool called Cover Your Tracks (formerly known as Panopticlick) that will analyze your browser and report on its privacy level under the settings you have set up. Sadly, the latest version is less useful than in the past. It still shows whether your browser settings block tracking ads, block invisible trackers, and protect you from fingerprinting, but the detailed report now focuses almost exclusively on your browser fingerprint, which is the set of configuration data for your browser and computer that can be used to identify you even with maximum privacy controls enabled. That data is complex to interpret, with little you can act on. Still, you can use EFF Cover Your Tracks to verify whether your browser’s specific settings (once you adjust them) do block those trackers.
The bottom line: Don’t rely on your browser’s default settings but instead adjust its settings to maximize your privacy.
What about ad blockers?
Because these blocker tools cripple parts of sites based on what their creators think are indicators of unwelcome site behaviors, they often damage the functionality of the site you are trying to use. Some are more surgical than others, so the results vary widely. If a site isn’t running as you expect, try putting the site on your browser’s “allow” list or disabling the content blocker for that site in your browser.
I’ve long been skeptical of content and ad blockers, not only because they kill the revenue that legitimate publishers need to stay in business but also because extortion is the business model for many: These services often charge a fee to publishers to allow their ads to go through, and they block those ads if a publisher doesn’t pay them. They promote themselves as aiding user privacy, but it’s hardly in your privacy interest to only see ads that paid to get through.
Of course, desperate and unscrupulous publishers let ads get to the point where users wanted ad blockers in the first place, so it’s a cesspool all around. But modern browsers like Safari, Chrome, and Firefox increasingly block “bad” ads (however defined, and typically quite limited) without that extortion business in the background. Firefox has recently gone beyond blocking bad ads to offering stricter content blocking options, more akin to what extensions have long done. What you really want is tracker blocking, which nowadays is handled by many browsers themselves or with the help of an anti-tracking extension.
Where mainstream mobile browsers differ in privacy settings
Mobile browsers typically offer fewer privacy settings even though they do the same basic spying on you as their desktop siblings do. Still, you should use the privacy controls they do offer.
In terms of privacy capabilities, Android and iOS browsers have diverged in recent years. All browsers in iOS use a common core based on Apple’s Safari, whereas all Android browsers use their own core (as is the case in Windows and macOS). That means iOS both standardizes and limits some privacy features. That is also why Safari’s privacy settings are all in the Settings app, and the other browsers manage cross-site tracking privacy in the Settings app and implement other privacy features in the browser itself.
Here’s how I rank the mainstream iOS browsers in order of privacy support, from most to least — assuming you use their privacy settings to the max.
- Apple Safari
- Microsoft Edge
- Mozilla Firefox
- Opera Browser (formerly named Opera Touch)
- Google Chrome
And here’s how I rank the mainstream Android browsers in order of privacy support, from most to least — also assuming you use their privacy settings to the max.
- Microsoft Edge
- Opera Browser
- Mozilla Firefox
- Google Chrome
The following two tables show the privacy settings available in the major iOS and Android browsers, respectively, as of September 28, 2022 (version numbers aren’t often shown for mobile apps). (Thanks to Computerworld’s Android expert JR Raphael for verifying and updating the Android information.)
Note: Controls over location, microphone, and camera privacy are handled by the mobile operating system, so use the Settings app in iOS or Android for these. Some Android browser apps provide these controls directly on a per-site basis as well.
iOS browser privacy settings
Android browser privacy settings
Browsers for the paranoid: Brave, Epic, and Tor
A few years ago, when ad blockers became a popular way to combat abusive websites, there came a set of alternative browsers meant to strongly protect user privacy, appealing to the paranoid. Brave Browser and Epic Privacy Browser are the most well-known of the new breed of browsers. An older privacy-oriented browser is Tor Browser; it was developed in 2008 by the Tor Project, a nonprofit founded on the principle that “internet users should have private access to an uncensored web.”
Today, you can get strong privacy protection from mainstream browsers, so the need for Brave, Epic, and Tor is quite small. Even their biggest claim to fame — blocking ads and other annoying content — is increasingly handled in mainstream browsers.
One alternative browser, Brave, seems to use ad blocking not for user privacy protection but to take revenues away from publishers. Brave has its own ad network and wants publishers to use that instead of competing ad networks like Google AdSense or Yahoo Media.net. So it tries to force them to use its ad service to reach users who choose the Brave browser. That feels like racketeering to me; it’d be like telling a store that if people want to shop with a specific credit card, the store can sell them only goods that the credit card company supplied.
Still, there are reasons to consider these alternative browsers beyond ad blocking:
- Brave Browser can suppress social media integrations on websites, so you can’t use plug-ins from Facebook, Twitter, LinkedIn, Instagram, and so on. The social media firms collect huge amounts of personal data from people who use those services on websites. Do note that Brave does not honor Do Not Track settings at websites, treating all sites as if they track ads.
- The Epic browser’s privacy controls are similar to Firefox’s, but under the hood it does one thing very differently: It keeps you away from Google servers, so your information doesn’t travel to Google for its collection. Many browsers (especially Chrome-based Chromium ones) use Google servers by default, so you don’t realize how much Google actually is involved in your web activities. But if you sign into a Google account through a service like Google Search or Gmail, Epic can’t stop Google from tracking you in the browser.
- Epic also provides a proxy server meant to keep your internet traffic away from your internet service provider’s data collection; the 1.1.1.1 service from Cloudflare offers a similar facility for any browser, as described later. (Google Chrome and Microsoft Edge let you choose to use a third-party secure DNS provider if desired, but they don’t provide their own as Epic does.)
- Tor Browser is an essential tool for journalists, whistleblowers, and activists likely to be targeted by governments and corporations, as well as for people in countries that censor or monitor the internet. It uses the Tor network to hide you and your activities from such entities. It also lets you publish websites called onions that require highly authenticated access, for very private information distribution.