The protection of privacy and one’s own data is becoming more and more important with increasing digitization. For this reason, it is becoming more and more important for end users to deal with the security of their data and privacy. The article on the topic of “Protecting private data” is intended to give a brief insight into current methods of tracking on the Internet and suggest various measures to ensure security, privacy and to improve data protection of the end user on the Internet.
Protecting private data: tracking on the Internet
In order to understand how to better protect one’s own private data, it is helpful to know the different methods of tracking individual providers.
Cookies
Probably the best-known variant of tracking is now implemented using cookies. When the user visits a page, the respective provider stores a cookie with a unique identifier. If the user returns to the page later, the provider can now read out the cookies and recognize that the user has already been to the page and identify them using the identifier. The cookie can also be used to track which sub-pages the user was active on. Further information can also be stored in cookies.
Tracking Pixel
In order to protect your private data, you should deal with tracking pixels in addition to cookies. In contrast to cookies, tracking pixels incorporate a 1×1 pixel on the page that is loaded from another server. This pixel is not visible to the visitor, but ensures that a corresponding call is made to the web server from which the pixel is loaded. The operator of the web server receives information about the IP address from which the page was accessed.
In this way, it can also be checked whether an advertising email has been opened, since in these cases the web server is called up. This method can also be used by spammers or in phishing attacks in order to be able to detect whether spam mails have been opened by the recipient and thus determine that it is a valid email address. Many mail clients meanwhile prevent the reloading of further web content. However, this may not apply to direct calls from the browser.
Device Fingerprinting
In order to be able to protect your private information, it is important to determine how you can be tracked yourself. Every time a page is called up via the Internet, information about the visitor is transmitted to the server. This affects, among other things, the browser used, the screen resolution, installed plug-ins, the color depth, the installed fonts, settings for language and time zone and the operating system used with patch status. The operator of a site can now try to distinguish individual users from one another on the basis of this information. Practice shows that such a differentiation is error-prone, but in principle possible. How easily you can be tracked using fingerprinting shows the following page: panopticlick.eff.org/
Security and anti-tracking measures to protect your private data
General security recommendations to protect your private data
Many application providers now offer configuration options to increase the security of their own data and to give the user a higher degree of privacy.
Insecure passwords are a common reason for taking over user accounts. Regardless of the application, 2-factor authentication should therefore be used as far as possible. In addition, make sure to use a separate password for each service – a password manager provide good support.
In order to protect your private data, you should also regularly check where you use social logins. As a rule, every provider such as Facebook, Instagram and Google offers such an overview.
Configuration of applications and social media accounts
Many settings to improve privacy protection can be set up in the Google account in the data and personalization area. For example, you can set the extent to which your search history is saved on YouTube and when it should be deleted.
If you use Google Maps, your geodata may also be saved on Google. You can also view and deactivate this in your Google account.
Google also stores data for your Google account for other services – for these services too – in order to protect your private data – you can choose whether and after what time interval it should be deleted.
Protect private data on Facebook
Every user has the option of quickly checking their own settings in their Facebook account and identifying opportunities for improvement. These can be found in your own profile in the “Settings and privacy” area under “Privacy check”.
In the “Who can see what you post” area, you should check whether the settings correspond to your own wishes in order to protect your private data.
Under the section “How others can find you on Facebook” there is also the option of configuring the account so that your own Facebook account can no longer be found using Google search.
Protect private data on Instagram
Some settings can also be made on Instagram. It is possible to decide in the privacy settings whether other users can see when you were last active on Instagram or whether other people can share their own messages.
Protect private data on WhatsApp
In the security area off the settings you can activate 2-factor authentication, for the case that this account is set up on another device.
Under the “WhatsApp privacy” tab, it is also possible to provide the app with additional authentication, e.g. FaceID. This can prevent other people who are given the phone from accessing your messages. In addition, in the Privacy section, you can define which people get to see information about WhatsApp at all.
None of this helps against the fact that WhatsApp, as a company itself, has the ability to track metadata about communications, i.e. which people communicate with each other on a regular basis. Since 2018, the company has also shared some of its data with its parent company Facebook.
Data protection-friendly messenger alternatives are Signal or Threema, but you often have to convince your own circle of acquaintances.
Protecting private data: use of browsers and browser extensions
In some areas, the GDPR has led to users being given more choices about how providers handle their own data. Unfortunately, this also means that users are confronted with a wide range of setting options in cookie banners when visiting pages. Providers try to “steer” the user toward allowing as much tracking as possible through color design or intuitive click paths. In today’s discussion, this is now known as “dark patterns”.
This can be remedied by browser extensions that automatically block tracking tools on pages – regardless of what is selected in the banner. Meanwhile, there are also extensions that automatically select the least invasive setting directly in the cookie banners of common providers and confirm this. This can achieve an enormous gain in comfort and better protect privacy. Well-known examples of such extensions are Ghostery, uBlock or the Cookie Popup Blocker.
Also worth mentioning at this point is the browser Cliqz, which is based on FireFox and convinces with privacy-by-default. However, the project was discontinued in May 2020.
In the meantime, the common browser manufacturers also show developments in the direction of privacy-by-design and default directly on the browser side. For example, the new version of Apple’s Safari browser has already integrated tracking protection.
TOR
Introduction: Protecting private data in the TOR network
The TOR network is a well-known way to move anonymously on the Internet. This is primarily used by data protectionists, political persecutees, but also criminals to move around the Internet without being recognized. The TOR network is also the “door” to the darknet, since many pages in the darknet can only be accessed via the TOR browser or similar networks, so-called onion networks.
Short overview of TOR
The TOR network consists of a meshed network of so-called onion routers. The onion routers themselves know the other onion routers in the network. Each router stores only its predecessor and its successor for each connection to enable communication, forming a so-called circuit.
If the end user establishes a connection to a service, the connection is routed through the TOR network and a connection is established. To do this, he must use a proxy himself, which serves as an entry point into the TOR network. Each connection through the TOR network passes through an entry node via a relay node to an exit node. After the exit node, the connection is routed through the Internet via the normal path.
As data is routed through the TOR network, it is encrypted with the individual keys of the nodes. A node can only see from whom it has received a packet as well as determine the next recipient of that packet. This also ensures that if a single node is compromised, its operator cannot draw any conclusions about the participants in a communication.
The illustration shows a connection between Alice and Bob via Charly and David as well as the individual “shells” with the different keys that are used in the course of communication. It is a simplified representation to illustrate the principle of nested encryption.
The use of TOR can lead to performance problems because the packet size is set to 509 bytes of user data (a “normal” TCP / IP or TLS packet usually has up to 1400 bytes available for data transport) and each packet in addition still has to be routed through the Onion network for the “normal” route.
Notes on using the TOR to optimally protect private data
Even though the TOR network generally offers protection against traceability, there are two essential points that you should keep in mind in order to protect your own private data.
On the one hand, anonymity can only be guaranteed if the user is not logged into Facebook or Google via the TOR network at the same time. If so, it is of course still possible for the respective operator to identify the user.
The user should also be aware that the security of the connection can only be guaranteed if the service itself also offers encryption of the connection via TLS. Otherwise, the data can be read in plain text by everyone from the point of departure from the TOR network at the latest – including the operators of the corresponding exit nodes.
Attacks on TOR
As already indicated in the previous section, the operator of exit nodes can basically view the data traffic of end users if they communicate with an unencrypted page (no TLS). Since the beginning of 2020, a group has been trying to exploit this circumstance by attempting to gain control of the majority of exit nodes in the network. In the meantime, the group is said to have controlled over 1/4 of the exit nodes worldwide. (Source: https: //www.zdnet.com/article/a-mysterious-group-has-hijacked-tor-exit-nodes-to-perform-ssl-stripping-attacks/ )
In combination with other attacks, such as SSL stripping, it is thus possible for the attackers to read the traffic from the users of the TOR network. For example, attempts were made to capture passwords to bitcoin accounts.
A “side project” by security researcher Edin Jusupovic from 2019 shows how easy it is to control many exit nodes ( https://twitter.com/oasace/status/1135473233925296129).
The scenario becomes even more dangerous if the group controls not only exit but also entry nodes. In these cases, it is possible to determine which parties are communicating with each other purely by analyzing the incoming and outgoing traffic. This is done by comparing the frequency of incoming packets and their sizes, for example. Knowledge of the meta data is therefore sufficient.
A list of the current TOR exit nodes can be viewed at any time on the TOR project page.
Summary of the topic "Protecting private data"
As the previous illustrations show, the use of the TOR browser can also help private users to move around the Internet undetected and limit the possibilities of surveillance by companies. However, the user cannot completely avoid this if he needs log-ins for individual pages.
Users should take particular care to always ensure TLS encryption of the pages despite using TOR, as otherwise attackers in particular will be able to read targeted data traffic at the exit nodes.
Conclusion: This is how you can protect your private data
There are many ways for users to improve the protection of their own data and privacy on the Internet, some of which require little time investment. The use of TOR can be a suitable measure for protecting privacy, but it is no guarantee that you will be completely anonymous on the Internet.