Everything that people do today in the internet is being tracked by social networks, news websites, advertisement services and many others. Do journalists have to worry about that? Probably not in the first place. The purpose of this kind of data collection is a commercial one, which may not stand in conflict with the personal threat model of a journalist who want to protect investigations and the identity of sources. However, this is short-sighted.
Commercial surveillance does not work in an isolated silo, but is in constant interrelation with other data collection measures in the internet. A web tracking company may sell data to others or is legally obliged to hand over sets of data to state investigators. There are a lot of ways in which commercial data can find their way to entities that want to compromise journalists security. Does it really? Due to the secrecy of the interchanges, journalists would probably get to know it for sure. They lose control about their data, and that matters.
Tracking methods and countermeasures
It might be impossible nowadays to avoid tracking completely. However, there are some very invasive methods that journalists should take care of – and use countermeasures if possible.
HTTP Connection
A connection over http does not have any kind of encryption. Everything a user sends and receives is readable in plain text. This information can be used to analyse user’s behaviour and record sensitive information. Encryption in transport is only done over https.
A countermeasure is to install an extension (also known as plug-in or add-on) in a web browser such as https everywhere. It enables https on all websites that offer it technically. However, a user always relies on the availability of https on a website, but cannot technically force it to do that.
Cookies
A cookie is a small text file that is stored by websites in a user’s web browser. It can contain useful and essential information such as the login data, but is often also used for tracking purposes.
A countermeasure is to use the incognito mode of a browser. It deletes cookies at least after every session, every time if a user closes the browser entirely.
IP Address
An IP address is essential to use the internet at all. Using the internet without an IP address is impossible. However, as an IP address is mostly provided by an Internet Service Provider (ISP), it regularly knows the identity of the user “behind” an IP address – and also, what this user does on the internet. Furthermore, an IP address offers some geographical information about a user, for example the country.
A countermeasure is to use anonymisation tools such as VPN or Tor browser.
DNS Records
The Domain Name System (DNS) is kind of a database that translates names of websites into IP addresses that can be used by computers. While humans can better remember URLs such as www.example.com, a computer always needs an IP address to connect users with websites. This problem is solved through a DNS database that stores both names of websites as well as their corresponding IP addresses. This means, however, that the one who operates the database also knows both the IP address of users and the websites they want to access. Recording this means that the DNS operator maintains a log about users’ browsing behaviour.
A countermeasure is to manually change the DNS of a computer, which can either be done in the web browser or in the system settings.
Trackers
Many websites integrate web trackers to record users’ behaviour. They can operate this by themselves or through the external tracking companies, the so-called 3rd parties. Many websites have hundreds of different trackers that make detailed records of every user.
A countermeasure is to install an extension (also known as plug-in or add-on) in a web browser that stops illegitimate tracking, such as the Privacy Badger.
Browser fingerprinting
Every web browser sends a lot of technical information about itself in every connection, for example its version, language settings, time and date, screen size, system information and much more. In combination, this information creates a so-called fingerprint and may make a user unique among the mass of users.
A countermeasure is to install an extension (also know as plug-in or add-on) in a web browser that modifies a fingerprint in sending various information, such as the User-Agent Switcher. Please note that this only makes sense if a user activates a random mode to get different fingerprints over time. Another countermeasure is to use the Tor browser without changing the screen size.
Data collections on services with a log in
When a user logs in to a service, it enters the “universe” of this service: everything is created and controlled by the service. This is for example true for social networks, search engines or collaborative working platforms. Their business model often is the data collection itself. A user is not a user, but the product.
There is no real countermeasure against this kind of tracking. Users should read the privacy policy of a service and reduce giving data to the service as much as possible. On Google, Facebook and Twitter, for example, a lot of data collection methods are enabled by default, but can be disabled. Journalists should be aware that these services are legally especially obliged to hand over the data provided by the user, e.g. chats, posts, photos or the uploaded files to governments. The best way to prevent these problems is not to even share the sensitive data on these services.
English