Sophos Cloud Optix
Do you really know where your browser goes when you type a URI into its address bar? Do you realise that your browser not only accesses the site you intended but may also have visited 3rd party websites running connected services?
For many of us this revelation is nothing new but to a lot of surfers this type of activity is news – for the simple reason that it happens behind the scenes.
Sometimes, but by no means always, you can see the end results of this behind the scenes traffic on the website you’re visiting; it’s essential for delivering features like Google AdSense, Facebook Likes or Pinterest ‘Pin it’ buttons for example.
What’s happening is that when you type a URL into your browser it fetches the web page you asked for and then it fetches anything else that web page says it needs.
Typically a page will contain instructions to fetch things like stylesheets that control the layout of the page, graphics and photographs to illustrate it and scripts to create functionality.
Those things might come from the same website as the page you asked for but they don’t have to, the web page can also ask for things from 3rd party websites.
To both the web browser and the 3rd party websites involved these unseen secondary requests are indistinguishable from a user just typing a URL into the address bar.
This is an extremely useful feature, one that is essential to the operation of a lot of web services, but it allows the 3rd parties involved to do things you might not expect such as track your ‘visit’ or set cookies on your browser.
This isn’t a secret but it isn’t obvious either. Web browsers have ways of showing you this traffic if you want to see it but it’s not visible in a form that would make sense to a non-technical user.
Recently, Mozilla released a new add-on for Firefox called Lightbeam. The primary purpose of Lightbeam is to help people better understand how the web works and to shine a light on the realities of data tracking.
Released at this year’s MozFest, Lightbeam builds on existing technology called Collusion to give users more control over their surfing activities and how they are being monitored on the web.
In a blog post announcing Lightbeam, Mozilla’s Alex Fowler stated, “we believe that everyone should be in control of their user data and privacy”.
I thought this sounded like a great tool for those of us who seek more transparency in the way our online activities are tracked so I gave Lightbeam a quick test drive.
I picked a handful of social media and news sites (including Naked Security) to see how connected they all were and to see if I could learn about some of the 3rd party connections that I hadn’t known existed.
In all, I visited 12 sites which connected me with 127 3rd party sites.
For example, a visit to Naked Security yielded 21 3rd party connections. Some of these connections are to services like Facebook, LinkedIn, Reddit and Twitter which we use to make it easier for our readers to share content.
Some are to services that provide additional content, like Sophos videos on YouTube, and some are analytics services which help us understand which articles are popular.
Lightbeam allows you to filter by visited and 3rd party sites. Visited sites are the sites that you either typed the URI in the browser yourself or explicitly clicked on a link to access the content.
3rd party sites are sites that are connected to the sites you visited that might collect information about you without any explicit interaction.
Lightbeam also gives you the ability to drill down into these site interactions and optionally block or watch certain sites of your choosing.
To be clear 3rd party services and 3rd party cookies are not intrinsically bad and can be employed for many useful purposes that don’t involve tracking.
Even those 3rd parties that are involved in tracking might be putting their data to uses that at least some of their users will agree with and benefit from.
For example Twitter monitors the websites its users visit with its tweet buttons and then uses the data to personalise its Trends.
Some Twitter users will feel this improves the site, others will be ambivalent and some will see it as unwelcome and invasive (if you’re one of those people you can disable the feature by enabling Do Not Track in your browser or through your Twitter security settings).
Fowler makes a good point when he says:
When we’re unable to understand the value these companies provide and make informed choices about their data collection practices, the result is a steady erosion of trust for all stakeholders.
For most privacy advocates this translates to transparency. If we know who is tracking us and what they’re doing with our data we can decide what level of trust and risk we’re willing to undertake.
Tools like Lightbeam give us greater visibility and control over which websites we are really visiting and allow us to make better decisions about who we transact with. A more open web means a better experience for everyone involved.
Chrome users can still download the Collusion add-on from the Chrome Web Store which will provide similar information and functionality.
If you’d like to know more about the 3rd party connections we use on Naked Security then take a look at our Cookies and Scripts page. You’ll find a list of cookies, their domains and who sets them as well as links to privacy policies and vendor opt-outs.
You use "analytics services which help us understand which articles are popular." while others "track your 'visit' or set cookies on your browser."
ummmmmm….
So "Analytics Services" don't set cookies or track users?
John was describing a 3rd party service we use having already explained that 3rd party services can set cookies and track your visit.
If you'd like more detail on those services and the cookies they set a full list is provided on the Cookies and Scripts page which John links to from the end of the article.
Thank, I'm not disagreeing with the content just the manner it’s stated in, it sounds weasel. I’m only pointing this out because I don’t want to see you slip into the type of cheap “their bad, we’re great” posts that some other AV firms come out with.
You’re a great news source, please stay that way.
Pretty pictures but no selective blocking? Prefer NoScript—no pictures but has blocking, and also works on older versions of Firefox.
Well you can selectively block 3rd parties from the "list view"
NoScript blocks scripts; it does not stop your browser from visiting various other sites behind the scenes. For that you’ll need something like RequestPolicy – which is what I use (I also use NoScript too). This new “LightBeam” sounds similar to RequestPolicy.
The link to the Collusion add-on is incorrect. It brings up another Naked Security article instead of the Chrome Web Store.
Fixed, thanks.
Lightbeam sounds like an interesting idea, but it doesn't seem to work with SeaMonkey (yet)…at least not as of Lightbeam 1.02 and SeaMonkey 2.22. In fact, I can't even get it to work with Firefox 25.0.
But even if/when it becomes compatible with SeaMonkey, it's one thing to know what all the 3rd party websites are, and another thing entirely to be able to control which ones can set cookies or run scripts.
NoScript already gives me that control (plus much more), so it's not clear exactly what advantage Lightbeam would provide.
One thing that is never mentioned in either your article or the documentation from the LightBeam homepage is that once it is installed you need to look for a wee icon stuck on the bottom right corner of your browser. Perhaps it is supposed to be intuitive. I find that when an extension is not documented sufficiently for the average user, it is pretty much left to the cognosetti who might have a clue as to how to use it or explain it to others.
In partial reply to Nigel, the only advantage that I see that LightBeam may provide is the graphic representation of the tracking.
I have been using Lightbeam for a while .. and I have allowed it to send data about 3rd party sites. Obviously that wouldn't work if I disabled browser access to those sites. … "You can choose to contribute your Lightbeam data to us. Data from Lightbeam can help us and others to understand third party relationships on the web and promote further research in the field of online tracking and privacy." .. "If you do contribute Lightbeam data to us, your browser will send us your Lightbeam data in a manner which we believe minimizes your risk of being re-identified. We will post your data along with data from others in an aggregated and open database."
Isn’t this what some free programs, (like Ghostery), already do?
I'll try this program out. I've used Ghostery, but the only issue I have with it is that it ALWAYS updates. It wants to update to so frequently it has become a hindrance. And I've tried to find the option where I can control when an update wants to take place. Hopefully Lightbeam offers update options.
How is this any diffrent than the disconnect me plugin. It also shows you all the sites that the page you are on is sending data to in a neat little animation and blocks them.