Lightbeam shines a light on which websites you’re really visiting


Do you really know where your browser goes when you type a URI into its address bar? Do you realise that your browser not only accesses the site you intended but may also have visited 3rd party websites running connected services?

For many of us this revelation is nothing new but to a lot of surfers this type of activity is news – for the simple reason that it happens behind the scenes.

Sometimes, but by no means always, you can see the end results of this behind the scenes traffic on the website you’re visiting; it’s essential for delivering features like Google AdSense, Facebook Likes or Pinterest ‘Pin it’ buttons for example.

What’s happening is that when you type a URL into your browser it fetches the web page you asked for and then it fetches anything else that web page says it needs.

Typically a page will contain instructions to fetch things like stylesheets that control the layout of the page, graphics and photographs to illustrate it and scripts to create functionality.

Those things might come from the same website as the page you asked for, but they don’t have to: the web page can also ask for things from 3rd party websites.

To both the web browser and the 3rd party websites involved these unseen secondary requests are indistinguishable from a user just typing a URL into the address bar.

This is an extremely useful feature, one that is essential to the operation of a lot of web services, but it allows the 3rd parties involved to do things you might not expect such as track your ‘visit’ or set cookies on your browser.

This isn’t a secret but it isn’t obvious either. Web browsers have ways of showing you this traffic if you want to see it but it’s not visible in a form that would make sense to a non-technical user.

Recently, Mozilla released a new add-on for Firefox called Lightbeam. The primary purpose of Lightbeam is to help people better understand how the web works and to shine a light on the realities of data tracking.

Released at this year’s MozFest, Lightbeam builds on existing technology called Collusion to give users more control over their surfing activities and how they are being monitored on the web.

In a blog post announcing Lightbeam, Mozilla’s Alex Fowler stated, “we believe that everyone should be in control of their user data and privacy”.

I thought this sounded like a great tool for those of us who seek more transparency in the way our online activities are tracked so I gave Lightbeam a quick test drive.

I picked a handful of social media and news sites (including Naked Security) to see how connected they all were and to see if I could learn about some of the 3rd party connections that I hadn’t known existed.

In all, I visited 12 sites which connected me with 127 3rd party sites.

For example, a visit to Naked Security yielded 21 3rd party connections. Some of these connections are to services like Facebook, LinkedIn, Reddit and Twitter which we use to make it easier for our readers to share content.

Some are to services that provide additional content, like Sophos videos on YouTube, and some are analytics services which help us understand which articles are popular.

Lightbeam allows you to filter by visited and 3rd party sites. Visited sites are the sites whose URI you either typed into the browser yourself or reached by explicitly clicking on a link.

3rd party sites are sites that are connected to the sites you visited that might collect information about you without any explicit interaction.
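The visited/3rd party split described above, and the way a page's own markup triggers those secondary requests, can be reproduced offline. This is an added example, not Lightbeam's code: the `.example` hostnames and page markup are constructed, and `site_of` is a naive stand-in for a proper Public Suffix List lookup.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes a browser fetch something while loading a page.
# Simplification: every <link href> is counted, not only stylesheets and icons.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

def site_of(url):
    """Naive 'site' key: the last two host labels (assumption; a real tool
    would consult the Public Suffix List to handle e.g. example.co.uk)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls = page_url, []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(FETCH_ATTRS.get(tag))
        if value:  # resolve relative references against the visited page
            self.urls.append(urljoin(self.page_url, value))

def third_parties(page_url, html):
    """Sites the browser would contact besides the one the user asked for."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return {site_of(u) for u in collector.urls} - {site_of(page_url), ""}

def connection_graph(pages):
    """Map each 3rd party site to the set of visited sites that embed it."""
    graph = defaultdict(set)
    for page_url, html in pages.items():
        for tp in third_parties(page_url, html):
            graph[tp].add(site_of(page_url))
    return dict(graph)

# Constructed sample pages (reserved .example names, not real traffic).
PAGES = {
    "https://www.news-site.example/story": '<link rel="stylesheet" href="/site.css">'
        '<script src="https://static.share-widget.example/share.js"></script>'
        '<img src="https://collect.analytics-co.example/pixel.gif">',
    "https://shop-site.example/": '<img src="logo.png">'
        '<iframe src="https://static.share-widget.example/like.html"></iframe>',
}

if __name__ == "__main__":
    for tp, seen_on in sorted(connection_graph(PAGES).items()):
        print(f"{tp} is contacted from {sorted(seen_on)}")
```

A 3rd party that appears under more than one visited site, as `share-widget.example` does here, is the kind of node that is in a position to link visits across sites.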

Lightbeam also gives you the ability to drill down into these site interactions and optionally block or watch certain sites of your choosing.

To be clear, 3rd party services and 3rd party cookies are not intrinsically bad and can be employed for many useful purposes that don’t involve tracking.

Even those 3rd parties that are involved in tracking might be putting their data to uses that at least some of their users will agree with and benefit from.

For example Twitter monitors the websites its users visit with its tweet buttons and then uses the data to personalise its Trends.

Some Twitter users will feel this improves the site, others will be ambivalent and some will see it as unwelcome and invasive (if you’re one of those people you can disable the feature by enabling Do Not Track in your browser or through your Twitter security settings).

Fowler makes a good point when he says:

“When we’re unable to understand the value these companies provide and make informed choices about their data collection practices, the result is a steady erosion of trust for all stakeholders.”

For most privacy advocates this translates to transparency. If we know who is tracking us and what they’re doing with our data we can decide what level of trust and risk we’re willing to undertake.

Tools like Lightbeam give us greater visibility and control over which websites we are really visiting and allow us to make better decisions about who we transact with. A more open web means a better experience for everyone involved.

Chrome users can still download the Collusion add-on from the Chrome Web Store which will provide similar information and functionality.

If you’d like to know more about the 3rd party connections we use on Naked Security then take a look at our Cookies and Scripts page. You’ll find a list of cookies, their domains and who sets them as well as links to privacy policies and vendor opt-outs.