Protecting your LiveJournal privacy with Firefox

[ciphergoth]

This journal entry describes ways in which people you know may be monitoring the way you use LJ. How often you read their journal, what friends groups you define, and so on.

It's done with what are called "web bugs" - tiny images served from special servers that record this information. You can block the servers that serve the web bugs, but they can always create more servers, so it's a game of "whack-a-mole".

Today I found out about a setting in Firefox that blocks *all* web-bug based tracking, from all websites to all websites, permanently. No longer will people be able to monitor you in this way.

Go to the URL bar and type "about:config". Select the setting "network.http.sendRefererHeader". If it has the value "2", change it to "1". That's it.

Technical details

I'll be setting this on all my browsers ASAP.

Comments

[zeke-hubris.livejournal.com]

Any idea what sort of things the "loss of functionality on some websites" mentioned in your link might actually entail?

[ciphergoth.livejournal.com]

The only example I can think of is that some websites, in order to prevent image "stealing", will check the Referer header on an image before serving it to make sure it matches the serving site, otherwise they substitute an image that says "don't steal my images". However, most such sites default to providing the correct image if you don't supply a Referer at all, so for the most part they will work better, not worse, after this change.

[dennyd.livejournal.com]

I'm not actually bothered about the LJ web-bugs - I just think they're a bit inane - but I'll be setting this anyway, to annoy the legions of commercially-motivated buggery (um) that I've noticed over the last few months.

[http://users.livejournal.com/puzzle_/]

How very cool! (She says as she view your post through her friend friend's page)

[arkady.livejournal.com]

Thank you. Duly done - how very useful. Yet one more reason why I am heartily glad the only reason I ever use other web browsers other than Firefox is purely to test my websites on.

[cairmen.livejournal.com]

Speaking as one of the people trying to track statistics for my sites, I'd really rather you didn't do this, actually.

Referrer data is one of the most valuable ways for any webmaster - even the, you know, not evil ones - to learn about what's going on with their site, who's linking to it, and so on. For BloodSpell, it would be absolutely crippling not to be able to tell where our hits were coming from, and would mean I couldn't easily respond to blogs mentioning the film, couldn't correct errors (like people saying I'm not using Creative Commons correctly), and generally couldn't manage my website.

It's going to be a real pain in the arse trying to figure out why people are viewing my websites and where they came from without referrer data. So unless people have a *really* strong need to turn this off, I'd kinda plead with them not to.

[feorag.livejournal.com]

Following ciphergoth's instructions means that the browser still sends referrer information when a link is clicked on, but does not when downloading an image. You shouldn't lose any information about where your hits come from.

[ciphergoth.livejournal.com]

I also *heart* my referrer logs, which is why I've asked people to set this to "1" rather than "0". See the "technical details" article. I've just tested this on my own website.

[zz]

i use privoxy, which has an option to forge referers, either to a specific address, or to the destination site's root. means that sites that check referers always assume one is coming from their own site :>

[ciphergoth.livejournal.com]

But privoxy can't reliably tell in general what's embedded and what's a link, which Firefox can.

[sjmurdoch.livejournal.com]

From a quick glance, this doesn't appear to stop Javascript based web-bugs, e.g. the Xanga Anti-Stalker Module. Feel free to correct me if I am wrong.

[nikolasco.livejournal.com]

Correct. You can use the NoScript (http://www.noscript.net/whats) extension for Firefox to prevent that sort of thing. It's mentioned a bit farther down (http://ciphergoth.livejournal.com/264451.html?thread=2286339#t2286339) as well.

[oedipamaas49.livejournal.com]

When you say "blocks *all* web-bug based tracking", that is very different from "blocks all tracking", no?

i.e. you might block these particular tools, but your IP address will still be sent, and (as you say in the comments) you'll still send a referer header when you click on a link. So the people who really want to tell who's reading will still basically be able to, just with a little more work.

[ciphergoth.livejournal.com]

It will frustrate certain kinds of tracking and thus increase your privacy.

[felishumanus.livejournal.com]

it seemed to disrupt a forum i use..so reset it..may have just beena glitch ont eh forum though..while check again another night

[pooloftrees.livejournal.com]

As someone running my own web server, this change will probably mess up some peoples visitor web stats (which are usually used for general statistal analysis, not for tracking individuals). For instance, when I visit my site this gets logged by the server:

firefalcon.plus.com - - [26/Apr/2006:23:09:35 +0100] "GET /images/get-ff-sm.gif HTTP/1.1" 200 1786 "http://www.solutium.co.uk/index.shtml" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.3"

The GET is the web browser asking for a file, in this case an image "get-ff-sm.gif" in the "images" directory. After the HTTP/1.1 and two numeric fields, it has a string: "http://www.solutium.co.uk/index.shtml" - this is the referring page. Without that, files appear to be being requested randomly, some sites will block access to images without referers to prevent them being accessed except through a web page.

However, applying the suggested change should hopefully not break most sites people use every day, and, in the face of this paranoid tracking of individuals, is one way to get around this.

Personally I use AdBlock Plus (http://adblockplus.mozdev.org/) and NoScript (http://www.noscript.net/whats) with Firefox (http://www.mozilla-europe.org/en/products/firefox/) - that and changing the Options -> Privacy -> Cookies Tab to "for the originating site only" (e.g. only allow a cookie from mysite.com, not advertisers-site-with-banner-on-mysite.com).

I'm not actually bothered if people know I'm reading their journal (although generally I read from my friend's page, so they would potentially get hits every time I open that page, not necessarily actually read it).

(This is mirrored as a comment on KissyCat's post (http://kissycat1000.livejournal.com/486249.html))

[pooloftrees.livejournal.com]

And in case anyone thinks I'm trying to do some tracking myself, I'll add this warning: Unless you've turned off your referer entirely (0 in network.http.sendRefererHeader in Firefox), clicking on the link to solutium.co.uk (the link was unintentionally created by LiveJournal interpreting the http://... when I posted) will appear in my server logs showing that you came from http://ciphergoth.livejournal.com/264451.html.

Not that I'm that bothered where...

[mskala.livejournal.com]

I should have included this in my other comment, but:

Be careful with forging (as opposed to just not sending) referrer headers. I block visitors who send referrer headers for pages that do not actually point to my site (there's a probabilistic thing that checks them when they occur often enough) because until I started doing that, I was getting a significant fraction of my traffic (over 10%) apparently from zombies visiting just for the purpose of putting advertising into my referrer log. I also block the referrer set by "Outpost Firewall", because as well as being syntactically invalid, it consists of an advertisement for the product, so from my point of view, that's spam too.

[lovingboth]

I hadn't noticed the 1 setting. Thanks.

I don't think you need to use these sort of tricks to see what friends groups exist though.

[nikolasco.livejournal.com]

I think you do. You can add filter=number to use a particular bitmask (individual groups are 1, 2, 4, 8, 16, etc), this only works for yourself. On other people's pages, the group needs to be marked public (private is the default) and you need to know the name. I guess you could use a dictionary attack if you reallllly want to know and think the person has marked them all public.

Maybe you have a different trick in mind, but that's the only one I can think of.

[countess-sophia.livejournal.com]

Useful. Will set that ASAP.

Soph x

[kimble.livejournal.com]

Hmm, this appears to break Keenspace comics. Anyone got a good idea for doing this on a per-site basis?

[nikolasco.livejournal.com]

I was hoping someone would know of an extension that would do this. I'll just note that it's possible to write one. Whether or not I'll ever get around to it is another matter. If someone else is interested, I can point them in the right direction in the Mozilla jungle.

[funky-firelord.livejournal.com]

Nice tip Thanks ciphergoth :-)

Firelord

[nickys.livejournal.com]

Cool.
Will give it a try, thanks.

[ladycat.livejournal.com]

Thank you! So simply and elegantly phrased evenI could manage it :-)

Will I still be able to read the posts that I've stopped from monitoring me?

[ciphergoth.livejournal.com]

Yes, should be fine!

Parcel arrived safely, thanks.

[louis_mallow]

Parcel arrived safely, thanks.

[hooverpig.livejournal.com]

Sorry to jump into this topic when it's so old, but I'm in need of blocking LJ-Toys out of my journal. I really don't like the idea anymore. However, after following your instructions and testing it with my old LJ-Toys account, my hits are still being recorded. Any ideas why this might be?

[ciphergoth.livejournal.com]

No, sorry. All I can suggest is that you double-check everything again. If that doesn't work, you'll need packet capture or log analysis or something to diagnose further.

[wintrmute.livejournal.com]

or alternatively, use the "Exceptions.." option in Firefox's Content tab to block loading of images from icon.pretentiousasfuck.co.uk and mocko.org.uk..

[lotuspath.livejournal.com]

THANK YOU!

[secrets-n-lies.livejournal.com]

Thank you. So, this will be able to stop someone from spying on my activities via LJ Toys, yes?

[ciphergoth.livejournal.com]

It means that LJ toys will have a lot less information to chew on.