Protecting your LiveJournal privacy with Firefox

[ciphergoth]

This journal entry describes ways in which people you know may be monitoring the way you use LJ. How often you read their journal, what friends groups you define, and so on.

It's done with what are called "web bugs" - tiny images served from special servers that record this information. You can block the servers that serve the web bugs, but they can always create more servers, so it's a game of "whack-a-mole".

Today I found out about a setting in Firefox that blocks *all* web-bug based tracking, from all websites to all websites, permanently. No longer will people be able to monitor you in this way.

Go to the URL bar and type "about:config". Select the setting "network.http.sendRefererHeader". If it has the value "2", change it to "1". That's it.

Technical details

I'll be setting this on all my browsers ASAP.

Comments

[zeke-hubris.livejournal.com]

Any idea what sort of things the "loss of functionality on some websites" mentioned in your link might actually entail?

[ciphergoth.livejournal.com]

The only example I can think of is that some websites, in order to prevent image "stealing", will check the Referer header on an image before serving it to make sure it matches the serving site, otherwise they substitute an image that says "don't steal my images". However, most such sites default to providing the correct image if you don't supply a Referer at all, so for the most part they will work better, not worse, after this change.

[zeke-hubris.livejournal.com]

Wonderful. Thanks for clearing that up :-)

[dennyd.livejournal.com]

I'm not actually bothered about the LJ web-bugs - I just think they're a bit inane - but I'll be setting this anyway, to annoy the legions of commercially-motivated buggery (um) that I've noticed over the last few months.

[http://users.livejournal.com/puzzle_/]

How very cool! (She says as she view your post through her friend friend's page)

[arkady.livejournal.com]

Thank you. Duly done - how very useful. Yet one more reason why I am heartily glad the only reason I ever use other web browsers other than Firefox is purely to test my websites on.

[cairmen.livejournal.com]

Speaking as one of the people trying to track statistics for my sites, I'd really rather you didn't do this, actually.

Referrer data is one of the most valuable ways for any webmaster - even the, you know, not evil ones - to learn about what's going on with their site, who's linking to it, and so on. For BloodSpell, it would be absolutely crippling not to be able to tell where our hits were coming from, and would mean I couldn't easily respond to blogs mentioning the film, couldn't correct errors (like people saying I'm not using Creative Commons correctly), and generally couldn't manage my website.

It's going to be a real pain in the arse trying to figure out why people are viewing my websites and where they came from without referrer data. So unless people have a *really* strong need to turn this off, I'd kinda plead with them not to.

[feorag.livejournal.com]

Following ciphergoth's instructions means that the browser still sends referrer information when a link is clicked on, but does not when downloading an image. You shouldn't lose any information about where your hits come from.

[ciphergoth.livejournal.com]

I also *heart* my referrer logs, which is why I've asked people to set this to "1" rather than "0". See the "technical details" article. I've just tested this on my own website.

[zz]

i use privoxy, which has an option to forge referers, either to a specific address, or to the destination site's root. means that sites that check referers always assume one is coming from their own site :>

[azekeil.livejournal.com]

In response to this comment and the main post, I'm not certain that they get their information *just* from the referrer URL. I may have to do some tests with images hosted on my home server to confirm/deny this.

In response to just this comment - setting the value of the item to 1 simply stops the referrer information being sent to servers when the browser is retrieving an image - when visiting a site, FireFox will still issue a referrer URL back to the server, so all should not be lost.

[ciphergoth.livejournal.com]

But privoxy can't reliably tell in general what's embedded and what's a link, which Firefox can.

[cairmen.livejournal.com]

Ah, right, cool. I clearly didn't read the article thoroughly enough.

[zz]

...which is why I have privoxy do it for every request. referer logs can be useful, but sites i visit can get that information from people who don't know any better.

[sjmurdoch.livejournal.com]

From a quick glance, this doesn't appear to stop Javascript based web-bugs, e.g. the Xanga Anti-Stalker Module. Feel free to correct me if I am wrong.

[oedipamaas49.livejournal.com]

When you say "blocks *all* web-bug based tracking", that is very different from "blocks all tracking", no?

i.e. you might block these particular tools, but your IP address will still be sent, and (as you say in the comments) you'll still send a referer header when you click on a link. So the people who really want to tell who's reading will still basically be able to, just with a little more work.

[felishumanus.livejournal.com]

it seemed to disrupt a forum i use..so reset it..may have just beena glitch ont eh forum though..while check again another night

[pooloftrees.livejournal.com]

As someone running my own web server, this change will probably mess up some peoples visitor web stats (which are usually used for general statistal analysis, not for tracking individuals). For instance, when I visit my site this gets logged by the server:

firefalcon.plus.com - - [26/Apr/2006:23:09:35 +0100] "GET /images/get-ff-sm.gif HTTP/1.1" 200 1786 "http://www.solutium.co.uk/index.shtml" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.3"

The GET is the web browser asking for a file, in this case an image "get-ff-sm.gif" in the "images" directory. After the HTTP/1.1 and two numeric fields, it has a string: "http://www.solutium.co.uk/index.shtml" - this is the referring page. Without that, files appear to be being requested randomly, some sites will block access to images without referers to prevent them being accessed except through a web page.

However, applying the suggested change should hopefully not break most sites people use every day, and, in the face of this paranoid tracking of individuals, is one way to get around this.

Personally I use AdBlock Plus (http://adblockplus.mozdev.org/) and NoScript (http://www.noscript.net/whats) with Firefox (http://www.mozilla-europe.org/en/products/firefox/) - that and changing the Options -> Privacy -> Cookies Tab to "for the originating site only" (e.g. only allow a cookie from mysite.com, not advertisers-site-with-banner-on-mysite.com).

I'm not actually bothered if people know I'm reading their journal (although generally I read from my friend's page, so they would potentially get hits every time I open that page, not necessarily actually read it).

(This is mirrored as a comment on KissyCat's post (http://kissycat1000.livejournal.com/486249.html))

[mskala.livejournal.com]

For images I post in Livejournal, a valid referrer header is required - with no referrer, you get a redirect to tubcat.com. That's because any image that appears in a public Livejournal posting takes a massive hit from the "show the last N pictures posted on all of Livejournal" scripts. Here's an example:



With a referrer from my site or Livejournal, you'll see Hällo Kitti. With some other, or no, referrer, you'll see tubcat.

[pooloftrees.livejournal.com]

And in case anyone thinks I'm trying to do some tracking myself, I'll add this warning: Unless you've turned off your referer entirely (0 in network.http.sendRefererHeader in Firefox), clicking on the link to solutium.co.uk (the link was unintentionally created by LiveJournal interpreting the http://... when I posted) will appear in my server logs showing that you came from http://ciphergoth.livejournal.com/264451.html.

Not that I'm that bothered where...

[mskala.livejournal.com]

I should have included this in my other comment, but:

Be careful with forging (as opposed to just not sending) referrer headers. I block visitors who send referrer headers for pages that do not actually point to my site (there's a probabilistic thing that checks them when they occur often enough) because until I started doing that, I was getting a significant fraction of my traffic (over 10%) apparently from zombies visiting just for the purpose of putting advertising into my referrer log. I also block the referrer set by "Outpost Firewall", because as well as being syntactically invalid, it consists of an advertisement for the product, so from my point of view, that's spam too.

[lovingboth]

I hadn't noticed the 1 setting. Thanks.

I don't think you need to use these sort of tricks to see what friends groups exist though.

[nikolasco.livejournal.com]

The ovious thoughts:
You can still log IPs to track what spots are viewing and how often, of course. Using cookies would probably help a bit.

Sites that provide services (like LJ Toys) have an advantage in discovering username-IP/cookie mappings. With Referer headers, they just collect more data. If you use a meme on the same site, then you often enter your username and it's almost always your own first. LJ Toys apparently has a field for putting in your LJ username, so that helps too. On the other hand, these same sites are easy to keep a list of and block.

[countess-sophia.livejournal.com]

Useful. Will set that ASAP.

Soph x

[ciphergoth.livejournal.com]

It will frustrate certain kinds of tracking and thus increase your privacy.