(A Beginners’ Guide To Reclaiming Online Privacy)
[Last Updated: 2021.12.05]
There were problems that arose with the original post of this, because … at something over forty-one thousand words … every time I made edits and saved it, my account would get suspended whilst under investigation, because it kept getting picked up by Medium’s spam filters and, seemingly, they can’t put a permanent exception on an article, only unblock it until the next time it trips the filters and the whole miserable rigmarole of saying “Oi! Medium! NO!” has to be restarted.
So, I got fed up with correcting typos only to have my account locked out for another day or three and stopped correcting or otherwise editing it.
The fundamentals are still the same for now — the reasons for taking the approach(es) and the ways to do them remain unchanged (for now).
But note that Firefox on Android is currently a hot mess: most of the recommended extensions are unavailable (or do not function correctly), about:config has been removed and, it looks like Mozilla’s developers aren’t terribly interested in responding to users’ in a way that suggests they are going to act upon objections to loss of functionality any time soon.
As a result, if you do opt for it on your Android device then you’ll need to make use of uBlock Origin instead of AdNauseam, HTTPS Everywhere instead of HTTPZ and, well, those and (thank goodness) NoScript are the only things I can recommend right now, but I hesitate to recommend even NoScript at this stage because it doesn’t offer any of the customisation options of the desktop version and doesn’t sanitise XSS by default either — and, no matter how many times I tell it to do that latter, the next time I launch Firefox it has forgotten my choice.
P̶e̶r̶s̶o̶n̶a̶l̶l̶y̶,̶ ̶I̶’̶v̶e̶ ̶b̶e̶e̶n̶ ̶u̶s̶i̶n̶g̶ ̶T̶o̶r̶b̶r̶o̶w̶s̶e̶r̶ ̶i̶n̶ ̶t̶h̶e̶ ̶m̶e̶a̶n̶t̶i̶m̶e̶ ̶(̶t̶h̶e̶ ̶m̶o̶b̶i̶l̶e̶ ̶v̶e̶r̶s̶i̶o̶n̶ ̶o̶f̶ ̶w̶h̶i̶c̶h̶ ̶s̶e̶e̶m̶s̶ ̶t̶o̶ ̶h̶a̶v̶e̶ ̶N̶o̶S̶c̶r̶i̶p̶t̶ ̶e̶n̶a̶b̶l̶e̶d̶ ̶b̶y̶ ̶d̶e̶f̶a̶u̶l̶t̶)̶ ̶s̶i̶m̶p̶l̶y̶ ̶b̶e̶c̶a̶u̶s̶e̶ ̶i̶t̶ ̶a̶t̶ ̶l̶e̶a̶s̶t̶ ̶o̶b̶f̶u̶s̶c̶a̶t̶e̶s̶ ̶t̶h̶e̶ ̶o̶r̶i̶g̶i̶n̶ ̶o̶f̶ ̶m̶y̶ ̶t̶r̶a̶c̶e̶s̶,̶ ̶w̶h̶i̶c̶h̶ ̶i̶s̶ ̶b̶e̶t̶t̶e̶r̶ ̶t̶h̶a̶n̶ ̶n̶o̶t̶h̶i̶n̶g̶ ̶-̶ ̶b̶u̶t̶ ̶I̶’̶m̶ ̶f̶a̶r̶ ̶f̶r̶o̶m̶ ̶h̶a̶p̶p̶y̶ ̶a̶b̶o̶u̶t̶ ̶i̶t̶ ̶a̶n̶d̶,̶ ̶a̶s̶ ̶a̶ ̶r̶e̶s̶u̶l̶t̶,̶ ̶a̶v̶o̶i̶d̶ ̶b̶r̶o̶w̶s̶i̶n̶g̶ ̶o̶n̶ ̶m̶y̶ ̶p̶h̶o̶n̶e̶ ̶i̶f̶ ̶I̶ ̶c̶a̶n̶. ¹.
I have switched to Firefox Nightly on Android. It’s a bit of a faff, but, by creating an account at https://addons.mozilla.org and then creating a collection of the relevant extensions, it is then possible to add them to Firefox Nightly after enabling the ‘secret’ developer options in it ².
In any event, the original WWW.rong article can be found here and, I’ll post any addenda here.
[N.B. the size, and number of images, mean the original article might slow or (seemingly) even freeze your browser. Just be patient — it will eventually load, … even if you’re faking your canvas 😀]
The Noscript element appears to have been visibly removed from uMatrix but remains as a setting in the preferences, so it’s probably still doing the same job, even though it is now a less flexible option and (possibly/probably) worse for privacy as a result, but, if you were previously enabling it in the preferences rather than on a case-by-case basis, there’s no change as far as you are concerned.
Google appear to have rejigged things a little and the source of the video content on YouTube is obfuscated compared to the previous discussion — you’ll need to look for the alphanumeric strings (note the fact that there is frequently more than one of them) containing <alphanumeric>aig<alphanumeric> (but, for now at least, it’s still only the ones containing the ‘aig’ string, which helps).
*** DEVELOPMENT OF uMATRIX HAS ̶ ̶̶C̶̶̶̶̶̶̶E̶̶̶̶̶̶̶A̶̶̶̶̶̶̶S̶̶̶̶̶̶̶E̶̶̶̶̶̶̶D̶̶̶̶̶̶̶ RECOMMENCED ***
This is ̶t̶e̶r̶r̶i̶b̶l̶e̶ terrific news.
̶Y̶o̶u̶ ̶c̶a̶n̶ ̶a̶p̶p̶r̶o̶x̶i̶m̶a̶t̶e̶ ̶s̶o̶m̶e̶ ̶o̶f̶ ̶i̶t̶s̶ ̶f̶u̶n̶c̶t̶i̶o̶n̶a̶l̶i̶t̶y̶ ̶w̶i̶t̶h̶ ̶u̶B̶l̶o̶c̶k̶ ̶O̶r̶i̶g̶i̶n̶,̶ ̶u̶s̶i̶n̶g̶ ̶y̶o̶u̶r̶ ̶o̶w̶n̶ ̶s̶t̶a̶t̶i̶c̶ ̶f̶i̶l̶t̶e̶r̶s̶ ̶a̶n̶d̶ ̶d̶y̶n̶a̶m̶i̶c̶ ̶r̶u̶l̶e̶s̶ ̶-̶ ̶r̶e̶a̶d̶ ̶t̶h̶e̶ ̶d̶o̶c̶u̶m̶e̶n̶t̶a̶t̶i̶o̶n̶ ̶o̶n̶ ̶u̶s̶i̶n̶g̶ ̶u̶B̶O̶ ̶i̶n̶ ̶M̶e̶d̶i̶u̶m̶ ̶o̶r̶ ̶H̶a̶r̶d̶ ̶m̶o̶d̶e̶.̶
̶H̶o̶w̶e̶v̶e̶r̶,̶ ̶u̶B̶O̶ ̶i̶s̶ ̶n̶o̶t̶ ̶a̶s̶ ̶f̶l̶e̶x̶i̶b̶l̶e̶ ̶a̶n̶d̶ ̶r̶e̶l̶i̶e̶s̶ ̶u̶p̶o̶n̶ ̶b̶l̶o̶c̶k̶l̶i̶s̶t̶s̶ ̶r̶a̶t̶h̶e̶r̶ ̶t̶h̶a̶n̶ ̶y̶o̶u̶r̶ ̶w̶h̶i̶t̶e̶l̶i̶s̶t̶i̶n̶g̶ ̶t̶h̶o̶s̶e̶ ̶e̶l̶e̶m̶e̶n̶t̶s̶ ̶y̶o̶u̶ ̶w̶a̶n̶t̶ ̶t̶o̶ ̶a̶l̶l̶o̶w̶.̶ ̶T̶h̶i̶s̶ ̶i̶s̶ ̶n̶o̶w̶h̶e̶r̶e̶ ̶n̶e̶a̶r̶ ̶a̶s̶ ̶g̶o̶o̶d̶,̶ ̶b̶e̶c̶a̶u̶s̶e̶ ̶t̶h̶e̶r̶e̶ ̶a̶r̶e̶ ̶c̶o̶n̶s̶t̶a̶n̶t̶l̶y̶ ̶n̶e̶w̶ ̶a̶d̶d̶i̶t̶i̶o̶n̶s̶ ̶t̶o̶ ̶t̶h̶e̶ ̶l̶i̶s̶t̶ ̶o̶f̶ ̶p̶o̶t̶e̶n̶t̶i̶a̶l̶l̶y̶ ̶n̶e̶f̶a̶r̶i̶o̶u̶s̶ ̶s̶o̶u̶r̶c̶e̶s̶ ̶…̶ ̶m̶e̶a̶n̶i̶n̶g̶ ̶t̶h̶a̶t̶ ̶i̶t̶ ̶i̶s̶n̶’̶t̶ ̶e̶v̶e̶n̶ ̶a̶ ̶g̶a̶m̶e̶ ̶o̶f̶ ̶w̶h̶a̶c̶k̶-̶a̶-̶m̶o̶l̶e̶ ̶(̶e̶v̶e̶n̶ ̶t̶h̶e̶ ̶l̶e̶g̶i̶o̶n̶s̶ ̶o̶f̶ ̶l̶i̶s̶t̶ ̶m̶a̶i̶n̶t̶a̶i̶n̶e̶r̶s̶ ̶a̶r̶e̶ ̶n̶e̶v̶e̶r̶ ̶g̶o̶i̶n̶g̶ ̶t̶o̶ ̶b̶e̶ ̶a̶b̶l̶e̶ ̶t̶o̶ ̶k̶e̶e̶p̶ ̶u̶p̶ ̶w̶i̶t̶h̶ ̶t̶h̶e̶m̶ ̶a̶l̶l̶)̶.̶
̶M̶o̶r̶e̶o̶v̶e̶r̶,̶ ̶u̶B̶l̶o̶c̶k̶ ̶O̶r̶i̶g̶i̶n̶ ̶i̶n̶ ̶i̶t̶’̶s̶ ̶d̶e̶f̶a̶u̶l̶t̶ ̶c̶o̶n̶f̶i̶g̶u̶r̶a̶t̶i̶o̶n̶ ̶i̶s̶ ̶i̶n̶f̶e̶r̶i̶o̶r̶ ̶t̶o̶ ̶u̶M̶a̶t̶r̶i̶x̶ ̶f̶o̶r̶ ̶f̶i̶l̶t̶e̶r̶i̶n̶g̶ ̶w̶e̶b̶ ̶c̶o̶n̶t̶e̶n̶t̶ ̶b̶y̶ ̶t̶y̶p̶e̶.̶ ̶A̶p̶p̶a̶r̶e̶n̶t̶l̶y̶ ̶y̶o̶u̶ ̶c̶a̶n̶ ̶c̶o̶n̶t̶r̶o̶l̶ ̶a̶l̶l̶ ̶w̶e̶b̶s̶i̶t̶e̶ ̶c̶o̶n̶t̶e̶n̶t̶ ̶(̶e̶x̶c̶e̶p̶t̶ ̶H̶T̶M̶L̶)̶ ̶o̶n̶ ̶a̶ ̶p̶e̶r̶ ̶D̶o̶m̶a̶i̶n̶ ̶b̶a̶s̶e̶ ̶w̶i̶t̶h̶ ̶u̶B̶O̶,̶ ̶b̶u̶t̶ ̶I̶’̶m̶ ̶g̶o̶i̶n̶g̶ ̶t̶o̶ ̶h̶a̶v̶e̶ ̶t̶o̶ ̶l̶o̶o̶k̶ ̶i̶n̶t̶o̶ ̶i̶t̶ ̶b̶e̶f̶o̶r̶e̶ ̶m̶a̶k̶i̶n̶g̶ ̶a̶n̶y̶ ̶r̶e̶c̶o̶m̶m̶e̶n̶d̶a̶t̶i̶o̶n̶s̶.̶
̶W̶e̶b̶E̶x̶t̶e̶n̶s̶i̶o̶n̶s̶ ̶d̶o̶n̶’̶t̶ ̶b̶r̶e̶a̶k̶ ̶e̶a̶s̶i̶l̶y̶ ̶w̶i̶t̶h̶ ̶F̶i̶r̶e̶f̶o̶x̶ ̶u̶p̶d̶a̶t̶e̶s̶,̶ ̶h̶o̶w̶e̶v̶e̶r̶ ̶…̶ ̶(̶n̶o̶t̶ ̶s̶o̶ ̶f̶a̶r̶ ̶a̶t̶ ̶l̶e̶a̶s̶t̶ ̶o̶n̶ ̶t̶h̶e̶ ̶d̶e̶s̶k̶t̶o̶p̶ ̶v̶e̶r̶s̶i̶o̶n̶ ̶a̶n̶y̶w̶a̶y̶)̶ ̶…̶ ̶s̶o̶ ̶u̶M̶a̶t̶r̶i̶x̶ ̶h̶a̶s̶ ̶b̶e̶e̶n̶ ̶a̶b̶l̶e̶ ̶t̶o̶ ̶k̶e̶e̶p̶ ̶w̶o̶r̶k̶i̶n̶g̶ ̶w̶i̶t̶h̶o̶u̶t̶ ̶u̶p̶d̶a̶t̶e̶s̶ ̶a̶n̶d̶ ̶m̶y̶ ̶r̶e̶c̶o̶m̶m̶e̶n̶d̶a̶t̶i̶o̶n̶ ̶i̶s̶ ̶t̶o̶ ̶k̶e̶e̶p̶ ̶u̶s̶i̶n̶g̶ ̶i̶t̶ ̶u̶n̶t̶i̶l̶ ̶i̶t̶ ̶b̶r̶e̶a̶k̶s̶,̶ ̶b̶u̶t̶ ̶s̶t̶a̶r̶t̶ ̶i̶n̶v̶e̶s̶t̶i̶g̶a̶t̶i̶n̶g̶ ̶a̶l̶t̶e̶r̶n̶a̶t̶i̶v̶e̶ ̶s̶o̶l̶u̶t̶i̶o̶n̶s̶ ̶w̶i̶t̶h̶ ̶a̶n̶ ̶e̶y̶e̶ ̶t̶o̶ ̶t̶h̶e̶ ̶a̶b̶o̶v̶e̶ ̶c̶a̶v̶e̶a̶t̶s̶.̶ ̶G̶o̶o̶g̶l̶e̶ ̶a̶r̶e̶ ̶d̶o̶i̶n̶g̶ ̶a̶w̶a̶y̶ ̶w̶i̶t̶h̶ ̶t̶h̶i̶r̶d̶ ̶p̶a̶r̶t̶y̶ ̶c̶o̶o̶k̶i̶e̶s̶ ̶i̶n̶ ̶t̶h̶e̶ ̶n̶e̶a̶r̶ ̶f̶u̶t̶u̶r̶e̶ ̶a̶n̶d̶,̶ ̶a̶s̶ ̶F̶i̶r̶e̶f̶o̶x̶ ̶i̶s̶ ̶t̶h̶e̶ ̶o̶n̶l̶y̶ ̶s̶e̶r̶i̶o̶u̶s̶ ̶n̶o̶n̶-̶C̶h̶r̶o̶m̶i̶u̶m̶ ̶b̶a̶s̶e̶d̶ ̶b̶r̶o̶w̶s̶e̶r̶,̶ ̶t̶h̶i̶s̶ ̶w̶i̶l̶l̶ ̶f̶i̶l̶t̶e̶r̶ ̶t̶h̶r̶o̶u̶g̶h̶ ̶t̶o̶ ̶t̶h̶e̶ ̶a̶l̶t̶e̶r̶n̶a̶t̶i̶v̶e̶s̶ ̶a̶s̶ ̶w̶e̶l̶l̶,̶ ̶b̶u̶t̶ ̶t̶h̶a̶t̶ ̶d̶o̶e̶s̶n̶’̶t̶ ̶c̶o̶m̶p̶e̶n̶s̶a̶t̶e̶ ̶f̶o̶r̶ ̶a̶l̶l̶ ̶t̶h̶e̶ ̶o̶t̶h̶e̶r̶ ̶t̶r̶a̶c̶k̶i̶n̶g̶ ̶m̶e̶t̶h̶o̶d̶s̶,̶ ̶s̶o̶ ̶d̶o̶n̶’̶t̶ ̶l̶e̶t̶ ̶p̶e̶o̶p̶l̶e̶ ̶t̶e̶l̶l̶ ̶y̶o̶u̶ ̶t̶h̶e̶ ̶l̶o̶s̶s̶ ̶o̶f̶ ̶u̶M̶a̶t̶r̶i̶x̶ ̶i̶s̶ ̶c̶o̶u̶n̶t̶e̶r̶e̶d̶ ̶b̶y̶ ̶t̶h̶a̶t̶ ̶f̶a̶c̶t̶ ̶-̶ ̶i̶t̶ ̶i̶s̶n̶’̶t̶ ̶…̶ ̶n̶o̶t̶ ̶b̶y̶ ̶a̶ ̶l̶o̶n̶g̶ ̶c̶h̶a̶l̶k̶.̶
Previously, thanks to the other addons/extensions, the chances of malvertising being able to do any significant harm were mitigated against. Recent developments, however, make it simply too risky to use Adnauseam as anything other than a simple blocker any longer and I recommend, therefore, switching the CLICK ADS button to the off/disabled position.
Be sure to change the network.IDN_show_punycode setting to true in about:config.
What is Punycode? Fake domains that deceive the human eye
Punycode Unicode that converts words that cannot be written in ASCII, like the Greek word for thank you 'ευχαριστώ'…
Open a new tab.
Types ‘about:config’ (without the quotes) in the URL/URI/address-bar.
type ‘punycode’ (without the quotes).
If the value of network.IDN_show_punycode is not already true, double-click it.
This will then display non-Latin unicode characters in the address, providing a way to notice if a link takes you to a hijacked site — you should already be checking for this before you click on any links anyway but, if you do accidentally click on one and it is, therefore, too late, at least you will have a warning that your session has potentially been hijacked and you should immediately close the browser and scan your machine for malware).
Likewise, you don’t want PDF files running scripts in your browser, so eliminate that risk by entering pdfjs.enablescripting in the about:config dialogue and set it to false.
In fact, you can make your life easier (at least until the Mozilla do away with it, as they are threatening), by creating a file (user.js), in your Firefox profile folder, with the following entries:
user.pref(“network.IDN_show_punycode, true”, true);
Favicons are another potential point of failure, so (if you can live without them) add the following as well:
For good measure, after closing Firefox, open your Firefox profile folder and delete the favicons cache (favicons.sqlite).
Quit Firefox again, and in the profile folder set the properties for this newly recreated favicons.sqlite file to read-only.
After this, bookmarks will show a generic globe icon for every address and tabs will show no favicons at all. Furthermore, no more favicons will be saved either.
To wrap things up tidily, once you’ve competed the above mentioned steps:
CTRL+SHIFT+O will show all bookmarks
Click on Import and Backup and then Backup to backup all bookmarks but not favicons to a .json file.
Close Firefox then delete places.sqlite.
CTRL+SHIFT+O, Import and Backup, Restore, Choose File.
Choose the .json file you previously saved.
NOW WOULD BE A GOOD TIME TO CONSIDER NOT USING TOR, if you are a person of interest under an oppressive regime.
I’ve been rebuilding my system and got as far as launching Torbrowser, whereupon I was confronted with an alert:
Needless to say, at that point, I did not avail myself of the dubious ‘opportunity’ to download it via the very same potentially compromised channel, but investigated instead.
A mysterious threat actor is running hundreds of malicious Tor relays
Security researcher claims to have identified threat actor running thousands of malicious servers. Researchers claims…
In fact, you should probably pause for thought, even if you’re ‘nobody’.
I was never entirely happy about Tor for various reasons, but … on the basis that ̶f̶o̶r̶e̶w̶a̶r̶n̶e̶d̶ forearmed is forearmed and you never know when needs will must when the Devil drives, so having it available (before it isn’t) is a not entirely foolish approach ³ … I always kept the Torbrowser as a backup (just in case).
I’ve uninstalled it for now, however — whilst I’ve nothing to hide, (somewhat ironically) I don’t want my data for sale on the Darkweb (which was the whole point of the original article) … and it’s a bad idea to have things installed that you don’t use (in the event your system gets compromised, what isn’t there can’t be used against you).
¹ Remember (as observed here), it is important to use uMatrix rather than simply an ad blocker and NoScript, because it blocks elements at the domain level … preventing them from ever being requested, rather than simply preventing them from being loaded/rendered/executed in the browser.
̶A̶n̶d̶,̶ ̶i̶f̶ ̶y̶o̶u̶ ̶o̶p̶t̶ ̶t̶o̶ ̶u̶s̶e̶ ̶T̶o̶r̶b̶r̶o̶w̶s̶e̶r̶ ̶w̶h̶i̶l̶s̶t̶ ̶y̶o̶u̶ ̶w̶a̶i̶t̶ ̶f̶o̶r̶ ̶u̶M̶a̶t̶r̶i̶x̶ ̶t̶o̶ ̶b̶e̶c̶o̶m̶e̶ ̶a̶v̶a̶i̶l̶a̶b̶l̶e̶ ̶o̶n̶ ̶F̶i̶r̶e̶f̶o̶x̶ ̶a̶g̶a̶i̶n̶ ̶…̶ ̶o̶n̶c̶e̶ ̶i̶t̶’̶s̶ ̶l̶a̶u̶n̶c̶h̶e̶d̶,̶ ̶b̶e̶f̶o̶r̶e̶ ̶y̶o̶u̶ ̶g̶o̶ ̶a̶n̶y̶w̶h̶e̶r̶e̶ ̶e̶l̶s̶e̶,̶ ̶g̶o̶ ̶t̶o̶ ̶h̶t̶t̶p̶:̶/̶/̶c̶h̶e̶c̶k̶.̶t̶o̶r̶b̶r̶o̶w̶s̶e̶r̶.̶o̶r̶g̶,̶ ̶t̶o̶ ̶m̶a̶k̶e̶ ̶s̶u̶r̶e̶ ̶y̶o̶u̶ ̶a̶r̶e̶ ̶a̶c̶t̶u̶a̶l̶l̶y̶ ̶c̶o̶n̶n̶e̶c̶t̶e̶d̶ ̶t̶o̶ ̶T̶o̶r̶.̶
Don’t use it … see the 2021.12.05 update above.
² The sensible thing to do is to create an email account (somewhere like Protonmail) related to your Android account for that purpose, thus limiting what Google can discern about your use of your Mozilla account — if your Android account is Joe Bloggs, your Mozilla account for this purpose is Joe Bloggs and the email account you created for your Mozilla account is Joe Bloggs then it’s all tied up neatly into a single package.
Obviously, I don’t need to explain to you why you should have
- bought your phone for cash over the counter
- never registered it with the OEM or any service provider
- never purchased a service contract but, instead, use a Pay As You Go SIM
- created a pseudonym for your Android account
- never used your Android account’s Gmail account to communicate with anyone other than Google themselves or the developers/providers of the (extremely few and only strictly necessary) apps you use on your phone
- only ever topped up your phone credit with cash
- only ever purchased apps with ‘gift card’ purchased with cash
³ Like having recovery software ready to use on a bootable USB key or CD/DVD — even if it’s not impossible to download and install it onto your computer once disaster has struck, doing so might very well overwrite the data you want to recover in the first place (so, it’s a bit late now) … and, if you can’t even boot the thing then you’re really screwed without something you can boot that has recovery tools on them ⁴.
⁴ N.B. Choose your tools wisely: https://whereangelsfeartotread.medium.com/rejection-letter-573d3393a642
(https://alternativeto.net/ is a good place to go for a look at what alternatives are available to whatever you learn about in the first instance — read the reviews and comments, avoid anything without any or that are unmaintained/outdated).