Tracker Blocking with NoScript and Privacy Badger

There are lots of reasons to avoid trackers in your web browser. Notorious companies like Facebook are compiling profiles of non-users, impacting privacy. For researchers, though, tracking has additional impacts and can throw off the types of results you see. It’s one reason I try to force Google to bypass personalized (location, private results) search, so that past searches don’t impact future searches. You can use NoScript and EFF’s Privacy Badger add-ons to reduce tracking.

I have used NoScript for a while in Firefox (there are alternatives for Chrome, but I haven’t used any). Its sole purpose is to stop Javascript from running. Since most trackers – like the Google Analytics script on this post – are written in javascript and web browsers support javascript by default, using a javascript-blocking add-on can prohibit those trackers from running. Just installing an anti-tracking add-on will highlight that, although you’ve arrived at what looks like a single web page, you’re actually connecting to multiple servers. The National Post (a Canadian news site) is a good example, loading dozens of other domains.

A screenshot of Noscript listing all of the javascripts called on the National Post news site
National Post home page javascript calls, as listed by Noscript. You can select which ones to always, sometimes, or never trust.

Some are mandatory. National Post runs on WordPress, so any blocking of a wp.com URL may impact site functionality. Some are built for speed – usually a domain that has cdn in its URL is a content delivery network. Some are javascript libraries, so the web page just grabs them from a remote, fast server, rather than a local server. Others are capturing your activity. Some self-hosted analytics programs, like Piwik / Matomo, will have a tracker URL that comes from the host site.

You don’t need to actively ban every site; by default, NoScript will assume you don’t want a script to run. Once you’ve trained it, it will remember the next time you return to the site.

But as web developers know, not all web browsers have javascript turned on. Either they don’t support it, the user has turned off javascript in the browser, or they are using an add-on like Noscript. For those people, there is a noscript HTML tag, which will display something in lieu of whatever the javascript was going to display.

A javascript error message screenshot from BestBuy.ca to show the site has detected javascript blocking

That’s what a visual alternative, when javascript is disabled, might look like. But the trackers are invisible. If you go to the National Post site with javascript blocked, it will load this noscript:

<noscript>
<img src="https://pixel.wp.com/b.gif?v=noscript" 
style="height:0px;width:0px;overflow:hidden" alt="" />
</noscript>

For those of you who don’t read HTML, this will display an image – http://pixel.wp.com/b.gif – which is white and 1 pixel by 1 pixel. This is what that looks like, that dot in the middle:

And if you were looking at it on a normal web site, which uses a white background, see if you can spot it now:

To be on the safe side, the National Post has made their copy of this image 0 pixels high and 0 pixels wide, so it doesn’t really appear on your screen. The alternate text (the alt attribute) is blank to avoid accidental mouseover text appearing. When the image loads on the page, that action is recorded on the remote server, with a web analytics program. It’s a way of seeing activity even when other analytics tools are blocked.
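
To check a saved copy of a page for this kind of fallback pixel yourself, here is an added example (not part of the original post and not code from NoScript or Privacy Badger). It parses HTML and reports images inside noscript blocks that are invisible and served by a host other than the page's own. The host news.example, the sample HTML other than the quoted pixel, and all function names are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the pixel quoted above, a visible fallback, a normal image.
SAMPLE_HTML = """<noscript>
<img src="https://pixel.wp.com/b.gif?v=noscript"
style="height:0px;width:0px;overflow:hidden" alt="" />
</noscript>
<noscript><img src="/img/enable-js.png" width="400" height="80" alt="Enable JavaScript"></noscript>
<img src="https://cdn.example/logo.png" width="200" height="50" alt="logo">"""
_STYLE_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*(\d+)", re.I)

def _dimensions(attrs):  # HTML attributes first; inline style overrides them
    dims = {}
    for name in ("width", "height"):
        if (attrs.get(name) or "").strip().isdigit():
            dims[name] = int(attrs[name])
    for name, value in _STYLE_DIM.findall(attrs.get("style") or ""):
        dims[name.lower()] = int(value)
    return dims

class NoscriptPixelFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.depth = 0  # > 0 while inside <noscript>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "noscript":
            self.depth += 1
        elif tag == "img" and self.depth:
            attrs = dict(attrs)
            host = (urlparse(attrs.get("src") or "").hostname or "").lower()
            dims = _dimensions(attrs)
            invisible = len(dims) == 2 and max(dims.values()) <= 1
            # Flag only invisible images (both sides <= 1px) from another host.
            if host and host != self.page_host and invisible:
                self.findings.append({"host": host, "src": attrs["src"], **dims})

    def handle_endtag(self, tag):
        if tag == "noscript" and self.depth:
            self.depth -= 1

def find_noscript_pixels(html, page_host):  # page_host: host of the audited page
    finder = NoscriptPixelFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Calling find_noscript_pixels(SAMPLE_HTML, "news.example") reports only the pixel.wp.com image; the visible fallback and the image outside any noscript block are ignored.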

And I’m not trying to call the National Post out, because it is a common and very old technique. I assume that every marketing e-mail I receive and many web sites I visit use this decades-old tracking concept. You can avoid them in e-mail by not accepting HTML email. On the web, you need to block the source.

This is where EFF’s Privacy Badger and other tracker blockers can fill the gap. NoScript, the extension, may not block <noscript>, the tag. But Privacy Badger will see this leak and give you the opportunity to block that source as well. You can download Privacy Badger from EFF’s site but if your corporate security blocks it, they also keep a copy in the browser add-on stores. I found that the store version installed fine (although if you install a copy from EFF on one browser, and from the store on another browser, and sync, you’ll get 2 versions).

I find Privacy Badger more cumbersome to use, because you can’t have it block whole domains – like facebook.com – because it treats each subdomain – a.facebook.com, b.facebook.com – separately. So you have to repeat the training you did with NoScript, and it may feel as though you’re blocking the same site over and over.

This isn’t going to make your entire online experience private. For one thing, you’re going to need to allow some scripts to run. But using NoScript to capture most of the javascripts before they run, and Privacy Badger to block remaining sources, makes me feel as though activity on one part of the web or on one project won’t color or impact other activities.