Cookies: It's well known that cookies can reduce your privacy by allowing a web site to track your identity across multiple visits, separated by minutes, days or years (Google cookies last until 2038, see here for issues with this and a workaround). In theory cookies are only accessible by the web-site that created them (so yahoo.com can't access a cookie for google.com), but some techniques (like Jookies and link-colour spying, see below) do allow one site to spy on your activity on another site.
IP Address monitoring: Every computer connected to the internet has a unique IP address. A web site can easily store this address and use it to track your activity. You get some privacy from the fact that:
- your address may change over time (depending on your Internet provider and any DHCP settings), and
- organisations almost always have an edge router or proxy, which is typically all that a web-site can see
Cache timestamp spy: A slightly more complex technique is to use the date-stamp on files in your cache. When a web site serves your browser a file, it can choose to give the file an expiry date. Then when your browser requests that file, it passes that value using the If-modified-since header property. If the web site constructs an arbitrary unique date (say differing only by a second) for each user, this value may be used to identify you.
Cross-site cookies: Internet Explorer and Firefox both employ partial techniques to prevent a web-site from accssing cookies created by another web-site, but they each have different weaknesses:
- Conversely, Firefox will let any site set a cookie, but wil only allow the web page's main site to read a cookie
- what media-types you accept (effectively, what plug-ins you have installed)
- what language(s) you accept (e.g. en-US means English US)
- (potentially, but few if any current browser do this) your mail address
- what kind of browser ("user agent") you are running; for example, my browser reveals the following: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20060909 Firefox/22.214.171.124
- Block spurious cookies: From Martin Pool: "There may be more fine-grained controls, such as only accepting cookies from the same server as the top-level page currently viewed and not from servers for subsidiary requests such as images or frames.". In my view, this feature should be an option that is integrated directly into each browser's cookie control mechanism rather than provided via an extension.
- Don't send the referer URL: when you access a web page, your browser sends the referrer URL to tell the site what page you clicked from; in the case of search engines, this will also pass the keywords you searched for. Although there are many legitimate uses for this information (web site maintainers and bloggers use this to find out what their readers were looking for so that they can try to provide more of that), it can also reduce privacy. If the browser allowed the user to not send the referrer URL for specific sites (e.g. http://www.google.com), this would immediately provide greater privacy. Extensions like RefControl (and others) for Firefox can do this for you.
- Block certain data: most web sites don't need precise details of the browser you are running (because they generate at most 2 or 3 flavours of HTML); the user agent http header could be generalised to just provide Internet Explorer or Mozilla. Suggested extension name: PrivacyBlock.
- Specifically disable the :visited CSS class: this could be handled by a general-purpose (future) extension like ScriptBlock, but you can get some benefit using Stanford SafeHistory: "offsite visited links [are] marked only if the browser's history database contains a record of the link being followed from the current site"; this means that a web site can't spy on your accesses to other web-site unless the page is in your history (which means that some spying is still possible, unless you keep deleting down your history). I suggest that a specific feature to disable :visited would be safer.
- Consider using an anonymizing proxy: There are several implementations of anonymising proxies such as Tor; one downside is that some sites block such proxies because of potential abuses (e.g. spamming via mail, blogs or wikis).
- Use Internet Explorer and Firefox: This is simple but powerful technique that I came up with; if you access different sites using different browsers, you have multiple independent caches and sets of cookies; for example, you could use Google search and your Blogger blog via Firefox but access other Google services like Mail and Calendar via Internet Explorer. While using the two browsers, you effectively have two independent identities (athough sites can still track your IP address, and multi-sites like Google can cooperate behind the scenes to "merge" the identity information into a common picture). This might seem difficult or onerous for you to do, however Firefox has extensi0ns like IE Tab and IE View which will do this automatically for you, providing you access the site originally within Firefox
Finally, be cautious about using web privacy or safety features from big companies unless you know how they work. Google's Toolbar includes an anti-phishing "safebrowsing" feature that could send your personal or financial details in a visible way (cleartext) across the internet. I'm not sure I want Google to have this information, I certainly don't want anyone else to.