Saturday, 20 April 2013

Stop Google, Facebook, and other Big Brothers from tracking everything you do on your Android gadget


Big Brother is watching you. For real.

Your supermarket doesn't need to know that you watch online porn, your bank doesn't need to know who you vote for, and your health insurance doesn't need to know what you smoked during that stag party in Amsterdam last weekend. So why should Google know what you see on CNN.com, and why should Facebook know what you read on android underground? And how can you stop them from following you around wherever you go?

Let's assume you avoided Google and found this site through Yahoo or Bing instead. And then you clicked through to the xda forums (a great Android forum, make sure you have a look). God doesn't have a clue what you did, but Google knows where you were and how you got there. There are two reasons why Google knows more than God: Google exists and Google has cookies.

And that's why your screen fills up with ads for Android stuff.

Even if you don't use Gmail and tell your browser to block "third party cookies," Google still tracks you. They don't need cookies for that. They just send out tiny invisible images ("web beacons" in Googlespeak). When those things hit your computer Google knows your IP address, among other things. And you probably watch a YouTube clip or two. That's Google too. This blog is hosted on blogspot, bought by Google ten years ago. And both xda and android underground have ads from Google. So does eBay. And a hundred million other sites. If you block Google's ads they still stalk you with Google Analytics, which is used by countless sites to generate visitor stats.

Facebook knows when you visit sites like xda, because their "Like" button is served straight from Facebooks own servers. I can't stop Google from seeing you here (because this blog is hosted on their servers), but Facebook and Twitter don't see you on my site unless you click the "share" and "tweet" buttons yourself. Same goes for Digg and Reddit. Their buttons down below don't come from their own servers, so if you don't click digg or reddit they'll never know you were here.

But just about every site you visit has Google ads, Google Analytics, a +1 button, and buttons to like and share and digg and tweet. Most sites load 'em straight from the source, which makes it pretty hard to stop the big brothers from watching you. Even tinfoil hats won't help. But you can still keep a lot of your web history private. Not only on your computer, but on your Android phone or tablet too.

Why not let the advertisers play and have it their way? Allowing advertisers to build a detailed profile of you may sound innocent, and you get free apps and websites in return, right? But does your crystal ball rule out scenarios like the one painted by DuckDuckGo?

The big internet phone book and its little brother

AdBlock can keep most ads out of Firefox and Chrome, but what about your other web browsers? And your email, feed reader, games, and apps?

Enter the hosts file. This text file counts the days in the dungeons of your Windows system folder, and you can tell it to keep uninvited visitors out of your computer.

How does this work? Whenever your computer stumbles upon URLs like google.com or obnoxious.adspammer.net it has to look up an IP address. Think of the URL as the name, and the IP address as its phone number. Your computer asks a DNS server to match the name to the IP address. Those DNS servers are really big phonebooks for websites and all other internet content. When the DNS server hands over the IP address, your computer dials it to pull in the ads, cookies, Tweet buttons, and whatnot...

...unless the domain name is written in your hosts file. Then your computer skips the DNS lookup and calls the IP address from your own little phonebook instead.

And guess what? Windows isn't the only operating system with a hosts file. Your Android gadget has one too. And you can use it to stop Facebook and Google from tracking every step you take.

Your hosts file as a bouncer

If your hosts file has an IP address for a website, your Windows computer dials the IP from your hosts file and waits for the other end to pick up.

But you can make sure the other end never picks up. Just make sure that any unwanted domain name is tied to a fake phone number and you're done. That's how the hosts file keeps the unwanted out, and that's how you can stop Facebook and Google Analytics and Twitter from following you around.

For example, my Windows hosts file has a lot of entries like this one:
127.0.0.1     pagead2.googlesyndication.com
This tiny little line tells my computers, phones, and tablets to ask Google for their annoying Adsense banners by calling 127.0.0.1. Guess what? That's not Google's IP address! It's the"loopback" address of my own computer, and it's the loopback address of your computer too. And your Android phone, and your Android tablet.

When your device asks 127.0.0.1 for ads or tracking cookies it never gets them, because you're smart enough not to run a webserver full of Google ads on your own hardware. You're not hosting any Facebook Like buttons either. So your computer just answers with "nothing to see here, keep moving" and that's exactly what your web browser, app, or game does. No ad banner, no share button, just some empty space. Smart web browsers won't even show the empty space, they just display the useful content as if the ad was never there.

Your Windows hosts file sits in "C:\windows\system32\drivers\etc\hosts" if you've installed Windows on drive letter C. The hosts file doesn't have an extension, so Windows won't know what to do if you doubleclick it. But make a shortcut to %windir%\notepad.exe %windir%\system32\drivers\etc\hosts and your hosts file opens in your text editor whenever you click it. Copy/paste one of the many blocklists that are floating around on the web into your hosts file and most bannerfarms will no longer pollute your computer with their ads. Their tracking cookies won't make it to your computer either.

Your Android hosts file lives in /system/etc/hosts (sometimes in /data/data/hosts). If you have root access you can open it in text editors like Jota and fill it with all the sites you want to keep away. But there's no need to fight with your hosts file in a text editor. There's an app for that.

Lock out Facebook

Many "Like" buttons are pulled in straight from facebook.com. If you block that domain you'll lock yourself out of your own Facebook account, right?

Wrong.

If you block facebook.com most "Like" buttons will stay away from you, but you can still go to www.facebook.com to post pictures of your cat and read what your friends are drinking. Those three letters make a world of difference as far as your hosts file is concerned. Don't forget to block ads.facebook.com, ads.ak.facebook.com, and creative.ak.facebook.com too.

You don't need to feel sorry for those hungry employees at Facebook HQ. When you visit www.facebook.com you'll still see their ads over there, so they'll get something out of your visit. Not as much as they would like, but you don't need to maximise their profits. They can still make money when you visit their site without following you around all over the web. If you don't have a Facebook account they won't even know that you exist. And that's how it should be, because why should Facebook collect your private data if you don't use their services?

Lock out Google

Taming the unwanted bits of Google is a bit harder, because they attack from many different hangouts.

If you don't want to see Google ads on sites other than Google.com or Gmail, start by feeding this list into your hosts file:
127.0.0.1    googleads.g.doubleclick.net
127.0.0.1    googleads2.g.doubleclick.net
127.0.0.1    googleads.g.doubleclick.net
127.0.0.1    googleads2.g.doubleclick.net
127.0.0.1    googlesyndication.com
127.0.0.1    www.googlesyndication.com
127.0.0.1    pagead.googlesyndication.com
127.0.0.1    pagead1.googlesyndication.com
127.0.0.1    pagead2.googlesyndication.com
127.0.0.1    domains.googlesyndication.com
127.0.0.1    tcp.googlesyndication.com
127.0.0.1    googleadservices.com
127.0.0.1    www.googleadservices.com
127.0.0.1    partner.googleadservices.com
127.0.0.1    pagead2.googleadservices.com
127.0.0.1    partnerad.l.google.com
127.0.0.1    4.afs.googleadservices.com
Restart your browser, reload this site, and see android underground without Google ads. No problem, you're still welcome here. I don't make this site for the money (and those ads don't pay much anyway). Surf a few other sites and notice they have way less advertising than before. The pagead2.googlesyndication.com line is the most important of the blacklist, because it houses almost all Google ad banners that pop up in your web browser.

Want an ad-free YouTube?
127.0.0.1    ads.youtube.com
Ads in your Android apps? Sure, their developers need to pay the rent too, but there are other ways to make money. They could sell a version of their app with more features than its free cousin, or throw in a PayPal donate button. If you're a small developer without millions of downloads a donate link probably pays more than the ad banners. To keep AdMob (the mobile version of Adsense) out of your Android:
127.0.0.1    admob.com
127.0.0.1    a.admob.com
127.0.0.1    analytics.admob.com
127.0.0.1    c.admob.com
127.0.0.1    jp.admob.com
127.0.0.1    media.admob.com
127.0.0.1    mm.admob.com
127.0.0.1    mmv.admob.com
127.0.0.1    mm1.vip.sc1.admob.com
127.0.0.1    p.admob.com
127.0.0.1    r.admob.com
By keeping AdMob banners out of your apps they can't beam your location to the mothership. Whoever thought it was a good idea to poll your GPS location to tell advertisers exactly where you are deserves a weekend in the scorpion pit.

Websites may have good reasons to know a little bit about their audience, but why should they tell Google about your visit? If you don't want Google looking over your shoulder when you read your online newspaper, smile at your hosts file and ask it to block:
127.0.0.1    video-stats.video.google.com
127.0.0.1    google-analytics.com
127.0.0.1    analytics-api-samples.googlecode.com
127.0.0.1    wintricksbanner.googlepages.com
127.0.0.1    www.google-analytics.com
127.0.0.1    www-google-analytics.l.google.com
127.0.0.1    ssl.google-analytics.com
127.0.0.1    googletagservices.com
127.0.0.1    www.googletagservices.com
Almost done now. If you don't use Google+, why have +1 buttons on your screen? Those nosy buttons tell Google what you do online, so:
127.0.0.1    plusone.google.com
Now most "+1" buttons will be gone. Those that survive are hosted outside Google, so they won't tell where you've been as long as you don't click 'em.

Of course Google still records your visits to Google Search, YouTube, and Blogspot. And Gmail will still display its ads in your web browser. Fair enough. If you use their mail service they deserve something in return. But there's no reason why Google should connect your email with your visits to all the non-Google sites on the web. Gmail and YouTube may be worth a finger, but not your entire hand.

There's an app for that

You can keep a lot of junk away without editing your hosts file. AdBlock Plus can keep most ads out of Firefox and Chrome, even if your phone is not rooted. This makes websites look a lot better, and stops many advertisers from poisoning your phone with tracking cookies or worse.

But if you want to reap the full benefits of Android you should root your phone or tablet. There's a reason you didn't buy an iPhone or one of those Windows thingies with tiles, right?

Rooted your phone but still afraid of the hosts file? Get a firewall. Firewalled apps can't download ads. Did I already tell you that ads that don't load don't send your location or your phone number out to the marketers?

AFWall+ is my favourite Android firewall, but the firewall built into avast is also very good. I told AFWall+ to keep all my apps away from the web by default, except those apps that really need internet to work. Apps that break without internet go on my whitelist, apps that work offline stay offline.

But what about apps that can only do their job online and return with a boatload of stowaway ads? Music streaming without internet just doesn't work, a web browser that can't pass your firewall is as dead as an electronic paperweight. If you firewall everything offline your smartphone won't be smart anymore.

Time to call my favourite hosts file assistant: AdAway. It can feed blocklists from many different places to your hosts file with just a tap on your screen. This keeps most ads out of your phone. Not only from websites, but from your apps too. Good for you, because psychologists agree that too much advertising causes stress and anxiety. Those banner ads are the digital equivalent of LDL, the bad version of cholesterol. Some ads even infect your phone with really bad malware! Need any more reason to block 'em? Ads and LDL should only be consumed in very limited quantities to keep you and your Android healthy.

AdAway can do more than download prefab blocklists. You can build your own, which is a good way to stop popular apps like Dolphin from leaking information that should stay aboard your phone.

If you believe that ad blockers kill all free apps and make the internet go up in smoke, just build a catflap for advertisers that don't chase you like a stalker. Should one of AdAways blacklists block an advertiser that you like, you can easily put it on the whitelist. It's up to you to block the bad banners with bad manners (that's most of 'em) and only let in ads that behave well and don't trace all your online footsteps. Your Android, your choice.

AdAway
AdBlock Plus
AFWall+
avast

DuckDuckGo Doomsday Scenario


tweet this reddit digg this StumbleUpon digg this digg this

2 comments:

  1. The hosts trick is great.
    The problem with blocking everything is that many sites uses Facebook comments. I think it was a setting in Do Not Track Plus FF plugin that caused this.

    ReplyDelete
  2. For linux there is pup-advert-blocker
    http://murga-linux.com/puppy/viewtopic.php?t=59290

    ReplyDelete