Online privacy: Best browsers, settings, and tips

Everything you do online is tracked when you use your browser. But you can fight back.

data protection / security / risk management / data privacy / GDPR
Anya Berkut / Getty Images

“You have zero privacy anyway. Get over it,” Scott McNealy said of online privacy back in 1999, a view the former CEO of the now-defunct Sun Microsystems reiterated in 2015. Despite the hue and cry his initial remarks caused, he’s been proven largely correct.

Cookies, beacons, digital signatures, trackers, and other technologies on websites and in apps let advertisers, businesses, governments, and even criminals build a profile about what you do, who you know, and who you are at very intimate levels of detail. Remember that 2012 story about how Target could tell a teenager was pregnant before her parents knew, based on her online activities? That is the norm today. Google and Facebook are the most notorious commercial internet spies, and among the most pervasive, but they are hardly alone.

The technology to monitor everything you do has only gotten better. And there are many new ways to monitor you that didn’t exist in 1999: always-listening agents like Amazon Alexa and Apple Siri, Bluetooth beacons in smartphones, cross-device syncing of browsers to provide a full picture of your activities from every device you use, and of course social media platforms like Facebook that thrive because they are designed for you to share everything about yourself and your connections so you can be monetized. Trackers are the latest silent way to spy on you in your browser. CNN, for example, had 60 running when I checked recently.

Apple’s Safari 14 browser features the built-in Privacy Monitor that really shows how much your privacy is under attack today. It is pretty disconcerting to use, as it reveals just how many tracking attempts it thwarted in the last 30 days, and exactly which sites are trying to track you and how often. On my most-used computer, I’m averaging about 150 tracking deflections per week — a number that has increased from about 125 six months ago.

browser privacy 01 safari 14 trackers IDG

Safari 14’s Privacy Monitor feature shows you how many trackers the browser has blocked, and who exactly is trying to track you. It’s not a comforting report! (Click any image in this story to enlarge it.)

Understanding online privacy

When speaking of online privacy, it’s important to understand what is typically tracked. Most websites and services don’t actually know it’s you at their site, just a browser associated with a lot of characteristics that can then be turned into a profile. Marketers and advertisers are looking for certain kinds of people, and they use profiles to do so. For that need, they don’t care who the person actually is. Neither do criminals and organizations seeking to commit fraud or manipulate an election.

When companies do want that personal information — your name, gender, age, address, phone number, company, titles, and more — they will have you sign up. They can then correlate all the data they have from your devices to you specifically, and use that to target you individually. That’s common for business-oriented websites whose advertisers want to reach specific people with purchasing power.

Criminals may want that data too. So may insurers and healthcare organizations seeking to filter out undesirable customers. (Over the years, laws have tried to prevent such redlining, but there are creative ways around it, such as installing a tracking device in your car “to save you money” and identify those who may be higher risks but haven’t had the accidents yet to prove it.) Certainly, governments want that personal data, in the name of control or security.

You should be most worried about when you are personally identifiable. But it’s also worrying to be profiled extensively, which is what browser privacy seeks to reduce.

Browsers and privacy: The best options, and how they can help

The browser has been the focal point of self-protection online, with options to block cookies, purge your browsing history or not record it in the first place, and turn off ad tracking. But these are fairly weak tools, easily bypassed. For example, the incognito or private browsing mode that turns off browser history on your local computer doesn’t stop Google, your IT department, or your internet service provider from knowing what sites you visited; it just keeps someone else with access to your computer from looking that history on your browser.

The “Do Not Track” ad settings in browsers are largely ignored. And blocking cookies doesn’t stop Google, Facebook, and others from monitoring your behavior through other means such as looking at your unique device identifier and noting if you sign in to any of their services — and then linking your devices through that common sign-in.

Because the browser is a main access point to internet services that track you (apps are the other), the browser is where you have the most centralized controls. Even though there are ways for websites to get around them, you should still use the tools you have to reduce the privacy invasion.

Where mainstream desktop browsers differ in privacy settings

The place to start is the browser itself. Some are more privacy-oriented than others. Many IT organizations force you to use a specific browser on your company computer, so you may have no real choice at work. But if you do have a choice, exercise it. And definitely exercise it for the computers under your control.

Here’s how I rank the mainstream desktop browsers in order of privacy support, from most to least — assuming you use their privacy settings to the max.

  1. Apple Safari
  2. Microsoft Edge
  3. Mozilla Firefox
  4. Google Chrome
  5. Opera (as noted later, its performance doesn’t live up to what its settings suggest)

Safari and Edge offer different sets of privacy protections, so depending on which privacy aspects concern you the most, you may view Edge as the better choice for the Mac, and of course Safari isn't an option in Windows, so Edge wins there. Likewise, Chrome and Opera are nearly tied for poor privacy, with differences that can reverse their positions based on what matters to you — but both should be avoided if privacy matters to you.

(I’m not even ranking Internet Explorer here. It is notoriously outdated and insecure, and Microsoft plans to retire it in June 2022. You shouldn’t use it, period.)

The following table shows the privacy settings available in the major desktop browsers.

Desktop browser privacy settings

A note about Adobe Flash: As of January 12, 2021, Adobe disabled the playback of Flash media in its Adobe Flash plugins, as part of killing the highly insecure but widely used multimedia player. All major browsers have now removed Flash support, as well as the controls over it.

A note about supercookies: Over the years, as browsers have provided controls to block third-party cookies and implemented controls to block tracking, website developers began using other technologies to circumvent those controls and surreptitiously continue to track users across websites. In 2013, Safari began disabling one such technique, called supercookies, that hide in browser cache or other locations so they remain active even as you switch sites. Now, in 2021, Firefox 85 and later automatically disable supercookies, and Google added a similar feature in Chrome 88.

Browser settings and best practices for privacy

In your browser’s privacy settings, be sure to do the following:

  • Turn on the Do Not Track feature. Although it is often ignored, turn it on it for those sites that do honor it.
  • Block third-party cookies. To deliver functionality, a site legitimately uses first-party (its own) cookies, but third-party cookies belong to other entities (mainly advertisers) who are likely tracking you in ways you don’t want. Don’t block all cookies, as that will cause many sites to not work correctly.
  • Set the default permissions for websites to access the camera, location, microphone, content blockers, auto-play, downloads, pop-up windows, and notifications to at least Ask, if not Off.
  • Turn off trackers. If your browser doesn’t let you do that, switch to one that does, since trackers are becoming the preferred way to monitor users over old techniques like cookies. Plus, blocking trackers is less likely to render websites only partially functional, as using a content blocker often does.

Additionally, take these precautions when browsing:

  • Use DuckDuckGo as your default search engine, because it is more private than Google or Bing. You can always go to google.com or bing.com if needed.
  • Don’t use Gmail in your browser (at mail.google.com) — once you sign into Gmail (or any Google service), Google tracks your activities across every other Google service, even if you didn’t sign into the others. If you must use Gmail, do so in an email app like Microsoft Outlook or Apple Mail, where Google’s data collection is limited to just your email. (You could use a different browser just for Gmail and other Google services to make it harder for Google to track your other browser activities, but that requires a discipline that is hard to maintain — chances are that you’d start doing other work in that Google-specific browser and thus compromise more of your privacy.)
  • Never use an account from Google, Facebook, or another social service to sign into other sites; create your own account instead. Using those services as a convenient sign-in service also grants them access to your personal data from the sites you sign into.
  • Don’t sign in to Google, Microsoft, Facebook, etc. accounts from multiple browsers, so you’re not helping those companies build a fuller profile of your actions. If you must sign in for syncing purposes, consider using different browsers for different activities, such as Firefox for personal use and Chrome for business. Note that using multiple Google accounts won’t help you separate your activities; Google knows they’re all you and will combine your activities across them.

Browser utilities to help enhance your privacy

You can supplement a desktop browser’s built-in security settings with additional tools.

Mozilla has a pair of Firefox extensions (a.k.a. add-ons) that further protect you from Facebook and others that monitor you across websites. The Facebook Container extension opens a new, isolated browser tab for any site you access that has embedded Facebook tracking, such as when signing into a site via a Facebook login. This container keeps Facebook from seeing the browser activities in other tabs. And the Multi-Account Containers extension lets you open separate, isolated tabs for various services that each can have a separate identity, making it harder for cookies, trackers, and other techniques to correlate all of your activity across tabs.

The DuckDuckGo search engine’s Privacy Essentials extension for Chrome, Edge, Firefox, Opera, and Safari provides a modest privacy boost, blocking trackers (something Chrome doesn’t do natively but the others do) and automatically opening encrypted versions of websites when available.

While most browsers — Chrome is currently the only major exception — now let you block tracking software, you can go beyond what the browsers do with an anti-tracking extension such as Privacy Badger from the Electronic Frontier Foundation, a long-established privacy advocacy organization. Privacy Badger is available for Firefox, Chrome, Opera and Edge (but not Safari, which aggressively blocks trackers on its own).

The EFF also has a very useful tool called Panopticlick that will analyze your browser and report on its privacy level under the settings you have set up. Use it!

I used Panopticlick to show how the standard settings differ across browsers, and the results reinforce why you should adjust those settings in the browser you use, not depend on the defaults. For mainstream desktop browsers running under their default settings, Panopticlick revealed that:

  • All the browsers block sites that honor Do Not Track, providing a disincentive for sites to pay attention to the Do Not Track signal.
  • Chrome 92, Edge 92, and Firefox 90 by default offer little privacy protection: They block only some trackers, and their unique fingerprints ensure you can be monitored as you traverse the web.
  • Opera 77 offers no real privacy protection by default: It doesn’t block trackers, and its unique fingerprint ensures you can be monitored as you traverse the web.
  • Safari 14’s default protection against tracking ads and invisible trackers is partial, and there are no settings to improve them. Its nearly unique fingerprint makes it easier for you to be monitored as you traverse the web, though not as easy as the other browsers do.

The bottom line: Don’t rely on your browser’s default settings but instead adjust its settings to maximize your privacy. You can see that in Edge: It’s very weak on privacy protection in its default settings but quite strong if you adjust those settings. (Too bad its fingerprint remains unique.) Likewise, Firefox strongly protects your privacy if you change from its default settings to its Strict mode.

What about ad blockers?

Content and ad blocking tools take a heavy approach, suppressing whole sections of a website’s code to prevent widgets and other code from operating and some site modules (typically ads) from displaying, which also suppresses any trackers embedded in them. Ad blockers try to target ads specifically, whereas content blockers look for JavaScript and other code modules that may be unwelcome.

Because these blocker tools cripple parts of sites based on what their creators think are indicators of unwelcome site behaviors, they often damage the functionality of the site you are trying to use. Some are more surgical than others, so the results vary widely. If a site isn’t running as you expect, try whitelisting the site or disabling the content blocker for that site in your browser.

I’ve long been skeptical of content and ad blockers, not only because they kill the revenue that legitimate publishers need to stay in business but also because extortion is the business model for many: These services often charge a fee to publishers to allow their ads to go through, and they block the ads if a publisher doesn’t pay them. They promote themselves as aiding user privacy, but it’s hardly in your privacy interest to only see ads that paid to get through.

Of course, desperate and unscrupulous publishers let ads get to the point where users wanted ad blockers in the first place, so it’s a cesspool all around. But modern browsers like Safari, Chrome, and Firefox increasingly block “bad” ads (however defined, and typically quite limited) without that extortion business in the background. Firefox has recently gone beyond blocking bad ads to offering stricter content blocking options, more akin to what extensions have long done. What you really want is tracker blocking, which nowadays is handled by many browsers themselves or with the help of an anti-tracking extension.

Where mainstream mobile browsers differ in privacy settings

Mobile browsers typically offer fewer privacy settings even though they do the same basic spying on you as their desktop siblings do. Still, you should use the privacy controls they do offer.

Here’s how I rank the mainstream mobile browsers in order of privacy support, from most to least — assuming you use their privacy settings to the max.

  1. Microsoft Edge
  2. Mozilla Firefox
  3. Apple Safari
  4. Opera Touch
  5. Google Chrome

The following table shows the privacy settings available in the major mobile browsers as of July 27, 2021 (version numbers aren’t often shown for mobile apps). Note that Safari is available only for iOS.

Note that both iOS and Android disabled Flash years ago, so you don’t need to worry about that technology in your mobile browsing. And the controls over location, microphone, and camera usage are handled by the mobile operating system, so use the Settings app in iOS or Android for these. (Some apps also provide these controls directly as a convenience.)

Mobile browser privacy settings

Browsers for the paranoid: Brave, Epic, and Tor

A few years ago, when ad blockers became a popular way to combat abusive websites, there came a set of alternative browsers meant to strongly protect user privacy, appealing to the paranoid. Brave Browser and Epic Privacy Browser are the most well-known of the new breed of browsers. An older privacy-oriented browser is Tor Browser; it was developed in 2008 by the Tor Project, a nonprofit founded on the principle that “internet users should have private access to an uncensored web.”

All these browsers take a highly aggressive approach of excising whole chunks of websites’ code to prevent all sorts of functionality from operating, not just ads. They often block features to sign up for or sign into websites, social media plug-ins, and JavaScripts just in case they might collect personal information.

Today, you can get strong privacy protection from mainstream browsers (Chrome being the major exception), so the need for Brave, Epic, and Tor is quite small. Even their biggest claim to fame — blocking ads and other annoying content — is increasingly handled in mainstream browsers.

One alterative browser, Brave, seems to use ad blocking not for user privacy protection but to take revenues away from publishers. Brave has its own ad network and wants publishers to use that instead of competing ad networks like Google AdSense or Yahoo Media.net. So it tries to force them to use its ad service to reach users who choose the Brave browser. That feels like racketeering to me; it’d be like telling a store that if people want to shop with a specific credit card that the store can sell them only goods that the credit card company supplied.

Still, there are reasons to consider these alternative browsers beyond ad blocking:

  • Brave Browser can suppress social media integrations on websites, so you can’t use plug-ins from Facebook, Twitter, LinkedIn, Instagram, and so on. The social media firms collect huge amounts of personal data from people who use those services on websites. Do note that Brave does not honor Do Not Track settings at websites, treating all sites as if they track ads.
  • The Epic browser’s privacy controls are similar to Firefox’s, but under the hood it does one thing very differently: It keeps you away from Google servers, so your information doesn’t travel to Google for its collection. Many browsers (especially Chrome-based Chromium ones) use Google servers by default, so you don’t realize how much Google actually is involved in your web activities. But if you sign into a Google account through a service like Google Search or Gmail, Epic can’t stop Google from tracking you in the browser.
  • Epic also provides a proxy server meant to keep your internet traffic away from your internet service provider’s data collection; the 1.1.1.1 service from CloudFlare offers a similar facility for any browser, as described later. (Google Chrome and Microsoft Edge let you choose to use a third-party secure DNS provider if desired, but they don’t provide their own as Epic does.)
  • Tor Browser is an essential tool for journalists, whistleblowers, and activists likely to be targeted by governments and corporations, as well as for people in countries that censor or monitor the internet. It uses the Tor network to hide you and your activities from such entities. It also lets you publish websites called onions that require highly authenticated access, for very private information distribution.
1 2 Page 1
Page 1 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon