How to minimize your private data footprint on the Web

published Feb 01, 2022, last modified Oct 09, 2022

Here is a summary of what knowledgeable people do in order to browse the Web while minimizing data leakage and cross-site correlation / tracking.

What this guide is, and is not

This guide will help you minimize the huge footprint you inadvertently leave with Big Tech, as you browse the Web on a day-to-day basis.

This guide cannot help you be fully anonymous on the Web, or masquerade your IP address, or prevent all forms of tracking.

On mobile Android

As your main browser, use Vanadium (included by default in GrapheneOS) or Chromium.

First setup

  • Upon first run, turn off JavaScript and cookies before you browse anything.
  • Then set up DuckDuckGo or Startpage as the default search engine.
  • Then access the browser's settings to clear all private data.

You're off to a good start now.

Browsing the Web casually

When browsing the Web, use the browser as usual.  Many Web pages work correctly.  Others, which sport the dumb-as-rocks cookie popups, can still be used even with the popups open — if not, it usually suffices to enable JavaScript for that site, and then reload.  Should the site still not work, enabling cookies just for that site usually fixes it (but see below for a better alternative).

DuckDuckGo with JavaScript and cookies turned off — Vanadium browser bar.

Working like this prevents other sites from loading tracking cookies and JavaScript programs for sites you have already logged into.  Why should Twitter know you visited the Washington Compost?  It turns out that, with your browser's default settings, that's exactly what happens when you read the Washington Compost.  If you stick to the settings recommended here, you have largely prevented that sleazy deal from happening.

Furthermore, without JavaScript and cookies on, sites cannot meaningfully fingerprint you; they will be able to know you're riding the surf without JavaScript, and they will be able to know that you're using a formidably rare browser — which can be enough to identify you as a repeat visitor — but they won't be able to set supercookies, or form unique identifiers from your browsing profile, or let Big Tech oligopolies cross-correlate your visits to different sites.

Thus this change in settings alone cuts 90% of the tracking junk.

For sites you want to stay logged onto

For sites you absolutely must log onto, you can enable both cookies and JavaScript from the browser bar, then refresh the page.

For one-off sites, or sites that malfunction with your Vanadium settings

Of course, not every site will be happy with JavaScript off, or even cookies off.

Farm those sites off to Firefox Focus — you can share the link to the privacy-resistant Web page directly from Vanadium into Focus, using the share item in the browser's menu.  Focus is great — it will automatically erase everything about a browsing session once you're done, and is pretty fingerprint-resistant.

On your desktop or laptop computer

Don't use Chrome.  Don't use Microsoft Edge.  Avoid Firefox if you can, as its sandboxing (and therefore protection against targeted malware) is not very good compared to the competition.

Use Chromium or Brave.

First setup

The first thing you should do is switch your default search engine to DuckDuckGo or Startpage.

Then, install the famous uMatrix extension (source code).

Note that uMatrix is currently unmaintained but people are working double time on a fork called ηMatrix.

Upon first run with the extension installed, go to a blank page, then access the extension's global settings scope:

  1. Click on the extension's button,
  2. then click on the asterisk (you should see it turn to black). 

Once that's loaded, you can define the defaults using the top column headers — I strongly recommend you only allow loading CSS and images.

uMatrix global scope, defaulting to minimal permission settings.

Once you have set up the defaults, click the padlock to save your changes.

Now clear your browser private data completely.

You are now ready to go.

Browsing the Web with uMatrix protecting you

From this point on, you will be browsing the Web in what amounts to a crippled mode.  This is deliberate, it's not a problem, and it makes many sites much faster due to the lack of loading of media and ads.  Sites won't be permitted to load third-party cookies and JavaScript — the primary mechanisms used to track you on the Web, and the "secret sauce" used by tech oligopolies to build their creepy profiles about you.

Dealing with difficult pages

If you need to get some crappy Web page to load which refuses to work with your default uMatrix settings, simply click on the uMatrix icon, and activate (set to green) all the resources you think the Web page needs, then hit the reload button.  You can also push the "all" setting to turn off all protections — this enables third-party JS and cookies, so you should seldom resort to this.  If you still can't get the site to work, perhaps prefer an incognito window instead — uMatrix will not be active on incognito windows.

However you use uMatrix, it will be enlightening to see its colorful squares on each site, as you'll be able to take a direct look into what absolute junk Web pages want to load, that have absolutely nothing whatsoever to do with what they want to show you (goodbye Google Analytics and Facebook tracking!).

For sites you will stay logged onto

uMatrix will by default forget this settings change when you restart your browser.  Thus, for any sites you absolutely must stay logged onto, you can make uMatrix more permissive by using the same instructions, and then click the padlock to remember those settings for the site.
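
The global default-deny scope set up earlier and the saved per-site exception described here, written in the "source destination type action" form that uMatrix uses for its rule text and run through a simplified matcher.  This is an added example, not code from this guide or from uMatrix itself: the matching order is an assumption made for illustration, and bank.example, news.example and tracker.example are constructed hostnames.

```javascript
// Global scope from the guide: block everything, then allow only CSS and images.
const GLOBAL_RULES = [
  '* * * block',
  '* * css allow',
  '* * image allow',
];

// Constructed per-site rules for a site you stay logged onto (hypothetical host).
const LOGIN_SITE_RULES = [
  'bank.example bank.example cookie allow',
  'bank.example bank.example script allow',
];

function parseRule(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 4 || !['allow', 'block'].includes(parts[3])) {
    throw new Error(`malformed rule: ${line}`);
  }
  const [source, destination, type, action] = parts;
  return { source, destination, type, action };
}

// '*' matches any host; otherwise match the host itself or one of its subdomains.
function hostMatches(pattern, host) {
  return pattern === '*' || host === pattern || host.endsWith('.' + pattern);
}

// More labels means a narrower pattern; '*' is the broadest.
function specificity(pattern) {
  return pattern === '*' ? 0 : pattern.split('.').length;
}

function compare(a, b) {
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Decide a request of `type` made by a page on `pageHost` to `destHost`.
// Assumed ordering: narrowest destination, then specific type, then narrowest source.
function decide(rules, pageHost, destHost, type) {
  let best = null;
  for (const rule of rules.map(parseRule)) {
    if (!hostMatches(rule.source, pageHost)) continue;
    if (!hostMatches(rule.destination, destHost)) continue;
    if (rule.type !== '*' && rule.type !== type) continue;
    const score = [specificity(rule.destination), rule.type === '*' ? 0 : 1, specificity(rule.source)];
    if (best === null || compare(score, best.score) > 0) best = { score, action: rule.action };
  }
  return best ? best.action : 'block'; // fail closed when nothing matches
}
```

With only the global rules, a script or cookie request from a page on news.example to tracker.example comes back "block"; adding the per-site rules lets bank.example run its own scripts and cookies while third-party scripts on that same page stay blocked.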

Downloads with uMatrix enabled

Sometimes, uMatrix will block downloads from Web sites — which is awesome because it prevents drive-by viruses from being accidentally downloaded to your machine.  However, sometimes you do want downloads.  What you want to enable on uMatrix to permit a download is the entire "other" column on the site you're visiting, then attempt the download again (possibly reloading the page first).  Presto, it works!