Twitter recently abandoned their longstanding support for the Do Not Track (DNT) signal, disregarding the privacy preferences of millions of their users. Twitter can see when you visit other sites where its code is present through Tweet/Follow buttons and embedded tweets (like tweets you see quoted in a forum or an article). Embedded Twitter content is so widespread that Twitter can likely reconstruct a significant portion of your browsing history. Twitter's rejection of DNT leaves users’ browsing activity vulnerable to monitoring and logging. Once collected, this information can be passed to corporate affiliates and other third parties.
In a companion post, we look at Twitter's increasing tracking of its user base. Here, we look at new features that EFF is adding to Privacy Badger to help you fight back. Twitter has earned a reputation for standing up for users against government surveillance and law enforcement demands, but user privacy is coming off second-best when it collides with their advertising business. Twitter's abandonment of the promise to respect DNT is evidence of this.
While Twitter has removed the ability for website visitors to opt in to DNT, it has left intact the option for website publishers to opt in to Twitter's DNT policy on their site. (Twitter provides documentation of this feature for website administrators.) For example, a website administrator Alice might run a website for aggregating political propaganda in various forms, including Tweets. Even if a user Bob uses DNT and visits Alice's website, Twitter will now ignore Bob's request not to be tracked. However, if Alice embeds a special code in her website, Twitter will apply DNT to Bob and everyone else who visits her site.
Privacy Badger is able to transparently enable this website-side DNT setting on sites that include Twitter content. This way, whether the website publisher has opted in to the DNT policy or not, Twitter thinks and acts as if they have. The next release of Privacy Badger will include this feature.
To minimize Twitter's capacity and reach in monitoring its users' activity, Privacy Badger also includes some protections that apply when you are visiting twitter.com itself. You might already recognize Twitter's "t.co" URL shortener, which is used not only to shorten URLs in Tweets, but also to track traffic to links embedded in Tweets. Normally when you click on the link in a tweet, you go to the t.co domain first so Twitter can record your visit. Only after that are you redirected to your final destination. When you visit twitter.com, Privacy Badger will unwrap t.co URLs into their destination URLs to circumvent this tracking. For example, a normal tweet about an EFF post might include a URL that looks like https://t.co/NlIbfFwFqO. Privacy Badger will transparently transform this into https://www.eff.org/deeplinks/2017/07/stupid-patent-month-hp-patents-reminder-messages, thereby circumventing Twitter's tracking.
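One way a content script could do this kind of unwrapping, shown as an added example that is not Privacy Badger's own code. It assumes the tweet markup carries the destination in a `data-expanded-url` attribute (an assumption, not stated in this post), and `fakeAnchor` is a constructed stand-in for anchor elements so the block runs outside a browser.

```javascript
// Added example, not Privacy Badger's code. ASSUMPTION: the destination is in a
// `data-expanded-url` attribute on the anchor (not stated in the post).
const WRAPPER_HOST = "t.co";
const SAFE_SCHEMES = new Set(["http:", "https:"]);

const parseUrl = (v) => { try { return new URL(v); } catch (e) { return null; } };

// Returns the destination URL, or null when the link must be left alone.
function unwrapTarget(href, expanded) {
  const wrapped = parseUrl(href);
  // Exact host match: a lookalike such as "t.co.example" is not the shortener.
  if (!wrapped || wrapped.hostname !== WRAPPER_HOST) return null;
  const dest = parseUrl(expanded);
  // Only absolute http(s) targets; rejects javascript:, data: and relative values.
  if (!dest || !SAFE_SCHEMES.has(dest.protocol)) return null;
  // A target that is itself on t.co would still pass through the shortener.
  if (dest.hostname === WRAPPER_HOST) return null;
  return dest.href;
}

// Accepts DOM <a> elements or any object with getAttribute/setAttribute.
function unwrapLinks(anchors) {
  let changed = 0;
  for (const a of anchors) {
    const target = unwrapTarget(a.getAttribute("href"), a.getAttribute("data-expanded-url"));
    if (target === null) continue;
    a.setAttribute("href", target);
    changed += 1;
  }
  return changed;
}

// Constructed stand-in for an anchor element, so this runs outside a browser.
function fakeAnchor(attrs) {
  const store = new Map(Object.entries(attrs));
  return {
    getAttribute: (name) => (store.has(name) ? store.get(name) : null),
    setAttribute: (name, value) => { store.set(name, String(value)); },
  };
}

// Constructed sample links; the first uses the URL pair quoted in the post.
const sampleLinks = [
  fakeAnchor({ href: "https://t.co/NlIbfFwFqO", "data-expanded-url": "https://www.eff.org/deeplinks/2017/07/stupid-patent-month-hp-patents-reminder-messages" }),
  fakeAnchor({ href: "https://t.co/constructed1", "data-expanded-url": "javascript:void(0)" }),
  fakeAnchor({ href: "https://t.co.example/constructed2", "data-expanded-url": "https://example.org/" }),
  fakeAnchor({ href: "https://t.co/constructed3" }),
];
console.log("rewritten:", unwrapLinks(sampleLinks)); // only the first link changes
```

In a browser the same function can be called as `unwrapLinks(document.querySelectorAll("a[href]"))`.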
Privacy Badger does more than just block Twitter tracking. It blocks all kinds of third-party trackers that collect information about you in various ways as you venture across the Internet. Some sell this data on opaque unregulated exchanges or make agreements to share it with other companies. Twitter receives data through such deals and from their corporate affiliates.
Along with the new blocking of Twitter's tracking widgets, Privacy Badger replaces other tracking widgets whenever possible. Trackers also come in the form of social widgets on other websites, including Twitter's "Tweet" buttons, Facebook's "Like" and "Share" buttons, and LinkedIn's buttons. Twitter, Facebook, LinkedIn, and other social networks all use these widgets to gather tracking data. And of course, Privacy Badger includes heuristics for detecting tracking in several forms, including cookie tracking, browser fingerprinting, and supercookies.
When tracking is detected, Privacy Badger blocks it.