Online privacy: Best browsers, settings, and tips

“You have zero privacy anyway. Get over it,” Scott McNealy said of online privacy back in 1999, a view the former CEO of the now-defunct Sun Microsystems reiterated in 2015. Despite the hue and cry his initial remarks caused, he’s been proven largely correct.

Cookies, beacons, digital signatures, trackers, and other technologies on websites and in apps let advertisers, businesses, governments, and even criminals build a profile about what you do, who you know, and who you are at very intimate levels of detail. Remember that 2012 story about how Target could tell a teenager was pregnant before her parents knew, based on her online activities? That is the norm today. Google and Facebook are the most notorious commercial internet spies, and among the most pervasive, but they are hardly alone.

The technology to monitor everything you do has only gotten better. And there are many new ways to monitor you that didn’t exist in 1999: always-listening agents like Amazon Alexa and Apple Siri, Bluetooth beacons in smartphones, cross-device syncing of browsers to provide a full picture of your activities from every device you use, and of course social media platforms like Facebook that thrive because they are designed for you to share everything about yourself and your connections so you can be monetized. Trackers are the latest silent way to spy on you in your browser. CNN, for example, had 36 running when I checked recently.

Apple’s Safari 14 browser introduced the built-in Privacy Monitor that really shows how much your privacy is under attack today. It is pretty disconcerting to use, as it reveals just how many tracking attempts it thwarted in the last 30 days, and exactly which sites are trying to track you and how often. On my most-used computer, I’m averaging about 80 tracking deflections per week — a number that has happily decreased from about 150 a year ago.

IDG

Understanding online privacy

When speaking of online privacy, it’s important to understand what is typically tracked. Most websites and services don’t actually know it’s you at their site, just a browser associated with a lot of characteristics that can then be turned into a profile. Marketers and advertisers are looking for certain kinds of people, and they use profiles to do so. For that need, they don’t care who the person actually is. Neither do criminals and organizations seeking to commit fraud or manipulate an election.

When companies do want that personal information — your name, gender, age, address, phone number, company, titles, and more — they will have you sign up. They can then correlate all the data they have from your devices to you specifically, and use that to target you individually. That’s common for business-oriented websites whose advertisers want to reach specific people with purchasing power.

Criminals may want that data too. So may insurers and healthcare organizations seeking to filter out undesirable customers. (Over the years, laws have tried to prevent such redlining, but there are creative ways around it, such as installing a tracking device in your car “to save you money” and identify those who may be higher risks but haven’t had the accidents yet to prove it.) Certainly, governments want that personal data, in the name of control or security.

You should be most worried about when you are personally identifiable. But it’s also worrying to be profiled extensively, which is what browser privacy seeks to reduce.

Browsers and privacy: The best options, and how they can help

The browser has been the focal point of self-protection online, with options to block cookies, purge your browsing history or not record it in the first place, and turn off ad tracking. But these are fairly weak tools, easily bypassed. For example, the incognito or private browsing mode that turns off browser history on your local computer doesn’t stop Google, your IT department, or your internet service provider from knowing what sites you visited; it just keeps someone else with access to your computer from looking at that history on your browser.

The “Do Not Track” ad settings in browsers are largely ignored, and in fact the World Wide Web Consortium standards body abandoned the effort in 2019, even if some browsers still include the setting. And blocking cookies doesn’t stop Google, Facebook, and others from monitoring your behavior through other means such as looking at your unique device identifiers (called fingerprinting) as well as noting if you sign in to any of their services — and then linking your devices through that common sign-in.

Because the browser is a main access point to internet services that track you (apps are the other), the browser is where you have the most centralized controls. Even though there are ways for websites to get around them, you should still use the tools you have to reduce the privacy invasion.

Where mainstream desktop browsers differ in privacy settings

The place to start is the browser itself. Some are more privacy-oriented than others. Many IT organizations force you to use a specific browser on your company computer, so you may have no real choice at work. But if you do have a choice, exercise it. And definitely exercise it for the computers under your control.

Here’s how I rank the mainstream desktop browsers in order of privacy support, from most to least — assuming you use their privacy settings to the max.

1. Apple Safari (macOS only)
2. Microsoft Edge
3. Mozilla Firefox
4. Google Chrome
5. Opera

Safari and Edge offer different sets of privacy protections, so depending on which privacy aspects concern you the most, you may view Edge as the better choice for the Mac, and of course Safari isn’t an option in Windows, so Edge wins there. Likewise, Chrome and Opera are nearly tied for poor privacy, with differences that can reverse their positions based on what matters to you — but both should be avoided if privacy matters to you.

The following table shows the privacy settings available in the major desktop browsers. (Thanks to Computerworld’s Windows expert Preston Gralla for verifying and updating the Windows information.)

Windows and macOS browser privacy settings

A note about supercookies: Over the years, as browsers have provided controls to block third-party cookies and implemented controls to block tracking, website developers began using other technologies to circumvent those controls and surreptitiously continue to track users across websites. In 2013, Safari began disabling one such technique, called supercookies, that hide in browser cache or other locations so they remain active even as you switch sites. Starting in 2021, Firefox 85 and later automatically disabled supercookies, and Google added a similar feature in Chrome 88.

Browser settings and best practices for privacy

In your browser’s privacy settings, be sure to do the following:

• Block third-party cookies. To deliver functionality, a site legitimately uses first-party (its own) cookies, but third-party cookies belong to other entities (mainly advertisers) who are likely tracking you in ways you don’t want. Don’t block all cookies, as that will cause many sites to not work correctly.
• Set the default permissions for websites to access the camera, location, microphone, content blockers, auto-play, downloads, pop-up windows, and notifications to at least Ask, if not Off.
• Turn off trackers. If your browser doesn’t let you do that, switch to one that does, since trackers are becoming the preferred way to monitor users over old techniques like cookies. Plus, blocking trackers is less likely to render websites only partially functional, as using a content blocker often does. Note: Like many web services, social media services use trackers on their sites and partner sites to track you. But they also use social media widgets (such as sign in, like, and share buttons), which many websites embed, to give the social media services even more access to your online activities.

Additionally, take these precautions when browsing:

• Use DuckDuckGo as your default search engine, because it is more private than Google or Bing. You can always go to google.com or bing.com if needed.
• Don’t use Gmail in your browser (at mail.google.com) — once you sign into Gmail (or any Google service), Google tracks your activities across every other Google service, even if you didn’t sign into the others. If you must use Gmail, do so in an email app like Microsoft Outlook or Apple Mail, where Google’s data collection is limited to just your email. (You could use a different browser just for Gmail and other Google services to make it harder for Google to track your other browser activities, but that requires a discipline that is hard to maintain — chances are that you’d start doing other work in that Google-specific browser and thus compromise more of your privacy.)
• Never use an account from Google, Facebook, or another social service to sign into other sites; create your own account instead. Using those services as a convenient sign-in service also grants them access to your personal data from the sites you sign into.
• Don’t sign in to Google, Microsoft, Facebook, etc. accounts from multiple browsers, so you’re not helping those companies build a fuller profile of your actions. If you must sign in for syncing purposes, consider using different browsers for different activities, such as Firefox for personal use and Chrome for business. Note that using multiple Google accounts won’t help you separate your activities; Google knows they’re all you and will combine your activities across them.

Browser utilities to help enhance your privacy

You can supplement a desktop browser’s built-in security settings with additional tools.

Mozilla has a pair of Firefox extensions (a.k.a. add-ons) that further protect you from Facebook and others that monitor you across websites. The Facebook Container extension opens a new, isolated browser tab for any site you access that has embedded Facebook tracking, such as when signing into a site via a Facebook login. This container keeps Facebook from seeing the browser activities in other tabs. And the Multi-Account Containers extension lets you open separate, isolated tabs for various services that each can have a separate identity, making it harder for cookies, trackers, and other techniques to correlate all of your activity across tabs.

The DuckDuckGo search engine’s Privacy Essentials extension for Chrome, Edge, Firefox, Opera, and Safari provides a modest privacy boost, blocking trackers (something Chrome doesn’t do natively but the others do) and automatically opening encrypted versions of websites when available.

While most browsers now let you block tracking software, you can go beyond what the browsers do with an antitracking extension such as Privacy Badger from the Electronic Frontier Foundation, a long-established privacy advocacy organization. Privacy Badger is available for Chrome, Edge, Firefox, and Opera (but not Safari, which aggressively blocks trackers on its own).

The EFF also has a tool called Cover Your Tracks (formerly known as Panopticlick) that will analyze your browser and report on its privacy level under the settings you have set up. Sadly, the latest version is less useful than in the past. It still does show whether your browser settings block tracking ads, block invisible trackers, and protect you from fingerprinting. But the detailed report now focuses almost exclusively on your browser fingerprint, which is the set of configuration data for your browser and computer that can be used to identify you even with maximum privacy controls enabled. But the data is complex to interpret, with little you can act on. Still, you can use EFF Cover Your Tracks to verify whether your browser’s specific settings (once you adjust them) do block those trackers.

The bottom line: Don’t rely on your browser’s default settings but instead adjust its settings to maximize your privacy.

What about ad blockers?

Content and ad blocking tools take a heavy approach, suppressing whole sections of a website’s code to prevent widgets and other code from operating and some site modules (typically ads) from displaying, which also suppresses any trackers embedded in them. Ad blockers try to target ads specifically, whereas content blockers look for JavaScript and other code modules that may be unwelcome.

Because these blocker tools cripple parts of sites based on what their creators think are indicators of unwelcome site behaviors, they often damage the functionality of the site you are trying to use. Some are more surgical than others, so the results vary widely. If a site isn’t running as you expect, try putting the site on your browser’s “allow” list or disabling the content blocker for that site in your browser.

I’ve long been skeptical of content and ad blockers, not only because they kill the revenue that legitimate publishers need to stay in business but also because extortion is the business model for many: These services often charge a fee to publishers to allow their ads to go through, and they block those ads if a publisher doesn’t pay them. They promote themselves as aiding user privacy, but it’s hardly in your privacy interest to only see ads that paid to get through.

Of course, desperate and unscrupulous publishers let ads get to the point where users wanted ad blockers in the first place, so it’s a cesspool all around. But modern browsers like Safari, Chrome, and Firefox increasingly block “bad” ads (however defined, and typically quite limited) without that extortion business in the background. Firefox has recently gone beyond blocking bad ads to offering stricter content blocking options, more akin to what extensions have long done. What you really want is tracker blocking, which nowadays is handled by many browsers themselves or with the help of an anti-tracking extension.

Where mainstream mobile browsers differ in privacy settings

Mobile browsers typically offer fewer privacy settings even though they do the same basic spying on you as their desktop siblings do. Still, you should use the privacy controls they do offer.

In terms of privacy capabilities, Android and iOS browsers have diverged in recent years. All browsers in iOS use a common core based on Apple’s Safari, whereas all Android browsers use their own core (as is the case in Windows and macOS). That means iOS both standardizes and limits some privacy features. That is also why Safari’s privacy settings are all in the Settings app, and the other browsers manage cross-site tracking privacy in the Settings app and implement other privacy features in the browser itself.

Here’s how I rank the mainstream iOS browsers in order of privacy support, from most to least — assuming you use their privacy settings to the max.

1. Apple Safari
2. Microsoft Edge
3. Mozilla Firefox
4. Opera Browser (formerly named Opera Touch)
5. Google Chrome

And here’s how I rank the mainstream Android browsers in order of privacy support, from most to least — also assuming you use their privacy settings to the max.

1. Microsoft Edge
2. Opera Browser
3. Mozilla Firefox
4. Google Chrome

The following two tables show the privacy settings available in the major iOS and Android browsers, respectively, as of September 28, 2022 (version numbers aren’t often shown for mobile apps). (Thanks to Computerworld’s Android expert JR Raphael for verifying and updating the Android information.)

Note: Controls over location, microphone, and camera privacy are handled by the mobile operating system, so use the Settings app in iOS or Android for these. Some Android browsers apps provide these controls directly on a per-site basis as well.

iOS browser privacy settings

Android browser privacy settings

Browsers for the paranoid: Brave, Epic, and Tor

A few years ago, when ad blockers became a popular way to combat abusive websites, there came a set of alternative browsers meant to strongly protect user privacy, appealing to the paranoid. Brave Browser and Epic Privacy Browser are the most well-known of the new breed of browsers. An older privacy-oriented browser is Tor Browser; it was developed in 2008 by the Tor Project, a nonprofit founded on the principle that “internet users should have private access to an uncensored web.”

All these browsers take a highly aggressive approach of excising whole chunks of websites’ code to prevent all sorts of functionality from operating, not just ads. They often block features to sign up for or sign into websites, social media plug-ins, and JavaScripts just in case they might collect personal information.

Today, you can get strong privacy protection from mainstream browsers, so the need for Brave, Epic, and Tor is quite small. Even their biggest claim to fame — blocking ads and other annoying content — is increasingly handled in mainstream browsers.

One alterative browser, Brave, seems to use ad blocking not for user privacy protection but to take revenues away from publishers. Brave has its own ad network and wants publishers to use that instead of competing ad networks like Google AdSense or Yahoo Media.net. So it tries to force them to use its ad service to reach users who choose the Brave browser. That feels like racketeering to me; it’d be like telling a store that if people want to shop with a specific credit card that the store can sell them only goods that the credit card company supplied.

Still, there are reasons to consider these alternative browsers beyond ad blocking:

• Brave Browser can suppress social media integrations on websites, so you can’t use plug-ins from Facebook, Twitter, LinkedIn, Instagram, and so on. The social media firms collect huge amounts of personal data from people who use those services on websites. Do note that Brave does not honor Do Not Track settings at websites, treating all sites as if they track ads.
• The Epic browser’s privacy controls are similar to Firefox’s, but under the hood it does one thing very differently: It keeps you away from Google servers, so your information doesn’t travel to Google for its collection. Many browsers (especially Chrome-based Chromium ones) use Google servers by default, so you don’t realize how much Google actually is involved in your web activities. But if you sign into a Google account through a service like Google Search or Gmail, Epic can’t stop Google from tracking you in the browser.
• Epic also provides a proxy server meant to keep your internet traffic away from your internet service provider’s data collection; the 1.1.1.1 service from CloudFlare offers a similar facility for any browser, as described later. (Google Chrome and Microsoft Edge let you choose to use a third-party secure DNS provider if desired, but they don’t provide their own as Epic does.)
• Tor Browser is an essential tool for journalists, whistleblowers, and activists likely to be targeted by governments and corporations, as well as for people in countries that censor or monitor the internet. It uses the Tor network to hide you and your activities from such entities. It also lets you publish websites called onions that require highly authenticated access, for very private information distribution.

Other ways to protect yourself on the web: GDPR, CCPA, and AdChoices

Because of regulations like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), more and more websites have been forced to let visitors control the use of cookies and other trackers at each site. Many multinational companies provide the same options to users outside the GDPR and CCPA jurisdictions for simplicity’s sake. Because blocking cookies in a browser is typically an all-or-nothing proposition, it’s often not a realistic option — after all, some websites need cookies to function in the ways you want, such as to sign you in automatically when you come back.

That’s where using the cookie controls mandated by GDPR and CCPA can help, if available to you. If you go to a European website, you will almost certainly get a GDPR consent pop-up, and there you can see the cookies that the site wants to use. The marketing cookies are the ones to pay attention to; often, there will be dozens even hundreds of cookies listed from companies you’ve never heard of.

Note: Ad blockers, content blockers, and other such privacy tools ironically can suppress the consent forms needed to use CCPA or GDPR on various sites. Also, if your browser is set to block third-party cookies (the unchangeable default in Safari 14 and later), it often won’t save your privacy cookie settings on sites (because typically a third party is used to manage such cookies) — that’s why you may be asked to set privacy settings every time you visit a site. Ironically, that can lead to permission fatigue, where you just click OK or Accept rather than go through all the settings each time.

IDG

IDG

Some cookies “follow” you from site to site, so they can display the same ads wherever you go based on your purported interest in something, such as what you searched for in Amazon or in a search engine. Other cookies go further, tracking your behavior and interests as you surf the web to help build a profile of you.

A lot of these cookies come from the ad networks that websites use, so the website publisher itself has no idea who these cookies come from either. Ad networks also link to other ad networks, so no one may really understand who is tracking users on a given site. You can easily have dozens, even hundreds of advertisers on a given site trying to silently install cookies in your browser.

Rather than decide individually which to allow, just block them all. If enough people did that, maybe publishers and ad networks would actually manage these “partners” and remove the nefarious ones. Look for controls over such cookies, such as from an AdChoices link or Cookie Policy link. And even blocking them all per site is arduous, as you must go to each site you visit to set the controls, assuming it even offers them — there’s no universal way to set advertiser privacy settings, other than the heavy-handed approach of using ad blockers.

IDG

Privacy steps to take outside the browser

If you really want to stay private, you shouldn’t use the internet. But of course that is not possible. So what can you do beyond what your browser allows? Here are the steps you can take for your other internet activities, both web-based and app-based — those other internet tools are more powerful spies than your browser itself.

The goal is to limit what you share and make it harder for those tracking companies to get a full view of your activities.

• Don’t use social networks. If you must use them, share as little as possible. Use their privacy settings, but don’t think for a minute that means you’re no longer tracked. Facebook is particularly notorious for unsavory, unacknowledged use of user data — even if you don’t have an account and simply visit a Facebook page.
• Don’t use voice assistants like Alexa or Siri. They collect a lot of data about you. (Apple has long promoted its privacy focus, and it does appear that Apple largely doesn’t resell the massive data it collects on you. But recent versions of macOS and iOS introduced a service called Siri Suggestions that analyze your activities to make recommendations — the kinds of things Google, Facebook, and others have done for years. That data is all going to Apple, and that’s discomforting. We’ve seen Apple bows to anti-privacy requests in some countries, so even if Apple is more respectful of your privacy than most data-gathering tech giants, there is a risk.)
• Turn off “helpful” tracking features like Google Assistant, Siri Suggestions, and their equivalents from Facebook, Microsoft, Amazon, and anyone else on your mobile devices, web services, and computers (and don’t forget to turn off the advertising ID in the General privacy settings in Windows 10 and 11). 
• Turn off location services for any app or website that doesn’t truly need it. For apps like browsers, do so in Settings > Privacy in Windows 10 and 11, macOS’s Privacy & Settings system preference, iOS’s Location Services controls in Settings, and Android’s Location control in Settings. If you need location services enabled for some websites, use the per-site controls when available in that browser to do so, leaving location services disabled for the rest by default.
• Go through the other privacy settings as well on each device you have, and limit access to your activities and information as much as you can.
• Avoid signing in at online stores when researching products in a browser or shopping app; sign in only when you’ve decided what to buy, so the retailer can’t track your research activities.
• Take advantage of laws like California’s CCPA or Europe’s GDPR when you can, to delete your data or restrict its use, not just manage cookies. Likewise, regularly purge your data at Google and other services that extensively track you.
• Consider using a virtual private network, but be careful. The free ones are making money somehow, and your data is almost certainly that “somehow.”
• Consider using CloudFlare’s 1.1.1.1 service, which is a proxy DNS server that directs your web traffic through CloudFlare rather than through your internet service provider. ISPs often collect your search traffic and sell the resulting profiles to advertisers and other commercial interests. CloudFlare is a business, of course — it manages internet traffic for publishers, vendors, government agencies, and more — but it seems to have less troublesome uses for the data it collects than the ISPs do. And I’m more comfortable with 1.1.1.1 than with free VPNs. Remember: Nothing is truly free, it’s just what the actual payment is.
• If you use 1.1.1.1, set it up in your router so all your networked devices are automatically protected; just set your primary DNS to 1.1.1.1 and secondary DNS to 1.0.0.1). Doing so also means on mobile devices you don’t have to disable the 1.1.1.1 pseudo-VPN to use a corporate VPN. On desktop computers, 1.1.1.1 doesn’t use a pseudo-VPN, so there’s no conflict with corporate VPNs there. Still, for when you are traveling and away from your protected router, you may want to set up 1.1.1 1 on your computers and mobile devices, too. On a computer, configure the primary DNS to 1.1 1.1 and secondary DNS to 1.0.0.1 in the operating system’s network settings. (Once set, you can leave it as is.) On a mobile device, install the 1.1.1.1 app from the App Store, and turn it on when traveling — just remember you must turn off the app to use a corporate VPN, if your device doesn’t do that automatically when you try to switch VPNs.

They might still be able to track you through other means, of course, but why make it easy? You can’t be completely private, but you can create some shadows around yourself.

This article was originally published in November 2020 and most recently updated in October 2022.

More privacy tips

• How to protect your privacy in Windows 10
• How to stay as private as possible on the Mac
• The ultimate guide to privacy on Android
• How to stay as private as possible on Apple’s iPad and iPhone
• How to go incognito in Chrome, Edge, Firefox, and Safari