[0] I spy with my little eye...

We get tracked, profiled and observed at every step we make online. Well, not only online, but I will focus in this post on our online lives. Whether we are aware of that or not is irrelevant, it is still happening. It is so widespread that I know a lot of people who have simply given up, and they live with the awareness that every app, every site and every device they have at home is collecting unknown amount of data and sending it to unknown places. I am aware of this painful truth too. However, I like to fight back because fighting back is still possible.

This text came from a compilation of advices I’ve given to various friends and from the things I’ve done myself to get rid of as many trackers, ads and prying eyes as I could.

Why bother?

Visual annoyance

I am a visual person. There is a high chance that you are one too. I like websites that are pleasing to look at but I even more appreciate websites that share their content in a way that is clear and not an attack on my eyes. When a website dedicates 1/3 of its space to all sorts of adds I move along and look for some other place. However, I am seeing a lot of people using their devices, visiting their favourite websites all the while scrolling through pages and pages of ads that they don’t really care for. They are used to it. I guess they have developed a filter in their minds that allows them to scroll through all that web garbage and look at what they are interested in. Or so I’d like to think. I don’t have such a power. I don’t care for even the smallest of the small ads on a web page. I consider it garbage and I want it gone.

Fight the future

You see, neither you nor I can predict the future. We can make some educated guesses, more or less. Those who have studied a lot of history can make out some patterns in human behaviour and somewhat accurately guess what is to happen, but as things stand right now, we can not predict the future. That means that neither of us can see in what ways will the data collected about us be used in some distant(or not so) future. Those thinking that evil regimes of the past can not come again and use our modern technology to repeat the horrors of the past are very naive. There are such regimes today. Now. And they are using digital footprints of their citizens to commit all sorts of atrocities. You think it can’t happen in your country? Think again.

With the awareness that the future is an unknown and that there is a lot of data collected about our shopping habits, watching habits, talking habits, reading habits… you get the point… we may rightfully assume that if in a not so distant future we too end up living under a regime that will try to suppress any and all descent. Such a regime, armed with all the data, will have an easy time filtering out all the “others” that need to be “re-educated” and “corrected”. And the thing is, we can’t know what will put one person among the “others” in such a place. It may be that sex toy that you were looking at 4 years ago on that website. Or perhaps a trip that you have booked. Maybe a photo that you have taken long ago and uploaded to your vanity platform of choice.

Don’t think that it can’t happen to you.

Solutions

When it comes to the solutions I would like to rate them on a scale from “Nah, it’ll be fine!” to “Off the grid is the only true way” and then look somewhere in between. I enjoy technology and I enjoy using modern devices and services. I try to narrow the field a bit in my life but above all, I try to understand what those devices and services are doing and to turn off behaviours I am not comfortable with.

There are many ways to achieve that. The easiest one is to install one of many adblockers into your browser and be done with it. By doing that you will reduce the noise on the websites you are visiting and get a peace of mind. I will cover those tools in a different post.

However, browsers are not the only thing that sends data about your behaviour. Each one of us has a dozen or a few dozens of applications on our phones and tablets. Add to that all sorts of smart-home devices, TVs, gaming consoles… Yes, every single one of those is guilty of tracking and spying. The only question is how far do they go and do they give you an option to opt out.

My first recommendation is not to be lazy when it comes to the devices and apps that you are using. When you install an app or bring a new device into your home, open up Settings on it and see what it has in there. Quite a few will give you an option to opt out of various data collection. Of course, that will not be enough. Some devices/apps offer opting out for some things, but not for all. Be mindful that even some that are widely considered to be “the good guys” still do a lot of data gathering (looking at you Mozilla).

So, how does it all actually work and what can you do? When I say “data gathering” and “telemetry” I mean the information that a piece of software within your device, that connects to a remote computer, gathers and sends about your device usage. That can be something very benign, such as information about software performance or any issues that it may have had. Such things help developers fix issues when they happen. However, a lot of devices will upload data that goes beyond the need to make software/device better. Sometimes that data is made anonymous, and sometimes it isn’t. Don’t count on the companies to know what they are doing or to even care. In a lot of cases they don’t.

Nerd intermission

This section is for those who want to understand the technology that is behind all of this. Feel free to skip it if you already know or don’t care. In the next section I will talk about the main subject of today’s post.

Whenever you try to open up a website a multitude of things happen. They are, usually, so fast that you don’t notice any of them. One of the most important is the way your computer figures out that when you type in your browser https://nightmareartist.com it should connect to a specific server at Hetzner Cloud. This process is called domain name resolution. Domain name is this address that you have typed in your browser. That address is made for humans. Computers talk to each other using something called IP address, short for, Internet Protocol. Each computer on your local network and on the Internet has this address. That’s how they talk to each other. [Yes, I know that this is super simplistic… I told you to skip this if you already know how it works.] So, when you type in the address of my website, your computer will first talk to something called Domain Name Server (DNS) which will tell it the IP address of the computer that actually has the text that you are reading. Your browser will then connect to my server which in turn will deliver the content I am presenting to the world.

This same process is what happens when your phone, TV or gaming console are calling back home and sending data about your doings. That can happen a few times a day or every few seconds. For example, while I’m using Firefox to go to specific websites it also calls back home and sends data about my browser usage to Mozilla by contacting incoming.telemetry.mozilla.org. That happens every ~30 minutes.

The end of nerd intermission

I hear you saying: “Well, if we know all this that means that we can simply block those domain names and be done with it.” Yes, that is exactly what we can do. The problem is that there are millions of them out there. Unless you want to spend your life hunting them all down and blocking them on your firewall we need a better solution.

I present to you - NextDNS.

With the knowledge of how our computers use DNS to decide where to look for a website, we can rightfully assume that if we were to set up a DNS server to which our computer would connect, which would in turn know about all these bad domain names, we would be able to block them with ease. We can run such a service ourselves in the form of Pi-Hole. I had one running on a Raspberry Pi on my desk for a long time. However, that requires maintenance and keeping an eye on the various lists of malicious and annoying domains that change every day. It is also not that great when I’m not at home. And I’d like to keep blocking things when I’m out too.

This is why some 2+ years ago I decided to try something that is basically hosted Pi-Hole. And after 2+ years I am still their paying customer and very happy with the service. There are other services out there, such as AdGuard and ControlD. I have tried both but I liked NextDNS the most so I stuck with it. I keep an eye on all these services so I might give them a go again sometime in the future.

So, what is NextDNS?

It is a DNS service with a privacy twist. Instead of just helping your computer figure out where the servers you are trying to reach are located, it also can block any and all ads and trackers.

I will assume here that you have just opened up an account at NextDNS. They offer a free account that allows 300.000 DNS queries per month. That may be enough for you. Pro account costs just ~24EU a year. Nothing for such an amazing and useful service.

Once you log in you will be presented with a dashboard and multiple tabs. The main one is Setup, where you will be given various parameters that you can use on your devices. From here on you may go and install NextDNS app on all your devices, put your NextDNS ID in them, and you are done. However, I want to protect my whole network at the same time. Plus, I have devices that can’t have NextDNS app installed.

For this step you need to access admin panel of your network router. In its connection setting you will see an option to add DNS servers. This differs from device to device, so, please, consult documentation for your router before doing anything. If you have a more modern device those servers can come in the form of DNS-over-TLS/QUIC or DNS-over-HTTPS addresses, all of which you can see on your Setup page. These two types of DNS services will make it so that not even DNS provider is able to see what you are requesting. I use a UniFi Dream Machine which doesn’t have that. So I will copy over two IP addresses given in the DNS Servers section. And that’s it. From here on, every single device that connects to my Internet will be using NextDNS servers. If you have UniFi device too feel free to look into installing NextDNS client via SSH, that too works really nice. However, this text is not for those accessing their Wi-Fi router using SSH. I have actually setup NextDNS using SSH so that I get all the benefits of encrypted DNS.

From here on all the changes that you will be making will happen in the NextDNS dashboard. Feel free to explore it a little. Most of the options are clearly explained. Their user interface is very intuitive and clean [ha!]. Under Privacy, you will be able to decide which of the many blocking lists to use and how to deal with common threats. What are blocking lists, you ask? To put it simply, long text files containing collections of the bad domain names out there. All of these lists are maintained by various projects or individuals. NextDNS makes it easy to see all the lists and turn them on or off as needed.

I can’t tell you what is the best combination of lists to use. You will have to enable them one at a time and see how they affect your day-to-day usage. For example, I have a very restrictive list of blockers:

  • NextDNS Ads & Trackers Blocklist
  • AdGuard DNS filter
  • Steven Black
  • EasyList
  • AdGuard Mobile Ads filter
  • Fanboy’s Annoyance List
  • oisd
  • AdGuard Tracking Protection filter
  • EasyPrivacy
  • Disconnect (Tracking)
  • Disconnect (Ads)
  • AdGuard Social Media filter
  • Frellwit’s Swedish Hosts File
  • notracking
  • NoTrack Tracker Blocklist
  • Goodbye Ads
  • AdGuard Base filter
  • WindowsSpyBlocker (Spy)
  • AdAway
  • Fanboy’s Enhanced Tracking List
  • Energized Basic
  • 1Hosts (Pro)
  • Energized Ultimate
  • someonewhocares.org (Dan Pollock)
  • Lightswitch05 - Ads & Tracking

And there are many more available. This list means that I effectively block millions of domains that are known to serve ads and/or are used by trackers. Furthermore, under Native Tracking Protection I have: Samsung, Windows, Xiaomi, Huawei and Apple. Yes, I do use Apple devices, but that doesn’t mean I won’t block Apple from tracking us whenever possible. I have also added: Porn, Gambling and Dating under Parental Control section.

With all this in place NextDNS started blocking. A lot. Really a lot! On an average 17-20% of all our traffic at home gets blocked every day. That means that 17-20% of everything that happens on our network is either an ad, a tracking or something malicious. Not in that particular order. That is depressing. It just goes to show how much of a junkyard the Internet has become.

You will notice how all of a sudden your browsing becomes cleaner, your mobile apps no longer show all sorts of crappy ads… or they no longer work. Yes, that is something you will have to deal with. With all the blocking lists above in place some things will go under the bus. However, all is not lost. The good people of NextDNS have made it possible to see under Logs all the queries made from your devices. You can filter out all the blocked ones and then decide if you want to whitelist them in the Allowlist. I had to add some 30 domains to that list. Bear in mind that things added to that whitelist take a few minutes to come into effect. Be patient. Sometimes sites that you know to be bad players are not being blocked, you can add them to your own block list under Denylist.

NextDNS comes with a pretty straight forward privacy policy. You can even disable logs completely, but then you may have a hard time figuring our false positives. You will also miss on all the statistics as the source of depression about the state of the Internet. If you decide to keep the logs for a while you can pick the location where you want your data stored. Those of you thinking that the EU is a bastion of [online] privacy can choose to keep the logs there.

As noted earlier, you can set up NextDNS app on all your mobile devices so that you get the full protection when not at home. One really neat feature that app has is to pause blocking when you are on home turf - all you need is to put your home Wi-Fi SSID(name) on the whitelist and the app will pause itself when connected to said Wi-Fi.

Final thoughts

I would argue that this solution is not how it’s supposed to be. We shouldn’t be fighting for a non-polluted and non-spying Internet. It should be the default. Yet, it is not and here we are. Perhaps one day our politicians will find some spare time to address these issues for real. Until such day comes we will keep finding tools like NextDNS to fight the grim future that we are living today.