TechTok #8. Knowing your enemy

We decided not to spread ourselves over too many questions and instead focus on just two this time. The first one comes from Влад:

How many trackers are there on popular websites and how does AdGuard block them?

This is one of those questions that sound very simple, but are in fact not-so-easy to answer. Of course, there are countless websites, and the amount of trackers on them varies greatly — not to mention that the exact number will depend on the method you use to count them. But you did not come here to read non-answers, and we didn’t start TechTok to give such. So we will try to come up with some cold hard numbers.

The first thing that comes to mind is “why not just simply open a website and count the darn things?” And indeed, why not? Let’s open a random website, say, nytimes.com, and check out AdGuard Browser Extension’s filtering log to see how many trackers it blocks. And we will count all blocked ads as trackers too — because in today’s Web any ad pretty much tracks you anyway.

After visiting the website we saw that there were 7 blocked requests on the page. Every one of them corresponds to a tracker, and sometimes more than one. If you don’t block a tracking request it is often followed by more of them. We did the math on so-called hidden trackers, and it is safe to say that on average each initial tracking request brings over 2 of its ‘friends’ if not blocked. So that gives us over 20 trackers already. There are more records in AdGuard’s filtering log, but they don’t necessarily all correspond to blocked tracker requests, so we won’t count them here. But we’re not finished yet.

It is impractical and, honestly, almost impossible to manually check every single website you visit. There are other ways to estimate just how many tracking scripts lurk on websites. In one of our research studies, which we’re yet to publish — stay tuned! — we counted, among other things, how many requests it takes to load a website with and without an ad blocker. Without diving into details (we’ll do that in the dedicated article once we publish the research), we loaded 119 news websites and counted in total 35,603 requests without an ad blocker and 17,249 requests with it. It means that on average the ad blocker cut the number of requests required to load a website from 299 to 145 per website — more than in half. For each website, 154 requests were blocked because they triggered one of the filtering rules. Granted, the setup wasn’t as spartan as in our little experiment with nytimes.com, there were more filters involved and the methodology differed, but it shows that our initial estimate of 20 blocked trackers is probably much closer to the lower bar than to the upper one.

To be honest, aside from monitoring your traffic and meticulously analyzing every single request there isn’t a 100% accurate method of telling how many trackers are there on each individual website. But it isn’t necessary — you can probably already tell from our estimations above that there are enough of them that you should really think about how to protect yourself. And this is where we get to the second part of the question: How does AdGuard block those trackers?

In all honesty, this topic could easily take not just a separate question, but its own separate TechTok issue, if not several. So we’ll cover the very basics and leave you with some breadcrumbs to continue the research on your own if you are interested.

Your web traffic consists of many, many requests that your browser (and apps too, but let’s stick with browsers for simplicity’s sake) sends to web servers in order to load everything it needs to display a page — text, fonts, images, videos. AdGuard, just like any other web filtering tool, analyzes these requests for any hints of ads and trackers. Usually, requests to ad servers look differently from requests to, let’s say, a content delivery network. AdGuard has filters (also called filter lists) that contain thousands of rules written in special syntax, and whenever a request matches one of the active rules AdGuard knows that it’s time to act and block that request before it reaches the servers and loads an ad or a tracker on your device. These filters need to be maintained and constantly updated in order to stay relevant, and an entire team of filter developers work on that task in AdGuard, not to mention countless other professionals and community contributors who do the same.

This is the very gist of it — the rabbit hole goes much, much deeper than that. If you’re interested in learning more, check out this Knowledge base article. And if you still crave more ad-blocking wisdom after that, you can delve into the nuances of HTTPS filtering, DNS filtering, or even learn how to create your own filtering rules.

Onto the next one! A user named Виталий wonders how your phone can be tracked. We took the liberty of paraphrasing the question a little without distorting its meaning:

What are the ways your phone can be exploited to gather information about you, what information specifically can be gathered, and how to protect yourself against it?

This is a quite broad question, and we would like to cover it in more detail in the future TechTok issues, but now let’s try something a little different and do this one in bullet style. We’re going to make a list of threats to your phone’s privacy that you may encounter, roughly from most to least common, and for each threat on that list we’ll try to give some advice on how to deal with it. We won’t be able to cover every single one here, but hopefully you can get some actionable advice from those we do.

1. Tracking and advertising

This is a base level threat that you already know about from the first question of today’s TechTok. Apps and websites often use ad trackers and analytics tools to track your behavior and build profiles based on your activities, leading to unwanted targeted ads or privacy violations.

How to protect yourself:

Use ad blockers and anti-tracking tools such as AdGuard, opt for privacy-oriented browsers. In that regard mobile devices aren’t much different from desktops. Note, however, that both on Android (and especially on iOS) ad blockers’ capabilities are limited compared to Windows and Mac when it comes to filtering non-browser applications’ traffic. This means that you should be extra careful when choosing to install any app — research the developer and their reputation, read the privacy policy. Don’t trust the apps that look suspicious in any way and always err on the side of caution when deciding whether to install anything or not.

2. App permissions abuse

This threat is closely tied to the previous one on the list. Many apps request permissions that aren’t necessary for their core functionality (e.g. camera, microphone, contacts) and could expose your data.

How to protect yourself:

Don’t just click through the permission requests whenever you install a new app. Yes, we all know that feeling when you find a new app and want to try it out ASAP, but taking a minute or two to review its permissions will potentially save you much more time and nerves in the future. If your new note-taking app wants to access the microphone, something isn’t quite right. You may even consider using app permission management tools for convenience (such as App Ops on Android).

3. Malware and spyware

Mostly spread via phishing emails and websites, malicious apps or spyware can be discreetly installed on your phone to monitor your activities, steal personal information, or remotely control your device. Some may consider this threat trivial but “only fools and older folks fall for something like that” are famous last words. You can never be too careful.

How to protect yourself:

Rules to follow to shield yourself from malware aren’t too complicated, but you really need to follow them. Making any exceptions is a surefire way to end up with unwanted malware on your device. Download apps only from trusted app stores (Google Play, App Store, etc.), don’t download any apps directly from a website unless you have researched the vendor and trust him. Keep your phone’s operating system up to date to patch known vulnerabilities, don’t postpone the system update till later because you really want to finish watching this one YouTube video about squids’ social behavior. Avoid visiting dubious websites and clicking on suspicious links or opening attachments in emails, especially from unknown senders.

4. SIM card swapping (SIM jacking)

SIM swapping is a form of identity theft where a hacker manages to switch your phone number to a new SIM card that they control, either through social engineering or by accessing your accounts. Once they have access to your phone number, they can receive calls, texts, and two-factor authentication (2FA) codes sent to your phone. This gives them access to your banking and social media accounts that rely on SMS-based 2FA.

How to protect yourself:

Unlike with something like malware or app permissions abuse, you can’t passively protect yourself from SIM swapping by just staying vigilant. You need to take active preemptive measures: set up a PIN or password with your mobile carrier to prevent unauthorized SIM swaps. Some provide additional security features, like multi-factor authentication, so you should ask them about it.

Another way to prevent — or at least mitigate — the damage done by a SIM swap is by using an authenticator app for your 2FA needs, rather than rely on SMS. There is no shortage of tried and trusted authenticator apps that you can choose from.

5. Data collection by mobile carrier

It’s not a secret that mobile carriers have capabilities to collect data about your call history, text messages, and location, and many of them do. This data then can be shared with or sold to third parties to be used for marketing purposes. There is also a looming threat of a data breach that could happen at any time and would expose all stored data about you to hackers.

How to protect yourself:

The first step is research. Find out what data your carrier collects and what you can opt out from. You would be surprised how deep the opt-out checkbox may be buried, but there usually is one.

But not everything can be solved with an opt-out, and even then, better safe than sorry, so arm yourself with a VPN. A VPN will encrypt your internet traffic and hide your real IP address and your location not only from the ISP, but from everyone else who becomes too curious about your online activities.

Finally, configure your device to use a custom DNS server by a privacy-oriented DNS provider (like AdGuard DNS). This is a step that even tech-savvy users often forget, but it’s becoming increasingly important, as DNS-based TrustPid becomes the likely future of ad-tracking in Europe.

6. Wi-Fi and Bluetooth snooping

Public Wi-Fi networks and unprotected Bluetooth connections can be exploited by hackers to intercept your data or gain access to your device.

How to protect yourself:

Luckily, this is a rather straightforward one: avoid using public Wi-Fi at all, if possible, and especially for sensitive activities like banking. And if you have to, always use a VPN to encrypt your internet traffic.

As for Bluetooth snooping, the advice is self-evident: turn Bluetooth off when you don’t need it and avoid pairing with any unknown devices.

7. Cell tower location tracking

Now we’re officially entering conspiracy theory territory. Mobile carriers can triangulate your rough location based on the signal strength and proximity to nearby base stations (i.e. cell towers), even if your device’s GPS is disabled.

How to protect yourself:

Unfortunately, there is not much you can do here, unless you are willing to go completely off grid by disconnecting from the network or enabling Airplane Mode on your device. As we already mentioned, merely disabling GPS will have no effect here. Technically, encasing your phone in a Faraday bag would work, but that’s not a very practical solution.

On the bright side, you probably shouldn’t worry too much about getting tracked based on your phone signal unless you are a high-profile individual that crossed paths with the government. Regular users should focus their efforts on protecting themselves from tracking and other more common and more easily preventable threats.

We hope that you’ve found today’s questions relevant and answers helpful. Send your new questions over through this form, and you might see them answered in the next TechTok edition!