What (If Anything) Can We Do To Prevent Tracking Online? (Premium)

In addition to being the year of AI, 2024 may also be the year in which we finally learned the true cost of online tracking, thanks largely—but not exclusively—to new EU regulations.

As I wrote in Put Up or Shut Up (Premium), I was shocked to see Microsoft almost fully implement its Copilot strategy in just the first two weeks of 2024. But I’m equally surprised—and, frankly, delighted—by the equally shocking online tracking revelations we’ve received in just the past few days. Both the new Outlook, a Microsoft product, and Facebook have now been outed for their nefarious ways.

Some will claim this is not surprising. After all, we know we’re being tracked online, and if one more person spouts the throwaway adage that “if you’re not paying for the product, then you are the product,” I’m going to scream. Those are just words. As I noted on Windows Weekly yesterday, there’s a big difference between being vaguely aware of something and being smacked in the face with the full truth of it. I compared it to “knowing” that having your first child would be difficult and the real-world difficulty of actually doing so.

And wow.

Look, I’m not a privacy “nut” or whatever, and I approach this topic pragmatically, much as I do with security. And I recognize that even without knowing the full scope of the tracking we endure, and the full size of the secret cabal that has amassed to victimize us, we all make compromises and trade-offs. We choose Google Maps, say, because of its solid record of getting us there on time and avoiding accidents and construction, but we also know that Google is sucking up our location history and other activities en route. What we don’t know—what most of us just don’t care enough about—is what Google then does with that data. We’re not really educated on this topic at all.

I’m not a privacy expert, just as I’m not a security expert. But I have at least been on the right side of history when it comes to this topic. When Windows 10 wouldn’t let us turn off tracking and then Microsoft went through a series of promotional gyrations that generated plenty of words but little or nothing in the way of actual privacy, I coined the term “privacy theater.” When Windows 11 escalated that enshittification by forcing customers to use Edge even when they chose a different browser, I added an extra chapter to the Windows 11 Field Guide specifically to help readers avoid as many of its privacy invasions as possible. This past year, I complained about OneDrive’s incessant pushiness and inability to honor my choices until I made a major configuration change and then finally switched to Google Drive, which I now love and recommend. And I likewise switched away from Microsoft Word after years of Microsoft disrespecting my configuration choices in that app.

And yet. Like you, I had no idea of the scope of the tracking and other privacy invasions, no true understanding of the forces allied against us all. My appreciation of the EU’s recent Big Tech regulations is broad and deep, but I never expected them to generate any real change here in the U.S., where consumers routinely cough up their privacy unthinkingly and can’t even seem to accept facts, let alone details. But now I wonder. This is almost certainly just the tip of the disclosure iceberg. We’re going to learn more.

And that’s terrific: We’ll be sure to cover whatever happens along those lines, just as we’ll cover whatever AI machinations occur this year at Microsoft and elsewhere. But my mind naturally wanders to the same place that I suspect yours does. And what I’m thinking about now is, what can we do about this?

The most obvious solution is to use a Pi Hole or a service like NextDNS. These and other similar products and services are often promoted as allowing house- or device-wide ad blocking, but they’re more useful than that: They can also help prevent tracking, whether the methods used involve ads (as they often do) or not.

Many readers will recall that I started using NextDNS on my smartphones and tablets in August 2022 after I had finally had it with all the advertisements in the mobile apps I use. I still do so, and I’ve never looked back or regretted this decision, despite a few issues we’ll get to. But I also never made the move to put NextDNS on my PCs, in part because the Wi-Fi solution I was using at the time (Google WiFi) didn’t allow me to configure NextDNS for the entire house: Because I use so many different PCs, manually configuring each of them for this service would have been too tedious. Plus, I use Brave, a privacy-focused web browser with effective built-in tracker and ad blockers anyway.

But a few things have changed since then.

I upgraded to an Eero Pro 6E mesh wireless system in late 2022, and that can be configured with NextDNS to protect every device in my home. There’s also a NextDNS client for Windows that I’m not sure I was aware of previously. But this can help me test NextDNS on my PCs ahead of potentially switching over the entire home in one fell configuration change. So I’m actively testing this solution now on three PCs so far and will report back when and if anything changes.

The problem with NextDNS, a Pi Hole, and similar solutions is that these things are not “set-it-and-forget-it”-type answers to the problem. They require constant care and feeding and a bit of experience and expertise. Early on, when something doesn’t work, you may automatically assume that it’s your Internet connection or whatever. But as you use this type of thing more, you will come to understand that products that block trackers can also break things. And you will want those things to work.

Let me give you two examples.

When using NextDNS on a PC or mobile device, I can’t access the OpenWeb comments moderation console that I use every single day. Likewise, you (and I) can’t see the comments on Thurrott.com at all, let alone respond to any. Researching this, I discovered that we need to add OpenWeb’s domain (*.spot.im) to the allow list in NextDNS (or whatever product or service you’re using). When you do so, everything works normally.

The second one: I read the Google Discovery feed in Android (and in the Google app on the iPhone) every day, oftentimes multiple times each day. But some of the posts that show up in that feed aren’t linked using an explicit URL at the source, they instead use a middleman service like www.googleservices.com so that Google, them, or some third party can track my interests and activities. And so when I click on some links in this feed, I get a ERR_CONNECTION_REFUSED error: NextDNS is preventing it from tracking me. In this case, I didn’t add the domain to my allow list. If the article is that important to me, I’ll share it with Pocket, the read-later service I use and recommend. If it isn’t, I just move on.

But that’s me. I also convinced my wife to put NextDNS on her phone, and she is more bothered by these interruptions in her normal browsing. To date, she’s disabled NextDNS when this happens, and she needs to get through. But based on a recent conversation I had with my Windows Weekly cohost Richard Campbell—who uses a Pi Hole at home and runs into similar issues with his wife—I’ve asked her to show me when this happens when possible, so I can consider adding more domains to the allow list.

The problem, in case it’s not obvious, is that this isn’t a war of attrition, it’s an eternal, never-ending war: Once you go down this path, you either must keep making these configuration changes as needed, or you will simply give up in frustration and just rationalize that your convenience is more important than your privacy and, probably, your security. I get it: As I wrote recently in Passwordless Password Manager Problems (Premium), no one is going to adopt a security solution that’s too difficult to use. This is why security keys have failed with consumers, and why password managers, authenticator apps, and passkeys are still fringe cases despite their advantages.

I guess the question here is, how radical do you want to get? And are you willing to keep it going? Or will you simply give up once the indignation and outrage over these recent disclosures gives way to some other big news story? As they will, inevitably.

I’m going to find out. I will keep testing NextDNS on my PCs, and if that works out, I’ll ask my wife to do so as well. Should it pass that admittedly high bar, then maybe I’ll take the nuclear option and put the service right on my router. (I will still need to install it on my mobile devices and on PCs that leave the house, of course.) Maybe. But I’m human too. And I suspect that the effort required will prove too onerous, and that I will go skulking back to our current reality, secure in the knowledge that I am not at all secure, and that my privacy is being invaded every single freaking day.

But I’m going to try.