This guide contains updated recommendations and privacy tweaks for Firefox, revised to reflect the latest version and new features (October 2019).
Mozilla Firefox is arguably the best browser available that combines strong privacy protection features, good security, active development, and regular updates. The newest version of Firefox is fast, light-weight, and packed full of privacy and security features.
It is for this reason that I consider Firefox to be the best all-around browser for privacy and security. It remains a solid alternative to some of the other options, such as Google Chrome, Microsoft Edge, and Safari.
Another great aspect of Firefox is that it is highly customizable, which is the point of this guide. Below we will go over how you can customize Firefox to give you the security and privacy you desire, while still working well for day-to-day browsing.
But before we jump in, let’s cover some important details.
Important considerations
There are many factors to consider when configuring Firefox to meet your needs, including your threat model and browsing preferences. In other words, there is no “one-size-fits-all” configuration that will work for everyone. This guide is a basic overview covering some of the different configuration options.
Before you start modifying Firefox and installing a bunch of add-ons, it’s important to consider browser fingerprinting.
Browser fingerprinting
The issue of browser fingerprinting (or device fingerprinting) is a big topic that covers all the different ways you can be tracked and identified by your system and various settings. All of the different add-ons you install and preference modifications you make to Firefox are inputs that can potentially be used to identify and track you.
Herein lies the catch-22: the more browser add-ons you install and settings you modify, the more likely you will stand out from the crowd and be easier to track. There are solutions for this and the latest version of Firefox does offer some fingerprinting protection. I discuss this problem and also provide solutions in the browser fingerprinting guide.
And that leads us to the next point that…
More is not always better
When it comes to browser add-ons and modifications, you don’t want to be like that kid who puts every topping imaginable on his ice cream. Similarly, more is not always better with Firefox browser add-ons.
Aside from the issue of browser fingerprinting, having too many add-ons may slow down performance and break things. Many of the popular Firefox add-ons also fulfill the same functions and are redundant when used together.
Therefore it is best to strike a balanced approach. Install and modify only what you think will be useful and necessary for your specific situation.
Proceed with caution
Modifying some of these settings may interfere with your browsing experience and break some websites (they won’t load properly). Therefore taking an incremental approach may be the best way to proceed. You can continue to install add-ons and adjust your settings as you see what works best for your needs.
This allows you to modify the settings, create exceptions, or add sites to a whitelist.
Firefox privacy settings
Before you get going with Firefox you may want to adjust the following settings for better privacy.
Note: if you are a Mac OS user, you will see the word “Preferences” in your menu rather than “Options” as it is listed below.
Disable telemetry
The latest version of Firefox is configured to share “technical and interaction data” with Mozilla. This includes the ability to “install and run studies” on your computer. You can learn more about these studies and data collection practices, but I’d recommend disabling these settings.
To disable them, go to Open Menu (three bars at the top right corner of the browser) > Options > Privacy & Security > Firefox Data Collection and Use and then uncheck the boxes in that section.
You can also disable data sharing with Firefox for Android by going to Menu > Options > Privacy > Data Choices and then uncheck all three categories for Telemetry, Crash Reporter, and Mozilla Location Service.
Note: You can also disable this in the About:Config settings with toolkit.telemetry.enabled set to false.
Change default search engine
Firefox now uses Google as the default search engine, but there are other private search engines you can use instead.
To do this, go to Menu > Options > Search > Default Search Engine. Firefox does not provide you with too many alternatives directly in the settings area. However, you can view more options by going down to One-Click Search Engines and then click Find more search engines to see the other alternatives.
See our guide on private search engines to dive into this topic more.
Firefox also has a guide on modifying your search engine preferences.
Firefox Content Blocking
Another great new feature with Firefox is Content Blocking. This customizable feature will automatically block “content that tracks the sites you visit and profiles you.” You can choose between Standard, Strict, and Custom modes, which allow you to block:
- Trackers
- Cookies
- Cryptominers
- Fingerprinters
To adjust the Firefox Content Blocking settings, go to Menu > Options > Privacy and Security > Content Blocking and then select which mode you want to use.
The Standard setting may be the best balance for regular users. Firefox warns that Strict mode may “cause some websites to break.” However, you can still…
Disable content blocking for specific sites
It’s easy to disable content blocking for certain trusted sites. Simply enter the website URL, then click the “i” icon to the left of the address bar, then click the grey button to “Turn off Blocking for This Site.”
Another benefit of Firefox’s Content Blocking feature is that it can save your data and improve page load speeds.
The “Do Not Track” request
Firefox also has an option to request that websites “do not track” you online. This is simply an HTTP header field that you can easily enable. However, the key word here is request, because this is not actually blocking anything. We have also learned that many websites simply ignore these requests.
In addition to being ignored by most sites, this is also a value that can be used for browser fingerprinting purposes, as explained here. Therefore I no longer recommend enabling or modifying the Do Not Track settings, which you’ll find in the Content Blocking settings area.
You can learn more about the Do Not Track feature here.
Firefox About:Config settings
Aside from the general Menu settings we used above, you can also make a number of different modifications using about:config.
Note: If you made all of the changes above, you may notice that some of these settings are already updated in about:config. We will still cover the different about:config since some people prefer to modify settings in this area, rather than through the general Menu.
To access these configuration settings, simply enter about:config into the URL bar and hit enter. You will then be prompted with a warning screen stating “This might void your warranty.” Just click “I accept the risk” to continue.
After proceeding, you will see a large list of preferences, which each include a status, type, and value.
These preferences will be listed in alphabetical order and are easily searchable from the search bar near the top.
Modifying preferences – You can modify any of these Firefox preferences by simply double clicking the preference name. If the preference is a “boolean” type, then double clicking will change the value to true or false. If the preference is an “integer” or “string” type, double clicking will open a box to change the value.
Here are my recommended changes:
media.peerconnection.enabled (WebRTC) = false
WebRTC stands for “Web Real-Time Communication” and it allows for voice, video chat, and P2P sharing through your browser. Unfortunately, this capability can also expose your real IP address through browser STUN requests, even if you are using a good VPN service. (This is called a WebRTC leak.)
To disable WebRTC in Firefox simply enter media.peerconnection.enabled into the search bar and then double click the value to change it to false.
Aside from Firefox, the WebRTC vulnerability also affects Chrome, Opera, Brave, and other Chromium-based browsers. Safari is also in the process of implementing WebRTC.
privacy.resistFingerprinting = true
Changing this preference to true will help to make Firefox more resistant to browser fingerprinting.
Note: There are many factors that go into browser fingerprinting and the ability of an adversary to identify you. See the browser fingerprinting guide for additional details.
privacy.trackingprotection.fingerprinting.enabled = true
This is a new preference with Firefox 67+ to block fingerprinting.
privacy.trackingprotection.cryptomining.enabled = true
Another new preference with Firefox 67+, this will block cryptominers.
privacy.firstparty.isolate = true
Changing this to true will isolate cookies to the first party domain, which prevents tracking across multiple domains. First party isolation does much more than isolate cookies; it affects: cookies, cache, HTTP Authentication, DOM Storage, Flash cookies, SSL and TLS session resumption, Shared Workers, blob URIs, SPDY and HTTP/2, automated cross-origin redirects, window.name, auto-form fill, HSTS and HPKP supercookies, broadcast channels, OCSP, favicons, mediasource URIs and Mediastream, speculative and prefetched connections.
This preference was added in late 2017 as part of the Tor Uplift Project.
privacy.trackingprotection.enabled = true
Another new update, this is Mozilla’s built-in tracking protection feature. This will use a Disconnect.me filter list, but may be redundant if you are using uBlock Origin 3rd party filters.
geo.enabled = false
Setting this to false will disable geolocation tracking, which may be requested by a site you are visiting. As explained by Mozilla, this preference is enabled by default and utilizes Google Location Services to pinpoint your location. In order to do that, Firefox sends Google:
- your computer’s IP address
- information about nearby wireless access points
- a random client identifier, which is assigned by Google (expires every two weeks)
Before this data is sent to Google, you would first get a request by the site you are visiting. Therefore you do have control over this, even if geo remains enabled.
media.navigator.enabled = false
Setting this preference to false will block websites from being able to track the microphone and camera status of your device.
network.cookie.cookieBehavior
This is an integer type preference with different values. Here are the cookie preference options:
- 0 = Accept all cookies by default
- 1 = Only accept from the originating site (block third-party cookies)
- 2 = Block all cookies by default
- 3 = Block cookies from unvisited sites
- 4 = New Cookie Jar policy (prevent storage access to trackers)
Any selection between 1 and 4 would improve privacy. The New Cookie Jar policy (value 4) offers more protection, but it may also break the functionality of some websites. Ghacks has a discussion of the New Cookie Jar policy here.
network.cookie.lifetimePolicy = 2
This is another integer type preference that you should set to a value of 2. This preference determines when cookies are deleted. Here are the different options:
- 0 = Accept cookies normally
- 1 = Prompt for each cookie
- 2 = Accept for current session only
- 3 = Accept for N days
With a value of 2, websites you visit should work without any problems, and all cookies will be automatically deleted at the end of the session.
network.dns.disablePrefetch = true
Setting this preference to true will disable Firefox from “prefetching” DNS requests. While advanced domain name resolution may slightly improve page load speeds, this also comes with some risks, as described in this paper.
network.prefetch-next = false
Similar to prefetching DNS requests above, setting this preference to false will prevent pages from being prefetched by Firefox. Mozilla has deployed this feature to speed up web pages that you might visit. However, it will use up resources and poses a risk to privacy. This is another example of performance at the price of privacy.
webgl.disabled = true
WebGL is a potential security risk, which is why it is best disabled by setting webgl.disabled to true. Another issue with WebGL is that it can be used to fingerprint your device.
You can get more information on the WebGL issue here and here.
dom.event.clipboardevents.enabled = false
This prevents websites from getting notifications if you copy, paste, or cut something from the page.
media.eme.enabled = false
This disables the playback of DRM-controlled HTML5 content. See details here.
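To check which of the preferences above are actually set in a profile, the script below parses a prefs.js or user.js file and compares it with the values recommended in this guide. It is an added example, not code from Mozilla or from the original article; the function names, the SAMPLE text and the treatment of a preference missing from the file as “unset” (Firefox then uses its built-in default, which the script does not know) are assumptions made for the example.

```python
"""Audit a Firefox prefs.js / user.js against the values recommended in this guide."""
import json
import re

# Values taken from the guide. A set means "any of these values is acceptable".
RECOMMENDED = {
    "toolkit.telemetry.enabled": False,
    "media.peerconnection.enabled": False,
    "privacy.resistFingerprinting": True,
    "privacy.trackingprotection.fingerprinting.enabled": True,
    "privacy.trackingprotection.cryptomining.enabled": True,
    "privacy.firstparty.isolate": True,
    "privacy.trackingprotection.enabled": True,
    "geo.enabled": False,
    "media.navigator.enabled": False,
    "network.cookie.cookieBehavior": {1, 2, 3, 4},
    "network.cookie.lifetimePolicy": 2,
    "network.dns.disablePrefetch": True,
    "network.prefetch-next": False,
    "webgl.disabled": True,
    "dom.event.clipboardevents.enabled": False,
    "media.eme.enabled": False,
}

# Values the guide advises against (Safe Browsing switched off).
DISCOURAGED = {
    "browser.safebrowsing.phishing.enabled": False,
    "browser.safebrowsing.malware.enabled": False,
}

# One user_pref("name", value); statement per line, as Firefox writes them.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.MULTILINE)


def parse_prefs(text):
    """Return {name: value}; a later line for the same name overrides an earlier one."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)  # drop /* ... */ comments
    prefs = {}
    for name, raw in PREF_RE.findall(text):  # lines starting with // never match
        try:
            prefs[name] = json.loads(raw)  # true/false, integers and "strings"
        except ValueError:
            prefs[name] = raw  # keep anything unexpected as raw text
    return prefs


def _matches(actual, expected):
    """Type-strict comparison, so the boolean true is not accepted as the integer 1."""
    if isinstance(expected, (set, frozenset)):
        return type(actual) is int and actual in expected
    return type(actual) is type(expected) and actual == expected


def audit(prefs):
    """Sort the guide's preferences into ok / mismatch / unset / discouraged."""
    report = {"ok": [], "mismatch": [], "unset": [], "discouraged": []}
    for name, expected in RECOMMENDED.items():
        if name not in prefs:
            report["unset"].append(name)
        elif _matches(prefs[name], expected):
            report["ok"].append(name)
        else:
            report["mismatch"].append((name, prefs[name]))
    for name, bad in DISCOURAGED.items():
        if name in prefs and _matches(prefs[name], bad):
            report["discouraged"].append(name)
    return report


# Constructed sample input, not taken from a real profile.
SAMPLE = '''
// constructed sample
user_pref("media.peerconnection.enabled", false);
user_pref("privacy.resistFingerprinting", true);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.cookie.lifetimePolicy", 2);
// user_pref("geo.enabled", false);
/* user_pref("webgl.disabled", true); */
user_pref("geo.enabled", true);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for status, items in audit(parse_prefs(SAMPLE)).items():
        print(status.upper())
        for item in items:
            print("   ", item)
```

prefs.js sits in the Firefox profile folder and only records preferences that differ from the defaults, so a recommended value can be in effect while still being reported as unset.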
Firefox “safe browsing” preferences
There are many recommendations to disable the Safe Browsing feature in Firefox due to privacy concerns and potential Google tracking. However, these concerns are based on an older version of the Safe Browsing feature, which would utilize “real-time lookup” of website URLs. This method has not been in use since 2011 – explained further here.
If a URL is needed, Firefox takes the following precautions to protect user privacy, as explained by François Marier, a security engineer for Mozilla:
- Query string parameters are stripped from URLs we check as part of the download protection feature.
- Cookies set by the Safe Browsing servers to protect the service from abuse are stored in a separate cookie jar so that they are not mixed with regular browsing/session cookies.
- When requesting complete hashes for a 32-bit prefix, Firefox throws in a number of extra “noise” entries to obfuscate the original URL further.
Therefore I would conclude that disabling Safe Browsing would give you no tangible privacy benefits, while also being a security risk. That being said, if you still want to disable this feature, here’s how in the about:config area:
- browser.safebrowsing.phishing.enabled = false
- browser.safebrowsing.malware.enabled = false
Firefox privacy and security add-ons
There are some great Firefox browser add-ons that will give you more privacy and security.
Note: When looking for Firefox add-ons, be sure to consider what you need in relation to the preferences you modified above. Some add-ons will be redundant and not necessary depending on your Firefox preferences and the other add-ons you are using.
In combination with the preference changes above, my top three recommendations for privacy add-ons would be:
- uBlock Origin
- HTTPS Everywhere
- Decentraleyes
All three of these add-ons complement the preferences listed above, are easy to use, and will probably not break websites you visit.
Another great add-on is Cookie AutoDelete. However, if you have already modified your cookie preferences in about:config as described above, then this add-on is not necessary.
uBlock Origin
uBlock Origin is an efficient, light-weight blocker that filters both ads and tracking. It has risen to popularity as a powerful alternative to Adblock Plus, which allows “acceptable ads” that many users disdain. One added benefit of uBlock Origin is that it can significantly improve performance and page load speed.
Another great feature with uBlock Origin is the ability to whitelist certain websites. Given that many sites will block access if they detect an ad-blocker, the ability to whitelist will come in handy. uBlock Origin is free and entirely open source.
HTTPS Everywhere
HTTPS Everywhere is a good Firefox add-on that basically forces an HTTPS connection with the websites you visit, provided HTTPS is available for the site.
Fortunately, more and more websites are implementing HTTPS, so this is becoming less of an issue. Nonetheless, HTTPS Everywhere is still a good add-on to use with Firefox.
You can get more information on HTTPS from Electronic Frontier Foundation, which is behind the creation of this add-on.
Decentraleyes
Decentraleyes is an interesting Firefox add-on that protects you against tracking via content delivery networks that are operated by third parties. While CDNs do help improve website load time and performance, they are usually offered for free by third-parties that will use the CDN to track your browsing. These third parties include Google, Microsoft, Facebook, Cloudflare, Yandex, Baidu, MaxCDN, and others.
Decentraleyes solves this problem by hosting CDN resources locally. As described on their self-hosted GitLab repository, Decentraleyes “intercepts traffic, finds supported resources locally, and injects them into the environment” thereby preventing CDNs from tracking users.
Cookie AutoDelete
This browser add-on may not be necessary with Firefox if you have made the changes above to preferences, which will automatically erase cookies that are no longer needed for the website you are viewing.
However, if you’d rather use an add-on instead of making these about:config changes, then Cookie AutoDelete is the way to go. It erases cookies that are no longer needed, thereby protecting you from tracking.
Privacy Badger
Privacy Badger is another add-on from Electronic Frontier Foundation that blocks spying ads and trackers. One drawback with Privacy Badger is that it only blocks third-party sites. Because it considers Google Analytics a first-party site, it will not be blocked. Another drawback is that it does not actually use a filter list. Instead, it basically learns as you use it.
On a positive note, Privacy Badger is very easy to use and will go a long way to giving you more privacy with general browsing. It can be used in combination with uBlock Origin, although there will be some overlap in terms of functionality.
uMatrix
uMatrix is an advanced add-on that gives you control over requests that may be tracking you on the websites you visit. It is made by the same people behind uBlock Origin. One advantage with uMatrix is that it is very customizable.
One drawback with uMatrix is that it can be difficult and time-consuming to get it configured for regular, day-to-day browsing. However, if you want a powerful blocker, and you don’t mind having to tinker with this plugin, then give uMatrix a shot.
NoScript
NoScript is a script-blocker that allows you to identify/block scripts running on websites. While it does give you control, NoScript can be a pain to get configured properly. It breaks many websites, which requires you to tweak and configure the options. If you are already using uBlock Origin, or uMatrix, then you probably don’t need to be using NoScript.
This is definitely not an add-on for the casual user or those who don’t have the patience to devote some time into configuration.
New Firefox privacy features
Over the past year, Firefox has been launching some new privacy features. We already discussed the Content Blocking features above and how these are a huge advantage for privacy-conscious users.
In recent months, Firefox has introduced two other features: DNS over HTTPS (DoH) and also a Firefox proxy extension (Firefox Private Network). Interestingly, both of these new features rely on Cloudflare infrastructure, which is a large US-based company that provides CDN services.
Firefox VPN
Firefox officially launched a browser proxy extension called Firefox Private Network, which many refer to as Firefox VPN. While this may be good for some users, I also identified a few drawbacks in the Firefox VPN guide:
- Browser-only encryption: Only traffic through the Firefox browser is getting encrypted. (It’s a proxy, not a VPN.)
- Cloudflare: All traffic is being routed through Cloudflare.
- Data collection (logs): As disclosed in the respective privacy policies, Cloudflare will be logging your source IP address and the sites you visit. Mozilla is also recording technical, interaction, and registration data.
- No location selection: Unlike other browser-based proxies, Firefox Private Network does not offer any location selection. (It’s either on or off.)
With Cloudflare and Mozilla based in the United States (Five Eyes), there is also concern about government demands for user data, as we’ve seen before with Lavabit and also Riseup. Firefox Private Network remains in beta and only available to US users, but with plans to roll it out to all users.
Firefox DNS over HTTPS (DoH)
Just like with Firefox Private Network, the implementation of DNS over HTTPS also relies on Cloudflare infrastructure. In fact, it makes Cloudflare the central processing point for all DNS requests in the Firefox browser by default.
While DNS over HTTPS may sound advantageous in some respects, there are also potential concerns. Rather than going over why, you can read the article, Centralised DoH is bad for privacy, in 2019 and beyond, which concludes:
Centralised DoH is currently a privacy net negative since anyone that could see your metadata can still see your metadata when DNS is moved to a third party. Additionally, that third party then gets a complete log per device of all DNS queries, in a way that can even be tracked across IP addresses.
Even if further privacy leaks are plugged, DoH to a third party remains at best a partial solution, one that should not be relied upon as a serious security layer, since it will be hard to plug everything, especially if non-CDN content providers survive.
Encrypting DNS is good, but if this could be done without involving additional parties, that would be better.
And for actual privacy on untrusted networks, nothing beats a VPN, except possibly not using hostile networks.
Many people also assume that encrypted third-party DNS will somehow offer privacy and anonymity. This is a false assumption. Your IP address and location remain exposed with everything you do online, while your ISP will still be able to see the websites you visit (IP addresses) even if it’s no longer handling DNS requests. In conclusion, a good VPN will offer much more protection than DoH through Cloudflare.
To disable DNS over HTTPS (DoH) in Firefox go to Menu > Options > General and then scroll down to Network Settings and click the Settings button. In the box that opens, scroll down to Enable DNS over HTTPS, where it can be enabled or disabled.
Additional resources
Below are some additional resources for configuring Firefox to give you more privacy and security:
- user.js Firefox hardening – As explained on their GitHub page, this is a “configuration file that can control hundreds of Firefox settings. For a more technical breakdown and explanation, you can read more on the overview wiki page.” Their Wiki page is also full of great information.
- Privacy Settings – This is a Firefox add-on to give you easy access and control of the built-in privacy settings in your browser.
- Firefox Profilemaker – FFprofile helps you to create your own Firefox profile with the default privacy and security settings to fit your needs.
Firefox privacy conclusion
In my opinion, Firefox remains the best all-around, mainstream browser on the market for privacy when it is modified as recommended above.
While many of the configurations and add-ons discussed in this guide will go a long way to giving you more privacy, there is one issue that remains: concealing your IP address and location. To do this, a good VPN service is necessary. The Tor network also achieves this end, but it comes with the drawbacks of slow speeds, risks, and limitations (only works in a browser).
For more options in addition to Firefox, see the secure browser guide.
Updated and revised on October 14, 2019.
Hi Sven from PEI in Atlantic Canada,
I run MX-Linux and Openbsd on our two home laptops. I use Firefox on both laptops, security hardened (using some changes from Vikingvpn guide) and your recommendations for fingerprinting avoidance. I use HTTPS everywhere, ublock origin, privacy badger, Disconnect and Decentraleyes. Occasionally, a web site needs Ublock origin to be tweaked a little, for display purposes. On Openbsd, firefox is also “tweaked” for security, and it runs with “Unveil” enabled. The configured Openbsd firewall “pf” takes care of “peculiar” IP addresses that pop up. The only file accessible to the Web, is the Downloads folder. I want to thank you for your evaluations of search engines, and I use SEARX on both laptops. I run the “searx.neocities.org” instance, which is the random redirector, and it takes a second or two to load, but the results are spot on, and opening a web page from the search results is extremely fast. I am in the process of setting up a new email account, using mailbox.org. I look forward to reading your future articles.
BTW, searx only missed one request, and that was due to Google rejecting the search, for whatever reason. It also seems reasonable from a tracking perspective, to use different instances for each search.
Regards from PEI
Richard
Thank you. Very helpful. Appreciate you.
@Sven,
What do you think of the Dissenter browser?
It looks to be a fork of Brave but without the ads.
Seems pretty solid to me as I see.
Yep, looks good.
Thanks.
UBlock Origin’s new update now requires access to IP addresses.
I know to use a VPN but I have to turn it off to print.
Any other suggestions to replace this? Different browser?
Do a bit more research before you state what some permissions pop-up in Firefox asked you to confirm.
dns etc
read the code of ublock.
lazy.
What about Pale Moon (a fork from Firefox long ago)? Many of the add-ons from Firefox still work, many more do not. But it has its own plug-ins too. I just can’t believe that nobody on this infinitely long page mentioned it even once!
I discuss Pale Moon in the secure browser guide, along with other browsers.
Thank you for the prompt reply, and yes I read that guide already. I just couldn’t figure out how it did not show up on this page as an option, at least in the comments.
Sorry to say but Palemoon can’t be considered a secure alternative.
It’s due to how they distribute their end-product by having external libraries (e.g. SSL) bundled in their specific version that it works in their ecosystem. Some of them are outdated, some may contain bugs, some are patched to work for them but who knows what these patches break.
Can you not spread FUD?
https://forum.palemoon.org/viewtopic.php?f=5&t=23706
Pale Moonie cultists beg to disagree.
Good old fashioned blabbering :shrug:
I noticed with version 72, that the ´about:config´ menu looks different
when applying settings for ´privacy.resistFingerprinting =´.
I now see ´Boolean´, ´Number´ and ´String´ in the options to the right.
Once you click on the ´toggle´, they disappear however,
– and only ´false´ and ´true´ is offered.
Which should I choose, and why does the initial menu with extra options disappear?
If you get the “Boolean”, “Number” and “string” options in the new about:config screen, that means whatever you entered in the search bar does not exist in the list, and you can create it by clicking on one of those options.
But since it does exist, are you sure you didn’t have a typo?
This is very not enough. The settings needing changes are largely not exposed in about config.
Mozilla can no more be trusted than google or Wladimir plant (eyeo).
I do have some questions that I seek clarification on due to conflicting opinions and at times lack of concise information.
Disabling javascript seems to block some forms of fingerprinting but in the long run will it help or hinder efforts to make the browser less unique when fingerprinted? Why?
Does the Resist Fingerprinting option also take into account the most popular operating system or does it neglect this by setting a static value in the browser fingerprint?
A random user agent switcher set to only use user agents that do not break or cause weird things with web sites: In the long run, is this a good idea or bad idea? Why?
You can set the browser to remember logins so you can login without having to type anything even if cookies are deleted…in the long run, is this a worse security risk than allowing cookies or would doing this and installing the cookie autodelete extension be the better option?
Are there any cross browser fingerprinting tests that I can try on mobile devices? I found a couple of them but they did not work when testing on mobile devices.
Fingerprinting lifts information about your HOST SYSTEM because the browser shares far too much information.
The way to hide is for as many people as possible to all look identical.
Stephen Mohos
Sven, what is your opinion of the privacy features in the current version of Ublock Origin? In terms of combating browser fingerprinting, which options make fingerprinting easier and which make it harder?
I haven’t tested this yet, but there are browser fingerprinting tests you can run after experimenting with the settings.
Mozilla just released Firefox 72 with protection against fingerprinting and it will also block notifications from websites. Very nice update.
Yep, looking good.
Privacy Browser (on F-Droid).
Features include;
1. Javascript disabled by default.
2. Ability to toggle first & third party cookies.
3. Useragent spoofer: spoof a unique browser fingerprint. Requires manual activation and toggling.
4. Incognito mode: clear the history and cache after each webpage finishes loading. Disables back-button, requires manual activation.
5. Blocklists. Blocks ads. Full implementation requires manual activation, may break some websites.
6. Automatically remove url code modifications such as from; Google Analytics, Facebook Click IDs, and Twitter AMP redirects.
7. Option to Proxy through Orbot (not recommended bc TOR is backdoored and dns leaks)
8. Fullscreen browsing, hide the app bar that contains the URL.
9. Option to clear everything after you exit the browser. This includes; cookies, DOM storage, and android system webview’s cache. Then executes a manual deletion of the entire ‘app_webview’ and ‘cache’ directories.
10. Open intents in a new tab, swipe to refresh(breaks websites).
11. Dark theme
12. Nightmode (requires Javascript).
13. Desktop site mode.
14. Wide viewport displays images larger like a desktop site.
15. Toggle Display webpage images to conserve bandwidth.
Can use improvements. I can confirm I’ve used this myself. Check it out and share your thoughts Sven. Thanks!
We are legion.
Sven I second investigating Privacy Browser on the F-Droid store. I believe at a cost, it’s also available on the Google Play store.
It seems to be particularly more privacy sensitive than any other browser I’ve seen on mobile. I think if anyone is using Android and disables all Google related apps and uses this as the primary browser it seems to be more secure and offers a lot more optionality. I believe the owner of this has also open-sourced the code (though maybe I’m misremembering). Please comment if you can and give it a try… though I know from your past comments you are not a big phone user.
Disabling some Google apps is just the tip of the iceberg if you want to improve privacy.
NOTE: THIS IS NOT A GUIDE! It is a collection of ideas I tried and was able to implement while experimenting with my devices which I hope will be useful for stimulating conversation.
Here is what little I learned about making android more private and less creepy if you are trying to go that route (All corrections welcome and happily appreciated, I am not an expert):
This is just what I learned messing around with two cell phones and I do not claim to know much. I am not responsible for anything that goes wrong and can not guarantee that things can not go wrong trying this stuff out. However, if it all works out at least the device will be more private.
Before I get into this, I will say this a couple of times, MAKE SURE YOU BACK UP YOUR DATA AND CAN REFLASH THE STOCK ROM IF THINGS GO WRONG! Some of these ideas can potentially cause issues and brick your device but if you prepare in advance you can prevent any damage from being permanent and have things back to normal in just minutes.
If you are going to root your device then I recommend buying Autostarts from Google Play Store. You can use this app after rooting your device to block auto starting of various apps.
First of all, the only way to disable all google related apps is to install Lineage OS because various required apps for Android made by Google (including the default phone app, chrome or webview (depending on whether or not Webview was included on your device by the manufacturer) and package installer) lack alternatives.
Second, if you want to disable system apps, back up your data because there could be a chance of disabling and later reenabling some system apps causing issues requiring a factory reset.
Also, be sure to check default applications in settings and if an app you want to remove is set as default you should install an alternative to it and set that as a default in order to avoid any weird behavior and eliminate the potential to cause issues that can cripple functionality later on when you try to use an app in that category. (You can choose to switch between Chrome and Webview as the default in Developer Options and choose the default TTS engine in Accessibility options if you want to try an alternative).
That being said, as long as you do not delete package installer or anything storage related and do not delete a default app before setting an alternative as default, you should be ok.
Your phone does not need a google account to function. Of course, if you choose to delete your google account the phone will likely delete your contacts and messages and other information (likely to discourage doing so) so back those up first.
Your phone does not need google services framework/google play services except for gaming or using some google apps (well, 99% of apps do not need it as far as I could tell). Those apps that complain by spamming notifications when you disable google play services do not do so if it is deleted from your phone and most will work fine without it. You can block notifications from those apps and turn on do not disturb mode (of course, set to still be able to ring when phone calls come in and such) to shut it up.
Most if not all apps can be downloaded online so you do not need google play store. However, only download from trusted web sites. Ask around in android forums and security related forums to find out which web sites can be trusted.
Consider getting an android gaming device for gaming, preferably one with mappable physical controls. Not only will it give you a better gaming experience, it will also keep the trackers in the games from accessing sensitive data without compromising on the ability to play them. Of course, most android game systems still have microphones, so turning it off completely when not playing games would be better overall.
If you plan on rooting your device, keep in mind that the manufacturer will most likely not support your device starting at the moment you do the first step which is unlock the boot loader. This means no more updates and that includes security updates. Consider the pros and cons of this before making that decision. Yes, you can use software that can make your device more private to protect it from surveillance by corporations, but by the time you hear about the latest security issues governments are already exploiting them so this will not protect you from government agencies as effectively.
If you want better protection against spyware, root your phone. Install and configure AFWall+. Be sure to block everything that has no business accessing the internet (but leave the group of apps in the listing that contains Settings able to access the internet, for some reason that is required to access the internet). If you are not sure of an app, test internet access both before and after blocking it. Also install AdAway. Just hear me out on this one. You can manually enable dns logging (must do so every time you restart your device) and then run an app and block dns requests from it. You can then block any DNS requests you do not want in the log the app displays (Note: This does not take effect unless you restart). It is a lot more effective if you also set your internet connection to ipv4 only in access point names.
Need to deal with suspected spyware apps? Install Shelter and use it to create a work profile to reduce data collection. Put the apps you installed and suspect of being spyware but can not live without in the work profile, swipe down from the top to display icons and then tap the edit option and use it to add a work profile button so you can turn the work profile on and off, turning it off disables the apps in the work profile and stops them from running. This will keep those apps from accessing internal data outside the work profile but does not block portable storage access.
The sad truth about Android is Google and other tracking companies and data brokers have third party tracking code in almost everything. One way to check for this third party code is to use the Classyshark 3xodus app. This app contains the data from the Exodus Privacy web site at the time of its last update and can be used offline. You can also choose to use this app from a browser or file manager to scan apk files before installing them (If you do that, whatever you do, do not click on Always Use). But, keep in mind that apps would not need third party code to track you.
Just because you use the recent apps screen to close an app does not always mean the app is not running in the background.
Need a map program? Well, there is no fully functional option that does not track you.
An app you use needs your location? Most phones can do fine with having wifi scanning and bluetooth scanning turned off.
Disable bluetooth when you are not using it. Location services makes a note of any detected bluetooth devices and where they are located and, well, almost everybody carries a cell phone with location services enabled. Of course, that information is sent to Google and most phones are using all Google apps with nothing blocked.
If you want to really be sure, check the system apps on your device. BACK UP YOUR DATA FIRST AND MAKE SURE YOU CAN REFLASH THE STOCK ANDROID ROM TO YOUR PHONE USING WINDOWS SOFTWARE OR TWRP BEFORE YOU DO THIS! If you do not know what an app is, type “What is (app name) Android” in a search engine. I suggest using ES File Explorer for this because it has an option for listing all of the system apps, you can back up the apps and read generated files in the backup directory using its text editor option to find the app locations and delete them manually if uninstalling them fails. Remember to mount “/” as read/write to improve chances of success in uninstalling or deleting system apps. If you can not uninstall or delete a system app, make sure you turn on airplane mode just to keep potential hackers from taking advantage of the temporary openness of the file system, and BE SURE TO SET IT BACK TO READ ONLY WHEN DONE! Also, ONLY REMOVE A SYSTEM APP IF YOU ARE SURE THAT YOU KNOW WHAT IT IS AND DO NOT NEED IT! And did you take the advice to make sure you can reflash the stock rom if you screw up? Seriously, if you can not do so then DO NOT ATTEMPT THIS. Or, as stated earlier, if you can install lineage OS this hassle may not be required.
Google’s idea of an antivirus program is scanning any apps on your device and making sure they match the apps in play store. Of course, Google is a bit lax when it comes to screening apps that end up on play store for malware. Unfortunately, all of the antivirus apps that are effective have Google tracking code in them according to tests done with Classyshark 3xodus. This can be an issue if you download apps from third party web sites and app stores so make sure you know a web site or app store is safe by asking around before using it to reduce the likelihood of installing malware.
I have tested the browser fingerprinting on amiunique.org to verify the fingerprinting portion of this after reading this question.
Privacy Browser vs. a Firefox version that was configured according to this guide and with javascript blocked by default in the ublock origin plugin, the test revealed that Privacy Browser had more identifying traits.
My first suggestion is that you should have a section dedicated to Android, as nowadays that’s where most of the data collection is being done. Anywho.. honestly Mozilla is a data collection company whose target audience is the privacy community. They’ve been increasing collection capabilities with every update all in the name of convenience. On top of this, DHS (Dept of Homeland Security) has most likely convinced them years ago to install backdoors in their browsers. In the same fashion they did to Tor Browser (Firefox ESR). Obviously better than Chrome, but still. At this point, Mozilla has gotten too big for its own good.
A user commented that Decentraleyes can read all input, including passwords.
Is this true?
Made the changes, but now each time I launch Firefox I am automatically being logged out of gmail, youtube, soundcloud, etc. How to fix it?
You can change your cookie preferences back to what you had before if you want to remain logged in to these sites, but then they’ll also be tracking you.
Sven, can you confirm that ‘privacy.firstparty.isolate’ cleans ‘window.name’?
i’m looking for info on this and from what i see cleaning ‘window.name’ was planned (12 years ago) but never addressed…
444222 – window.name can be used as an XSS attack vector
https://bugzilla.mozilla.org/show_bug.cgi?id=444222
Hello, I’m not sure about this.
hi peoples!
i left a comment on this article before but, you know, it’s a very dynamic environment and all … a few things i would personally recommend (i’m no expert, so there’s that)
in the interest of noob-friendliness and simplicity (install-it-and-forget-it)
* ClearURLs by Kevin R.
https://addons.mozilla.org/en-US/firefox/addon/clearurls/
strips unnecessary junk (think tracking) parameters from URLs, but unlike other link cleaners, it never (virtually) breaks any website and no user interaction is required
* CSS Exfil Protection by Mike Gualtieri
https://addons.mozilla.org/en-US/firefox/addon/css-exfil-protection/
tries to prevent some CSS exploits
* Site Bleacher by wooque
https://addons.mozilla.org/en-US/firefox/addon/site-bleacher/
it’s the only storage cleaner i use because it’s the only one that can automatically clean indexed db storage dynamically – due to a limitation in the WebExt API, no other “cookie” cleaners can address iDB other than at browser start or exit – if this limitation is ever addressed, i might recommend the Forget Me Not cleaner
* ETag Stoppa by claustromaniac
https://addons.mozilla.org/en-US/firefox/addon/etag-stoppa/
prevents caching of e-tags
* HTTPZ by claustromaniac
https://addons.mozilla.org/en-US/firefox/addon/httpz/
personally i prefer this over HTTPS Everywhere because it doesn’t rely on a database or rules or humans and it doesn’t use nearly as much memory – it simply attempts to upgrade every http connection to https and will fall back gracefully with or without a warning (your choice)
* Privacy-Oriented Origin Policy (yes, POOP!) by claustromaniac
https://addons.mozilla.org/en-US/firefox/addon/privacy-oriented-origin-policy/
strips origin headers
last 3 are all from ‘claustromaniac’, a super great guy(?) who contributes heavily to the ‘ghacks’ user js project and you know you can trust him because he uses a kitty as an avatar 🙂
Great guide, Sven. Thanks a lot for this. One problem I am facing is that every time Firefox updates, I need to set the preferences all over again in the new version. Why doesn’t it carry forward the settings? Do I have to create a Firefox account and login from two devices to make them permanent? Is there any risk with using a gmail ID as login ID for the firefox account for this purpose?
Thank you for asking this, Aamod. This has been a problem for me recently, as well.
Another apparently related annoyance is that installing a new version of Firefox also installs a new profile, so everything from the past is lost.
Startpage was bought by System1 – http://techrights.org/2019/10/16/startpage-is-surveillance
Great article. Going forward, I’ll be updating all references to Startpage and my private search recommendations based on this new info. Thanks for sharing.
Hi Sven, your website is awesome and I love you and your mission! Regarding the Startpage issue, you’ve also done a great job updating your pages. The only (tiny) part left is in this article here where you state “Startpage seems to be a pretty good option that gives you good results (from Google) but still respects your privacy”. I don’t know whether you want to edit this or not, but in case you have missed it, here is your reminder. 🙂
Please keep up your great work! You’re inspiring and very helpful to me and my peers. Expect some donations in the upcoming weeks. 😉
Hi Zwave, yes I’ll revise this with the next update based on the System1 and Startpage situation.
Hello, a lot of interesting features, thank you for that. I’m more concerned about browsing privacy, but as for Google Maps, which I use professionally, it slows down with a lot of lag and suppresses the 3D satellite view. How do I recover that feature only?
open in chrome
Got it. Maybe u can add this line in ur mozilla privacy page.
media.peerconnection.enabled | set to false to disable webrtc.
All ur lines works perfect on mozilla android 😁
Thanx
What about webrtc? Can i adjust that in about:config also?
Sven- hi.
trackers
Block list 1 or Block list 2
which one do you recommend to avoid fingerprinting. 1 appears to be default behavior of strict content blocking
Sven replied on a new article (I had the gall to ask a second time on an unrelated article) answer below:
–
Sven Taylor OCTOBER 22, 2019
With blacklists, Level 2 is better from a privacy standpoint, Level 1 may be better for convenience (sites not breaking).
Thanks for the great guide!
My only issue is that all the logged in sites (deviantart, etc.) log out upon restart.
Can you please let me know which setting causes this, so I can revert it?
Thank you
Best regards
Sounds like your cookie settings in about:config.
Yes, it was this one: network.cookie.cookieBehavior
Thank you!
Thanks for the tips! I have adjusted everything as you described it. But since then I have problems on Facebook. I can’t share youtube videos anymore, i.e. the preview is no longer available and only the link will be posted. If I want to post something on Facebook and do a copy-paste, nothing goes on Facebook anymore and the comment column is deactivated.
If I reset Firefox to default, everything works again. Any of your settings will cause problems on Facebook!
You’re trying to configure a browser for privacy and you’re surprised it breaks facebook?
Jack again, I told about the Jar policy, great article again.
What do you think about dom.battery.enabled? Should we set it to false, so it will hide information about the battery?
Everyone,
I just wanted to be sure that everyone who contributed on this forum in effort to restore user privacy on the web when constantly being put under a microscope by “big brother” is very much appreciated. I am new to the forum as of right now, but I wish to volunteer in any capacity to assist in continuing the movement to respect every user out there in regards to their anonymity. If anyone has any suggestions on where I should volunteer my skills, research, or just to collaborate and learn new tips – I would greatly appreciate any advice that any of you can offer. I look forward to working with you all in the near future and winning this war against unfair espionage throughout the internet. Please feel free to contact me via email at any of the addresses I have listed on this form as well as offer any suggestions as to IRC billboards / secure messaging systems that I can keep up with everyone. Thank you all greatly again and please know that each and every one of you are my heroes!
bulletproof.systems.llc@gmail.com
vicious.tech.llc@gmail.com
enigmasown@gmail.com
enigmasown@live.com
Thanks,
Jason Dixon
Well… welcome to the forum Jason Dixon!
“…please know that each and every one of you are my heroes!”
Very kind words. No doubt. Means I am one of your ‘heroes’.
That said… so what’s your skin in this game Jason? Your input is very literate and polished; super polished. Kudos for that! But I, personally, as one of your heroes, can not clock your intent.
Please clarify your back-ground intention. I’m really curious.
Self serving or altruistic? Please elaborate. Look forward to further input.
Cheers, George
@Jack
First of all, try to stop using gmail accounts… then we can talk!
@Sven,
What about the addon “Google Analytics Blocker”?
Privacy Badger doesn’t block it but maybe this will?
I should say Privacy Badger doesn’t block Google. Maybe a good alternative?
uBlock Origin already blocks google analytics.
Missed this. Sorry. Thanks. I did not know this.
about:config > network.cookie.lifetimePolicy > value= 3 = Accept for N days
The Mozilla knowledge base says that if you choose 3, another config option to choose N, is enabled, Network.cookie.lifetime.days . I tried this and the option did not come up in about:config. Supposedly the default is 90 days. http://kb.mozillazine.org/Network.cookie.lifetime.days
I believe that I changed something in about:config such that I can’t copy/paste at all
Hi John, I had the same problem. See the description of the dom.event.clipboardevents.enabled setting above. Disabling it will solve the problem, but then avoid copy pasting passwords or other sensitive information during your browser sessions.
Why, on Firefox, did about:config > resist.Fingerprinting change the clock time I’m seeing when I post on a website? I’m in U.S Eastern Time Zone and it pushed me up 4 hours. Is there a way to fix this?
Clock settings are one way to be fingerprinted. Undo the change you made.
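Several comments above trace a breakage (log-outs after restart, broken copy/paste, a shifted clock, disabled WebRTC) back to a single about:config preference. The following is an added example, not part of the original comments or of Firefox: it parses the text of a `user.js` file and lists which of those preferences are set in the state connected to each symptom. The sample file is constructed, and the rule that `network.cookie.lifetimePolicy` value 2 means session-only cookies comes from general Firefox behaviour rather than from the thread.

```javascript
// Symptoms are the ones reported in the comments; `when` says which value
// of the pref is associated with that symptom.
const KNOWN_BREAKAGE = [
  { pref: "network.cookie.cookieBehavior", when: () => true,
    symptom: "a commenter traced log-outs after restart to this pref" },
  { pref: "network.cookie.lifetimePolicy", when: v => v === 2, // assumption: 2 = session only
    symptom: "cookies kept for the session only, logins do not survive a restart" },
  { pref: "dom.event.clipboardevents.enabled", when: v => v === false,
    symptom: "copy/paste stops working on some sites" },
  { pref: "privacy.resistFingerprinting", when: v => v === true,
    symptom: "timestamps are shown in UTC instead of local time" },
  { pref: "media.peerconnection.enabled", when: v => v === false,
    symptom: "WebRTC is disabled, in-browser calls fail" },
];

// Parse user.js / prefs.js text into a Map of pref name -> value.
// A later user_pref() line overrides an earlier one for the same pref.
function parseUserJs(text) {
  const prefs = new Map();
  // Remove /* ... */ blocks (simplification: assumes no "/*" inside string values).
  const noBlocks = text.replace(/\/\*[\s\S]*?\*\//g, "");
  const line = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;
  for (const raw of noBlocks.split(/\r?\n/)) {
    const m = line.exec(raw);
    if (!m) continue; // blank line, // comment, or malformed entry
    const v = m[2];
    let value;
    if (v === "true" || v === "false") value = v === "true";
    else if (v[0] === '"') value = v.slice(1, -1).replace(/\\(.)/g, "$1");
    else value = Number(v);
    prefs.set(m[1], value);
  }
  return prefs;
}

// Return the prefs that are set in a state tied to a reported symptom.
function findBreakage(text) {
  const prefs = parseUserJs(text);
  return KNOWN_BREAKAGE
    .filter(r => prefs.has(r.pref) && r.when(prefs.get(r.pref)))
    .map(r => ({ pref: r.pref, value: prefs.get(r.pref), symptom: r.symptom }));
}

// Constructed sample, not taken from a real profile.
const SAMPLE = `
// privacy tweaks
user_pref("privacy.resistFingerprinting", true);
/* user_pref("media.peerconnection.enabled", false); */
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.cookie.lifetimePolicy", 0);   // later line wins
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
`;

for (const hit of findBreakage(SAMPLE)) {
  console.log(`${hit.pref} = ${hit.value}: ${hit.symptom}`);
}
```

Reverting a flagged preference restores the convenience at the privacy cost the replies above describe, so change one at a time and retest.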