Referrer links and anonymity in private web spaces

Several times now I have revisited my current setup for personal information management and whether or not I am comfortable storing private personal hyperlinks on the web. My concern with using online services is that when I store hyperlinks on wikis, messages, emails, etc. and click, the other site will see me in their referrer logs.

This isn’t an issue for most webmail services like Gmail because it is normal for these services to obfuscate urls beyond recognition making it impossible to identify any referrers. You see urls full of hashes and hard to recognize identifiers that are meaningless to anything but the application itself. I doubt keeping urls unidentifiable like that was a primary concern in the design of webmail systems but it does provide this obvious advantage.

The concern I have is with services like Backpack, Basecamp, or any hosted blog or wiki where you have a unique and easily identifiable url associated with your data. On hosted sites like the aforementioned Backpack and Basecamp, your account is identified by a chosen subdomain which is very likely easily identifiable to you personally or to your company/organization. For example, Startup Weekend uses the domain “startupweekend.grouphub.com” — obviously identifiable. On a personal domain like say for example “zachhale.com” if I were to set up a private wiki at “wiki.zachhale.com” and do everything necessary to protect it with a robots.txt and require http authentication, if I put create a link and click on it referring to another site they will see where I came from. Even if your domain name isn’t identifiable by name to you, there is still whois information that can be dug up and tracked back to you.

I’d rather not let people know what I’m doing in those private spaces. Maybe I have a list of blogs I admire and visit frequently or maybe it’s a corporate information system with links to competitors sites. In many cases I would rather not send information to those people identifying my visits with me or my company.

There are a few solutions that I can easily see:

  • obfuscate your urls and use a domain that can’t be tracked back to you, or
  • use some sort of proxy that will spoof or remove any referrer information from your requests.

Obfuscating completely is difficult to do and often nearly impossible to do, so the only other reasonable solution now is to set up some proxy. In researching it looks like there are a number of client browser extensions/plugins for spoofing referrers, but any client side hack is tedious to enforce, especially across a large organization or with multiple platforms in the mix. The other option is to manually redirect traffic through another domain, preferably not owned by you. I found one service called referhide.com that provides this solution. Otherwise, it wouldn’t be too hard to set up a redirection script either with javascript or through passing parameters through the url. Either way, though, you now have to either manually or programatically change all your links to go through that intermediary service — sounds like a pain.

What I’d like to see is something similar to robots.txt but for referrer links. It would be impossible to enforce by strictly trusting web servers to do the ignoring since people could choose to ignore such a file without question. The only real solution I could see is standardizing this into web browsers so you could trust that anybody using a compatible web browser would know that their referrer traffic is being properly dealt with and anonymity is preserved.

Any ideas? Am I missing something major here?

2 Responses

  1. Thank you for the information!

    Perhaps your other blog visitors would be interested in http://www.referhush.com – It allows you to hide referer information. Cheers

    ReplyReply
  2. Simon B.

    The easiest solution for sites you control yourself is to add a javascript that attaches onclick-behaviour to all links, such that a click goes through referhide or similar, while right-click, copy URL still works, and your browser history, etc.

    ReplyReply

Reply

Markdown or basic HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

%s1 / %s2