This is from an exchange with a privacy and security expert friend. I am publishing his replies to my questions “as is” (no editing).

Many people ask me about tracking. What is it? Can we prevent it?

Meta/FB pixel and Google Analytics are the two most pervasive tracking tools that follow people all around the web. Vast majority of sites have either or both running silently in the background. And each can see down to the most minute detail everything a user does on a website – every link or page that gets clicked or accessed, your mouse movements, the data you enter into every form or text box or search bar, the credentials you input to sign up or register for a service, the time you spend viewing a certain piece of content on the site, and countless other things etc… (visit deviceinfo.me to see example of all the little things a site can track and recognise about your computer).

And then all that data gets recorded and associated with your identity, on either a 100% precise “deterministic” basis (meaning FB or Google know you personally are the user), or on a “probabilistic” basis (when they don’t know for a fact it is you but can infer that it is likely you based on a range of clues/patterns).

Tracking is deterministic for most internet users (i.e. those not taking precautions to prevent and block tracking). Tracking is probabilistic for the small segment that actively try to mitigate against the tracking with various techniques (someone like me).

The goal for someone who cares and is operating in the probabilistic bucket is to actively thwart the tracking to the extent where FB/Google is unable to, with a good degree of confidence, link your identity to the given activity.

But there is otherwise no way to 100% prevent such tracking, to fully escape all deterministic and probabilistic tracking of your activity, other than not owning digital devices and never accessing the internet.

The most basic + doable + minimal pain actions to take to move oneself away from being in the deterministic bucket and into the probabilistic category are:

  1. Practice “browser isolation“, meaning use one browser exclusively for Facebook/meta/Instagram + Google/Gmail things, and for nothing else. And then use another separate browser for all your other non-FB/Google internet activity. Key is to make sure you NEVER sign into your FB/Google/Gmail accounts on your non-FB/Google browser (as the moment this happens, FB/Google are able to immediately link that browser and all its future activity to your personal identity).
  1. Do NOT use Google Chrome Web browser as your non-FB/Google browser. Use Firefox or Brave Browser instead. And again, NEVER log into any FB/Google account on your Firefox/brave browser (and try to avoid as much as possible even visiting any FB/Google products or websites on that browser).
  1. Install and activate the browser extension uBlock Origin into your non-FB/Google browser.
  1. Do not use Google Search in your non-FB/Google browser, and don’t go to Google to make searches. Use privacy alternatives like DuckDuckGo (www.duckduckgo.com) or Brave Search. This preference can be toggled in the browser settings.

Of course one of the most effective actions is to fully delete your accounts with and entirely avoid using any Facebook/Meta + Google products/services, but this is too big a jump for most people and still doesn’t mitigate the tracking 100% (as even without a formal account on FB/Google, without further mitigations in place, they are still able to identify you as a unique user and track you using their created “shadow profile”).

All of this is only basic tracking mitigation for standard desktop web browser activity (i.e. just visiting websites on your computer). The many other ways our digital behaviour is tracked require their own other set of mitigations, so this only covers one part of it, but is an effective and easy start.

Can you outline a complete strategy to mitigate tracking?

I’d say overall there are a few key domains to look at:

  • Web browsing (basic mitigation as above).
  • Mobile devices because these are one of the biggest sources of privacy leakage in most people’s lives (mitigation being switching to a de-googled android device instead of iPhone or regular android + limiting installed apps to only vital ones).
  • Social media for obvious reasons (deleting and avoiding social media, or at least Facebook or generally be sparing in use and minimise data consciously shared on platform).
  • Email because all email on traditional providers is not private, all content can be and is actively read and analysed by provider (migrate away from Gmail, outlook, yahoo, apple etc and move to trustworthy privacy respecting email providers like protonmail or tutanota).
  • Cloud storage services, for the same reason as email (migrate away from Dropbox/other big tech cloud storage providers, also move to privacy friendly ones like proton).
  • Communications, because normal communications are either not private or secure or both (try to use Signal www.signal.org over WhatsApp, try to use Signal call/message over regular phone call or SMS, even WhatsApp is better for voice calls/messaging compared to traditional phone call/SMS as at least it is end to end encrypted).
  • Use unique account credentials for each of your online accounts, with different complex password for each. Avoid using the same password (or the same password with only minor variations) for all services (more for general security but still important as cannot have privacy without security, for basic use recommend Bitwarden www.bitwarden.com with a very strong master password that you keep close guard over).
  • Use multi-factor or two-factor (MFA or 2FA) authentication to secure accounts wherever possible (ideally use TOTP time based codes via an app like Aegis or enteAuthenticator).

NB: The links above are clean (i.e., not affiliated links), I do not get any reward when you subscribe to those services.