Checklist 16: 5 Ways Websites Are Tracking You
- Tracking cookies.
- Browser fingerprinting.
- Tracking scripts, widgets, and web bugs.
- IP address and referral links.
- Clickstream tracking.
When you hear about privacy and protecting your identity on the web, one of the things you’ll hear mentioned most often is “tracking.” How often have you heard that this entity or that company is “watching what you do” on the Internet? While it can sound like 1984’s Big Brother, the reality is a little bit more mundane. Even so, it’s worth thoughtful consideration. That brings us to today’s topic: web trackers. What are they, what do they do, and why do we care so much? Should you block all trackers? Is there ever any good reason for someone to track your activity on the Internet? These are all excellent questions, and today we’re going to spend some time breaking down the answers to them.
There’s no “one size fits all” answer to the question of “what are web trackers?” although they all perform the same basic function at their root. A tracker is a piece of software that, for whatever reason, creates and reports to its operator a summary of your web activity. The form this takes can vary; for example, it can be as basic as a site asking “what website did this user come from?” after someone clicks a link. However, it can be as complex as tracking every site you visit, or even where on a web page you click or highlight text.
If that sounds a little invasive — well, it is! There’s a good reason as to why tracking is a controversial subject. That’s also why there are so many efforts out there to fight back against trackers, from browser-standard “Do Not Track” options to more substantial software suites or browser extensions. With so many options out there, there must be some good reasons to want to stop tracking. So, what’s out there learning about your web behavior?
Tracking cookies. There’s no doubt you’ve already heard about cookies in some capacity before — whether it’s from the “Clear All Cookies” button in your web browser of choice or a story in the news about cookies causing problems for people. For something so innocuously named, you might never think that this was something used to track your web activity. What is a cookie? It’s a small container of data that a website creates and places on your computer which it can then access when it needs.
Not all cookies are the same. Some of them perform basic, crucial tasks like storing your password so you can quickly log in again, or telling the website that you’ve already logged in once. We’re not focusing on those types of cookies today; instead, we’re talking about tracking cookies, and by that, we mean a piece of code that contains some identifying information to allow identification across websites.
OK, let’s consider an example. You visit a news website, and while you’re reading an article, there are ads on the page. That’s normal, right? So, you don’t think about them. One of these ads might place a tracking cookie in a folder through your browser. It might contain data like your IP address and information about your browser, and it says “this user viewed our ad on this date.”
Now, online ad networks are vast — just think about how many hundreds of millions of ads Google serves up every day around the web. It’s a multi-billion-dollar industry. You’re going to run into that same advertiser again in no time. When you do, the ad this time doesn’t place a cookie — it reads the one already there. It adds your new location to the new information, such as what kind of content you’re viewing. In turn, this information can end up back in the advertiser’s hands. The goal is to tailor ads specific to your web experience. The cost, however, is that many advertisers know almost everywhere you go online.
Good reason to hit “Clear All Cookies” or browse in private mode, right? Not so fast. Have you ever heard of a “supercookie”? It’s not what you might find at a bake sale for superheroes — it’s a tracking cookie that resists your deletion efforts by creating redundant copies of the cookie data in numerous places around your computer — the common thread is they’re all cache folders used by other browser applications. While not exactly kosher, less ethical advertisers can and do use supercookies to keep serving you more ads.
Browser fingerprinting. So, what if you choose to forego using cookies entirely and you’re vigilant about using software that can help to find and delete super cookies? You might feel like you’re much less likely to be tracked overall. While that might have been true some years ago, the rise of a new type of identification has made it more probable that you can be identified in ways other than via a cookie.
How could that work? It’s all done through a process known as browser fingerprinting. We are all aware how our IP address is kind of like a digital fingerprint for our computers on the web — well, the way you configure your web browser creates that same opportunity to identify a unique signature.
When you browse the web, your browser freely communicates some information about your system as well as itself. This statistical data might seem mundane at first. It includes things such as your browser version, what plugins you might be using, and even info about the hardware inside your computer and your operating system. A recent version of Firefox disabled a battery status feature that websites were using to try and uniquely identify individual visitors based on how much power they had left in the battery for their laptop or mobile device!
Just a few of these factors might make it hard to pin down one user. As we add more and more layers, though, we quickly come to find that our browser fingerprints can be astoundingly unique! Advertisers are increasingly beginning to look at browser fingerprints to circumvent the restrictions on cookies many users now employ. It’s hard to change your fingerprint, so for now, advertisers can continue to track users from site to site via their browser’s signature.
Tracking scripts, widgets, and web bugs. This next category might seem fairly broad at first, but it all breaks down to basically the same thing: using code embedded in the web page you’re viewing to notify someone of your visit. The most basic form this kind of tracking can take is called a web bug. These “critters” are practically invisible to the average user; they often take the form of minuscule blank image files, about 1 pixel across. When you load this image, the server on which it’s hosted suddenly knows that you visited the page. This is a relatively rudimentary form of web tracking, but it’s sometimes still used on websites. You might also encounter them in emails, too, to let the sender know you’ve opened the message.
This concept has evolved into something a little different, and in some ways, it’s similar to the way tracking cookies work. How many times have you landed on a website to be greeted by the ubiquitous blue Facebook “Like” button? It’s usually in an array of similar buttons for sharing, including sites like Google Plus, Pinterest, Tumblr, and more.
If you have an account currently logged in at one of these places, visiting a page with the Like button will alert Facebook to your presence on the site. The code encapsulated inside the button “phones home” to let the company know how to target its ads better to you based on your browsing preferences. This is one of the subtlest methods of tracking on the web — you might never have even known it was happening!
Speaking of indirect methods of tracking, the last is one of the most widely used — it’s a small bit of JavaScript code called Analytics.js. Many websites incorporate this code into their web designs, in part because it gives them access to powerful tracking tools operated by Google. Don’t worry, though; analytics only track your activity on a particular web page. They don’t record your comings and goings like cookies and Facebook might. Instead, site owners often use information gathered via analytics — such as how long you spent on a page, which other pages you visited, and when you left — to enhance their design.
IP address and referral links. There are some more mundane ways of tracking users as well. These basic tracking methods are more like the foundational components of analytics rather than being bona fide tracking on their own. Nonetheless, it’s important to know about the information you’re putting out there.
We are all aware that we expose our IP address to web servers whenever we visit. Pages can track repeat visits, knowing that it’s you specifically returning based on your IP address. Products to obscure your actual IP, like VPNs, are gaining in popularity right now for this very reason. Advertisers may track your IP as well, though it can be less reliable than simply using a cookie.
Sites can track whenever you click a link, too. You might click a link that leads from one news website to another, for example. What happens when you arrive on the new website? They’ll record not only your arrival (and perhaps your IP, browser fingerprint, and so on) but also the server from which you came. Referral tracking can be used to build up a profile of your browsing habits that advertisers might like to use. It also lets webmasters know where their visitors are coming from, which can be helpful for development. Overall, though, these tracking methods operate at a very low level and are of lesser importance.
Clickstream tracking. When you’re clicking around on a website, have you ever stopped to think that those clicks might be of interest to someone? Probably not — but the truth is that many websites are tracking every click you make on their site. The technical term for this is called “clickstream” and while it is often used to optimize a website based on how users click around it, it has other purposes as well.
For example, a site might want to track which portions of text in an article users highlight to share with others. This kind of data, collected in large volumes, can ultimately affect the type of content published on the site. Based on what sort of thing you click on; the ad might change the content it chooses to suggest to you as well. While ultimately it may not be as personally identifiable as a fingerprint — and of course, clickstreams are necessarily confined to their own sites — it’s still something to consider.
Well, that’s about everything you should know about the various types of trackers you’ll find on the web. From basic analytics to clickstream to the nefarious supercookie, tons of people want to know who you are, where you’ve been, and what you’ve looked at online! Whether you choose to block that content is up to you — but the important thing is to be an informed user.
If you’re looking for ways to help mitigate the risks of online tracking, there are a number of options, including apps like MacScan and PrivacyScan, or browser extensions like Adblock Plus, Ghostery, or Privacy Badger.
That wraps things up for this episode! If you’d like more information on the topic we covered today, or if there’s a specific topic you’d like to see featured on a future episode, send us an e-mail at checklist@securemac.com!