Internet Tracking: How You're Being Monitored

Systematic surveillance isn't just something from a George Orwell novel. You are being spied on in everyday life without even realizing it, and with relative ease, thanks to the Internet. Both public and private institutions want to make money off your data, which is why they assess your online activity on a massive scale. This process is called tracking.

While this type of surveillance doesn't have much to do with Orwell's dystopian surveillance state or dictatorships, it's still worth taking seriously. This article explains what tracking is all about, why you should guard against it, and what steps you can take to protect yourself.

Plenty of people and organizations are interested in tracking, logging, and analyzing your online activity. These include:

Data collection by governments has reached unimaginable proportions. According to Open Data City, the US National Security Agency has increased its data storage capacity to 5 zettabytes (5 billion TB) in recent years. If printed out, such an amount of data would be enough to cover the entire surface of the Russian Federation—the largest country on Earth by landmass.

Companies are also diligently collecting information about their users. Google does so through Google Ads. The company provides most of its products and services free of charge. But whether you're using Chrome, Gmail, Google Drive, or Android, you're paying for it with your data, which Google sells to advertisers.

When browsing the Internet, chances are that you unintentionally reveal more information than you would like. Data collection that occurs in this way is also known as tracking, web tracking, or user tracking.

Tracking is used on many websites, especially those that generate revenue through advertising. The process entails logging and analyzing user activity.

Through tracking, website operators can determine a number of things, such as:

With this data, website operators can optimize their sites to make them more customer-friendly. For example, store operators will use the information to reduce the number of abandoned purchases. Landing pages and product pages can also be tailored more precisely to customer needs and interests.

However, the most common reason for tracking is personalized advertising. Concretely, this means ads are displayed that are tailored to you based on your data, interests, purchases, and the websites you visit, along with other factors.

Traditional tracking works via "cookies", which are ubiquitous on the Internet. Cookies are small text files that are generated whenever you visit a website and loaded by the browser on your end device. Even though some cookies are necessary for a website to function properly, most of the time, they're used purely for marketing purposes.

There are different types of cookies, including first-party and third-party cookies.

Most tracking tools, such as Google Analytics, Piwik, or Stuffed Tracker, rely on first-party cookies. Such cookies are used exclusively to exchange information between the website and the user.

The cookie set when you visit a website contains a unique number that identifies you whenever you return to that same site. For example, if you revisit an online store, the cookie contains information about the language you used and which items were most recently in your shopping cart.

Third-Party Cookies don't come from the website operator of the page you're visiting. When a third party places an advertisement or a tracking or retargeting pixel (short, invisible 1x1 files in GIF format) on a page via an ad server, your browser generates a third-party cookie for that external server.

A third-party cookie logs your behavior and notes which subpages you visited on the website where your browser loaded ads. It also measures how much time you spend on particular pages. Additional information, such as your age, gender, and location, is also collected.

Even after leaving the website and continuing on your digital way, the third-party cookie will continue to collect data about you. Later, you might wind up on a website using the same ad server as the page where the third-party cookie was initially generated. At that point, the ad server reads the cookie and can learn a lot about what you're interested in and the types of products you use.

A user profile is created using this data, which then helps to generate personalized advertising. This process is also referred to as targeting.

Targeting is about tailoring advertisements to specific groups with high precision. Only those who are really interested in the ad content—i.e., potential buyers—should see it.

The optimal way to approach customers depends on the target group. The more precisely this is defined and analyzed, the more accurately companies can address their clientele. Information necessary for this process is usually obtained from cookies. These ensure that users are shown advertising that (supposedly) suits them.

There are different types of targeting, some of which are briefly covered below.

This form of targeting is mainly used to re-present a product to customers. The goal is ultimately to prompt them to complete a previously unsuccessful purchase in an online store.

Through this, ads are shown only to users in a specific region. As such, the customer approach is customized based on the location.

This type of targeting utilizes socio-demographic characteristics such as age, gender, and social status.

Social media targeting displays ads based on the data gleaned from a user's profile. Facebook, for example, uses this method as part of its advertising program.

This type of advertising is based on the topic of the website where it's displayed. For example, if you read an article about growing tomatoes, you'll see ads about tomato soil or a special kind of fertilizer.

Third-party cookies are vital to marketers. However, their days could be numbered, which is why tracking without them is becoming increasingly important. But why has tracking with cookies become problematic?

The Court of Justice of the European Union (CJEU) ruled on the 1st of October 2019 that users need to actively consent to the use of any cookies that aren't necessary from a technical point of view. You've likely come across the manifestations of this in banners asking you to consent to cookies or a site's privacy policy when visiting a page.

Both Apple's Safari browser and Mozilla Firefox have been blocking third-party cookies by default for years. Google is also expected to follow suit with its Chrome browser in 2023, which essentially seals the fate of third-party cookies. However, that doesn't mean the end of tracking.

Website operators and corporations have a plethora of tracking methods apart from cookies at their disposal, some of which also do not comply with data protection measures. Below are some of the most common ways you can be tracked.

Every Internet-capable end device (PC, laptop, or smartphone) is assigned a unique Internet address, an IP, or Internet Protocol. This is necessary for technical reasons, as it enables your device to be identified and addressed.

Your IP also reveals your approximate location. Website operators use IP trackers to:

App tracking collects, analyzes, and evaluates data from users interacting with web or mobile apps. Among other things, this reveals how individuals behave and utilize the product; for example, it includes information regarding how often the apps are downloaded and how successfully they perform.

These insights help operators identify ways to optimize their apps. This can include crash reports (error messages in the event of crashes, etc.) or flow visualizations that show which paths users choose while navigating through the applications. These observations also reveal whether advertising campaigns are successful or if there's room for improvement.

Google Analytics offers customers with AdWords accounts a simple way to measure conversions (desired and intended "transformations" of target persons into customers, registered users, etc). For this purpose, Google generates a conversion tracking pixel, which can easily be integrated into the app code. That way, operators can correctly associate actions with conversions (e.g., in-app purchases, clicks, and installations).

In addition to Google, many other third-party providers have recognized this market's potential. Competition is fierce, with Adobe Analytics, etracker, Flurry Analytics, and many others going head-to-head with the Internet giant.

Web beacons, also known as web bugs, tags, pixel GIFs, and pixel trackers, are used on websites and in emails.

When your browser downloads a web beacon, the target page's server stores data such as your IP address and the date and time of the request. Website operators can then determine whether you have visited the page multiple times in the past, as well as where you are physically located (the latter can be prevented by utilizing a VPN).

Web beacons are also frequently used in emails to check how often an email has been opened and the number of times links in it have been clicked. This helps marketers determine the success of their advertising campaigns.

The term "evercookie" is misleading, as this tracking method doesn't have anything to do with cookies. Evercookies refer to an API JavaScript library that's integrated into a website's source code. Evercookies can be recovered even after cookies have been deleted, making them permanent—and very irritating to users.

The trick is that the API distributes the collected data to several directories in the computer, which the browser is able to access. If you delete your cookies, the evercookie simply recreates the cookie via JavaScript—without your consent. For this reason, they're also called zombie cookies, since they keep coming back to life.

Interestingly, the inventor of evercookies, Samy Kamkar, created them just to demonstrate how easy it is to aggressively track users without any concern for their privacy.

Etags assign unique strings to objects such as images. For example, if a browser were to load the image logo.jpg, the server would send data such as Etag: 8c661 in the header. The user can then be uniquely identified because the Etag 8c661 itself is one of a kind.

Etags are also very persistent. They're sent even if you've taken additional security steps, such as blocking cookies and disabling JavaScript.

Your browser has a fingerprint that is, generally speaking, globally unique. Any website operator can easily learn around 50 characteristics about you without using cookies. This can include data such as your time zone, operating system, and which browser plug-ins you use.

If you want to know what your browser fingerprint looks like, visit Cover Your Tracks:

If you're registered with companies such as Google, Xing, or Facebook, you can use your login data to access other websites and stores, as well as end devices and apps without creating new accounts.

This helps Google and others to collect heaps of data about you. Whether you realize it or not, you already consented to this arrangement when you opened your Google account and agreed to its terms and conditions.

Social plug-ins are very popular and found on numerous websites. However, there's a catch; they give Facebook, Twitter, and others the ability to track their users elsewhere.

Using this JavaScript method, the server tells the browser that valid login data is required to access the page. Typically, a window opens in which you enter a user name and password.

However, it's a trick; the server automatically sends valid login data to your browser, which results in a unique user ID. Your browser stores that data in the cache. As a result, you can be tracked until the browser cache is cleared.

Even if you don't take issue with personalized advertising, there are reasons to be critical of tracking. The truth is, that abuse can happen, and your user profile might be a bit more specific than you'd like. For example, if you Google diseases or visit adult or political websites, all of this information could be included in your profile.

Social networks also mercilessly collect your data. For instance, Facebook's algorithm searches through all the posts you've liked to create a personality profile, which often corresponds closely to real life. The following information, and more, could be revealed:

After the 2016 US election, Cambridge Analytica, a data company, was accused of electoral manipulation. It had allegedly misused 50 million Facebook records to create and sell psychographic voter profiles. According to the New York Times, there were alleged links to the Russian Federation, although many details surrounding this claim remain unclear to this day.

But not only the lack of privacy is concerning; hackers can steal your data from companies. This can have dire consequences, such as blackmail. You can read more on this in our EXPERTE.com article on data theft.

Tracking is a problem that affects every internet user. The good news: there are ways to defend yourself.

It's relatively easy to protect yourself from most tracking methods. For example: only use browsers that block third-party cookies by default (there are even special privacy browsers). Clear your browser cache regularly—preferably after each session. This also deletes your cookies and other temporary Internet files.

There are more easy steps you can take to ensure your privacy online. We've compiled a list of the best anti-tracking measures you can take.

If you're using the Internet, you're being watched. Corporations and governments are all too eager to collect as much information about you as possible. To do this, they rely on extremely sophisticated tracking methods which are constantly evolving to adapt to new technology and legislation.

Concerns arise when tracking collects too much personal data, which then helps to generate user profiles. With EXPERTE.com's comprehensive privacy check, you can find out which data you're involuntarily giving away. If you want to ensure your privacy, it's not enough to rely on laws designed to protect you. We have an article dedicated to anti-tracking measures that will help safeguard your data.