Companies have many ways to track people online. Web cookies are a common example: nearly every website you visit tracks you via these chunks of data stored on your device. But companies pull data not only via your web browser, but through smartphones and other devices as well.
As companies collect data, they often gather that data into user profiles that can then be used to track people across devices. Meanwhile, third-party ad networks also track you across different websites. Companies that collect personal data can also sell this data to other companies.
We’ll talk about all of these tracking methods and more as we dive into the uncanny world of online tracking.
An HTTP cookie is a text file stored on your web browser, used to identify your computer and remember your browsing behavior and preferences. When you visit a website, the site accesses the cookies so it can recall information about you. Cookies are the most widespread method of tracking people online; without them, a website would hardly be able to remember anything about its visitors.
Online shopping carts, for example, rely completely on cookies. When you put an item in your cart, the cookie stored on your web browser makes note of it. If not for the cookie, the site would never be able to keep track of what’s in your cart.
Some cookies are less essential than others. As a general rule, HTTP cookies serve three main purposes:
- Functional cookies help the website work. Your shopping cart is one example – without cookies, this feature of the website would be unable to function.
- Analytics cookies profile users and track their behavior, so that the website owners can make decisions to improve site experience and better serve their audience.
- Advertising cookies track users for the sake of serving up targeted advertisements.
These three buckets can also be applied to other tracking methods besides cookies. When companies track users, it’s almost always for functional, analytics, or advertising purposes.
These aren’t the only distinctions between types of cookies. Cookies can also be temporary or persistent, or first party or third party. There are even special types of cookies, with scary names like zombie cookies and super cookies.
Session Cookies vs Persistent Cookies
Not all cookies stay on your browser. Session cookies only last as long as your browsing session. When you close your web browser, these cookies are automatically deleted. If you ever come back to a website to find the items in your shopping cart aren’t there anymore, it may be because they were stored on session cookies.
Persistent cookies remain saved on your computer after you log off. If a website remembers your login info from session to session, that’s an example of a persistent cookie.
These persistent cookies don’t necessarily stick around forever. Much of the time, they’ll be deleted automatically after a certain period of time. You can always delete them yourself – and if you browse in incognito or private mode, websites will not be able to save persistent cookies to your computer.
Third-Party Cookies: Analytics and Ad Networks
Many websites also use third-party cookies, derived from companies other than the website itself.
These commonly include analytics services, such as Google Analytics. This service, owned by Google, helps webmasters track user behavior. It’s used by millions of sites across the web – and many of the rest are simply using different third-party analytics software. Website owners want to know who’s using their website and what people are doing on their site, and most would rather use an existing service than come up with their own toolset to track visitors.
Websites also deploy third-party advertising services that come with their own cookies. These ad networks, such as Google Ad Exchange, track users and then serve up targeted advertisements on any partner website. When a publisher opts in, Google displays ads on their website. These ads are targeted based on a profile developed across the ad network.
Just as with analytics, Google is far from the only company to run a digital ad network. Facebook, Apple, and plenty of other companies operate their own networks that deliver targeted advertisements across the web.
Fortunately, privacy-aware users don’t have to put up with being tracked by these ad networks. As of 2020, all major web browsers give users the option to categorically block third-party cookies. You can find this setting in Chrome by going to Settings → Privacy and Security → Cookies and other site data. From there, simply select “Block third-party cookies”.
While you’re there, you can also choose to send a “Do Not Track” request with your browsing traffic. This is a request, not an order – websites don’t have to honor it – but it doesn’t hurt to check the box.
The cookies described above are all HTTP cookies: text files stored in your web browser. Like the HTTP cookies described above, Flash cookies also store tracking information on your computer. However, Flash cookies are stored in an Adobe file and are much harder to manage and remove.
While modern web browsers enable users to manage HTTP cookies on their own terms, they offer much less control over Flash cookies.
Fortunately, Adobe Flash is no longer the web standard it once was. Chrome and Firefox now disable it by default, and as of December 2020, Adobe no longer supports Flash. The simplest way to opt out of Flash cookies is to opt out of Flash itself. And these days, that’s the default.
The term “supercookie” typically refers to internet service providers (ISPs) tracking their users via Unique Identifier Headers (UIDHs). A supercookie isn’t technically a cookie: in this case, the file is stored not on your computer, but on the ISP’s servers. That means you have no control over it. Where HTTP cookies are easy to manage and delete, you have no power whatsoever over any supercookies your ISP is keeping on you.
The legality of these supercookies is somewhat dubious. In 2016, the FCC fined Verizon $1.3 million for secretly using supercookies to track their users. But for a company that makes over $120 billion every year, that’s a slap on a wrist. For all you know, your ISP could be tracking you without your knowledge or permission.
A tracking pixel is what it sounds like: a one-pixel image coded with HTML. When your device loads the image, it sends data to the pixel’s image host. This data includes device information, such as your operating system and screen resolution, as well as limited behavioral information, such as what time you loaded the pixel. These tracking pixels are typically inserted in web pages or emails.
Almost always, tracking pixels are invisible. The image itself is either transparent or set to blend in with the background. The point isn’t to show you the image – it’s to track that your computer loaded the image, harvesting additional data about you and your device.
Unlike with HTTP cookies, there’s not much you can do to evade tracking pixels. You could set your browser not to load images, but that would severely limit your experience of the web. Because tracking pixels do not operate with consent of their users, they have drawn criticism from privacy advocates. They harvest data without web users’ knowledge or consent.
Device ID: How Companies Track You on Smartphone Apps
Every iPhone or Android smartphone comes with a unique device ID. Any installed app can access this ID and use it to identify your device. Though it’s far from the only way companies track your smartphone, the device ID is the cornerstone of smartphone tracking.
On Android, this device ID is called your Google Advertising ID, or GAID. You can view this ID by going to Settings → Services & Preferences. From there, you can also reset your ID at any time, or opt out of personalized ads.
Opting out of personalized ads doesn’t necessarily stop companies from tracking you – notably, it only asks that companies don’t use your smartphone data to serve you personalized advertisements. And in any case, companies are more than willing to use other data points, such as your IMEI number, to profile you.
On iOS, your device ID is called Identity for Advertisers, or IDFA. Apple’s privacy protection is more robust than Google’s; you can choose to set your IDFA as a string of zeroes, making it unusable for tracking purposes. However, just like on Android, companies can still use other identifiers to profile you on iOS.
Companies often try to track their users across devices. That way, if you visit their website one day on your laptop and use their app the next, they’ll know you’re the same person and track you accordingly. There are two main ways companies track users across devices:
- Deterministic tracking ties cross-device profiles to a concrete identifier, such as a login or email address. Usually, it involves the user setting up an account. If you use your Facebook account on desktop and on a mobile app, for instance, Facebook recognizes your login and knows you’re the same person. Deterministic is almost 100% accurate, but typically requires the user to consensually create a login or otherwise offer identifying information.
- Probabilistic tracking isn’t quite as clean. Without a login, the company has to guess based on other factors that might not be 100% accurate. If you check a webpage on your computer, and then visit the same web page on your mobile phone the next day, a company might guess you’re the same person based on your behavior and location.
Geolocation Data: How Companies Track Where You Are
With geolocation data, companies can track where you go and how long you spend there. This data is some of the most valuable personal data available to businesses – your comings and goings in the real world often say even more about you than your online activities.
Both Android and iOS have settings that let users limit which apps can track your location. However, these controls might be deceiving.
When you allow an app to track your location, that company may also sell your location data to other companies without your knowledge. So if one app has access to location data, they can sell that information to hundreds of other companies. To learn more about how companies covertly barter the location data of millions of Americans, you can read this 2019 New York Times investigation.
If you want to protect your privacy, I would limit which apps can access your personal data as much as possible. Any one app with your location data can sell that information far and wide. The fewer apps tracking your location, the better – best to limit location data to companies you absolutely trust.
You can also turn off location tracking on your phone altogether, though this will make some apps, such as Google Maps, far less functional. You can always turn it on when you’re using it and off when you’re not. This preserves the functionality when you need it while denying access to your location data when you’re not.
Corporate tracking isn’t limited to your computer and smartphone. With smart devices ready to take over every corner of your home, there are more ways than ever before for companies to track people.
Smart speakers, such as Amazon Alexa and Google Dot, are always listening to you. These apps also collect information based on what you say, while also tracking shopping lists, what music you listen to, and any kind of behavior you use the device for.
This data is processed not only by algorithms, but by human workers as well. Amazon, for instance, has thousands of employees in different countries looking in on their users’ recordings and videos.
Any smart device you own is probably tracking you in some way. When you watch your smart TV, your TV is also watching you, cataloguing what you watch. If you own a smart fridge, the device manufacturer is tracking what you eat. Not only do these companies track your habits, but there is nothing barring them from selling this information to third parties.
Whenever you put a camera or microphone into your home, you should assume someone’s watching or listening, unless you are absolutely certain of the company’s commitment to your privacy.
What to Make of All This?
Private companies currently gather an enormous amount of information about everyday people – enough to make the East German secret police jealous. For those unfamiliar with corporate tracking, it can be astounding just how much personal information is freely bought and sold on the surveillance marketplace.
Because so many of these tracking methods are nonconsensual by design, an individual can only do so much to protect their privacy online. Perhaps the best solution is to collectively agitate for greater regulation. As it exists, the surveillance industry is too rich and too powerful for any one person to combat it on their own.