Because of the many cyberattacks at the moment and the buzz around big tech companies that gather a lot of data, both in business and on an individual scale, I would like to take a deep dive into HTML/Web Tracking.
A lot of people are not aware that the many tracks (fingerprints) they leave on the internet are being used by organizations (both legal and illegal) for financial gain. In this post, I will show you how your digital fingerprints are left on the internet and how to get rid of a lot of these fingerprints. Covering your tracks makes it harder for both e-marketing companies and cybercriminals to take advantage of this info to use against you.
When you get on the internet, there is immediately a long line of “spies” that track every move you make. Almost every company can implement a form of web tracking technology to learn about your behavior and monetize it. Personally, I don’t mind that this is done but when it is used for criminal activities by cybercriminals (blackmailing, mail spoofing, etc.) it’s a different story. That is why I try to protect myself as much as possible. If this means that it also covers my activities for legal purposes I don’t mind.
Web tracking
With Web tracking, you can collect and share information about an individual’s activity on the internet. It helps to determine what an individual does online, giving a company or someone else a better understanding of your preferences. This helps to personalize the content they offer. For instance by personalizing advertisements that you see when you are surfing on the internet.
To do this, you can use a variety of software tools, for instance, website trackers, beacons, and other tracking files, to observe how you interact with their websites. This process is called website visitor tracking and with this, you will be followed around the internet, giving organizations and individuals the opportunity to show them exactly what you are doing. Tracking files are referred to as “cookies”, probably a term you have heard of.
Website tracking and web tracking are not the same. With website tracking, organizations and individuals monitor how a website changes over time, for example with browser tracking.
Some companies take care of their own data collection but nowadays there is a huge market in which data brokers offer dedicated packages of data at a certain price. This might be personal data but this can also be detailed corporate data of an organization. Almost always the subject (person or organization) is not aware that their data is being advertised.
First-party and third-party tracking
First-party tracking happens when you visit a website. When you visit a certain website your behavior can be monitored. Software algorithms on these websites memorize your preferences, for instance, the type of content you prefer, as well as your language settings, location, and other information you share. Most of this information is pretty basic so you don’t have to worry about first-party tracking when you just want to read a website in your own language. However, this becomes more tricky once a site decides to sell all these preferences to marketers: and they are allowed to do that. It’s not illegal.
Third-party tracking is done when parties other than the websites that you are visiting also track your activity. This software shadows every move you make on the internet. If you visit a news site and read its content, you probably don’t realize that the site also uses a lot of third-party cookies that track your behavior both on their site as well as on other sites you may visit in the future. Most of the time, these websites are even paid for this. Below example shows a wide variety of trackers that are being blocked on my blocking plugin when I go to cnn.com:
Third-party tracking is mostly used to help advertisers tailor their ads to your preferences. Fourth-party is even more removed from websites that you are visiting, putting them on your browser. Examples of this are advertising networks that use cookies that originate from other providers.
There are quite a few methods to track your moves on the internet and I will show you the most common methods.
IP address tracking
An IP address is a series of numbers that identifies the device you are using on the internet. Every single device that has access to a network (including the Internet of Things) has an IP address. IP addresses are an integral component in the structure of the internet. They ensure that web traffic gets delivered where it is meant to go.
A lot of network admins use IP tracking software to monitor the devices connected to their networks. IT trackers are also a very important weapon in fighting cybercrime. Network admins use it to continuously monitor web traffic, analyzing any form of exceptional traffic that might hint at the preparation of an attack from the outside.
Next to being used for defense purposes, commercial parties can also use IP tracking to keep tabs on where website visitors are coming from. They can also use an IP address to identify behavior patterns and determine whether or not repeated visits on specific websites originate from the same individual by pinpointing the IP address. These insights can be expanded by predicting your preferences.
Web beacons can be used to see the IP addresses of people who have opened their emails. This way, a marketing company (or the marketing department of a company) can judge the efficiency of their email marketing campaigns.
IP tracking can only be done if your IP address is available. If you hide your IP address with a proxy or a Virtual Private Network (VPN), this method of tracking will be far less effective.
HTTP cookies
Cookies are the most well-known type of browser tracking. A cookie is a tiny piece of code that is stored in your browser when you visit a website that is using cookies. A first-party cookie is created by the website that you visit. Most of the time they support the site to remember what you like and what you are doing while being on the site.
Cookies are not always a bad thing. Actually, they are indispensable when you are shopping online. If you go to a shopping site and add something to your shopping cart, a session cookie tells the e-commerce site to remember that you added a specific item to the shopping cart. This is not only important for the site but also for your own convenience. Without the cookie, you would not be able to move easily through the check-out screens to enter shipping information, payment details, etc. because the site would lose track of your items once you would move to the next page.
A first-party persistent cookie saves your longer-term preferences, such as the time zone you live in and your login credentials. Most of the time these cookies are required for site functionality or to help to improve your experience on the site.
It gets more tricky with third-party cookies. These cookies are created by parties other than the websites that you are visiting. These tracking cookies follow you as you browse from one website to the next. Website analytics and advertising are two of the most important uses for tracking cookies. Study shows that 99% of all cookies are tracking and add cookies. Some browsers block third-party cookies by default. Examples are Safari, Firefox, DuckDuckGo, and Brave. Google announced that Chrome will start to block third-party cookies by default as well in the future but they plan to do this only by the end of 2023.
Most of the browsers offer the functionality to disable third-party cookies but you have to disable it manually.
Web beacons
Websites and emails use web beacons. Most of the time these are single-pixel transparent graphic images that you don’t see. These beacons are used to log user behavior. You can compare it with a hidden camera: invisible but monitoring exactly what you are doing.
Beacons work exactly like cookies on websites. They track users for website analytics and advertising purposes. Beacons monitor how you use a page or how you navigate through a series of pages. For companies, this is very useful information that can be used to tailor their services and offerings to your behavior and preferences.
One of the best examples out there is the Facebook pixel. This beacon equips site owners with massive amounts of data to use in Facebook advertising campaigns. The beacon tracks when and how often you shop and how much you buy. The Facebook pixel helps advertisers to target specific advertisements to people who most likely buy again. In addition to this, they can also target people with similar kinds of behavior and preferences as their existing customers (Lookalike Audience). The pixel also tracks if you saw a Facebook advertisement on one device but switched to another one to visit the advertiser’s website or if you added an item to your shopping cart but then decided not to buy it in the end. The Facebook pixel is one of the most powerful beacons out there and indispensable for E-marketers and E-marketing departments.
Beacons also facilitate IP address tracking in e-mails. When you open an email that contains an embedded beacon, that beacon will log the exact time and date at which you did so, including your IP address. They can also tell if and when you click any links or download any attachments in the email.
Browser fingerprinting
A new technique that is currently used is Browser fingerprinting. It allows websites to identify a unique visitor with the support of their browsers. When I connect to a website, my browser transfers a lot of data that the website uses to optimize my experience. The data that is being transferred includes the model of my device, the resolution of my screen, the operating system (OS), the preferred language, my browsing history, the time zone, and any plugins that I am using. This is just a small sample of all the information that is transferred.
Because there is only a really tiny chance that my digital fingerprint is identical to the one of someone else, the set of parameters that I use becomes my browser fingerprint. Like a real fingerprint, it is unique. Once a browser fingerprint has been assembled by a website, a website can confidently assume that any connection in the future with my fingerprint is coming from me.
It is possible to disguise a browser fingerprint with anti-tracking software. I use for instance the Ghostery plugin on my browser to prevent this kind of tracking but there are plenty more plugins to remove your digital fingerprints while browsing the internet.
Canvas fingerprinting
With HTML5 (the latest version of the HTML coding language that is used to build websites) a “canvas” element has been included. It was originally used for drawing graphics and animations on a website but it has now been reverse-engineered into a very powerful fingerprinting tool.
When I visit a website that uses canvas fingerprinting, the website instructs my browser to draw a hidden image. Because every device is unique (hardware, graphics, and settings), my browser renders the image slightly different than someone else that is visiting the website. Because of this, a unique profile can be created (like browser fingerprinting) which gives the website a unique profile of me as a visitor.
The biggest difference to browser fingerprinting is the fact that it is hard to block Canvas fingerprinting without seriously hurting your browsing experience. The reason for this is that there are many legitimate uses of the HTML5 canvas element. Unlike cookies, which are easy to block or delete, canvas fingerprinting is not relying on adding anything to the browser that you use.
Final thoughts
I hope this post provides more insight into the tracking methods that are used to make a digital profile of you (your digital fingerprint) while browsing the internet. Tracking is not always a bad thing and can really make browsing easier and far more comfortable.
However, comfort can come at a cost: especially in relation to security. You should at least have the option to be more vigilant and choose comfort (and how much of it) over security risks now that you are aware of how you are being profiled while browsing the internet.
If you want to browse more anonymously I suggest you read my post about covering your tracks on the internet. It describes my top 5 tools I use myself to protect my privacy on the internet, hiding my digital fingerprints when I visit a website.
Feel free to contact me if you have any questions or if you have any additional advice/tips about this subject. If you want to keep in the loop if I upload a new post, don’t forget to subscribe to receive a notification by e-mail.
