When you search for something online — say, a vacation to Vegas — it’s not unusual to see adverts for cheap flights and hotel deals in Sin City on every site that you visit thereafter for the next few days. Few of us understand what’s actually happening behind the scenes for those ads to be served.
“The modern web is a mash-up, which means the content that you’re looking at on the page, which just looks like one single Web page with text and graphics, is in fact assembled from multiple different sources, sometimes dozens, and these different sources can be a variety of different companies,” explains Arvind Narayanan, Assistant Professor of Computer Science at Princeton, “When you look at a Web page, there’s content visible to you and invisible stuff purely for the purpose of tracking what you’re doing.”
Online advertising has been there since the early days of the Internet, but it has grown far more sophisticated in recent years. The ads we see now are often the product of digital stalking as companies try to track our every browsing move. But how does this happen in the first place?
Eyes in the shadows
“What this technology is really good at doing is following you from site to site, tracking your actions, and compiling them into a database, usually not by real name, but by a pseudonymous numerical identifier,” says Narayanan, “Nevertheless, it knows when you come back, and it knows to look you up, and based on what it has profiled about you in the past, it will treat you accordingly and decide which advertisements to give you, sometimes how to personalize content to you, and so on.”
There are even ways to associate two different devices belonging to the same user.
We know that companies are collecting data about us, but there’s very little transparency in terms of the techniques they use, and there are a lot of misconceptions. We don’t really know exactly what data they are collecting, or what they might use it for.
“The information that’s most useful for them to collect is your browsing history and your search history,” Narayanan explains, “This gets compiled and profiled into behavioral categories.”
Ostensibly, this data is collected, analyzed, and used to target us with relevant ads, but it can also be used in other ways.
Related: Is your smartphone being tracked?
“It’s not just tracking, but using that data to do data mining and see what you can infer about that person’s behavior and their preferences,” Narayanan says, “In some cases research has shown, data may even be used to tailor prices. Sometimes prices for the same product being subtly different, sometimes it’s different products with different price ranges being pushed to the consumer.”
Back in 2012, it was discovered that travel website Orbitz was showing Mac users pricier hotel options than PC users. Later the same year, the Wall Street Journal reported that the Staples website was tracking visitor’s locations and only applying price discounts if there was a competitor store within 20 miles of them.
How are they tracking us?
“It turns out that every device behaves in a subtly different way when the code on the web page interacts with it, in a manner that’s completely invisible to the user,” Narayanan explains, “and this can be used to derive a fingerprint of the device, so the third parties can tell when the same user of the same device is visiting again.”
This technique is known as canvas fingerprinting. When one of these scripts is running on a website you visit, it instructs your browser to draw an invisible image. Because every device does it in a unique way, it can be used to assign a number to your machine and effectively track your browsing.
If that sounds like the kind of shady thing you’d only find in the dark recesses of the Internet, then you’ll be disappointed to hear that all sorts of popular, and even well-respected sites, from Whitehouse.gov to perezhilton.com, are running these scripts. The University of Leuven, in Belgium, hosts a complete searchable list of sites with these tracking mechanisms.
Beyond the cookie jar
There are other techniques being used to collect data that are difficult to understand. Most of us have some awareness of cookies, but advertisers have developed new methods to exploit or circumvent the cookie system.
“One of the areas that concerns me the most is the data sharing that’s going on behind the scenes,” says Narayanan.
A process called cookie syncing, allows the entities that are tracking you online to share the information they’ve discovered about you and link together the IDs they’ve created to identify your device. They can compare notes and build a better profile of you. And this is all done without your knowledge or input.
Bypassing the normal cookie system altogether, there’s also something known as a super cookie.
“These are cookies that are in nooks of your web browser that allow information to be stored, but they’re not in the main cookie database,” says Narayanan, “A particularly devious type of super cookie is one that stores itself in multiple locations and uses each of these locations to respawn the others should they be deleted so, unless you delete all traces and forms of that cookie at once from all of your browsers on your computer, then that cookie is going to come back.”
There are even ways to associate two different devices belonging to the same user. Companies can establish that they’re owned by the same person, even without attaching your name to them.
“Let’s say you have a laptop and a smartphone, and you’re traveling with them, and you’re browsing the web through Wi-Fi,” says Narayanan, “The advertiser, or other company, notices that there are two particular devices that always connect to the website from the same network. The chance of this happening coincidentally is similar to the chance of two people having the same travel itinerary, so, after a period of time, if it keeps happening, they can deduce that its the same person that owns those two different devices. Now they can put your browsing behavior on one device together with your browsing behavior on the other device and use it to build a deeper profile.”
Are we really anonymous?
We’re often sold the line that companies are only collecting anonymized data. This is something that Narayanan takes exception to, for a number of reasons.
“The impact of personalization, in terms of different prices or products, is equally feasible whether or not they have your real name. It’s completely irrelevant to their calculations and the intended use of the data for targeting that is so objectionable to a lot of users,” he explains.
We also have more to worry about than just the advertisers.
“Some of our research has shown how the NSA can actually piggyback on these cookies for their own mass surveillance or targeted surveillance,” says Narayanan, “These third party services are making the NSA’s job easier.”
There’s also a real risk that the anonymized data may be exposed and linked to your actual identity.
Related: Are cookies crumbling our privacy?
“It’s possible to de-anonymize these databases in a variety of ways,” explains Narayanan, “We’ve seen accidental leakages of personal information. What one needs to keep in mind, is that if you have this anonymized dossier, it only takes one rogue employee, one time, somewhere, to associate real identities with these databases for all of those putative benefits of privacy anonymity to be lost.“
Narayanan even objects to the word anonymous. Computer scientists use the term pseudonymous, which emphasizes that you’re not really anonymous, you’ve just been assigned a pseudonym. If your identity becomes known you’ve lost your imagined privacy, and there are many ways that could happen.
These third party services are making the NSA’s job easier.
“Many of these databases in which our information is collected started out with innocuous purposes, or purposes that consumers are comfortable with, but when you combine it with the complete lack or transparency, accountability, and regulation there’s an enormous opportunity for misuse,” explains Narayanan, “What happens when the company goes bankrupt, the database gets hacked, or there’s a rogue employee?”
There’s also evidence of a growing industry that’s aiming to tie together your online tracking with your offline purchasing habits. Onboarding companies, like LiveRamp, offer ways to link this data and give companies more insight. If a store asks you for your email address at the counter when you make a purchase, they may share it with a company like LiveRamp, which can identify when you use it to sign in to certain specific websites that they’re in business with and then link it to your device. Now companies can put a real name to the data.
How do we safeguard our privacy?
“There’s not one magic bullet solution,” says Narayanan, “If someone is selling you one solution or device that claims to take care of your privacy concerns, they’re almost certainly selling you snake oil. But if you’re willing to invest a little time, it’s possible to protect your privacy.”
There are lots of browser extensions, and end-to-end encryption tools out there. Narayanan suggests starting with Tor and Ghostery. He also recommends reading the Electronic Frontier Foundation and Electronic Privacy Information Center, if you want to learn more.
“Research technology a little bit, learn about the privacy implications of the products that you’re using, learn about the privacy tools that are out there, but also the right way to use them,” suggests Narayanan, “If you’re not fully aware, you’re not going to make a fully informed choice, but for each person it’s a trade-off on where they want to be on that spectrum of convenience and privacy.”