How much do online advertisers really know about you? We asked an expert

Hidden Keyboard
Advertisers are watching your every click online, but how much do they really know, and how? Gajus/Shutterstock
When you search for something online — say, a vacation to Vegas — it’s not unusual to see adverts for cheap flights and hotel deals in Sin City on every site that you visit thereafter for the next few days. Few of us understand what’s actually happening behind the scenes for those ads to be served.

“The modern web is a mash-up, which means the content that you’re looking at on the page, which just looks like one single Web page with text and graphics, is in fact assembled from multiple different sources, sometimes dozens, and these different sources can be a variety of different companies,” explains Arvind Narayanan, Assistant Professor of Computer Science at Princeton, “When you look at a Web page, there’s content visible to you and invisible stuff purely for the purpose of tracking what you’re doing.”

Online advertising has been there since the early days of the Internet, but it has grown far more sophisticated in recent years. The ads we see now are often the product of digital stalking as companies try to track our every browsing move. But how does this happen in the first place?

Eyes in the shadows

“What this technology is really good at doing is following you from site to site, tracking your actions, and compiling them into a database, usually not by real name, but by a pseudonymous numerical identifier,” says Narayanan, “Nevertheless, it knows when you come back, and it knows to look you up, and based on what it has profiled about you in the past, it will treat you accordingly and decide which advertisements to give you, sometimes how to personalize content to you, and so on.”

There are even ways to associate two different devices belonging to the same user.

We know that companies are collecting data about us, but there’s very little transparency in terms of the techniques they use, and there are a lot of misconceptions. We don’t really know exactly what data they are collecting, or what they might use it for.

“The information that’s most useful for them to collect is your browsing history and your search history,” Narayanan explains, “This gets compiled and profiled into behavioral categories.”

Ostensibly, this data is collected, analyzed, and used to target us with relevant ads, but it can also be used in other ways.

“It’s not just tracking, but using that data to do data mining and see what you can infer about that person’s behavior and their preferences,” Narayanan says, “In some cases research has shown, data may even be used to tailor prices. Sometimes prices for the same product being subtly different, sometimes it’s different products with different price ranges being pushed to the consumer.”

Back in 2012, it was discovered that travel website Orbitz was showing Mac users pricier hotel options than PC users. Later the same year, the Wall Street Journal reported that the Staples website was tracking visitor’s locations and only applying price discounts if there was a competitor store within 20 miles of them.

How are they tracking us?

“It turns out that every device behaves in a subtly different way when the code on the web page interacts with it, in a manner that’s completely invisible to the user,” Narayanan explains, “and this can be used to derive a fingerprint of the device, so the third parties can tell when the same user of the same device is visiting again.”

Server Farm
The same servers that feed you websites are quietly tracking your browsing habits. Dabarti CGI/Shutterstock

This technique is known as canvas fingerprinting. When one of these scripts is running on a website you visit, it instructs your browser to draw an invisible image. Because every device does it in a unique way, it can be used to assign a number to your machine and effectively track your browsing.

If that sounds like the kind of shady thing you’d only find in the dark recesses of the Internet, then you’ll be disappointed to hear that all sorts of popular, and even well-respected sites, from Whitehouse.gov to perezhilton.com, are running these scripts. The University of Leuven, in Belgium, hosts a complete searchable list of sites with these tracking mechanisms.

Beyond the cookie jar

There are other techniques being used to collect data that are difficult to understand. Most of us have some awareness of cookies, but advertisers have developed new methods to exploit or circumvent the cookie system.

“One of the areas that concerns me the most is the data sharing that’s going on behind the scenes,” says Narayanan.

Arvind Narayanan
Arvind Narayanan, Assistant Professor of Computer Science at Princeton

A process called cookie syncing, allows the entities that are tracking you online to share the information they’ve discovered about you and link together the IDs they’ve created to identify your device. They can compare notes and build a better profile of you. And this is all done without your knowledge or input.

Bypassing the normal cookie system altogether, there’s also something known as a super cookie.

“These are cookies that are in nooks of your web browser that allow information to be stored, but they’re not in the main cookie database,” says Narayanan, “A particularly devious type of super cookie is one that stores itself in multiple locations and uses each of these locations to respawn the others should they be deleted so, unless you delete all traces and forms of that cookie at once from all of your browsers on your computer, then that cookie is going to come back.”

There are even ways to associate two different devices belonging to the same user. Companies can establish that they’re owned by the same person, even without attaching your name to them.

“Let’s say you have a laptop and a smartphone, and you’re traveling with them, and you’re browsing the web through Wi-Fi,” says Narayanan, “The advertiser, or other company, notices that there are two particular devices that always connect to the website from the same network. The chance of this happening coincidentally is similar to the chance of two people having the same travel itinerary, so, after a period of time, if it keeps happening, they can deduce that its the same person that owns those two different devices. Now they can put your browsing behavior on one device together with your browsing behavior on the other device and use it to build a deeper profile.”

Are we really anonymous?

We’re often sold the line that companies are only collecting anonymized data. This is something that Narayanan takes exception to, for a number of reasons.

“The impact of personalization, in terms of different prices or products, is equally feasible whether or not they have your real name. It’s completely irrelevant to their calculations and the intended use of the data for targeting that is so objectionable to a lot of users,” he explains.

We also have more to worry about than just the advertisers.

“Some of our research has shown how the NSA can actually piggyback on these cookies for their own mass surveillance or targeted surveillance,” says Narayanan, “These third party services are making the NSA’s job easier.”

There’s also a real risk that the anonymized data may be exposed and linked to your actual identity.

“It’s possible to de-anonymize these databases in a variety of ways,” explains Narayanan, “We’ve seen accidental leakages of personal information. What one needs to keep in mind, is that if you have this anonymized dossier, it only takes one rogue employee, one time, somewhere, to associate real identities with these databases for all of those putative benefits of privacy anonymity to be lost.“

Narayanan even objects to the word anonymous. Computer scientists use the term pseudonymous, which emphasizes that you’re not really anonymous, you’ve just been assigned a pseudonym. If your identity becomes known you’ve lost your imagined privacy, and there are many ways that could happen.

These third party services are making the NSA’s job easier.

“Many of these databases in which our information is collected started out with innocuous purposes, or purposes that consumers are comfortable with, but when you combine it with the complete lack or transparency, accountability, and regulation there’s an enormous opportunity for misuse,” explains Narayanan, “What happens when the company goes bankrupt, the database gets hacked, or there’s a rogue employee?”

There’s also evidence of a growing industry that’s aiming to tie together your online tracking with your offline purchasing habits. Onboarding companies, like LiveRamp, offer ways to link this data and give companies more insight. If a store asks you for your email address at the counter when you make a purchase, they may share it with a company like LiveRamp, which can identify when you use it to sign in to certain specific websites that they’re in business with and then link it to your device. Now companies can put a real name to the data.

How do we safeguard our privacy?

“There’s not one magic bullet solution,” says Narayanan, “If someone is selling you one solution or device that claims to take care of your privacy concerns, they’re almost certainly selling you snake oil. But if you’re willing to invest a little time, it’s possible to protect your privacy.”

There are lots of browser extensions, and end-to-end encryption tools out there. Narayanan suggests starting with Tor and Ghostery. He also recommends reading the Electronic Frontier Foundation and Electronic Privacy Information Center, if you want to learn more.

“Research technology a little bit, learn about the privacy implications of the products that you’re using, learn about the privacy tools that are out there, but also the right way to use them,” suggests Narayanan, “If you’re not fully aware, you’re not going to make a fully informed choice, but for each person it’s a trade-off on where they want to be on that spectrum of convenience and privacy.”

Mobile

Redesigned Google Fit uses Heart Points and Move Minutes to keep you active

Google is finally giving Google Fit a major update. It makes the health-tracking app a little more proactive in keeping users active, along with tracking what Google calls "Heart Points," and "Move Minutes."
Home Theater

The white van speaker scam explained, and how it moved to Craigslist and Facebook

The so-called white van speaker scam has been around for a long time, so why do people still get conned on a daily basis? We're here to arm you and your friends with the knowledge you need to see the hoax for what it is.
Mobile

Is your smartphone frozen? Here's how to reset your iPhone

You can do a lot with an iPhone, but if you ever run into an issue with it, the first thing you should do is restart it. In this guide, we tell you how to reset your iPhone, and explain how it differs from a factory reset.
Mobile

Google confirms it still tracks users who turn Location History off

Google is tracking your location -- even when you tell it not to. According to an investigation by the Associated Press, Google services store location data, regardless of whether privacy settings claim otherwise.
Computing

Reluctant to give your email address away? Here's how to make a disposable one

Want to sign up for something without the risk of flooding your inbox with copious amounts of spam and unwanted email? You might want to consider using disposable email addresses with one of these handy services.
Computing

Both the Razer Blade and XPS 15 are capable laptops, but which is better?

We pit the latest Dell XPS 15 against the latest Razer Blade 15 to see which machine meets the needs of most people. Both are a fast, attractive, and well-built, but they still appeal to different users.
Computing

Logitech’s distinctive new ergonomic mouse looks as good as it feels

Logitech's first true ergonomic mouse sports an interesting tilted design that encourages less muscle strain. We spent some time with the MX Vertical to see how comfortable it is and determine whether or not we'd prefer it to a standard…
Computing

Use one of these password managers to stay safe online

The internet can be a scary place, especially if you don't have a proper passcode manager. This guide will show you the best password managers you can get right now, including both premium and free options. Find the right password software…
Mobile

Airport’s low-tech solution to digital chaos involves the humble whiteboard

A U.K. airport has suffered a major computer error, caused by data connection problems, which has stopped flight boards from showing crucial passenger information. The solution is wonderfully low-tech.
Computing

Here’s how to watch Nvidia’s GeForce event at Gamescom

Today is August 20, and that means Nvidia may showcase its GeForce RTX 20 Series of add-in graphics cards for gamers. We’re sticking with that name rather than the previous GTX 11 Series brand due to today’s date.
Computing

HTC breaks down VR barriers by bringing Oculus Rift titles to Viveport

HTC's Viveport store and subscription service will be opened to Oculus Rift users in September this year, letting them buy titles directly and take advantage of the monthly game-delivery service.
Computing

Dell’s new fast-refresh Freesync display could be your next great gaming screen

Dell has debuted a pair of new gaming TN displays, each offering high refresh rates and fast response times to gamers alongside Freesync technology. There are 24- and 27-inch versions of the new screens available now.
Computing

Nvidia’s GeForce RTX 20 Series starts at $500 and features real-time ray tracing

Nvidia revealed its new GeForce RTX 2000 Series of add-in desktop graphics cards for gamers during its pre-show Gamescom press event. The new family is based on Nvidia’s new “Turing” architecture focusing on real-time ray tracing.
Computing

Nvidia GeForce RTX GPUs are coming to Alienware and Predator gaming desktops

Dell and Acer have both announced support for Nvidia's new GeForce RTX 2000 graphics cards in refreshed gaming desktops, including Predator Orion series systems and Alienware desktops.