Some forms of tracking are obvious – for example, websites know who you are if you’re logged in. But how do tracking networks build up profiles of your browsing activity across multiple websites over time?
Tracking is generally used by advertising networks to build up detailed profiles for pinpoint ad-targeting. If you’ve ever visited a business’ website and seen ads for that business on other websites later, you’ve seen it in action.
IP AddressesThe most basic way of identifying you is by your IP address. Your IP address identifies you on the Internet. These days, it’s likely that your computer shares an IP address with the other networked devices in your house or office. From your IP address, a website can determine your rough geographical location – not down to street level, but generally your city or area. If you’ve ever seen a spammy ad that tries to look legitimate by mentioning your location, this is how the ad does it.
IP addresses can change and are often used by multiple users, so they aren’t a good way of tracking a single user over time. Still, an IP address can be combined with other techniques here to track your geographical location.
HTTP ReferrerWhen you click a link, your browser loads the web page you clicked and tells the website where you came from. For example, if you clicked a link to an outside website on How-To Geek, the outside website would see the address of the How-To Geek article you came from. This information is contained in the HTTP referrer header.
The HTTP referrer is also sent when loading content on a web page. For example, if a web page includes an ad or tracking script, your browsers tells the advertiser or tracking network what page you’re viewing.
“Web bugs,” which are tiny, one-by-one pixel, invisible images, take advantage of the HTTP referrer to track you without appearing on a web page. They’re also used to track emails you open, assuming your email client loads images.
Cookies & Tracking ScriptsCookies are small pieces of information websites can store in your browser. They have plenty of legitimate uses – for example, when you sign into your online-banking website, a cookie remembers your login information. When you change a setting on a website, a cookie stores that setting so it can persist across page loads and sessions.
Cookies can also identify you and track your browsing activity across a website. This isn’t necessarily a big problem – a website might want to know what pages users visit so it can tweak the user experience. What’s really pernicious are third-party cookies.
While third-party cookies also have legitimate uses, they’re often used by advertising networks to track you across multiple websites. Many websites – if not most websites – include third-party advertising or tracking scripts. If two different websites use the same advertising or tracking network, your browsing history across both sites could be tracked and linked.
Scripts from social networks can also function as tracking scripts. For example, if you’re signed into Facebook and you visit a website that contains a Facebook “Like” button, Facebook knows you visited that website. Facebook stores a cookie to save your login state, so the Like button (which is actually part of a script) knows who you are.
Super CookiesYou can clear your browser’s cookies — in fact, we’ve got a guide to clearing your browser’s cookies. However, clearing your cookies isn’t necessarily a solution – “super cookies” are increasingly common. One such super cookie is evercookie. Super cookie solutions like evercookie store cookie data in multiple places – for example, in Flash cookies, Silverlight storage, your browsing history, and HTML5 local storage. One particularly clever tracking method is assigning a unique color value to a few pixels every time a new user visits a website. The different colors are stored in each user’s browser cache and can be loaded back – the color value of the pixels is a unique identifier that identifies the user.
When a website notices that you’ve deleted part of the super cookie, the information is repopulated from the other location. For example, you might clear your browser cookies and not your Flash cookies, so the website will copy the value of the Flash cookie to your browser cookies. Super cookies are very resilient.
User AgentYour browser also sends a user agent every time you connect to a website. This tells websites your browser and operating system, providing another piece of data that can be stored and used to target ads. For more information about user agents, check out our explanation of what a browser user agent is.
Browser FingerprintingBrowsers are actually pretty unique. Websites can determine your operating system, browser version, installed plug-ins and their versions, your operating system’s screen resolution, your installed fonts, your time zone, and other information. If you’ve disabled cookies entirely, that’s another piece of data that makes your browser unique.
The Electronic Frontier Foundation’s Panopticlick website is an example of how this information can be used. Only one in 1.1 million people have the same browser configuration I do.
There are surely other ways that websites can track you. There’s big money in it, and people are brainstorming new ways to track every day – just see evercookie above for evidence of that.