Web Tracking Technologies 101
Behind the simple act of browsing the web lies a complex world where trackers monitor every move [1]. Each time someone uses the internet, a digital trail is left behind, allowing companies to collect personal data through website tracking tools [2][3]. Despite the common use of tracker blockers, which are often compared to “using an umbrella in a hurricane,” tracking and profiling persist as routine aspects of daily online life. These practices, often justified as ways to provide “personalised experiences,” involve platforms like Facebook and Google collecting extensive data on users, including their demographics, preferences, and even political leanings [4]. But what does web tracking mean?
Web tracking is the practice of collecting, storing, and analysing information about an individual’s online activities to understand their preferences and personalise content accordingly. Various tools, such as cookies and beacons, are employed to monitor website interactions and follow users across the internet. Some people use the terms website tracking and web tracking interchangeably, but they’re not the same: website tracking is simply the practice of monitoring how a website changes over time, whereas web tracking involves tracking user behaviour [1][2][5].
There are different approaches to web tracking, depending on who collects the data:
- First-party tracking refers to when a website monitors a visitor’s behaviour to personalise their experience. This practice allows sites to remember user preferences, language settings, and location to enhance user interactions. Generally, first-party tracking is considered harmless since it often improves user experience by remembering preferences. However, concerns arise if the website sells this data to marketers.
- Third-party tracking, by contrast, involves external companies using web trackers to monitor user activity across multiple websites, often for tailored advertising. This explains why advertisements for items previously viewed may appear on other sites.
Although first-party tracking can be beneficial, third-party tracking poses significant privacy issues as it involves additional entities accessing personal data [2][1].
Web tracking is utilised across various domains, including advertising, law enforcement, web analytics, usability testing, and Ecommerce, each serving distinct purposes [1][2][4][6]:
- Advertising companies collect user data to create profiles for personalised advertisements, while platforms like Netflix and Google use tracking to enhance content recommendations and search relevance.
- Law enforcement agencies may employ web tracking for surveillance and crime-solving.
- Web analytics involves studying website performance by tracking user behaviour, such as time spent on pages and interaction patterns. This data helps website owners identify which content engages users most and where improvements are needed.
- Usability testing employs web tracking to evaluate how easily users can navigate a website or app. By observing real users as they perform tasks, developers can identify design flaws and make adjustments to improve overall user experience.
- Ecommerce sites heavily rely on web tracking to analyse customer behaviour, such as browsing patterns, search terms, and purchasing decisions. This data helps optimise sales strategies, personalise user experiences, and adjust site content based on factors like user location and device type. Even pricing strategies may be influenced by the data collected, although practices like price-gouging based on tracking data remain controversial.
Web tracking techniques are generally categorised into two types: stateful and stateless. Stateful tracking stores information on the user’s device and retrieves it later to identify the user. The most common method is through third-party cookies, which can be “respawned” even after deletion. These cookies are often synchronised among various data brokers, enabling the mapping and exchange of user profiles. Research has shown that stateful trackers are widely used on popular websites. In contrast, stateless tracking identifies users without storing data on their device. An example is device fingerprinting, which gathers details about the user’s browser and operating system to create a unique identifier [5]. The following paragraphs explore these technologies in more detail.
Cookies
Cookies are among the most recognised forms of browser tracking, first introduced by Lou Montulli in 1994. These small text files store information from a user’s web session and can be accessed by the user, the website, or third-party companies [2]. Cookies track various data, including browsing history, page clicks, and scrolling behaviour. Initially designed to remember user preferences and enhance browsing experiences, cookies can autofill login details, retain items in shopping carts, and display personalised recommendations based on past activity [2][7]. Although essential for site functionality, cookies are also used for tracking and profiling users’ behaviours [2]. Contrary to popular belief, cookies are not software and cannot install anything on a computer. They typically contain a unique identifier that helps websites recognise returning browsers. The more controversial use of cookies is in managing online advertising, especially when third-party cookies track and profile users to serve targeted ads [8].
Two types of cookies are persistent and session cookies. Persistent cookies are stored on a user’s device between browsing sessions, allowing websites to remember user preferences, actions, and even track behaviour across different sites. They are often used for remembering settings or targeting advertising. The lifespan of a persistent cookie is determined by the website operator, but users can manually delete these cookies or configure their browser to do so automatically at set intervals [9]. Session cookies, by contrast, are temporary and expire after a session ends. These ephemeral cookies serve various purposes, including maintaining user logins, tracking shopping cart contents, and storing form data temporarily. They enhance user experience by enabling seamless navigation without repeatedly entering credentials or losing selected items. Session cookies are generally considered more secure than persistent cookies as they don’t store data on the user’s device after the session ends [9][10].
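The distinction above can be checked directly from the Set-Cookie headers a page produces. The following is an added example, not part of the original article: it classifies each cookie as session or persistent from its Expires/Max-Age attributes and as first- or third-party by comparing the responding host with the page host. The hostnames and cookie values are constructed, and the two-label site comparison is a simplifying assumption.

```javascript
// Added example (not from the original article). Hostnames and cookie values
// are constructed sample data.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds, or null when neither Max-Age nor Expires is set
// (a session cookie). Max-Age takes precedence over Expires.
function lifetimeSeconds(cookie, now) {
  if ("max-age" in cookie.attrs) return Number(cookie.attrs["max-age"]);
  if ("expires" in cookie.attrs) return Math.round((Date.parse(cookie.attrs.expires) - now) / 1000);
  return null;
}

// Simplification (assumption): the "site" is the last two host labels.
// Browsers use the Public Suffix List for this comparison.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

function classify(header, responseHost, pageHost, now = Date.now()) {
  const c = parseSetCookie(header);
  const life = lifetimeSeconds(c, now);
  return {
    name: c.name,
    kind: life === null ? "session" : life <= 0 ? "deleted" : "persistent",
    lifetimeDays: life === null ? null : Math.round(life / 86400),
    party: site(responseHost) === site(pageHost) ? "first" : "third",
  };
}

// Constructed responses seen while loading a page on www.shop.example.
function auditSample() {
  const now = Date.parse("2024-12-02T00:00:00Z");
  return [
    classify("sid=abc123; Path=/; HttpOnly; Secure", "www.shop.example", "www.shop.example", now),
    classify("lang=en; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/", "www.shop.example", "www.shop.example", now),
    classify("uid=7f3a9c; Max-Age=31536000; SameSite=None; Secure", "cdn.ads.example", "www.shop.example", now),
  ];
}
```

A long-lived identifier cookie set by a host on a different site from the page, like the third entry, is the pattern associated with cross-site tracking.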
While tracking cookies do not collect personal information such as names, emails, or credit card details, nor do they harm devices or spread malware, they can still raise privacy concerns when combined with other data. These cookies can reveal extensive details about your online behaviour to third parties who may exploit this data for targeted advertising or manipulation. Furthermore, they can compromise anonymity by linking your browsing activities to your identity or location, posing a risk if sensitive content is accessed. Additionally, tracking cookies may slow browsing performance by consuming bandwidth and sending frequent requests to third-party servers [7].
Pixels
Another tracking method is the use of tracking pixels, also known as web beacons or clear GIFs. These are tiny images (usually 1x1 pixel) embedded in web pages or emails that function as invisible monitors of online activity [1][7]. These sophisticated tools, unlike cookies, are not stored in browsers but load upon page visits or email opens, enabling them to track a wide range of user interactions beyond mere web browsing. They can record email engagement, conversions, downloads, and even bypass certain cookie-blocking methods, though they remain vulnerable to image disabling and ad blockers [7]. The Meta Pixel, formerly known as the Facebook retargeting pixel, exemplifies the power of these tools in digital marketing. This ubiquitous web beacon provides website owners with extensive data for Facebook ad campaigns, allowing for precise targeting based on shopping habits, cross-device behaviour, and even abandoned cart information. It facilitates the creation of ‘Lookalike Audiences’, expanding marketing reach to potential customers with similar profiles [1][11]. In email marketing, tracking pixels can log precise opening times, IP addresses, and interaction with links or attachments, offering invaluable insights into recipient engagement [9].
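Because a tracking pixel is an ordinary image tag, it can be spotted in the HTML of a page or email before any images are loaded. The following is an added example, not part of the original article: it scans markup for images that are 1x1 or hidden by CSS and reports the host and query parameter names each would contact. The sample email and its hosts are constructed, and the regular-expression parsing is a simplification of what a real HTML parser does.

```javascript
// Added example (not from the original article). The email body and all
// hosts in it are constructed sample data.
const SAMPLE_EMAIL = `
<p>Your order has shipped.</p>
<img src="https://static.shop.example/logo.png" width="180" height="60" alt="Shop">
<img src="https://t.mailer.example/open?m=c29tZS1pZA&r=42" width="1" height="1" alt="">
<img src="https://px.ads.example/p.gif?e=view" style="display: none">
`;

// Collect the attributes of one tag. Quoted values are consumed whole, so
// text such as "width=1" inside a src URL is not mistaken for an attribute.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

function findTrackingPixels(html) {
  const hits = [];
  for (const [tag] of html.matchAll(/<img\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const style = (a.style || "").replace(/\s+/g, "").toLowerCase();
    const tiny = (v) => v !== undefined && parseInt(v, 10) <= 1;
    const reasons = [];
    if (tiny(a.width) && tiny(a.height)) reasons.push("1x1 or smaller");
    if (/display:none|visibility:hidden/.test(style)) reasons.push("hidden by CSS");
    if (reasons.length === 0 || !a.src) continue;
    let url;
    try { url = new URL(a.src); } catch { continue; } // skip relative or invalid URLs
    // Report where the request would go and which parameters it carries.
    hits.push({ host: url.hostname, params: [...url.searchParams.keys()], reasons });
  }
  return hits;
}
```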
Fingerprinting
Another tracking method is browser fingerprinting, a sophisticated and intrusive technique that enables websites to uniquely identify visitors through their web browsers’ distinctive data profiles [1]. This method surpasses traditional cookie tracking in its ability to create persistent user profiles, even when individuals clear their browser storage or employ private browsing modes [2][12]. When users connect to a website, their browsers inadvertently relay a wealth of information, including device specifications, screen resolution, operating system, language preferences, time zone, and installed plugins. The unique combination of these parameters forms a ‘browser fingerprint’, allowing websites to recognise returning visitors with remarkable accuracy. This technology serves dual purposes: although it raises privacy concerns as it builds detailed user profiles and can persist for months, it also acts as a security measure by facilitating user behaviour tracking across multiple visits, which helps banks that use it to detect potentially fraudulent activities from multiple devices [1][2][12]. Despite widespread concerns among standards bodies and browser vendors regarding its invasive nature, the use of fingerprinting has steadily increased over the past decade, challenging users’ attempts to maintain privacy online [12].
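Why a combination of unremarkable attributes identifies a browser can be measured. The following is an added example, not part of the original article: for a constructed sample of eight hypothetical browsers it computes each browser's anonymity set (how many browsers share its fingerprint), the fraction that are unique, and the entropy of the fingerprint distribution. All function names and data are assumptions made for illustration.

```javascript
// Added example (not from the original article). VISITORS is a constructed
// sample of attribute values reported by eight hypothetical browsers.
const VISITORS = [
  { os: "Windows", screen: "1920x1080", lang: "en-GB", tz: "Europe/London" },
  { os: "Windows", screen: "1920x1080", lang: "en-US", tz: "America/New_York" },
  { os: "Windows", screen: "1366x768", lang: "en-GB", tz: "Europe/London" },
  { os: "Windows", screen: "1366x768", lang: "en-US", tz: "Europe/London" },
  { os: "macOS", screen: "1920x1080", lang: "en-GB", tz: "America/New_York" },
  { os: "macOS", screen: "1440x900", lang: "en-US", tz: "America/New_York" },
  { os: "macOS", screen: "1440x900", lang: "en-GB", tz: "Europe/London" },
  { os: "Windows", screen: "1920x1080", lang: "en-GB", tz: "Europe/London" },
];

// The fingerprint is the combination of the chosen attributes.
function fingerprint(v, attrs) {
  return attrs.map((a) => `${a}=${v[a]}`).join("|");
}

function countByFingerprint(visitors, attrs) {
  const counts = new Map();
  for (const v of visitors) {
    const k = fingerprint(v, attrs);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Anonymity set size per visitor: how many browsers in the sample share the
// same fingerprint. A size of 1 means the browser is uniquely identifiable.
function anonymitySets(visitors, attrs) {
  const counts = countByFingerprint(visitors, attrs);
  return visitors.map((v) => counts.get(fingerprint(v, attrs)));
}

function uniqueFraction(visitors, attrs) {
  return anonymitySets(visitors, attrs).filter((n) => n === 1).length / visitors.length;
}

// Shannon entropy (bits) of the fingerprint distribution.
function entropyBits(visitors, attrs) {
  let h = 0;
  for (const n of countByFingerprint(visitors, attrs).values()) {
    const p = n / visitors.length;
    h -= p * Math.log2(p);
  }
  return h;
}
```

In this sample no browser is unique by operating system or screen size alone, yet six of the eight are unique once all four attributes are combined; leaving out screen and time zone, as happens when a browser reports the same values for everyone, brings that back down to one.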
To safeguard personal data and prevent browser tracking, users can employ a variety of effective strategies [2]. Opting for a non-tracking browser designed with privacy in mind serves as a fundamental step. Additionally, blocking tracking cookies can significantly enhance online privacy, with methods varying across different browsers. Utilising a Virtual Private Network (VPN) provides an extra layer of protection by concealing crucial information such as IP addresses and geographical locations, thus bolstering anonymity and thwarting IP address tracking attempts. For those sharing devices, regularly clearing browsing data at the end of each session proves invaluable in maintaining privacy [7]. These proactive measures, when implemented consistently, form a robust defence against unwanted online tracking, empowering users to navigate the digital landscape with greater confidence and control over their personal information.
References
[1] https://www.avast.com/c-web-tracking
[2] https://www.ghostery.com/blog/what-is-web-tracking-how-can-i-browse-safely
[4] https://thereader.mitpress.mit.edu/a-history-of-the-data-tracked-user/
[5] Web Tracking Technologies and Protection Mechanisms, CCS’ 17 Tutorial (https://dl.acm.org/doi/abs/10.1145/3133956.3136067)
[6] https://en.wikipedia.org/wiki/Web_tracking
[7] https://www.ghostery.com/blog/what-are-tracking-cookies
[8] https://www.theguardian.com/technology/2012/apr/23/cookies-and-web-tracking-intro
[10] https://www.aboutcookies.org.uk/session-cookies
[11] https://instapage.com/blog/meta-pixel
[12] https://www.mozilla.org/en-GB/firefox/features/block-fingerprinting/