How do tracking companies know what you did last summer?
Trackers by third-parties in the AdTech ecosystem are now included in most apps, on most websites, online shops, email newsletters and increasingly also smart devices. In practice, this means that your behaviour on a shopping website, the fact that you’ve visited a medical website, or whether you’ve actually read your favourite newsletter is being tracked. AdTech companies have positioned themselves as middle-men, they have access to incredibly detailed data about millions of people (who will have likely never even heard of them). How does tracking work and why is it so difficult to avoid trackers?
Why websites, apps, and smart devices include trackers
There are two different ways in which websites, apps or your smart TV can track your behaviour: they can collect data themselves, or they collect data on behalf of other third-parties. The most common trackers share data with large tech companies, such as Google’s parent company Alphabet, Facebook, Twitter, LinkedIn or Amazon. However, lesser known AdTech companies also have widely spread trackers.
Websites and app developers integrate the technologies of ‘third parties’ in their website or mobile applications source code for a number of reasons: to track crash reports, measure user engagement (analytics) or to connect their app to social networks (for instance, by allowing users to share photos on Facebook from the app), and to generate revenue by monetising user data and displaying targeted ads.
Third party tracking can be useful for developers, but those very same tools often also allow third parties to collect and track user data for the third party’s use. In particular, third parties whose code is embedded in a large number of apps and websites receive data about users that could be linked and combined into a detailed profile.
Third party tracking is also problematic, because people aren’t aware and have little control that their interactions with an app or a website are being shared with third parties. First party tracking is less surprising and often necessary for many modern websites and apps to function - but it can also be excessive and invasive.
Here are the most common ways of tracking:
Cookies - little files that are stored on your computer or mobile phone when you visit a website via a browser - can have different purposes and not all of them are problematic. They can keep you logged into a service or store an item in your shopping basket even if you don’t have an account.
Cookies can also be used to track you across different websites you visit, and when different cookies are synced, they can also be used to link your behaviour across different devices and browsers. For this purpose, cookies contain a unique identifier, a short string of numbers that can uniquely identify you. This unique identifier allows AdTech companies to recognise you across the web and to consolidate your profile day after day. Entire companies are now specialising in “cookie syncing” – the practice of linking different cookies, from different browsers and devices, into a comprehensive profile of a person – and “onboarding” – the practice of merging offline data (like loyalty card or financial information).
A tracking pixel is a tiny, invisible image the size of a pixel that is embedded into websites, apps and emails (such as newsletters). Whenever you open a site or an email that contains a tracking pixel, you will automatically load this pixel, which is hosted on an external server. For instance, websites that have embedded the Facebook tracking pixel, automatically send information about you to Facebook’s servers, such as your IP address, the exact page (or part of a page) that you’re looking at and much more.
Most apps contain third-party trackers and many apps contain a large number of different trackers. What makes tracking on mobile apps uniquely challenging is that it is much easier to block or reduce tracking on both mobile and desktop web browsers than it is in apps.
The most common way third parties track your behaviour there is through Software Development Toolkits (SDKs), a set of software development tools that can be used to develop applications (Apps) for a specific operating system. Facebook, for instance, offers an SDK that allows apps to integrate their app with the Facebook service and at the same time shares data about use of the App with Facebook.
Some websites use the information that your browser automatically shares to create a unique fingerprint that identifies you. Many browsers share information with websites that can distinguish the browser from others, such as your IP address, browser version, Operating System (these two are usually referred as User Agent), Addons, Screen resolution, and so on. This way, you can be tracked across the web without using pixels or cookies.