When you search for something online — say, a vacation to Vegas — it’s not unusual to see adverts for cheap flights and hotel deals in Sin City on every site that you visit thereafter for the next few days. Few of us understand what’s actually happening behind the scenes for those ads to be served.
“The modern web is a mash-up, which means the content that you’re looking at on the page, which just looks like one single Web page with text and graphics, is in fact assembled from multiple different sources, sometimes dozens and these different sources can be a variety of different companies,” explains Arvind Narayanan, Assistant Professor of Computer Science at Princeton, “When you look at a Web page, there’s content visible to you and invisible stuff purely for the purpose of tracking what you’re doing.”
Online advertising has been there since the early days of the Internet, but it has grown far more sophisticated in recent years. The ads we see now are often the product of digital stalking as companies try to track our every browsing move. But how does this happen in the first place?
What this technology is really good at doing is following you from site to site, tracking your actions, and compiling them into a database, usually not by real name, but by a pseudonymous numerical identifier. Nevertheless, it knows when you come back, and it knows to look you up, and based on what it has profiled about you in the past, it will treat you accordingly and decide which advertisements to give you, sometimes how to personalize content to you, and so on.
We know that companies are collecting data about us, but there’s very little transparency in terms of the techniques they use, and there are a lot of misconceptions. We don’t really know exactly what data they are collecting, or what they might use it for.
“The information that’s most useful for them to collect is your browsing history and your search history,” Narayanan explains, “This gets compiled and profiled into behavioral categories.”
Ostensibly, this data is collected, analyzed, and used to target us with relevant ads, but it can also be used in other ways. It’s not just tracking, but using that data to do data mining and see what you can infer about that person’s behavior and their preferences. In some cases, research has shown, data may even be used to tailor prices. Sometimes prices for the same product being subtly different, sometimes it’s different products with different price ranges being pushed to the consumer. Back in 2012, it was discovered that travel website Orbitz was showing Mac users pricier hotel options than PC users. Later the same year, the Wall Street Journal reported that the Staples website was tracking visitor’s locations and only applying price discounts if there was a competitor store within 20 miles of them.
So how are they really tracking us?
It turns out that every device behaves in a subtly different way when the code on the web page interacts with it, in a manner that’s completely invisible to the user and this can be used to derive a fingerprint of the device, so the third parties can tell when the same user of the same device is visiting again. This technique is known as canvas fingerprinting. When one of these scripts is running on a website you visit, it instructs your browser to draw an invisible image. Because every device does it in a unique way, it can be used to assign a number to your machine and effectively track your browsing.
If that sounds like the kind of shady thing you’d only find in the dark recesses of the Internet, then you’ll be disappointed to hear that all sorts of popular, and even well-respected sites, from Whitehouse.gov to perezhilton.com, are running these scripts.
There are other techniques being used to collect data that are difficult to understand. Most of us have some awareness of cookies, but advertisers have developed new methods to exploit or circumvent the cookie system.
“One of the areas that concern me the most is the data sharing that’s going on behind the scenes,” says Narayanan. A process called cookie syncing allows the entities that are tracking you online to share the information they’ve discovered about you and link together the IDs they’ve created to identify your device. They can compare notes and build a better profile of you. And this is all done without your knowledge or input. These are cookies that are in nooks of your web browser that allow information to be stored, but they’re not in the main cookie database. A particularly devious type of super cookie is one that stores itself in multiple locations and uses each of these locations to respawn the others should they be deleted so, unless you delete all traces and forms of that cookie at once from all of your browsers on your computer, then that cookie is going to come back.
Let’s say you have a laptop and a smartphone, and you’re traveling with them, and you’re browsing the web through Wi-Fi. The advertiser, or other company, notice that there are two particular devices that always connect to the website from the same network. The chance of this happening coincidentally is similar to the chance of two people having the same travel itinerary, so, after a period of time, if it keeps happening, they can deduce that it’s the same person that owns those two different devices. Now they can put your browsing behavior on one device together with your browsing behavior on the other device and use it to build a deeper profile.
We’re often sold the line that companies are only collecting anonymized data. This is something that Narayanan takes exception to, for a number of reasons.
The impact of personalization, in terms of different prices or products, is equally feasible whether or not they have your real name. It’s completely irrelevant to their calculations and the intended use of the data for targeting that is so objectionable to a lot of users.
We also have more to worry about than just the advertisers.
There’s also a real risk that the anonymized data may be exposed and linked to your actual identity. It’s possible to de-anonymize these databases in a variety of ways. We’ve seen accidental leakages of personal information.
What one needs to keep in mind, is that if you have this anonymized dossier, it only takes one rogue employee, one time, somewhere, to associate real identities with these databases for all of those putative benefits of privacy anonymity to be lost.
There’s also evidence of a growing industry that’s aiming to tie together your online tracking with your offline purchasing habits. Onboarding companies, like LiveRamp, offer ways to link this data and give companies more insight. If a store asks you for your email address at the counter when you make a purchase, they may share it with a company like LiveRamp, which can identify when you use it to sign in to certain specific websites that they’re in business with and then link it to your device. Now companies can put a real name to the data.
How do we safeguard our privacy?
“There’s not one magic bullet solution. If someone is selling you one solution or device that claims to take care of your privacy concerns, they’re almost certainly selling you snake oil. But if you’re willing to invest a little time, it is possible to protect your privacy.
There are lots of browser extensions, and end-to-end encryption tools out there starting with Tor and Ghostery.
Research technology a little bit, learn about the privacy implications of the products that you’re using, learn about the privacy tools that are out there, but also the right way to use them. If you’re not fully aware, you’re not going to make a fully informed choice, but for each person, it’s a trade-off on where they want to be on that spectrum of convenience and privacy.