How does browser tracking work?
When you visit a website, third-party trackers (cookies, web beacons, flash cookies, pixel tags, etc) get stored on your computer.
How many trackers exist in any given website depends on how many the website owner has decided to include. Some websites will have over 60 trackers, belonging to a multitude of companies, while others might have only one - perhaps to track visitor numbers, or see where these visitors are coming from, or to enable a certain functionality. Some might have none at all.
Not all trackers are necessarily tied to companies tracking your browsing habits - but when you 'accept cookies', you're saying ok to all the trackers that are there - including those feeding information back to companies.
What is being collected, and why?
Trackers collect information about which websites you're visiting, as well as information about your devices.
One tracker might be there to give the website owner insight into her website traffic, but the rest belong to companies whose primary goal is to build up a profile of who you are: how old you are, where you live, what you read, and what you're interested in. This information can then be packaged and sold to others: advertisers, other companies, or governments.
The companies tracking you are unrelated to the website you're visiting. Called "data brokers", they tend to have stock-market sounding names like DoubleClick, ComScore, and cXense (though DoubleClick is actually owned by Google). Their entire business is built on the selling of "customer data".
They are also joined by more well-known companies. Some of these are even visible: Google's red G+ button, for example, is a tracker; Facebook's "like" thumb is a tracker; and Twitter's little blue bird is also a tracker.
How can a company track my devices across the web?
Most companies will probably fingerprint your browser, which will then enable them to identify you across the internet.
Trackers are able to collect a lot of information about your device, including Your IP address, browser history, screen size, time-zone, plug-ins, and operating system. The special constellation of all these elements is your 'browser fingerprint'.
You might be surprised to see how unique your browser is. To test your browser fingerprint, go to EFF's Panopticlick tool and click "Test Me". When we tested the browser of a random mobile phone, only one in almost 3 million other browsers had the same fingerprint, from the vast Panopticlick database of tested browsers.
If a company has trackers in lots of different websites across the internet, they can recognise you by this fingerprint.
You can also be tracked across the internet over time by way of special trackers that "stick" in your browser - instead of disappearing when you leave a website.
How do companies connect my devices to me?
It's really not so hard. If you log in to websites or your email or use social media, that's enough.
The myth of 'anonymisation'
Most companies claim that they don't identify you by name when they hand over a profile of you - but what does that really mean, when you can be identified easily through all the other information included?
All of this might look harmless if you're just browsing the internet for, say, a new jacket - but what if you went to a health website for advice on living with HIV or depression, or a forum on dealing with chronic debt? Where is this information going to end up?
SEE FOR YOURSELF WHO IS TRACKING YOU
Lightbeam is an add-on for Firefox that shows you which third parties are present when you visit a website. If you then go to a new website, Lightbeam will show you not just which third parties are active on that site, but which third parties have seen you on both sites; and so on as you visit more websites.
You can install it through Firefox's main menu, or go to Lightbeam --> add to Firefox
To start it up, click on the Lightbeam icon at the top of your browser → browse the internet for a while → check the visualisation.
Trackography (Tactical Tech project)
News websites are a great source of information about you. What newspaper you read, and which articles, can say a lot about your political views, general interests and even things like your sexuality or religious affiliations.
Trackography allows you to see who is tracking you when you read the news online - among other things, like which countries your data travels through along the way.
CAN I SEE WHAT PROFILES HAVE BEEN CREATED OF ME?
It depends on the country you live in (and it's unlikely you'll be given the full picture).
If you're in the United States, it's possible to get some information out of data brokering giant Acxiom - the “world’s largest commercial database on consumers” - through their website.
If you're in the European Union, companies have to show you this information if you ask for it, thanks to the "Right of Access" principle - part of European privacy law - which states:
“Anyone interacting with an EU company or government agency can, for any reason, request all the data that entity has about oneself, and the company or government agency must comply”. (Ars Technica)
The question of how this law should be implemented, however, has in recent years become the basis for the largest privacy class action in Europe - the legal battle that has became known as Europe vs Facebook (ongoing at the time of writing), started by Austrian student Max Schrems.
This website explains how you can get your Facebook data if you live outside the US and Canada.
There are also some country-specific websites out there. In the Netherlands, for example, the Privacy Inzage Machine takes you through the steps needed to get your data out of companies operating within the country; not just platforms like Google and Facebook, but also energy companies, banks, supermarkets, hospitals, and the secret police.
We'll be working on adding more country-specific sites to this page in the future; in the meantime, please send us an email if you know of any from your own country.
Seeing how wrong these profiles can be
Getting hold of your data allows you to see not only how much personal information - a lot of which you have assumed was private - a company is keeping on you; but it also allows you to see how innacurate their portrayals of you can be.
Researcher Eve Ahearn, for example, was surprised to discover that “they think I am my own child. Or somehow, that I have a 16-17 year old female daughter I didn’t know about”. The company she requested her profile from had tracked her over time, but recorded two people living in the same house. In fact, both were her - just her at different ages.
Note: when you request your profile, companies will ask for personal information to confirm your identity. This will give these companies more data, or confirim existing information they have about you.