Hidden trackers are bits of code that are embedded in websites and mobile apps to monitor user behavior and collect data. They allow companies to follow internet users across the web and build detailed profiles about their interests, behaviors, and preferences. Hidden trackers are used for many purposes, including targeted advertising, analytics, and personalization. However, they also raise privacy concerns because users are often unaware they are being tracked.
What are the most common types of hidden trackers?
Some of the most prevalent hidden trackers include:
- Cookies – Small text files installed on a user’s browser to identify them across websites.
- Web beacons – Invisible images embedded in webpages to monitor who views a page.
- Device fingerprinting – Collecting configuration data from a user’s device to identify it.
- Session replay scripts – Record mouse movements, clicks, and keystrokes on a webpage.
- Smart pixels – Track emails to detect if they were opened or links were clicked.
Other less common trackers include ultrasonic beacons transmitted through phone speakers, browser cache tracking, and canvas fingerprinting which extracts graphic card signatures.
How widespread are hidden trackers?
Hidden trackers are extremely pervasive on the modern web and in mobile apps. Some key statistics on their prevalence include:
- Over 80% of websites contain hidden third-party trackers according to a Princeton study.
- The average web page connects to over 70 different third-party domains according to Ghostery.
- Popular sites average over 20 tracking requests per page according to Mozilla research.
- Over 4,000 companies engage in tracking user data according to WhoTracks.me research.
This means the vast majority of web users are subject to some form of tracking on most sites they visit. The most prolific trackers are from major tech and advertising companies.
What data do hidden trackers collect?
Hidden trackers can record an extensive amount of data about users including:
- Browsing history – The sites and pages visited.
- Search queries – Terms typed into search engines.
- Clicks – Links and buttons clicked on pages.
- Location – Real-world location based on IP address or GPS.
- Tech specs – Information like device type, operating system, browser etc.
- Behavior – How visitors navigate through a site or app.
With access to so much data, trackers can infer demographics, interests, habits, political leanings, and more. This allows the creation of detailed user profiles.
How are hidden trackers used?
There are several key uses of hidden trackers on the web and in mobile apps:
Behavioral Advertising – Trackers follow users across sites to build an advertising profile. Relevant ads are shown based on sites visited.
Analytics – Trackers help site owners understand traffic sources, engagement, conversions, and user behavior.
Personalization – Trackers allow customization based on known preferences and interests. For example, product recommendations.
Fraud Prevention – Trackers can identify and blacklist devices involved in click fraud or account hijacking.
Price Discrimination – Trackers may be used to vary pricing based on user profiles, demand, and purchasing power.
Identification – Trackers can act as a form of identity management across sites and devices.
Are there any benefits of tracking for users?
There are some potential benefits users may derive from hidden trackers:
- Relevant ads – Trackers allow ads to be tailored to interests which may be more useful than irrelevant ads.
- Free web services – Behavioral ads fund free services like search, social media, and more.
- Personalization – Trackers allow customization of content and recommendations to fit preferences.
- Fraud prevention – Tracking helps identify and block malicious bots and hijacked accounts.
- Analytics – Tracking data can improve site design, performance and features.
However, many of these benefits can be achieved without invasive tracking. Overall, most experts argue the privacy risks outweigh potential upsides.
How do hidden trackers work?
Hidden web trackers use a variety of technical methods to piece together user data and profiles:
Cookies
Cookies are small text files installed on devices that remember stateful information about users. They contain a unique identifier to recognize return visits. First-party cookies are from the site domain itself while third-party cookies are from other domains like ad networks. Common cookie uses include:
- Session management – Preserve logged in state
- Personalization – Remember preferences like language
- Tracking – Record sites visited for behavioral profiles
- Analytics – Understand user engagement and traffic sources
Cookies can track activity across sites as users carry identifying cookies with them as they browse. Some last only a browser session while others persist for years.
Web Beacons
Web beacons, also called web bugs or pixel tags, are tiny invisible images embedded in web pages. When a user opens a page, the browser automatically loads the hidden image and pings back to the company server revealing information like:
- IP Address – Links activity to a location
- Time Stamp – Records when a site was visited
- Referrer – Detects how users arrived at the site
- Browser – Identifies software used
Web beacons are simple and just 1×1 pixels in size. Site owners can install their own or use third-party beacons for analytics and tracking.
Fingerprinting
Browser and device fingerprinting identifies users not through cookies but instead by collecting unique configuration data including:
- Operating system
- Software versions
- Screen resolution
- Browser settings
- Time zone
- Browser plug-ins
- Graphics card info
- Touch support
Combining multiple data points creates a distinctive identifier. Fingerprints don’t reveal personal info but allow tracking without cookies.
Session Recording
Session recording tracks detailed user interactions within a website in real-time. Scripts monitor:
- Mouse movements
- Clicks
- Scrolls
- Key presses
- Copy/paste actions
- Screenshots
Full session videos can be replayed to analyze behavior. Companies claim this improves web usability and catch bugs. But it raises privacy concerns.
Smart Pixels
Smart pixels (also known as web bugs or action tags) are tracking codes embedded in email messages. They notify when an email is opened allowing senders to monitor:
- Open rate – Did the recipient view the email?
- Click-through – Were links in the email clicked?
- Forwarding – Was the email passed on to others?
Marketers use smart pixels to gauge email campaign performance. But users cannot opt-out of tracking when images auto-load.
HTTPS Referrers
On HTTPS sites, browsers don’t pass referrer information to third parties due to security policies. However trackers can still determine the referrer from the first-party URL. For example, Facebook redirect URLs contain the original referrer site name allowing Facebook to track traffic sources after redirects.
Evercookies
Evercookies combine multiple tracking techniques like cookies, local storage, fingerprinting, and ETags to persist even after users delete standard cookies and attempt to opt-out. They resurrect unique IDs making users highly trackable. Mainly used in sketchy ads.
Browser Cache Tracking
The browser cache stores resources like images and scripts to speed up page loads. Trackers can embed uniquely shaped invisible images to create a fingerprint. When the browser requests the image from cache, this signals a repeat visit.
Canvas Fingerprinting
The HTML canvas element allows drawing graphics dynamically via scripting. By analyzing how a device renders text, shapes, and gradients, trackers can extract a fingerprint to identify it. No cookies required.
Ultrasonic Beacons
Some apps use high frequency sound signals inaudible to humans to track nearby devices and their locations. When a smart device picks up the ultrasonic beacon, data is transmitted enabling cross-device tracking. Consent cannot be obtained from users for this form of tracking since they cannot hear the signals.
What are the privacy risks of hidden trackers?
While trackers provide value to some businesses, they threaten user privacy in a number of ways:
Individual Tracking
The most basic risk is the ability to monitor individuals across the web. Browsing history reveals personal interests, beliefs, health concerns, political leanings, and other private information. Extensive profiles are built.
Identification
Although cookies themselves don’t contain personal info, trackers may link cookie IDs to real identities either directly or via inference. For example, connecting browsing activity to email addresses or analyzing writing style.
Sensitive Data Leaks
Trackers receive all site data. When sites fail to segregate sensitive data from analytics/tracking code, it can unintentionally leak private info like financial data. Facebook’s pixel has accessed medical info.
Data Sharing
Data collected by trackers may be shared, sold, or leaked to other parties like advertisers, data brokers, government agencies, or hackers. Users lose control of their data.
Discrimination
Profile data used for ad targeting can perpetuate unfair biases based on race, gender, health, and other factors. Certain groups may be denied opportunities.
Manipulation
Sophisticated behavioral profiling allows content and ads to be tailored to exploit user weaknesses. Addictive tendencies can be magnified – especially for gambling and alcohol ads.
Security Risks
Trackers increase the digital attack surface vulnerable to hackers. They provide additional vectors for injection of malware like keyloggers or intercepting network traffic via man-in-the-middle attacks.
Legal Liabilities
Certain types of data are regulated by laws like HIPAA and COPPA. Hidden trackers may unintentionally violate these laws if controls are not put in place to restrict collecting data from vulnerable groups like children.
User Autonomy
Fundamentally, many view hidden tracking without informed consent as violating personal autonomy. It takes away freedom and control.
How can users avoid and block hidden trackers?
There are several technical methods users can adopt to minimize tracking:
Browser Plugins
Specialized browser extensions like Privacy Badger, Ghostery, and uBlock Origin detect and block hidden trackers. Most work by blacklisting tracking domains. Some also purge cookies frequently.
Private Browsing
Browsers like Chrome, Firefox, and Safari offer private modes that disable cookies and site data after the session ends. This prevents activity from being linked across private windows.
VPN
Virtual Private Networks route traffic through encrypted tunnels and mask user IP addresses. This makes fingerprinting more challenging. However, most free VPNs also track usage.
Ad Blockers
Ads account for much hidden tracking. Generic ad blockers like Adblock Plus cut down on trackers by removing many ads. But whitelisting of acceptable ads reduces efficacy.
Email Client Tracking Protection
Email providers like Gmail can detect and neutralize tracking pixels in messages when images are not automatically downloaded. But webmail access often remains vulnerable.
Anti-Fingerprinting Browsers
Tor and Brave browsers use various methods like blocking JavaScript to reduce fingerprinting. Brave also blocks ads and trackers while Tor anonymizes traffic.
Search Engine DuckDuckGo
Private search engine DuckDuckGo avoids tracking search queries. It also blocks hidden third-party trackers on result pages. Not as robust as traditional engines however.
Cookie Auto-Delete
Browser extensions like Cookie AutoDelete clear cookies automatically after each browsing session or tab close. This prevents tracking across sites. Impact on logins needs to be considered.
However, blocking all cookies and trackers can cause sites to break. A balanced approach allows necessary functionality while enhancing privacy.
Should governments regulate tracking and increase privacy protections?
Arguments For Regulation
- Rampant tracking is a market failure requiring government intervention to address power imbalances.
- Sensitive data like financial, health, and location info merits legal confidentiality protections.
- Existing notice and consent mechanisms around tracking are ineffective – most users skip privacy policies and don’t understand tech.
- Children require stronger safeguards as they cannot comprehend tracking implications.
- Standardized privacy rights would simplify compliance complexities for companies.
Arguments Against Regulation
- Industry self-regulation and consumer empowerment through technology like ad blockers are more flexible solutions.
- Restricting tracking could severely impact ad revenue dependent tech companies and websites.
- Defining what constitutes sensitive data requiring protection is difficult.
- Users mostly accept tracking as a trade-off for free web services.
- Regulations stifle innovation in analytics which have benefits.
Potential Regulatory Approaches
- Do Not Track browser standards
- Requiring clear opt-in consent for tracking
- Restricting certain invasive tracking methods
- Anonymizing collected data to protect privacy
- Increased rights to access, delete and export personal data
- Security requirements for handling user data
- Mandatory privacy impact assessments for companies
Reasonable regulation tailored to user expectations represents a plausible middle ground between individual rights and necessary tracking functions.
Conclusion
Hidden trackers are deeply embedded across the modern digital landscape, with users subject to extensive monitoring as they browse. Myriad technical methods allow detailed behavioral profiles to be assembled for a wide range of purposes. While trackers provide certain benefits, few users fully grasp the privacy trade-offs. Striking the right balance between user protections and innovative uses of data poses an ongoing regulatory challenge. But increasing transparency and consent standards represent important first steps. Users also have more control than they realize through tracker blocking tools and mindful online habits.
