Featured Article : Forget Hacking, What About Tracking?

12th October 2022

In this article, we look at the many different ways we are being tracked online, plus which measures users can take to avoid being tracked.

Why Are We Being Tracked? 

Internet tracking is used for a number of reasons, including:

– Improving user browser experiences on websites.

– For analytics to improve business performance and inform/feed-into marketing content strategies, and to monitor a website’s usability.

– To enable the targeting of users with advertising, and to generate revenue by selling data about our browsing activities.

Why Should We Be Concerned About Tracking? 

Some of the risks associated with tracking include:

– Privacy and security risks, i.e. our personal data being taken and potentially falling into the wrong hands / being used by cybercriminals, and companies building profiles of users based on sensitive information gained from trackers in websites.

– Matters of transparency and losing control of personal data. For example, where user data is stored and who has access to it is difficult to ascertain, and feeds into privacy and security worries.

– The possible contravention of a user’s legal rights and matters of consent. For example, GDPR, the California Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA) and others have meant that tech companies can no longer legally track everything that users do and share that data with multiple other third parties as they wish without permission. For example, in the UK, since GDPR’s introduction, websites must display cookie consent and privacy information displayed on the home page.

Most Websites Use Tracking Tools 

Over 80 percent of websites use one or more tracking tools (Epic) and reasons for private browsing may be to avoid having your browsing history recorded, perhaps being on a shared or public computer (to avoid being tracked by your browser), or to avoid downloading cookies (to avoid being tracked by websites), or to be able to sign into multiple accounts simultaneously.

How Are We Being Tracked? 

The different ways that your browsing and free searching behaviour on the web can be tracked include:

– IP address tracking. The IP address (a string of numbers), set by the ISP, is a way for each computer using the Internet Protocol to communicate over a network. The IP address is necessary for accessing the Internet so that web servers know where to send the information that’s being requested.

– Cookies. These are text files loaded into a folder on the user’s web browser by the sites they visit. Cookies record details such as users’ preferences, and the last time they visited the website. Session cookies are used when a person is actively navigating a website but tracking cookies can be used to create long-term records of multiple visits to the same site. From the user point of view, cookies can serve a useful purpose (e.g. for logins) or can be used for targeted advertising.  Google recently announced an end to its third-party (tracking) cookies within 2 years for its Chrome browser following similar, earlier announcements by Safari (Apple), Mozilla’s Firefox (Mozilla) and Brave.

– Signed-in accounts. The accounts a user is signed-in to (e.g. Google or Facebook) can also track what a user has viewed, liked and more.

– Agent strings. When a user sends a request to a webserver to view a website, the request comes with information about the user attached to the User-Agent HTTP header. This ‘agent string’ contains information such as the browser (type and version) and operating system being used.

– Web beacons. These web bugs / tracking beacons track how a user engages with a specific webpage, including the content a user clicks on.

– Mouse tracking / cursor tracking software that records online users’ mouse movements to reveal how they interact with a website.

– Session replay scripts, i.e. programs that record a website visitor’s activity, such as mouse movements, clicks, and scrolls.

– Favicons (super cookies). These work in a similar way to cookies but are more difficult to decline or remove.

– Browser fingerprinting. This involves gathering and combining a variety of information about a user’s device to create a unique online identity which can be tracked.

– Cross-device tracking. This is the matching up of a user’s browsing habits across devices.

Tracked By Mobile Apps 

All mobile apps gather basic data, e.g. the user’s phone number and email address. Also, users are now tracked by 60 per cent of the world’s most used mobile apps (i.e. harvesting and storing data generated through private conversations). 80 per cent of mobile apps collect data on messages their users send and receive.

In addition to trying to gather data, some mobile apps also try to collect cookies, and 50 per cent of them can access a user’s photos and videos.

How To Avoid Being Tracked 

There are many ways that users can try to avoid tracking, including using:

– Incognito/private browsing mode.
– Private Browsers and Private Browser Extensions.
– VPNs.
– Other privacy tools

Incognito Mode / Private Browsing 

Different browsers have different names for private browsing mode, e.g. InPrivate browsing (Edge), ‘Private’ for Firefox (Mozilla) and Safari, and Incognito for Google Chrome.

Switching to this browser mode loads a new private window. This means that the new window is not signed to any accounts so can’t be tracked by them, cookies are not used, and any browsing is not added to the browser history. In this mode, however, the user’s IP address can still be tracked.

Private Browsers 

Neeva is a new advert- and tracker-free search engine which has just been launched in Europe by former Google executive Sridhar Ramaswamy, using funding by investors. Neeva offers free-to-use search and a password manager, and VPN (for a subscription). Neeva also stresses that its searches are free from bias / corporate influence, suggesting a more impartial experience.

For a more detailed picture of how much tracking is taking place when visiting web pages, Neeva’s Chrome browser extension lists the trackers installed on web pages visited. See https://neeva.com/.

DuckDuckGo is a privacy-centred search engine / privacy browsing app, which is available as a download for mobile devices and a Chrome extension. DuckDuckGo retains a user’s privacy by not saving the user’s browser history, forcing sites to use encrypted connections, blocking cookies and trackers (including ‘hidden trackers’ before they load), and by stopping a user’s searches being sold to third parties for profiling and advertising.

DuckDuckGo employs Smarter Encryption which utilises a list of millions of HTTPS-encrypted websites, which has been generated by continuous crawling the of the web instead of crowdsourcing, thereby keeping it current. Also, DuckDuckGo’s Smarter Encryption enables users to be extra-secure in their browsing by being able to detect unencrypted, non-secure HTTP connections to websites and then automatically upgrading them to encrypted connections. See https://duckduckgo.com/.

Epic is a privacy and security focused, Chromium-based browser that blocks ads, trackers, fingerprinting, crypto mining, ultrasound, signalling, and offers free VPN (with servers in 8 countries). See https://www.epicbrowser.com/.

The Brave privacy-focused, Chromium based browser that is free and open-source. It blocks ads and trackers and allows users to use a Tor in a tab to hide history, and masks location from the sites a user visits by routing a user’s browsing through several servers before it reaches its destination. See https://brave.com/.

The Tor browser uses a distributed network (randomly selected nodes) to anonymise a user’s IP address and encrypts traffic. This makes it incredibly difficult for a user’s web traffic to be traced and very difficult for users to be tracked unless they reveal their IP address by enabling some browser plugins, downloading torrents, or opening documents downloaded using Tor. However, Tor is also used for accessing and is associated with the ‘dark web.’ See https://www.torproject.org/download/.

Private Extensions For Browsers 

Another option for users to try and maintain private browsing is to use an additional private browsing extension/add-on. Examples include:

– Privacy Badger. This is a free extension that gradually learns to block invisible trackers.

– Ghostery. This is a free, open-source privacy and security-related browser extension and mobile browser app that blocks ads and stops trackers.

– Cookie AutoDelete. This is an extension for erasing cookies for a browser tab when it closes.

– HTTPS Everywhere. This free, open-source browser extension automatically switches thousands of sites from “http” to secure “https” thereby protecting the user from many different types of tracking/surveillance and account hijacking.

VPNs – Will Using A VPN Stop You From Being Tracked? 

The short answer is no. Although a virtual private network (VPN) routes a user’s internet through another computer (where many other users of the VPN are using the same IP address) making tracking difficult, it does not stop tracking altogether.

A VPN makes a secure connection to another network over the Internet, encrypts traffic, and hides the user’s IP address. However, VPNs do not protect a user from being tracked, from cookies, from user-agent strings, or through the accounts they are logged into (e.g. Google), or from any VPN’s that keep logs of user activity and which could sell those logs to third parties. Also, some services discourage the use of a certain VPN, and VPNs can slow down the user’s Internet connection dues to the re-routing and encrypting through the VPN server.

Other Privacy Tools 

Examples of some other privacy tools that users can choose to avoid being tracked include combination firewall, antivirus, and VPN tools like Norton 360 Deluxe or Panda Dome, or web proxy tools like Privoxy.

Third-Party Cookies Being Phased Out 

Some recent ‘good’ news in the tracking world is that last year Google announced that it was phasing out third-party cookies (over two years) and would not use other technology to replace these cookies or build features into its Chrome Browser to allow itself access to that data. Google said that it would be switching to Federated Learning of Cohorts (FLoC), a method which groups what it categorises as like-minded online users together so they can be collectively tracked.

What Does This Mean For Your Business? 

The risk of cybercrime, data breaches, and simply being targeted by advertisers mean that for most business users, the security of knowing that they’re not being tracked and that there is a high level of privacy protection by default may be an attractive and useful part of company security measures. Also, using a trusted app/extension/desktop browser may be a convenient way to get greater peace of mind and ensure that all reasonable measures are being taken to cover the many angles of security and privacy. For many businesses, it is likely to be a case of a combination of privacy solutions, e.g. VPNs, secure browsers and extensions, and other privacy tools being used as and when required in a way that is compatible with daily working practices, authorised, approved, and recommended by the company and other relevant stakeholders.