General security

Means and Methods of Web Tracking: Its effects on privacy and ways to avoid getting tracked

Ivan Dimov
July 23, 2013 by
Ivan Dimov

 1. Introduction

Below, we will discuss the reasons that incited people, businesses and governmental agencies to employ web tracking, detailed and basic methods of avoiding web tracking, and various types of cookies and their effects on privacy, and we will also examine a brief court case that concerned a particular type of cookie. Then we have included some final notes and a conclusion inferring some deductions from the context of the discussion.

2. Reasons for web tracking

Before we elucidate the means and methods of web tracking there is a simple question that ought to be answered: Why would someone want to track my web activity in the first place?

Basically, there are four reasons why websites employ web tracking or website visitor tracking.

  • Firstly, they use web tracking for advertising purposes. One option is to send the collected data to a data aggregator. A data aggregator (e.g., ChoicePoint) is a company that is responsible for extracting and bringing together bits of data dispersed in huge databases comprising information about individuals. The data, after being extracted and compiled by the data aggregator, is sold to other third parties. The data aggregator creates aggregate reports on the basis of the collected information and sells it to local, state or federal authorities or businesses. Businesses are particularly interested in such information, because such personal information substantially boosts their marketing capabilities.

Nonetheless, sending chunks of data to data aggregators is far from the only reason why websites track your activity.

Below are several tables that reveal why web tracking is utilized:

Purpose of tracking Info of interest Tracking enables Benefits of tracking

AdvertisementNB: PII* is considered as information which is not typically utilized by online advertisers for the various advertising schemes (according to the Network Advertising Initiative, amongst other sources) but it can still be used. Profile information such as age and sex (information given in registration forms, etc.). Location, purchases made online (products and services), use of social buttons to indicate what your preferences are which could expose your social media profile and in this way  businesses may collect personally identifiable information about you (social buttons are also known as a type of web bugs), information tied to profiles in social media, sites visited in the past, browsing activity, referral link, IP address, browser and device’s info (OS, display settings, device type, connection speed, etc.), sometimes income and other interests. Personalized advertisements / targeted advertising,  contextual advertising (ads connected with the content of the page you are browsing),  behavioral advertising  (categorizes ad content on the basis of the collected client or user profile which may include age, sex, location, revenue, hobbies, activities and interests, etc. and semantic advertising (whereas in contextual advertising the content of the pages is scanned for keywords, in semantic advertising the particular context of the content is examined) Advertisers:1. Better efficiency of campaign development. 2. Boosts the effectiveness of resources delegated for advertising.3. The money spent for advertising will be used to the best advantage. 4. Improved return on the investments made (it follows from the previous three reasons)

Consumers:

1. More efficient provision of desired goods and services

2. Delivery of messages that are connected with consumers interests.

PII* = Personally Identifiable Information (such as first, last or full name, email or physical addresses, cell or landline phone numbers, birth date, government-issued identifiers, and financial account numbers).

Purpose of tracking Info of interest Tracking allows agencies to: Benefits of tracking

Law enforcement and intelligenceNB: the collection of PII is the goal of such forms of web tracking. Emails, web traffic, instant messaging, ISP and IP address, location, full name, etc. 1. Collect evidence, 2. Solve crimes, 3. Initiate investigations, 4. Find breaches of laws, 5. Identify, locate, and findsuspects 1. Prevention, investigation, and combating of Internet-related crimes such as identity theft and credit/debit card frauds.2. Increase the number of law-abiding citizens as awareness of the risk of surveillance leads to self-containment and law-abidance.3. Punishing and rehabilitating citizens who are in violation of the established laws and rules.

4. Protecting the community from criminals.

Purpose of tracking Info of interest Tracking allows web-owners to: Benefits of tracking

Web analytics The number of visitors over a period of time, manners in which individuals entered the website, traffic that advertisements bring to the website, approximate geographical location of the visitors,company identification (see competitors that entered the website) and technical details. Evaluate the overall performance of the website. Maximize overall revenue by gathering information such as which pages produce high profits, which banner ads produce high traffic, in which pages the customers decided to close the website, etc,. and making use of that information.

Purpose of tracking Info of interest Tracking allows web-owners to: Benefits of tracking

Usability testsClickstream analysis Comprehensive records of customers’ mouse and keyboard input and sometimes even analyzing eye movements.Clickstream analysis tackles the collection and assessment of such information.  Locate usability problems and fix them. It brings the possibility to see where exactly customers have trouble with the functionality of a website and even to categorize the computer skills of a customer and adapt the page to his skills, amongst other benefits.

3. Means and methods of web tracking.

The typical means of web tracking is to use cookies. These are necessary for session management, identification and authentication of visitors, as well as for various personalizations.

3.1. Basic information

Cookies cannot consist of more than 255 characters and be more than 4K of disk space. For the successful functioning of the cookie it is only necessary for the cookie to have a name and a value. However, there may be more parameters embedded in the cookie’s structure—its expiration time, the requirement of a secure connection in order for the cookie to function, the domain name that created the cookie and that can read it, and the path that the particular cookie is valid for. Thus, cookies are composed of six parameters, while only two of them are mandatory for the successful functioning of the cookie. Cookies are text-only strings that become embedded in the memory of the browser. They can become a file if the lifetime of the cookie is set to be longer than the time you spent surfing the website, your browser then resends these cookies to the website they are meant for every time you revisit the particular website.

3.2. The various types of cookies and their effect on privacy

3.2.1 Zombie cookies

Zombie cookies (supercookies or Flash cookies) are HTTP cookies that recreate themselves after being deleted via backups located outside the standard cookie storage of the user’s web browser. Such cookies can be stored both online and on the user’s machine and are designed to resist deletion attempts. They have serious privacy implications. Firstly, they function outside the safeguards that the browser maintains.  Any web browser allows ordinary cookies only to be written, read, and deleted by the website that created them, whereas such flash cookies can track the client’s behavior and activity on multiple websites; in this way cookies do not limit themselves only to site parameters but go beyond them.

They never expire and a portion of them take the name and the file path of crucial files. They are browser-independent, meaning that they can track activity in all browsers that you use, they allow information to be shared between domains and they reinstate themselves after being deleted from the browser’s dedicated cookie storage, which makes them comparable to Trojans.  Finally, they can use 25 times the disk space of ordinary cookies. Thus, a zombie cookie can store a maximum of 100kb while an ordinary cookie can have a maximum size of 4kb. A way to get rid of zombie cookies is by installing the add-on BetterPrivacy.

They have serious privacy implications, as their chief goal is to store personal data of users for different online marketing purposes. Furthermore, in 2010 websites that used Quantcast technology and Quantcast, which provided these zombie cookies, were sued on the grounds of violation of federal computer intrusion laws while the practice was claimed to breach also state and federal fair trade laws and eavesdropping and hacking laws. Quantcast themselves said that the zombie cookies were an unintended consequence of attempting to measure web traffic precisely. The details from the lawsuit describe the practice as a “pattern of covert online surveillance” and sought status as a class-action lawsuit. The plaintiffs sought unspecified damages and a court order forcing the companies to cease the practice in the future, remove the collected information and establish a transparent method of opting out. Quantcast settled and agreed to pay $2.4 million to settle the class-action lawsuit.

The case can be found here: http://www.wired.com/images_blogs/threatlevel/2010/07/CV10-5484-GW-JCGx-Complaint-Summons-Civil-Case-Cover-Sheet1.pdf.

Zombie cookies are actually Adobe Flash local shared objects (LSOs). Adobe Flash is a famous browser plug-in chiefly utilized for displaying web content that is animated or interactive. The flash plug-in enables servers to store LSOs (Flash cookies) which are like HTTP cookies but are managed by the Flash plug-in instead of a web browser. LSOs were created to circumvent restrictions of the traditional cookies, such as file size (traditional cookies have a limit of 4KB while LSOs 100KB).  Since LSOs are not browser-specific but are common to all applications on the machine using the Flash plug-in, users can be identified regardless of the browser they open. Moreover, Adobe Flash allows developers to evade the same-origin policy that stipulates that sites cannot access data (cookies) stored by other domains. Hence, zombie cookies can take advantage of all these benefits conferred by LSOs and use them to track unsuspecting visitors. Lastly, Adobe Flash is found to be installed on around 98% of PCs, which makes possible for almost everyone to be a possible victim.

These Flash cookies are typically stored in local shared objects of Adobe Flash but can be stored in many places, such as Silverlight isolated storage, web storage, web history, the window.name DOM property, the HTTP cookies storage, etc.

3.2.2 Third-party cookies

Third-party cookies are not created for the domain that the customer is browsing, but for external domains from which the host website fetched supplementary information such as images. These cookies are sent to the third-party server regardless of the page that the visitor is browsing, as long as it has content from the third party.

Third-party cookies are also undesirable. Tracking networks that want to track people can insert         undetectable dummy images, a type of web bug. Every time you enter a website that has web bugs there is a request made to the domain hosting the web bug. This has the following effects on privacy:

  1. The third-party’s tracking service is aware of the entry into the website with the particular web bug of your IP address.
  2. The third-party may establish a cookie containing a unique ID on the user’s computer (or a tracking cookie). Afterwards, this tracking cookie would be sent back to the third party each time you open a page that contain one of its web bugs.

Thus, an advertising company can have web bugs embedded in multiple sites. Therefore, it can track your activity throughout your surfing session because of its cookie network.

To summarize some main points:

  1. Each time someone enters a website, some of its content may originate from other websites, such as scripts, images, and videos.
  2. Parts of this content (undetectable dummy images) may originate from advertising networks.
  3. These ad networks can track which pages you are visiting and are aware when you have visited more than one website located within their network.
  4. After step 3, these ad networks or other entities, such as data aggregators, can sell or share the information with other interested parties.

Nonetheless, almost all browsers’ configurations can be modified to reject all cookies coming from a third party. Therefore, websites use the following technique: they redirect visitors to a page that belongs to the tracking company and the tracking company, accordingly, establishes a first-party cookie that can be afterwards read by web bugs present in other websites.

3.2.3 Other cookies

Persistent cookies (tracking cookies) outlive the browsing session of a user. They can record valuable information, such as how the user found the website in the first place. They can reside in the browser’s dedicated cookie storage for years, depending on their max-age proviso, or they may be permanent unless deleted by the user. They also provide functionality to the user’s experience and are not necessarily negative for the user’s privacy. Persistent cookies are “in charge” of authentication, language, and theme preferences, in-site bookmarks and favorites, among other utilities.

Other cookies, such as session cookies, are important for the proper operation of websites and provide functionality to the website being viewed. They expire at the end of each session and are not designed to stay longer or permanently on your machine, therefore, they do not have negative privacy effects. Session cookies are used, for example, when ordering products. Session cookies can store the relevant ordering information necessary for shopping carts to function; without session cookies, the users would have to memorize all the objects that they have placed in the shopping cart. Also, session cookies are used to store data about the customer’s page activities so the customer can easily continue browsing from the last viewed page. There are many other benefits that session cookies entail.

Users may be identified via their IP addresses, but this is rather uncertain in today’s Internet for numerous reasons, so cookies offer the best method to identify each visitor.

There are other cookies as well such as secure cookies and HttpOnly cookies. but these are not central to this particular discussion.  There are also different varieties of supercookies (from the one we discussed above)

4. Ways to avoid being tracked.

Detailed methods of avoiding web tracking:

  1. Delete all HTTP cookies at the end of each browsing session.
  2. Stop/block third party cookies.
  3. Permit only session cookies.
  4. Delete every single Flash LSO at the end of each browsing session.
  5. Utilize a proxy server to mask your IP address as an anonymization service.
  6. Do not maintain a browser history.
  7. If you do not trust the particular website’s privacy policies do not use its social buttons.
  8. Use the “Do Not Track” feature. It is available for Internet Explorer, Safari and Firefox
    (http://donottrack.us). It enables you to opt-out of tracking by sites that you are not visiting such as analytics service providers and ad networks. “Do Not Track provides users with a single, simple, persistent choice to opt out of third-party web tracking".
  9. Use the “HTTPS Everywhere” extension. It is currently available for Firefox and there is a beta version for Chrome (https://www.eff.org/https-everywhere). It encrypts your communication with many of the important websites as some of them provide only limited HTTPS, only some pages being secure or the communication channel defaults to unsecure HTTP at some point, “HTTPS Everywhere” is an attempt to remedy this, as its title suggests.
  10. If you want websites not to know how you end up on their site, what you typed in the search engine to get there, or which website’s link you followed, install the add-on “Referrer Control” http://goo.gl/G8vkC for Chrome and http://goo.gl/gdx8X for Firefox).
  11. You can block ads, whether in the form of banners, pop-ups or video, even if they are located in such websites like Facebook and Youtube with Adblock Plus (https://adblockplus.org/en/chrome). It is currently available for Chrome, Firefox, Opera, and Android.
  12. PeerBlock enables you to control the entities with which your computer is “talking” on the Internet.  You can effectively stop and block any communications with ad-oriented or spyware-oriented servers, among other functionalities.
  13. Use a VPN to hide your IP address as an anonymization service
  14. Install the extension “Window Name Eraser” to stop user-tracking methods such as evercookies from transferring information via the window.name property (http://goo.gl/gkEW6)  .
  15. You can also install Web of Trust (WOT), which will provide you with a warning if you encounter a potentially harmful website and leave you with the choice to enter the website or not  and it will provide rating of website characteristics such as privacy and trustworthiness.
  16. You can get Priveazy, which will send you “notifications of problematic privacy and security settings as you browse…” (https://www.priveazy.com/)
  17. You can use the BetterPrivacy add-on to delete zombie cookies (https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ - Firefox).
  18. You can use Tor and Privoxy, preferably in pair.

Basic methods of avoiding tracking:

  1. Ensure that the website is safe before sharing any information there or filling out any registration forms (by checking the website’s privacy policy and commentaries about the website).
  2. Ensure that your online accounts in the different websites are configured for providing optimal privacy levels.
  3. Use an email provider that has a reliable dedication to the protection of the privacy of its customers.
  4. Enhance the privacy of your browser through various add-ons and extensions.

5. Conclusion

From the discussion above it can be concluded that cookies are a necessary part of the web browsing, although there are certain types of cookies that show the increasing interference of ad networks and businesses in the private life of individuals. It can be deduced that while cookies are positive in nature they also have certain negative. The reasons for web tracking are enumerated, shedding some light on the necessity of web tracking where it is justified and where it is for the proper, smooth functioning and development of the Web and its constituent websites and businesses, having their interests in mind. Furthermore, it can be concluded that the protection of privacy is a cumbersome process, a conclusion that can easily be deduced even from the short discussion on ways of protecting oneself from web tracking endeavors.

6. Final notes

There are many other manners of web tracking and client identification, such as browser fingerprinting, JavaScript trackers (also known as beacons or web bugs), deep packet inspection, http referrer (actually mentioned in this article), identification by IP address (uncertain in today’s Internet), hidden form fields, URL query strings, HTTP authentication, and using the window.name DOM property. However, for the sake of this article we have constrained ourselves to reasonable bounds.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

7. References:

  1. Adobe, “Advertising services.” Available at: http://www.adobe.com/privacy/advertising-services.html
  2. VB, “How advertisers track you and what information they collect (infographic).” Available at: http://venturebeat.com/2013/03/04/online-tracking/
  3. Ask MetaFilter, “What information can website owner track about visitors.” Available at: http://ask.metafilter.com/153927/What-information-can-website-owner-track-about-visitors
  4. Byron Acohido, “Web tracking has become a privacy time bomb.” Available at: http://usatoday30.usatoday.com/tech/news/2011-08-03-internet-tracking-mobile-privacy_n.htm
  5. Abine, “How you can be tracked online.” Available at: http://www.abine.com/tracking.php
  6. Niklas Schmucker, “Web Tracking.” Available at: http://www.snet.tu-berlin.de/fileadmin/fg220/courses/SS11/snet-project/web-tracking_schmuecker.pdf
  7. Wikipedia, “Like button.” Available at: https://en.wikipedia.org/wiki/Like_button
  8. Ereachconsulting, “Benefits of Targeted Advertisements: A Spotify Fail.” Available at: http://www.ereachconsulting.com/benefits-of-targeting-advertisements/
  9. Ask Leo, “What is contextual advertising, and how does it affect my privacy.” Available at: http://ask-leo.com/what_is_contextual_advertising_and_how_does_it_affect_my_privacy.html
  10. Wikipedia, “Computer surveillance.” Available at: http://en.wikipedia.org/wiki/Computer_surveillance
  11. Savindra, “Web Tracking Techniques.” Available at: http://superoxideblog.wordpress.com/2013/03/19/web-tracking-methods/
  12. NAI, “Personally Identifiable Information (PII).” Available at: http://www.networkadvertising.org/glossary/term/personally-identifiable-information-pii
  13. Chiron, “How to Protect Your Online Privacy.” Available at: http://www.techsupportalert.com/content/how-protect-your-online-privacy.htm
  14. Wikipedia, “HTTP cookie.” Available at: http://en.wikipedia.org/wiki/HTTP_cookie
  15. Wikipedia, “Zombie cookie.” Available at: http://en.wikipedia.org/wiki/Zombie_cookie
  16. Christian Olsen, “Supercookies: What You Need to Know About the Web’s Latest Tracking Device.” Available at: http://mashable.com/2011/09/02/supercookies-internet-privacy/
  17. Cory Janssen, “Zombie cookie.” Available at: http://www.techopedia.com/definition/25736/zombie-cookie
  18. COOKIE CONTROLLER, “Flash cookies.” Available at: http://cookiecontroller.com/internet-cookies/flash-cookies/
  19. AllAboutCookies, “What are persistent cookies used for.” Available at: http://www.allaboutcookies.org/cookies/persistent-cookies-used-for.html
Ivan Dimov
Ivan Dimov

Ivan is a student of IT and Information Security. He is currently working toward a Master's degree in the field of Informatics in Sweden. He is also a freelance web developer engaged in both front-end and back-end coding and a tech writer. Whenever he is not in front of an Interned-enabled device, he is probably reading a print book or traveling.