The hidden price of advertising-sponsored free online content is the behind-the-scenes trade in web histories collected via tracking technologies.

The most widely used technology tracking users across the Web is the tiny computer files web sites place on your machine called cookies. In their simplest, benign form, cookies sent by a service you're using directly (such as Amazon), cookies enable the site to "remember" you and provide continuity as you browse the site's pages. The growth of third-party networks that place advertisements on sites across the web on behalf of their clients created the more dangerous third-party cookie that tracks you as you interact with sites. The data gathered in this way is used to place ads that match what the networks know of your interests. If you frequently browse sites about tennis news sites may likely show you ads for tennis equipment, clothing, and holidays, while your music-loving child might instead see, on the same sites, ads for new CDs and concert tickets.

In the EU, the 2009 e-Privacy Directive requires users' consent before placing third-party cookies on their machines. The UK's cookie directive, which came into effecting May 2011, implements this directive. In the US, privacy standards have traditionally been enforced via contract.

Many websites legitimately display remote content – embedded video clips, share buttons for social networks such as Facebook and Twitter, and contextual advertising and analytics supplied by Google – that share information about you with the remote site whether or not you actually access that content. Hidden remote content, such as tiny (1-pixel) images or JavaScript, may also forward information about you to remote sites. These widespread practices have led the W3 Consortium, which manages the development of the web, to formulate a Do Not Track protocol that would give users an automated way of signalling websites that they have opted out of tracking.

Do Not Track is needed because users have limited choices for opting out of tracking. Browsers can be configured or extended to block ads and other remote content, but doing so requires technical literacy. With the default set to accept third-party cookies in almost all the major browsers, most users do not realise the extent to which their privacy is being invaded. Similarly, most users do not know to use the ad networks' own opt-out pages or, more drastically, to configure their computer or router to block all content coming from ad networks' domains, a level of blocking that makes it nearly impossible to read mainstream news or entertainment sites.

A second W3C effort is the development of tracking protection lists, a proposal Microsoft implemented for Internet Explorer 9. TPLs have significant problems: users must trust the originating organisation to supply constant updates and block the right sites. Finally, users must choose to install the lists, whereas the reality is that most users never change the default settings. The difference, therefore, between opting out of tracking and opting in is crucial.

There is an additional motive for finding a workable answer to tracking: advertisers are beginning to move on to newer, harder-to-block technologies such as browser fingerprinting. There are some 40 to 60 different factors such as the fonts installed on your machine, time zone, screen size, list of plug-ins, and browser and operating system versions that taken together make each individual computer or mobile phone uniquely identifiable. Users can opt out of targeted ads, but the networks may still keep the data.

Behavioural tracking is inherently invasive. The profiles constructed out of these masses of data may contain highly sensitive information: everything you read, watch, listen to, and search for on the Net. Advertisers claim that such data lacks identifiers such as name and address, and therefore is not legally personal data, which means that citizens cannot file subject access requests to find out what information these companies hold about them – if they even are aware which companies to ask. Advertising networks have no relationship with consumers; their customers are advertisers and websites. A further degree of separation applies to third-party brokers, which trade and cross-match such information to create detailed profiles they can resell. In addition, as usage of behavioural tracking grows, it enables fine-grained discrimination, varying per customer which services are offered at what price.

What you can do:

• Find out: is your browser fingerprint unique? 
• Opt out of member ad networks at NAI
•  Internet Explorer 9 users: add a tracking protection list 
• Read the wiki page for tips on how to block third-party cookies and profiling
• Read more at Privacy International
• Read Eli Pariser's book, The Filter Bubble 
• Join ORG.