call +44 20 7096 1079

Behavioural Tracking

The hidden price of advertising-sponsored free online content is the behind-the-scenes trade in web histories collected via tracking technologies.

The most widely used technology tracking users across the web is the tiny computer files web sites place on your machine called cookies. In their simplest, benign form, cookies sent by a service you're using directly (such as Amazon), cookies enable the site to "remember" you and provide continuity as you browse the site's pages. The growth of third-party networks that place advertisements on sites across the web on behalf of their clients created the more dangerous third-party cookie that tracks you as you interact with sites. The data gathered in this way is used to place ads that match what the networks know of your interests. Gathering data in order to sell you things may seem innocuous, but in 2013 the Snowden documents revealed that the NSA piggybacks on advertiser tracking for surveillance purposes.

In the EU, the 2009 e-Privacy Directive requires sites to obtain users' consent before placing third-party cookies on their machines. The UK's cookie directive, which came into effect in May 2011, implements this directive. In the US, privacy standards have traditionally been enforced via contract.


Many websites legitimately display remote content – embedded video clips, share buttons for social networks such as Facebook and Twitter, and contextual advertising and analytics supplied by Google – that share information about you with the remote site whether or not you actually access that content. Hidden remote content, such as tiny (1-pixel) images or JavaScript, may also forward information about you to remote sites. These widespread practices led the W3 Consortium, which manages the development of the web, to formulate a Do Not Track protocol that would give users an automated way of signalling websites that they have opted out of tracking.

Users have limited choices for opting out of tracking. Browsers can be configured or extended to refuse third-party cookies, block ads and other remote content, but doing so requires technical literacy. Similarly, most users do not know to use the ad networks' own opt-out pages or, more drastically, to configure their computer or router to block all content coming from ad networks' domains (which effectively disables most mainstream news and entertainment sites). Therefore, the difference between opting into and opting out of tracking is crucial. For this reason, Microsoft opted to turn on Do Not Track by default in Internet Explorer 10. As of early 2014 Do Not Track had stalled owing to industry disagreement over this point..

There is an additional motive for finding a workable answer to tracking: advertisers are beginning to move on to newer, harder-to-block technologies such as browser fingerprinting. Taken together, some 40 to 60 different factors such as the fonts installed on your machine, time zone, screen size, list of plug-ins, and browser and operating system versions that taken together make each individual computer or mobile phone uniquely identifiable. Users can opt out of targeted ads, but the networks may still keep the data.

ORG's view

Behavioural tracking is inherently invasive. The NSA revelations show that building an infrastructure that supports surveillance is dangerous even if it's done for purely commercial purposes. The profiles constructed out of these masses of data may contain highly sensitive information: everything you read, watch, listen to, and search for on the Net. Advertisers claim that such data lacks identifiers such as name and address, and therefore is not legally personal data, which means that citizens cannot file subject access requests to find out what information these companies hold about them – if they even are aware which companies to ask. Advertising networks have no relationship with consumers; their customers are advertisers and websites. A further degree of separation applies to third-party brokers, which trade and cross-match such information to create detailed profiles they can resell. In addition, as usage of behavioural tracking grows, it enables fine-grained discrimination, varying per customer which services are offered at what price. At the end of 2013, the state of California led the way by passing amendments to the California Online Privacy Protection Act that require greater transparency about how companies respond to Do Not Track signals

What you can do: