There is something unsettling about an online retailer knowing you are pregnant before you have even told your family. Or a taxi app detecting that your smartphone battery is getting low while knowing their average customer will pay over the odds if they think their phone is about to die.
This first incident happened to an American teenager in 2012 when US supermarket chain Target sent her a discount for baby clothes before she had told her parents. They found out when the coupons arrived in the post.
Target’s data scientists had devised a pregnancy prediction score based on the likelihood of customers purchasing certain products, even going as far as to predict the stage of pregnancy in order to tailor coupons. This was based on a shopper’s unique online identifier, linking their credit card to purchases, browsing habits and all activity within the retailer’s website.
While this is now a famous cautionary tale of behavioural advertising taken to an extreme, it has not stemmed the flow of online tracking. Knowledge is power and companies want to know all about you because it makes it easier to sell you things. And in the case of data brokers, they compile and sell information about you to other companies.
As the old internet adage goes: “If you are not paying for it, you’re not the customer; you’re the product being sold.” Content on the web doesn’t come for free; cookies and other trackers that follow us from site to site are the invisible price we pay.
Most web-savvy individuals are not only tired of hearing this; they think they have the solution to the problem. We get free content in exchange for enduring a few annoying ads which can be spirited away using a browser extension such as AdBlock.
The problem is that this is merely the tip of the iceberg. You might not be seeing those pesky ads any more but tracking technologies are nevertheless following you around online. Ad blockers work a bit like black-out curtains: you don’t have to see all of those zombies pressing up against your window but they’re still out there, waiting patiently for you to move to the next location.
These persistent and patient zombies are known as trackers and they don’t want your braaains; they want to know your habits. Trackers are essentially a network of data collection agencies that follow you everywhere you go on the web and can tell what browser you’re using, the type of device you’re on, your location and, more importantly for them, things you might like to buy based on the websites you frequent.
Behavioural advertising
"As consumers browse websites there are cookies that get dropped on their machines and these cookies store information about you: what you're looking at, what your interests are," says Larry Furr, vice-president of product at Ghostery, a company that provides a free browser plug-in designed to help web users track the trackers and control which ones they do and don't want trailing around after them online.
“They start to build a profile and those profiles are used to target ads towards the user as they go to other sites.”
This is known as behavioural advertising and it works like this: when you Google “holidays in the Bahamas” or search for snorkels on Amazon, cookies are placed on your device. Much like those crumbs dropped by Hansel and Gretel, the idea is to leave a trail so that they can recognise you upon return.
These cookies are shared by advertisers and there are databases that can identify you based on your browsing behaviour and other personal information. While this information might not be tied to your real name, it is a very real profile used to track you from one website to the next.
Watch what kinds of ads pop up in the following days as you move from Facebook to your news site of choice, and it’s likely that the Bahamas, snorkels and related products and services will feature.
“For some people this is great, they really enjoy having ads that are more targeted towards their interests. For others it is creepy and uncomfortable. Everyone has a different opinion as to how they feel about these digital footprints that they leave and how advertisers use them,” says Furr.
Ghostery splits trackers into eight categories including advertising, social media, and website analytics services such as Chartbeat so there is an element of fine-tuning; you may want to keep the useful ones while ditching others. Many trackers are benign and disabling them makes web-browsing a little more difficult. For example, the ability to listen to embedded Soundcloud podcasts or share stories directly to Twitter from the original website are all functions controlled by trackers.
Hidden dark side
Sometimes potentially useful targeting can backfire and hurt consumers. “I know someone who was shopping for an engagement ring and later his girlfriend started seeing all of these advertisements for wedding rings on his computer. The cat was out of the bag so to speak and he wasn’t very happy about that,” says Furr.
Behavioural advertising can also have a hidden dark side. Do you like getting personalised ads? What if I told you that these ads can discriminate against you based on your gender? Researchers Datta et al (2015) from Carnegie Mellon University and the University of California, Berkeley found that “setting the gender to female [in Google’s ad settings] resulted in getting fewer instances of an ad related to high-paying jobs than setting it to male”.
Perhaps the worst offenders are the parasites: ones that even administrators all too often fail to see as they sneak in behind third parties employed by the website.
“An admin might be using some tracker to help users share content through a Facebook or Twitter button but what they don’t realise is that they have now just invited a dozen different adtech vendors on to their website who can now get information on their visitors,” Furr says.
This is confirmed by new research from Princeton University based on the largest known study of online tracking conducted to date. Researchers Englehardt and Narayanan confirm that website operators themselves “are often in the dark about third-party tracking on their own domains”, while noting that “sensitive information such as email addresses may also be leaked to third parties” through a website’s own code.
The good news is that even though this research detected more than 81,000 different third-party trackers, only 123 of these were present on more than 1 per cent of the one million websites they examined. Most web users will only ever encounter third-party tracking from the usual suspects: Google, Facebook and Twitter were the only third-party entities present on more than 10 per cent of websites and the top five are Google-owned.
Smartphone users
Now back to that taxi app: the most intensive kind of data tracking is happening on your smartphone. Recently, Uber revealed that it knew customers were willing to pay up to 9.9 times in surge (pricing in response to demand) for a taxi when their battery level was low. Most smartphone users probably don’t even realise that apps such as these have access to this level of data about their phone usage and this behavioural insight is unlikely to go unused.
"Companies like these have all of this data on you and your phone as well as a history of your trips and locations. They can profile you as an individual and this information isn't only valuable to those companies; it could be dangerous if it fell into the hands of hackers or criminals," says Brian Honan, security expert and director of BH Consulting.
We typically think of browsing or purchasing habits as information that advertisers want but other information including the device you’re using, what IP addresses you log in from and your phone number can be used or sold on to other companies for their marketing needs, says Honan.
A mobile phone number, in particular, is the golden ticket because people usually only have one and it can be used as a single point of reference across all of your online activities. “Many companies ask for a mobile number as a second method of authentication when signing up for a service but it can also be used to market more material to you,” Honan says.
What users also don’t realise is that some of these apps collect data on your location when the app is not even in use. It seems fair that location-based apps access your GPS co-ordinates while you’re using them but it’s possible that somewhere in the terms of use, they have snuck in some extra surveillance with the ability to monitor the blissfully unaware user.
The Federal Communications Commission in the US has issued guidelines to app developers directing that they can do this as long as it is “clearly disclosed” and “offer choices to users regarding such collection” but how is this choice and disclosure manifested? Are we still in the dark?
In defence of these companies, this is pointed out in the terms and conditions of all of these mobile apps. Have you not read these thoroughly? Then, say the smug, the fault lies with you. Or maybe you don't have the time to sit around reading what amounts to the length of David Copperfield or Les Misérables but with no plot and shadier characters.
The Norwegian Consumer Council recently ran what it called the #appfail campaign as a way to highlight the unreasonable length of the average app’s terms and conditions. Taking the top 33 most popular mobile apps in Norway (including WhatsApp, Facebook, Twitter and Netflix), it held a live readathon on YouTube that lasted 31 hours, 49 minutes and 11 seconds.
“The current state of terms and conditions for digital services is bordering on the absurd,” says Finn Myrstad of the Norwegian Consumer Council.
“Their scope, length and complexity mean it is virtually impossible to make good and informed decisions.”
This is worth considering when you next download a cheap app or mobile game and click through the huge page of T&Cs. “You might be thinking, ‘it’s only two quid; I don’t really care’, without realising that it’s not just your money you’re handing over. Maybe your personal information is part of the deal as well,” Honan says.
If this sounds borderline illegal, then it’s worth noting that companies, if they are based in Ireland or elsewhere in the EU, can only gather certain information in accordance with the data protection directive. However, companies operating outside of the EU don’t have to comply.
This tale doesn’t have a happy ending but it has lessons to be learned: use tools such as Ghostery to educate yourself about the trackers on sites you frequent and head straight to the settings each time you download a mobile app, switching off all but necessary data collection. For the online world is dark and full of trackers.