How online ads track users – Explanation for the non-geek

It has been said that web surfers’ online activities can be tracked by Google and other online ad suppliers. Here is an explanation for non-technical folks. I believe this is accurate, but corrections are welcomed, as are suggestions to make this more concise.

First, a little background on how web sites work. The web (http) is “stateless”. That means when a person browses a web site, the site can not retain any information as the user moves between pages. You may find that hard to believe. How could your bank’s web site remember who you are as you clicked on various links and moved between pages? Obviously, the banking web site is able to remember who you are as you navigate. The answer is the “cookie”.

Cookies

A cookie is a small piece of unique information (like a number or string). When you first visit a web site, a cookie can be sent back with the initial web page. The cookie is not displayed anywhere, but it is there behind the scenes. Furthermore, once the cookie is sent to the browser, the browser sends it back to the web site whenever another page is requested. All further communications between the browser and the web site include the cookie. That is how a web site can identify a user and retain state between pages. The cookie identifies you to the web site, allowing the web site to create pages specifically for you.

Cookies may also persist between browser sessions. The cookie may be written to a file. That way a browser can remember the cookie after a user closes the browser. When a browser is started up, it can read the cookies from the prior session.

Browsers provide some security regarding cookies. Mainly, a browser will only provide a web site’s cookie to the source web site. The browser will not supply Amazon’s cookie to eBay. It will only supply it to Amazon’s web site. The browser associates the cookie with a URL and only supplies the cookie to that URL.

Tracking Users

How does this all fit in with online advertisers being able to track specific users? There are three things that are desirable to track: i) the web site where an ad is placed, ii) the user who is viewing (and clicking) an ad, and iii) the identity of the user viewing and clicking ads.

First, Google (or any ad supplier) needs to track where ads are displayed. That is part of their business and a service they provide to their customers. A business that places ads through Google wants to know the sites where the ads are being displayed. Ads are similar to links and a fundamental part of web technology allows for tracking a page referenced from another site. This is standard web technology. There is no issue of privacy here, just the ability to determine where ads are displayed.

Google can also track a user via ads. This is quite common and it is accomplished with cookies. When you visit TheBigFootShoeStore.com and the site displays ads, there are several cookies involved. TheBigFootShoeStore.com has its own cookie. The ads displayed from Google, which are references (links), actually reference Google’s web servers. So Google’s cookie also comes into play. At this point, Google can track all of a user’s web site visits that have Google ads on them. The browser security is still at work, but because the ads are served from the same URL, visits across multiple web sites can be tracked. That may not seem so bad. After all, you are simply anonymous at this point. Or, are you?

You may be revealing who you are to Google, however. If you make use of Google services that are require an account, such as GMail, then Google likely knows who you are. You likely provided your name and possibly other information in setting up your GMail account. If so, Google can track your identity and all web sites you visit that have Google ads on them. It knows how often and when you visited the sites.

Google has been used as an example. Any ad supplier can do the same thing. Google is used because it is the biggest online supplier of advertisements. As they become bigger and more formidable (through acquisition), they gain more control as data collection is centralized. That is not to say that ad suppliers could not cooperate and share data. That could happen too.

Protecting privacy

Recently, I’ve wondered about ways to protect my own privacy. The obvious thing is to turn off cookies altogether. Most browsers provide this option. I don’t recommend turning cookies off though. Some web site won’t work without cookies. Beside, cookies do provide a benefit.

There are a couple of ideas I am experimenting with. I generally don’t log on to Google services. When I do, I make sure to explicitly log off. I am not sure if my identity is retained in the browser after logging off though. Secondly, I noticed that modern browsers seem to have the ability to disallow cookies from specific sites. This is a little tricky to setup, because one must know the URL associated with a cookie. The actual URL from which an ad is served, may not be obvious.

I don’t have any sure fire methods and would like to hear some.