Your Browser is Spying on You
It’s 2019 and websites are only getting more and more intrusive.
It’s been a while since my last piece. A lot has changed. I’ve started working somewhere, I’ve begun new projects, I turned older…
But if I visited your site in the last few months, you probably already knew that.
As the web grows and companies begin to monetize their online presence in an increasingly aggressive manner, netizens like you and me have all but lost any sense of privacy as we browse the internet. Tracking tools from veterans like Google Analytics to the new kids on the block —Hotjar and Peekmap — have allowed websites to track every aspect of our visit, including where we came from, what we click, what our eyes are looking at, and where we’re going.
It’s downright terrifying. How did we get here?
It started with bragging rights, evolved into Google Analytics, and brings us here today with “visitor recordings”, powered by an AI analytics tool that records your visitors and predicts exactly what they’re looking at, aiming to become the behemoth of user tracking.
It all started with bragging rights and the concept of social proof.
It’s a simple, psychologically driven idea, and works the same reason mob mentality does. If you visit a website and see 500 people liked it on Facebook, it has 2400 followers on Instagram, and has been tweeted 240,000 times, then you’re probably going to stay.
A more common earlier form of this was a page hit counter. This would basically be a big number on your page that represents the number of people currently viewing it:
Of course, if I refresh the page or my friend next to me opens it, I expect to see that number go up!
So how do we handle tracking visits? Enter sessions.
A session is basically one usage of the website/service. It starts when you enter the website and it counts when you visit a different page or click something. A session ends when you leave the site and close the tab. It’s a simple idea born out of necessity to count page views accurately.
So every time you visit the site, it counts your session! But this also needs to be tracked. We need a way of identifying each user accurately — enter fingerprinting. I won’t get too into it, but we can digitally fingerprint a user by tracking:
- IP address
- MAC address
- any hardware or internet signals we can get our hands on
- your browser
- your cookies
- and a bunch of other creepy things that let me know you’re you no matter where you go, no matter when you go!
This should already have been enough to raise some red flags, but it only escalates from there. What started as bragging rights/social proof quickly evolved into something much worse.
When you go through an airport, you generally need a Passport. This nifty little book gets you through security checkpoints and allows airports to assert who you are and where you’re from. It also serves to track you as you go from country to country. When you land, normally you’re asked your port of origin (where you’re flying in from), your airline, and why you’re here.
Websites started to check the same thing. They already check your IP, physical address, browser, etc. — your airline. But since websites fingerprint users from when they enter the site, it was a given that they would also take into account where the user was coming from — their online port of entry, if you will. This is known as the referrer.
The referrer would go on to become tremendously important in identifying where users came from, what social channels performed the best, and what traffic was looking like via different sources. Tracking the referrer is an enormous boost to your website — the next time someone tweets you and gets a thousand likes, you’ll know the spike in traffic from your website is coming from Twitter and engage that tweet to milk it for what you can.
Why are you here?
Next came low level tracking tags. People started using services that would log clicks, impressions, conversions and other metrics that arise from user interaction on the website. Developers had been logging requests made to servers for decades at this point, it was a given that the next step would be to filter this and get some useful information.
So every time you click “Add to Cart” or “Buy Now,” the website tracks that and records that in your user file.
Now this isn’t that bad in itself, but what it turned into is the real monster. But first, we must meet the service that caused this mess.
ASL — Age/Sex/Location — is a common slang in anonymous chatrooms in order to identify who someone is talking to.
Of course, your browser doesn’t need this information. But that doesn’t stop it from collecting it and giving it up!
Enter Google Analytics. Google Analytics launched as a webmaster tool — it’s only obvious that the search engine giant would have the best-selling SEO tool — and provided one of the tracking tags I just mentioned. You’d drop this tag into your site and Google would track referrers, sessions, and more, dropping this into a user profile marked with a user ID. You would then call a record event to GA every time an interaction you wanted to log occurred, and Google would amass the data into the correct user profile.
Of course, the “more” is the keyword above. Google, the data giant that it was/still is, began to collect information on user ages, locations, networks, and every piece of profiling data they could get their hands on, turning it all into a neat dashboard that anyone could browse. Google Analytics quickly turned from a logging tool into an intrusive marketing monster.
It got worse.
Heatmap/recording tools had been around for some time but they were always varying degrees of reliability.
When Hotjar released its tool, it pretty much rocked the entire industry — easy visitor recordings for everyone. This was the beginning of one of the most intrusive practices in web analytics, and yet only the tip of the iceberg.
Combining mouse movement tracking with artificial intelligence, Peekmap has managed to create a terrifying tool that tracks everything imaginable. Mouse clicks, movement, typing — it tracks everything and replays it in a nice little video that can be skimmed through. With AI, it then adds eye-tracking without the use of a webcam. It’s terrifying — imagine being able to pretty much watch how your users are using your website.
All of this put together tells a frightening narrative of being able to visualize exactly how visitors use your site — a miracle and the holy grail for webmasters, and a nightmare for users and data privacy.
It’s Time to Draw the Line
With the passing of GDPR, a whole new wave of possibilities has surged in data privacy. What was once a futile proletariat fight against internet giants is now supported by governments across the world.
It’s time that we take a stand against intrusive “analytics” and prohibit tracking to the best of our ability.
It’s a problem that we may just solve with more tech. Take UBlock Origin — it’s a free and open source Chrome extensions that’ll block trackers and ads, keeping you and your data safe. Or Aiko Mail — an AI email client that does all it can to block trackers in your emails. We can fight fire with fire.
In the meantime, tread carefully. Because the next website you go on might just be spying on you.