As you surf the web, upload photos to Instagram, or click and buy via an online shop, do you really know how much is being tracked by increasingly smart technologies?
Earlier this year, the introduction of GDPR increased the conversation around how companies use our data. In a world of ad tracking, location sharing and endless password, personal data and credit card breaches, just how can a user protect their own privacy?
Put simply: is privacy effectively dead online?
“There’s data people knowingly ‘give away’, through checking into Facebook for example, but that’s not the data companies use to make enormous amounts of money,” explained Gus Hosein, executive director at online rights pressure group Privacy International.
“It’s data they use which people have no control of; it’s below the waterline. Once people are aware, they think, ‘How does this company I’ve never heard of have my data?’”
This data is taken by online trackers – computer programs typically embedded into the pages on websites – and done so, in most cases, legitimately.
Ostensibly, online trackers gather information from a user which websites can then use to help improve advertising, or the development of the website itself.
These trackers help website owners learn more about their users, for example, to better tailor content by understanding user journeys, from one page to another, or from one site to another.
Trackers are also used to capture cookie information about you – your likes and dislikes – and this information gets traded to other firms who can then better target adverts at you.
We may think of web pages as just text, images and video but every time you open a web page you are effectively running an increasingly complex computer program within your web browser. And as much of our lives now takes place within the windows of browsers, companies are clearly keen to harvest as much as they can about us.
According to Mr Hosein, there is an entire ecosystem of data brokers who buy and sell the information being gathered by these tools. It’s legal, up to a point, but invisible to consumers, poorly regulated and open to abuse.
Princeton research revealed that hundreds of these trackers are logging everything from each press of a key to the movement of your mouse.
“They are gathering information about your browsing habits – what you click, what you do when online, what kind of advice you are using,” warned Eliot Bendinelli, a technologist at Privacy International.
The Princeton University research showed that the data could leak to other third-party companies and “may expose users to identity theft, online scams, and other unwanted behaviour”.
Websites themselves also expose themselves to vulnerabilities. A recent hack of personal information used by people on the British Airways website is alleged to have originated with malicious code in a tracker on the airline’s site.
Some of the world’s most well-known websites can have upwards of 25 different trackers embedded in their web pages. It’s effectively a web within the web – except the strands of these trackers extend invisibly from our lives and back into the hands of organisations far removed from the brands of sites to which we give our trust.
Questions are now being asked about how pervasive these trackers have become. An independent researcher last year revealed that almost half of the world’s top 1,000 websites shared common trackers – giving rise to fears about aggregation of this information.
“The most important thing is for you to start taking back control and to start demanding your right to consent,” wrote Open Privacy executive director Sarah Jamie Lewis.
“These trackers have a huge amount of data,” Mr Hosein said in agreement.
“It’s no surprise that hackers are interested in them.”
He believes that it’s no longer enough to hope that regulators or legislators can help us, leading Privacy International to turn its attention to highlighting the risks this data brokering industry holds.
In the UK, the Information Commissioner’s Office, the body charged with defending our online rights, had to be taken offline after it was discovered a third-party script on its pages had been hijacked and in fact was using the processing power of computers visiting the site maliciously.
Privacy International recommends users take direct action themselves by using a few simple tools to protect their web habits.
It suggests browser extensions such as Ghostery and UBlock Origin, which will both reveal and block the activity of third-party scripts running inside websites you visit. It also recommends a tool from the Electronic Frontier Foundation, another online rights campaign group, called HTTPS Everywhere, which ensures every website encrypts your data when you visit it.
These steps won’t protect your online privacy entirely, but they might be enough to help raise the risks above the waterline.
