Vicente Diaz, Kaspersky Lab
One of the good things about social networks is that they have made people realize how embarrassing and 'undeletable' digital content can be, posing a real threat to their privacy. But there is a much bigger and more threatening practice that affects our privacy every day and that we usually overlook: tracking.
Every time you visit a website you request HTML that will be rendered in your local browser. This code may include external references, so you will request them as well. But what happens when these external requests are used to track you?
After you visit, let's say, Facebook, your browser stores some cookies that identify you, and they remain even after you log out. Then you visit some random website that includes 'I like' buttons, which are in fact external references to Facebook. Because the browser sends Facebook's own cookies along with any request to Facebook, Facebook gets a request with the HTTP Referer www.randomwebsite.com and with the cookie that identifies you. Result: Facebook knows all the sites you browse, as long as they include a reference to Facebook.
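The mechanism above, as an added example that is not part of the original paper: given a log of browser requests, it reconstructs the browsing history each third party can assemble from the Referer header plus its own identifying cookie. The request log, the cookie value, the URL paths and the function names are constructed for illustration, and the two-label site comparison is a simplification of the Public Suffix List.

```javascript
// Constructed request log (not captured traffic). Each entry is one request
// the browser sends: target URL, Referer header, and Cookie header.
const requests = [
  { url: "https://www.facebook.com/", referer: null, cookie: "uid=abc123" },
  { url: "https://www.randomwebsite.com/", referer: null, cookie: "" },
  { url: "https://www.facebook.com/button", referer: "https://www.randomwebsite.com/", cookie: "uid=abc123" },
  { url: "https://static.randomwebsite.com/app.js", referer: "https://www.randomwebsite.com/", cookie: "" },
  { url: "https://news.example/", referer: null, cookie: "" },
  { url: "https://www.facebook.com/button", referer: "https://news.example/story", cookie: "uid=abc123" },
  { url: "https://cdn.example.net/lib.js", referer: "https://news.example/story", cookie: "" },
];

// Simplified "site" of a URL: its last two host labels.
// Assumption: good enough for this sample; real tooling uses the Public Suffix List.
function site(urlString) {
  return new URL(urlString).hostname.split(".").slice(-2).join(".");
}

// Build what each third party can see:
// tracker site -> (cookie value -> set of first-party sites the user was on).
function trackerView(log) {
  const seen = new Map();
  for (const { url, referer, cookie } of log) {
    if (!referer || !cookie) continue;   // no page context, or no identifier sent
    const tracker = site(url);
    const page = site(referer);
    if (tracker === page) continue;      // first-party request, not cross-site
    if (!seen.has(tracker)) seen.set(tracker, new Map());
    const byCookie = seen.get(tracker);
    if (!byCookie.has(cookie)) byCookie.set(cookie, new Set());
    byCookie.get(cookie).add(page);
  }
  return seen;
}

// Sites a given tracker can link to one cookie, sorted for stable output.
function visibleHistory(log, tracker, cookie) {
  const byCookie = trackerView(log).get(tracker);
  return byCookie && byCookie.has(cookie) ? [...byCookie.get(cookie)].sort() : [];
}

console.log(visibleHistory(requests, "facebook.com", "uid=abc123"));
```

Requests that carry no cookie, such as the static and CDN fetches in the sample, do not appear in any tracker's view because nothing ties them to a returning user.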
But cookies are just the beginning. Flash cookies, aggressive JavaScript and other techniques are used on a regular basis to bypass privacy mechanisms.
If we visit a single popular newspaper, we make an average of 11.3 requests to different tracking sites. Over 93% of the top 100 most popular sites include at least one request to tracking sites. A single request to a site may result in more than 10 cookies being created in your browser.
This paper explores all the different tracking techniques available and how they are used. Then it performs several experiments by browsing and analysing traffic on the top 100 sites country by country according to Alexa, and cross-checking results with our tracking database. It is quite astonishing to see the data on how much tracking millions of users are subjected to on a daily basis.
Why so much tracking? The answer is money. It's not about advertisements, it's about profiling users. Just think about when you ask for a loan from your bank: you have a profile, and no matter what you say, you will get the loan if and only if the computer finds that your profile fits the requirements. In the near future, all companies could have access to super-profiles where all our data is available, and then the computer will decide...