Introduction

Have you ever loaded your favourite web-browser, visited a few pages and found that they seemed to know you intimately, like they just read your private diary or something? That car and/or clothes and/or holiday that you briefly looked at suddenly following you around the internet, literally BEGGING you to make that purchase in new and interesting ways! The TV show you are part way through appearing all over the place, with that episode you haven't watched yet being promoted incessantly! Gosh it's SO annoying! I remember booking my 2016 trip to Vegas, complete with flights ✈ and hotels, hopping onto social media and having everything I purchased being advertised to me (something clearly went wrong)! The only way to make the ordeal stop was to move to a different browser!

Have you ever wondered how it is even possible to be cyber-stalked in such a way? To be honest, it used to really creep me out that so many websites had so much insight into my browsing habits and likes and dislikes based on activity from other services, so this was of definite interest to me! Privacy is so important, and it seems that just by browsing the internet, we are giving up more and more of it, mainly because many of our interactions on many different sites are being tracked using ingenious techniques designed to obtain AS MUCH INFORMATION about us as possible.
I personally believe the only way people can properly consent to this tracking is to:

Have an appreciation of tracking

Possess a passable understanding of the techniques being used

Be knowledgeable of the options available to us to avoid such intrusive behaviour

I have previously summarised a number of ways to keep yourself safe online, so if you want further information on this, check out the article at the link below.

Five Ways to Stay Safe and Secure Online

Person spying on your activities on the internet

Walking Around with Eyes 👀 Looking Over Your Shoulder

When embarking on this journey of enlightenment, it would definitely be shrewd to try to define what we mean by 'Tracking'. The best definition I could come across was the one defined by the World Wide Web Consortium (W3C) Working Group for (funnily enough) the Do Not Track (DNT) standard, which unfortunately was concluded without widespread adoption. I am familiar with the document as I used it to implement the DNT standard in my own services, and even though no further work will be undertaken, I fully appreciate what they tried to achieve 😀.

Tracking Preference Expression (DNT)

According to the proposed standard, the concept of Tracking is defined as:

Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. A context is a set of resources that are controlled by the same party or jointly controlled by a set of parties.

For the purposes of this post, I will be using this definition of 'Tracking'. It's important to understand that not all observational behaviour is classified as tracking, and certain elements are absolutely ESSENTIAL when providing a service.
For example, it is important that service providers monitor their site usage to observe activities which include (but are not limited to) the following:

Security Incidents: Incorrect logins and/or malicious password resets and/or attempting to access forbidden resources may suggest that a service is under attack, forcing the provider to take action.

Bugs and Crashes: Any hiccups with site operation need to be logged to facilitate fixing the underlying issues. This could prove impossible without supplementary data and crash information.

Usage Reports: How the service is actually used is important for developers to understand. This can guide where developmental effort is placed, allow for performance targets to be set and provide vital insights such as location(s) of userbase (for focus and growth) and the kind of browsers used (for targeting).

If a party (or set of parties) is performing these tasks on resources they control (i.e. their own context), then we could class this as monitoring. It is when information is used from other contexts shared by other parties that we venture into tracking territory and need to be wary! As an aside, aspects including what data we should be storing and defined retention periods (i.e. GDPR discussions) are conversations for another day.

The Hidden Pixel

One way that you are tracked around the web and how marketers and/or scammers know that you've read an email is by making use of a web element that is actually intended for another purpose, i.e. the image <img /> tag used to show you images. Welcome Ladies and Gentlemen to the 'Tracking Pixel', a stealthy, 1x1 pixel image that can be loaded into websites and emails to track your every move and habit, where organisations know more about your activity than you do by recording these actions in their databases.
A 'Tracking Pixel' is not intended for the human eye (which is why it is 1x1 in size), and usually takes the following form:

An example of a tracking pixel which is used to silently alert that documents (such as emails and websites) have been viewed

The image your device is requesting isn't for your personal benefit, as merely requesting it allows for the cyber-stalking.com domain to stealthily track your page/email view without your knowledge. Think of it this way, if lots of services subscribe to the cyber-stalking.com tracking service to assist with serving you with targeted adverts (a VERY popular use case), then your movements across the internet will be known to cyber-stalking.com whenever you retrieve this pixel. The devil is in the SUPPLEMENTARY_GUFF detail, which allows specific parameters to be tracked. Sometimes organisations go out of their way to hide these elements from you, and encode this SUPPLEMENTARY_GUFF into something ugly using an encoding like Base64:

http://cyber-stalking.com/tracking-pixel.jpg?Y2xpZW50X2lkPTEmY2FtcGFpZ25faWQ9MSZ1c2VyX2lkPTE=

If you see funny SUPPLEMENTARY_GUFF like this (after the question mark '?'), you can use the following handy tools to decode it into human-readable text. You can also create your own scrambled nonsense if you want to!

Base64 Encode and Decode - Online

Base64 Encode - Online Tool

As an example, let's take the fictional (off the top of my head) Ted's Marketing Email Service (TMES) which is used to send out marketing information. TMES has many clients that use it to send emails to users on collected mailing lists, and offers 'Engagement Analytics' including whether or not the user read the email, how many times etc. How does TMES do this?
Well let's have a look at the SUPPLEMENTARY_GUFF 'Tracking Pixels' sent within each email:

3 example tracking pixels which include 2 campaigns sent by 2 organisations to 3 users

Here we can see two clients (client_id=1 and client_id=2) have each conducted email campaigns (campaign_id=1 for client_id=1 and campaign_id=2 for client_id=2) sending emails out to 3 users (user_id=1, 2 and 3). When emails are opened by the users, the tracking pixel will be stealthily downloaded and use these parameters to register that the user has opened the email and count the number of times they do so. There are your metrics!!! They can even pull extra metadata such as email client/browser used, location (based on your IP address) using the supplementary information that is provided on every request (more on this later).

By the way, if this sounds like read receipts to you, please don't be fooled. Email read receipts are opt-in, where a message is displayed asking you if you want to provide a receipt to the sender. These pixels don't give you that option, so every time you open the email, cyber-stalking.com knows about it, along with whichever client created the campaign. This data is also subject to whatever third-party data sharing agreements the company uses, which you couldn't know as you probably aren't even aware of their existence! So next time someone asks you about that email they sent you, be very wary when lying and saying "oh sorry I must have missed it" 😂! They'll likely know more about how many times you read it than you do!

Emails received that can easily be tracked

This example was for email tracking using this magic pixel, but websites can use similar techniques. So when you view that pair of jeans, this information then goes to ad networks who now know exactly which pair of jeans you viewed on which site.
Along with this they will have an idea of where you viewed them and if even more clever techniques are used (like data enrichment services where you can pay to have further information about users appended to your dataset), they can aggregate your age, gender, etc. to paint a very accurate picture of who you are. This can then be used to suggest nearby retailers who stock those jeans, and the belt, socks and shirt that are popularly bought alongside. Beware of the emails you read and pages you navigate to, especially when such data aggregation services have been known to leak their information in the past.

Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records

2 Billion Unencrypted Records Leaked In Marketing Data Breach --What To Do Next

There are a few things that you can do to help prevent yourself being tracked in this way. For emails, set your email client (Outlook, Gmail etc.) to not automatically download images in emails and never elect to retrieve them. I know that it makes some emails look weird, but you'll still be able to read the text. As for blocking tracking across the internet, there are browser plugins that can help keep your privacy in check which include:

Electronic Frontier Foundation Privacy Badger: Tracker Blocker

Ghostery: Tracker Blocker

NoScript: Script Blocker (Beware, this can tank websites in your browser so read up if you want to use!)

Tracking the Links that You Click

Camera keeping an eye on everything within its perimeter

So how do companies know that you specifically have clicked a link even when you aren't logged into their service? How can advertising companies accurately report click links in analytics and pay for click-through marketing? How do scammers know the precise users who clicked through their dangerous emails?
Without programming an extra action explicitly into the site that you are using, organisations wouldn't be able to track your click on a link leading to another context (domain controlled by someone else). Instead, companies can use specific links that THEY control rather than the address that you ultimately end up at, register your click to that link and then subsequently redirect you to the address that you actually want to go to.

Let's use an example to illustrate the point. Sandra has a popular website where she discusses gym life, reviews products and also collaborates with major brands. For her sponsored reviews and collaborations, she includes an outbound affiliate link to the brand which takes users to a sales funnel. The company who owns the destination site can track users coming from Sandra's site using the 'referrer' metadata sent with the request, but if Sandra just uses www.some-fitness-brand.com/product, she won't be able to track which of her users ended up clicking the link. She might want this information to measure the success of her campaign, monitor her overall engagement and use the figures to market her site to bigger brands.

For this information, Sandra enlists the help of cyber-stalking.com and purchases a subscription to their EXCELLENT link tracking tools including trackable links, and the full set of engagement analytics she wants. cyber-stalking.com makes links trackable by integrating with Sandra's site and replacing her links with ones that point to the domains controlled by cyber-stalking.com. When a user clicks this link, they are briefly taken to the cyber-stalking.com domain, their click is registered (for the analytics provided to Sandra) and they are then redirected to the site of the brand Sandra is linking to.
A basic breakdown of this methodology is shown below.

Diagram showing the stages of tracking a user click (put simply)

To get around link tracking, you can avoid clicking links (which is great for security), navigate to the homepage of the site in question and find the resource there. Yes I know, very long winded 🤣🤣🤣!

Your Browser Choice Says a LOT About You

Whenever you make a request to ANY web resource (including your crazy cat picture), quite a bit of supplementary information is sent within this request. This extra data is sent as headers, and is used by the sites for a variety of different reasons. These per-request headers include:

Accept: The formats the browser understands

Accept-Encoding: Content encoding (usually a compression method) that the browser understands

Accept-Language: A list of languages the browser understands and the preferred locale

User-Agent: The browser used along with its capabilities

DNT: A (now-defunct) method to instruct websites to not track users (they don't have to comply)

These headers are very useful for websites when monitoring users and their subsequent usage. For example, if a site finds that most visitors use mobile versions of browsers, the developers could elect to optimize their sites for these smaller screens. If a user signals that they do not want to be tracked across the internet (by sending a DNT), then the website owner COULD elect to turn off all tracking and data-sharing methods for these requests. However, it is because many site owners didn't want to integrate this standard that it is now defunct (perhaps because their business models centered around tracking and selling user data). What I'm trying to say is that these headers have been included to help rather than for nefarious purposes.

Tablet computer showing site using metrics

However, all that glitters most certainly isn't gold on the wild west that is the internet.
The combination of these very headers is used by many sites to accurately fingerprint visitors and users, EVEN when they aren't signed into a service. Your fingerprint can be further enriched by using some clever website programming to determine further capabilities of your browser not provided by the User-Agent header. This digital fingerprint of your computer can easily follow you around the web, so even if you don't log into various services across your browsing sessions, the sites still identify you and are able to draw upon your online habits to best tailor experiences for you. They can also package up this usage data and sell it on further.

It is important to note that using a VPN, clearing your browsing history regularly, deleting your cookies and using incognito/private mode does ABSOLUTELY NOTHING to prevent this kind of identification. Doing any of this doesn't change the header values that are sent to the site. The only way to somewhat mitigate this kind of tracking is to use a popular browser and configure it to have a popular, generic configuration. That way when you browse to sites implementing this kind of technology, you look the same as thousands of other visitors and thus cannot be identified. To find out more about these methods and test your browser, check out the excellent resources below.

Electronic Frontier Foundation Panopticlick

AmIUnique

Location

Sites don't have to only rely on GPS or the location capabilities of your devices to know where you are. Every time you make a request, your IP (your address on the internet) is sent alongside, and from this your region and location can be determined. This is because IP addresses fall within a range and each range has a known location. This enables site owners to use their analytics etc. to determine where visitors are coming from and (if they want to) track their user locations.
It is how streaming services like Netflix and Amazon Video can region-gate their content so that (for example) people in the UK can only view UK Netflix etc.

If you aren't happy with a site knowing where you are, you can use a VPN service to mask your IP address. Know that some services forbid this in their T&Cs, and some block access from such services. Also, please read up on VPN services and understand what you are getting into before you start tunneling your internet browsing through someone else's network. As an excellent primer for some of the ways VPNs can be more harm than good, have a look at the (harshly named) article below. For the benefits, visit the sites of the various providers and they'll happily fill in the blanks.

Don't Use VPN Services

Nothing is Sacred Anymore

The numerous internet traffic monitoring techniques used by web services make it almost impossible to privately surf the web without being tracked every step of the way. The more we use it, the more accurate the picture that a selection of centralized service providers build up of our habits. If we aren't careful and their security is bypassed, this accurate record of ourselves can make its way in front of eyes it wasn't intended for, and/or into the wrong hands to be used for nefarious purposes. By having a knowledge of such techniques, understanding how they are used and appreciating the measures available to reduce our exposure, we can take steps to protect ourselves online and get back to looking at those jeans in peace WITHOUT being stalked!

Take care and all the best, Si.
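The decoding step described under 'The Hidden Pixel', as an added example that is not part of the original post: it scans an email's HTML for 1x1 or hidden images and turns a Base64 query string back into readable parameters. The <img> markup and the shop.example banner are constructed assumptions; the pixel URL is the one quoted in the post.

```python
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample email body. The <img> markup is an assumption about how
# a pixel is embedded; the tracking URL is the one quoted in the post.
SAMPLE_EMAIL_HTML = """
<html><body>
  <p>Big summer sale!</p>
  <img src="https://shop.example/banner.jpg" width="600" height="200">
  <img src="http://cyber-stalking.com/tracking-pixel.jpg?Y2xpZW50X2lkPTEmY2FtcGFpZ25faWQ9MSZ1c2VyX2lkPTE=" width="1" height="1" />
</body></html>
"""


def decode_query(query):
    """Return the parameters from a Base64-encoded or plain query string."""
    query = unquote(query)
    try:
        decoded = base64.b64decode(query, validate=True).decode("utf-8")
        params = dict(parse_qsl(decoded))
        if params:
            return params
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass  # not Base64: fall through and treat it as an ordinary query
    return dict(parse_qsl(query))


class PixelFinder(HTMLParser):
    """Collect <img> tags that are 1x1 (or 0x0) in size or hidden with CSS."""

    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "")
        if tiny or hidden:
            url = urlsplit(a.get("src") or "")
            self.pixels.append({"host": url.hostname, "params": decode_query(url.query)})


def find_tracking_pixels(html):
    finder = PixelFinder()
    finder.feed(html)
    return finder.pixels


if __name__ == "__main__":
    print(find_tracking_pixels(SAMPLE_EMAIL_HTML))
```

The visible 600x200 banner is ignored; only the 1x1 image is reported, with the identifiers it would have sent when the email was opened.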
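The header fingerprinting described under 'Your Browser Choice Says a LOT About You', as an added example that is not part of the original post: it hashes the five listed headers and measures how many visitors share each result, which is why a popular, generic configuration is harder to single out. The header values and visitor mix are constructed, and combining the headers with SHA-256 is an assumed method.

```python
import hashlib
import math
from collections import Counter

# The per-request headers the post lists as fingerprint material.
FINGERPRINT_HEADERS = ("Accept", "Accept-Encoding", "Accept-Language", "User-Agent", "DNT")

# Constructed header sets: a popular configuration and an unusual one.
COMMON = {
    "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-GB,en;q=0.9",
    "User-Agent": "ExampleBrowser/100.0 (constructed)",
}
RARE = {
    "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
    "Accept-Encoding": "gzip",
    "Accept-Language": "cy-GB,cy;q=0.9,eo;q=0.5",
    "User-Agent": "ExampleBrowser/57.0 (constructed; NicheOS)",
    "DNT": "1",
}
# Constructed traffic: seven visitors with the popular setup, one with the rare one.
SAMPLE_REQUESTS = [COMMON] * 7 + [RARE]


def fingerprint(headers):
    """Hash the listed headers in a fixed order; cookies and IP play no part."""
    material = "\n".join(headers.get(name, "") for name in FINGERPRINT_HEADERS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def anonymity_report(requests):
    """Map each fingerprint to (visitors sharing it, bits of identifying information)."""
    counts = Counter(fingerprint(h) for h in requests)
    total = len(requests)
    return {fp: (n, round(math.log2(total / n), 2)) for fp, n in counts.items()}


if __name__ == "__main__":
    # Clearing cookies changes the Cookie header but not the fingerprint.
    cleared = fingerprint(COMMON)
    with_cookie = fingerprint(dict(COMMON, Cookie="session=constructed"))
    print("same fingerprint after clearing cookies:", cleared == with_cookie)
    for fp, (n, bits) in anonymity_report(SAMPLE_REQUESTS).items():
        print(fp, "shared by", n, "visitor(s),", bits, "bits")
```

A visitor whose fingerprint is shared by only one request is unique in that sample; the more visitors share a fingerprint, the fewer bits it contributes towards identifying any one of them.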