Tracking the Trackers on College and University Web Sites

Tracking the TrackersTracking the trackers on college and university web sites is surprisingly easy and something every CIO, CMO  and compliance officer should be able to do. Here I will offer another layer of insights into how users are tracked on your websites and share with you some tools so you can begin tracking the trackers yourself on your university web site and any others that you visit, including mine. 

How Online User Tracking Works

This will be more of a kitchen table explanation but it is still absolutely essential knowledge for anyone responsible for web governance, social media marketing, security, privacy, and compliance. You should already be familiar with the use of cookies, web beacons and browser fingerprinting.

To keep this simple I thought I would showcase the brilliant work of Franziska Roesner, Tadayoshi Kohno, and David Wetherall of the University of Washington in their paper Detecting and Defending Against Third-Party Tracking on the Web. The following examples are excerpts from this paper which everyone should read for an even deeper understanding.

Third-Party Analytics

Third-Party Analytics

Google Analytics

Websites commonly use third-party analytics engines like Google Analytics (GA) to track visitors. This process involves (1) the website embedding the GA script, which, after (2) loading in the user’s browser, (3) sets a site-owned cookie. This cookie is (4) communicated back to GA along with other tracking information.

Third-Party Advertising

Third-Party Advertising

Doubleclick Ads

When a website (1) includes a third-party ad from an entity like Doubleclick (acquired by Google), Doubleclick (2-3) sets a tracker-owned cookie on the user’s browser. Subsequent requests to Doubleclick from any website will include that cookie, allowing it to track the user across those sites.

Third-Party Advertising Networks

Third-Party Advertising Networks

Ad Networks (Like Google AdSense)

As in the ordinary third-party advertising case, a website (1-2) embeds an ad from Admeld, which (3) sets a tracker-owned cookie. Admeld then (4) makes a request to another third-party advertiser, Turn, and passes its own tracker-owned cookie value and other tracking information to it. This allows Turn to track the user across sites on which Admeld makes this request, without needed to set its own tracker-owned state.

Social Media Widgets and Social Icons

Social Widgets

Facebook Like Button

Social sites like Facebook, which users visit directly in other circumstances—allowing them to (1) set a cookie identifying the user—expose social media widgets such as the “Like” button. When another website embeds such a button, the request to Facebook to render the button (2-3) includes Facebook’s tracker-owned cookie. This allows Facebook to track the user across any site that embeds such a button. This illustrates how the Facebook Like Button violates most privacy policies.

Tracking the Trackers TED

Gary Kovacs, CEO of the Mozilla Corporation, appeared at TED Long Beach in March 2012 and unveiled the hidden world of online trackers. If online trackers is a new world for you then this will be eye opening.

Tracking the Trackers Collusion

Collusion is the browser add-on available for Firefox and Chrome that was featured in the Tracking the Trackers TED presentation above. It’s free and something I find incredibly valuable – and not just to write articles on.Tracking the Trackers Collusion

This particular Collusion graph is from my own browser after visiting just a handful of media sites and some IT blogs I read. What the Collusion graph shows is that I only visited 13 sites shown with the blue halos but over 65 other sites were notified of my visits 30 of which are known tracker sites shown with the red halos.

Tracking the Trackers Ghostery

Tracking the Trackers Ghostery

Trackers on
(Click to Enlarge)

I also run Ghostery which is another browser add-on for all popular browsers. Just like Collusion it displays the trackers being communicated with when accessing a web page using a database of 900+ tracker fingerprints. This is ghostery list just from visiting

What Ghostery does that I find very useful is it provides link to their database where you can find vendor provided and other information on the data practices and privacy policies.

For me, I find that using both Collusion and Ghostery is very beneficial. So I imagine most site administrators, marketing directors and social media folks would also find them useful in examining their sites from tie to time just as the privacy and compliance officers.

What’s Next?

Hopefully you are finding this series of posts on online privacy to be more than interesting. I hope you are finding it enlightening and useful. I hope it inspires a review of your current web governance and social media policies as well as a review of your web site privacy policy.

To help you with those activities I have some other tools to show you as part of some case studies and deeper illustrations. So stay tuned, and if you are so inclined, share your Collusion or Ghostery experiences in the Comments below.

This entry was posted in Privacy and tagged , , , , , , , . Bookmark the permalink.