It’s no secret that websites typically send user data to third parties, usually without users’ knowledge or consent, but new peer-reviewed research published by University of Pennsylvania privacy researcher and doctoral student Tim Libert shows that the scale of this is enormous: nine out of ten sites leak user data to an average of nine external domains. That means that a single site you visit will send your data to nine outside websites. Libert cites Google as the worst culprit, but gives Twitter props for respecting browsers’ Do Not Track setting. He also points out that the NSA has leveraged commercial tracking tools in order to monitor users. For added privacy, using Tor is your best bet, Libert told Motherboard, so long as you don’t log into any accounts (Gmail, Facebook, etc.) while you’re on it.
Every time an HTTP request is made, information about the user is transmitted to the server hosting the content. This data includes the IP address of the computer making the request, the date and time the request was made, as well as the type of computer and web browser employed by the user, which is known as the “user-agent” field. In addition, the address of the page which initiated the request, known as the “referer” [sic], is included. This information is found in the raw data of the HTTP request itself, an example of which is shown below:
DATE: [10/May/2014:19:54:25 +0000]
REQUEST: “GET /tracking_pixel.png HTTP/1.1”
USER-AGENT: “Mac OS X 10_8_5…AppleWebKit/537.71”
From the above information, the server receiving the request for the file “tracking_pixel.png” can determine that it was made from a user with the IP address 8.67.53.09, using the Safari browser on a Macintosh computer, who is currently viewing a webpage with the address “http://example.com/private_matters.html”. If the server has many such records, patterns of behavior may be attributed to the same combination of IP and user-agent information. This is the most basic form of tracking and is common to all HTTP requests made on the web.
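To see what "many such records" add up to on the receiving side, the following added example (not code from the study or from this article) groups a pixel host's log lines by IP and user-agent and lists the pages each pair was seen on. It assumes the records are stored in Apache "combined" log format; every address, page and user-agent string in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed records in Apache "combined" log format (an assumed layout).
# Addresses are from documentation ranges; pages and agents are invented.
SAMPLE_LOG = '''\
192.0.2.10 - - [10/May/2014:19:54:25 +0000] "GET /tracking_pixel.png HTTP/1.1" 200 43 "http://example.com/private_matters.html" "Mac OS X 10_8_5 AppleWebKit/537.71"
198.51.100.7 - - [10/May/2014:19:55:02 +0000] "GET /tracking_pixel.png HTTP/1.1" 200 43 "http://example.org/news.html" "Windows NT 6.1 Firefox/29.0"
192.0.2.10 - - [10/May/2014:20:01:40 +0000] "GET /tracking_pixel.png HTTP/1.1" 200 43 "http://example.net/clinic_finder.html" "Mac OS X 10_8_5 AppleWebKit/537.71"
192.0.2.10 - - [10/May/2014:20:03:11 +0000] "GET /tracking_pixel.png HTTP/1.1" 200 43 "-" "Mac OS X 10_8_5 AppleWebKit/537.71"
'''

# ip, two ignored identity fields, [date], "request", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def browsing_trails(log_text):
    """Group records by (IP, user-agent) and list the pages each pair was seen on."""
    trails = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        referer = m["referer"]
        if referer in ("", "-"):
            continue  # no Referer header was sent, so the page is not revealed
        trails[(m["ip"], m["agent"])].append((m["date"], referer))
    return dict(trails)


if __name__ == "__main__":
    for (ip, agent), visits in browsing_trails(SAMPLE_LOG).items():
        print(ip, "|", agent)
        for when, page in visits:
            print("   ", when, page)
```

The fourth sample record carries no Referer value, so it contributes no page to the trail even though the request itself was still logged.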