January 21, 20265 min read

How Online Tracking Actually Works

The invisible infrastructure following you across the internet, explained in plain terms.

You're being watched on almost every website you visit.

Not by some shadowy figure in a basement. By automated systems designed to follow you across the internet, building a profile of your behavior that gets sold to advertisers. A 2024 study by Ghostery found that the average website loads 15 trackers before you've even scrolled. We're breaking down exactly how this surveillance machine operates.

Cookies: The Original Tracking Method

Cookies are small text files websites store on your computer. They were invented for useful purposes. Keeping you logged in. Remembering your shopping cart. Saving preferences. That's first-party cookies. Set by the site you're visiting. Mostly harmless.

Third-party cookies are the problem. These come from domains other than the site you're on. Visit a news site, and it loads ads from an ad network. That ad network drops a cookie. Visit a different site with the same ad network? They recognize you. Now they're building a profile across multiple sites.

Google's ad network appears on over 2 million websites. Facebook's tracking pixel runs on 30% of the top 10,000 sites according to BuiltWith data from 2024. One tracker can follow you almost everywhere.

The Tracking Scale

The median website connects to 9 different third-party domains, each potentially tracking your visit. Major news sites can connect to over 100. — Web Almanac HTTP Archive, 2023

Tracking Pixels: The Invisible Watchers

A tracking pixel is a 1x1 transparent image embedded in a webpage or email. You can't see it. But when your browser loads it, the server logs your visit along with your IP address, browser type, and timestamp.

The Facebook Pixel is the most common example. Websites install it to track conversions from Facebook ads. But it also lets Facebook know you visited that site even if you didn't click an ad. Same with Google Analytics, the LinkedIn Insight Tag, and dozens of others.

Email pixels are brutal. A sender embeds one in a marketing email. You open it. They now know when you opened it, where you were (roughly), and what device you used. Some email clients block these by default now, but many don't.

Browser Fingerprinting: When Cookies Fail

Delete your cookies? Clear your history? Fingerprinting doesn't care. It identifies you based on your browser's unique configuration.

Your screen resolution. Installed fonts. Timezone. Language settings. Plugins. Graphics card. How your browser renders specific elements. Combined, these create a fingerprint that's unique to you with 99.5% accuracy according to research from Princeton's WebTAP project.

The irony? Privacy-conscious users with unusual configurations are easier to fingerprint. Your rare browser extensions and custom settings make you stand out more than someone with default everything.

What Data Gets Collected

  • Pages visited and how long you stayed on each
  • Scroll depth (how far down you read)
  • Mouse movements and clicks
  • Items viewed and added to cart
  • Search queries on the site
  • Referrer (where you came from)
  • Approximate location via IP address
  • Device information (mobile vs desktop, operating system, browser)

None of this requires your name. But combine enough data points and you become identifiable anyway. One study showed that four location points were enough to uniquely identify 95% of individuals.

The Real-Time Bidding Machine

Here's where it gets industrial. When you visit a page with ads, your profile gets auctioned in milliseconds. Before the page loads, trackers identify you, pull your profile, and send it to ad exchanges. Advertisers bid on the right to show you an ad. Highest bidder wins. All in about 100 milliseconds.

This happens billions of times daily. Your interests, inferred demographics, browsing habits, and purchase intent get broadcast to hundreds of companies for each auction. The Irish Council for Civil Liberties found that the average European's data gets shared 376 times per day through this system.

Cross-Device Tracking

Trackers want to link your phone, laptop, tablet, and work computer into one profile. They do this through login data (you signed into the same account on both devices) or probabilistic matching (same IP address, similar browsing times, consistent behavior patterns).

This is why you research a product on your phone and see ads for it on your laptop an hour later. Same profile.

What's Changing

Safari and Firefox now block third-party cookies by default. Chrome has been promising to phase them out since 2020 and keeps delaying. Apple's App Tracking Transparency requires apps to ask permission before tracking across other apps. Most users say no.

The industry is adapting. Google's Privacy Sandbox, first-party data strategies, contextual advertising, and more sophisticated fingerprinting are filling the gap. Tracking isn't dying. It's evolving.

Reducing Your Exposure

  • Switch browsers — Firefox or Brave block more tracking out of the box than Chrome
  • Install uBlock Origin — It blocks tracking scripts, not just ads
  • Use private browsing for sensitive searches (clears cookies on close)
  • Disable images in email or use an email client that blocks trackers
  • Log out of Google and Facebook while browsing other sites

You can't disappear entirely. But you can make tracking significantly harder. Every blocker installed, every cookie cleared, every tracker denied makes your profile less complete.

*Stay sharp.*

Put This Into Practice

Install uBlock Origin to Block Ads and Trackers