5 Things We’ve Learned About How Companies Track You Online And Off

Image courtesy of David Menidrey

Is there an ad that seems to be following you everywhere? Perhaps you browsed for new sneakers in a slow moment at work a week ago, and now you see ads for them on every site you view on your phone? Or maybe you clicked an ad on Facebook, and now that company’s product seems to be stalking you around the internet, asking you to buy it in every sidebar ad you see.

The ability for companies to follow you from one platform to another — from your phone to your laptop to a physical store — is called cross-device tracking, and for businesses that want to market and sell stuff to you, it is basically the holy grail.

With robust tracking, a company can follow you basically from the moment you wake up and check social media feeds on your phone, through your commute, to work, back through the evening, and once more to your bed at night.

The “you” who went to Disneyland in the spring and the “you” who goes to a sports bar every weekend are suddenly the same “you” who streams music in the car on a commute twice a day and the same “you” who browses news sites from your work laptop.

That’s incredibly valuable data to a marketer, who can sell ad campaigns that target “you,” granularly, and not just “men ages 18-44” within 20 miles of a certain ZIP code.

But it can be downright creepy for people to realize they’re being followed that way — not to mention invasive and potentially harmful. That’s why the Federal Trade Commission is trying to wrap its head around how all this works, and what the concerns are for you.

To get there, the FTC recently held a workshop on Cross-Device tracking, and has now published a report [PDF] highlighting some key facts about this increasingly popular practice.

Here are the key takeaways:

1. You don’t need always to be logged in to be tracked.
The FTC found that companies are using both “deterministic” and “probabilistic” approaches to identifying users and connecting them to one overarching profile, meaning that advertisers don’t always need you to be logged in to know that it’s you.

Deterministic data is information you give: Logging onto your Google account on your work PC and your personal phone, for example, ties those devices to a single account. Or when you give retail clerks your phone number at the point of sale — that ties that transaction to your unique identifier (your 10-digit phone number), too.

“Companies do not appear to be explicitly discussing cross-device tracking practices in their privacy policies.”

Something probabilistic, on the other hand, is an inference — an educated guess — on the advertiser’s part. Let’s say you log into a shopping site from your phone, at home. If that has the same IP address as your home PC, that increases the chance both are you. Then let’s say you use the WiFi at work to log in again from your phone the next day, and you’ve also logged into that site using your work laptop, once again sharing an IP address. That chain of A=B and B=C mathematically leads a computer to make a pretty good guess that A=B=C, and all three logins are you.

The more pieces of information you leave in your wake — and you leave many — the smarter those guesses can get. It’s not as certain an identifier as when you log in to a site, but the sum total of these data points are likely to paint a pretty convincing circumstantial picture… without you knowing or noticing that it’s happened.

2. Cross-device tracking can actually improve account security.
As unsettling as it might be to be tracked from home computer to your phone to your work computer and back again, this cross-device tracking can actually offer the benefit of preventing unauthorized access to your accounts.

If you’re not familiar with two-factor authentication, it’s the process of using a secondary ID check to the login process. So if you enable two-factor authentication on, for example, your Google account and you’re logging on from a new computer or location, you’ll have to enter both your password and a unique code that is texted to your phone or obtained through an authenticator app.

But how does that service identify that the device you’re using is new? You guessed it: it tracks what devices you usually use, and where you usually use them.

A company has to know your regular usage patterns — what devices you use, and what IP addresses you come from — in order to spot one that could potentially be fraud. If you live in Omaha, and usually log in from residences and businesses in that area, then a login attempt from Moldova can raise a red flag and prompt the service to send you a verification request or a fraud alert — and that’s a good thing.

3. Companies are not at all transparent about tracking practices.
You may have suspected that there’s not much you can do about tracking if you use just about any digital services, but the FTC’s report basically confirms it.

“Companies do not appear to be explicitly discussing cross-device tracking practices in their privacy policies,” the report notes. Of 100 website privacy policies FTC staff reviewed, third-party cross-device tracking was only mentioned in three.

Not only is the fact that it exists completely opaque, the report notes, but also the parties involved are utterly hidden. A consumer can reasonably guess that the service she logs into on both her phone and her computer knows she’s using both devices, but she has no easy way to identify what third parties are also involved.

“Similar issues apply to third-party advertising networks in general,” the report notes, “most of which have little or no direct consumer interaction.”

In other words: Good luck figuring out who’s buying, selling, tracking, and trading your online footprints.

The report recommends that all companies engaged in cross-device tracking should be more transparent about their existence and their actions. And that, the report notes, needs to roll down: a tracking company should tell a publisher exactly what it does, so the publisher can put that information in their privacy statement to consumers.

4. Consumers have very little control.
There’s only so much you can do, the report notes, so consumers are using blunt tools.

Somewhere between 30% and 50% of users clear their browser’s cookies at least once a month, the report says. Meanwhile about 29% of smartphone users in the U.S. and UK have ad-tracking-limiting settings enabled on their devices, and about 22% of all the world’s smartphone users have enabled some kind of mobile ad blocker.

Sometimes, the report notes, users can opt out of traditional online tracking. But those may not even apply to cross-device tracking — after all, if you aren’t ever told something exists, how are you supposed to opt out of it?

Choice, the FTC recommends, should stem from transparency. Tell people what you’re tracking and why, and then let consumers make informed choices about opting in or opting out of services.

5. The industry is working on some voluntary self-regulation… sort of.
Industry groups know you don’t necessarily love what they do. That’s why you’ve been able to go to the National Advertising Initiative or Digital Advertising Alliance websites to opt-out of certain targeted advertising for years.

But there’s always been a catch: you have to select services one at a time, per-device, per-browser in order to opt out. Clearing your cookies deletes your opt-out preferences. And even if the request works (sometimes it doesn’t), there have been few — if any — consequences for an advertiser that ignores your opt-out request.

The DAA has now updated its guidance to include cross-device behavioral tracking. That guidance says that if you opt out of having your behavior tracked on one device, anything collected from that device cannot be used for advertising on other devices. And in the same vein, you can’t get ads on the opted-out device based on activity on other devices.

If companies actually adhere to that standard, then it would change what you see — but not where your data goes. If you opted your phone out, let’s say, you wouldn’t see targeted ads from participating companies on your work laptop based on shopping you did on your phone, and vice versa… but the bigger digital picture connecting “you” would still be out there.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.