EFF warns of ‘one-way mirror’ in the world of corporate online spying

The report exposes privacy issues and tracking techniques in online services we use on a daily basis.
Written by Charlie Osborne, Contributing Writer

The Electronic Frontier Foundation (EFF) has published an extensive study into the hidden techniques and methods used by online service providers to collect and track our personal information and activities. 

On Monday, as shoppers plundered e-commerce websites for Cyber Monday bargains, the civil and privacy rights outfit released "Behind the One-Way Mirror," outlining corporate surveillance methods with a focus on behind-the-scenes tracking. 

The paper covers a variety of different tracking methods including browser fingerprinting, invisible pixel images, social widgets, mobile tracking, and facial recognition employed by tech giants including Amazon, Facebook, Google, Twitter, as well as countless data brokers, to "collect information about who we are, what we like, where we go, and who our friends are."

Third-party tracking is usually invisible to the naked eye. Code, images, and plugins can all contain functions that track browsing, activities, purchases, the duration of visits, ad engagement, and clicks, and may link up different data sources to create a comprehensive shadow profile of your digital self. 

See also: Malicious Android apps containing Joker malware set up shop on Google Play

According to the EFF, for example, Facebook uses invisible "conversion pixels" to collect data on third-party websites and to track ad engagement; Google uses location information to track user visits to physical stores and makes use of transparent pixel images for tracking, and smart home devices -- including Amazon Echo and Google Home -- can harvest audio data and may be used by human employees to improve voice recognition technologies. 

Unique identifiers are the connecting element from multiple online services and systems used to bring together information on us. These may be tracking codes, cookies, MAC addresses, usernames, phone numbers, IPs, or device identifiers. 

It is the slow accumulation of data points on us that is the real cause for concern. 

"These humble parts can be combined into an exceptionally revealing whole," the EFF says. "Trackers assemble data about our clicks, impressions, taps, and movement into sprawling behavioral profiles, which can reveal political affiliation, religious belief, sexual identity and activity, race and ethnicity, education level, income bracket, purchasing habits, and physical and mental health."

Citing Cliqz GBMH, the paper says that Google collects data about over 80 percent of measured web traffic. The advertising industry, unsurprisingly, is the dominant force behind data collection, also leading to "auctions" which sell-off ad impressions. A single ad, for example, may flog visitor information to dozens of trackers. 

In the corporate realm, data is valuable, and companies dominant in the space can leverage their positions to spread tracking even further. 

"Companies with monopolies or near-monopolies can use their market power to build tracking networks, monitor and inhibit smaller competitors, and exploit consumer privacy for their own economic advantage," the EFF says.

CNET: TikTok accused of secretly gathering user data and sending it to China

The report outlines the ways in which this can be achieved. The first common method is for some vendors, potentially including Google and Facebook, to "pressure" publishers into installing their tracking codes in order to take advantage of the platforms' reach in driving traffic to their own businesses. 

"Google, Facebook, and Amazon also act as third-party ad networks, together controlling over two-thirds of the market," the report says. "That means publishers who want to monetize their content have a hard time avoiding the big platforms' ad tracking code."

Another common technique is for vendors to enter both sides of the tracking market; such as collecting data from mobile devices and browsers they develop. 

TechRepublic: Synack's Trust Report uses Attacker Resistance Score to rate cybersecurity defenses

With widespread tracking dominated by a handful of companies, this can also stifle competition -- in which tracking is used not only to watch users but rivals, too. It may also be possible for tech giants to scupper competition by withdrawing access to their platforms and user data. 

"Privacy is often framed as a matter of personal responsibility, but a huge portion of the data in circulation isn't shared willingly -- it's collected surreptitiously and with impunity. Most third-party data collection in the US is unregulated," said Bennett Cyphers, EFF staff technologist and report author. "The first step in fixing the problem is to shine a light, as this report does, on the invasive third-party tracking that, online and offline, has lurked for too long in the shadows."

The full report can be accessed here.

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards