Study: how the world’s top websites track your online behavior
At the end of July, Google finally let us have a closer look at Manifest v3 – a revision of how Chrome extensions work. This update has been quite controversial due to concerns that it will steal much of the power from ad-blockers. And while we dislike ads as much as the next person, we feel privacy is a much bigger issue.
It’s easy to understand that we’re being watched on the internet, but it’s difficult to feel it.
It’s easy to understand that we’re being watched on the internet, but it’s difficult to feel it. There’s no shady figure peering at our screens from the darkness and neither do we hear muted breathing when on Facetime. Yet the online world clearly knows which shoes we were looking to buy on Amazon (as it keeps on repeating), and that’s just the beginning.
In light of the controversial Chrome update, we decided to take a closer look at the 50 most popular websites in the world (according to SimilarWeb), to see just how much our activities are being tracked. A few of the websites are really bad, while some are quite benign – apparently, the porn industry respects your privacy more than some of the companies that form the backbone of the internet.
How are you being tracked online?
Most websites use little text files called “cookies” to enable certain features – sites read them to remember your login credentials, which articles you’ve already read, your language preferences, etc. These are stored on your hard drive and are called first-party cookies because they’re given to you by the website you’re visiting. Yet they’re (usually) not the only cookies you’re getting when you visit a website.
To help monetize their website or their service, many websites rely on advertising and analytics tools. By doing so, they allow third-parties to run scripts on their website, and these third-parties also create cookies on your device. Unlike the more benign first party cookies, however, these can track you from one place on the internet to another.
Let’s take one of Google’s advertising services – DoubleClick. Of the Top 50 websites we looked at, 18 use the services of DoubleClick. Let’s say you’ve visited one of the sites serviced by DoubleClick – Reddit. You now have a cookie that has a unique identifier, the time you saw the ad, your IP address, and where on the site you were when you saw it – a home improvement subreddit. Later, you go to Twitch.tv, which also uses DoubleClick and can therefore read the original cookie on your device. Your unique identifier connects your two interests (home improvement and video games) and increases DoubleClick’s targeted advertising accuracy. This may sound abstract, but it really isn’t – just go to this page to see how well Google knows you.
Google is omnipresent and huge, which is a curse, but also a blessing – it’s harder for them to do anything too egregious. The same can’t be said of the thousands of smaller advertisers and web analysis services littering the internet as a whole and the Top 50 websites in particular. For example, Google doesn’t sell the raw data they gather to third-parties, but many others do. As a matter of fact, this is often an important source of revenue.
Cookies are not the only way businesses track consumers. The past decade has seen a great deal of innovation in this sphere, as a result of which there are many tools to keep tabs on you. This includes:
Web beacons. These are transparent images the size of 1 pixel, which have to be retrieved from a different server than the one hosting the website you’re visiting. By retrieving it, your browser gives away certain information – your IP address, browser type, and other information. Web beacons are widely used in conjunction with cookies.
Flash cookies (Local Shared Objects). Similar to regular cookies, only capable of holding much more data, longer-lasting, and more difficult to get rid of. They are notorious for their use in creating zombie cookies – a case where Flash cookies are used as backup for regular cookies, so that they can be restored after deletion.
HTML5 Local Storage. The functionalities introduced with HTML5 are useful to use as an alternative to regular cookies in some cases.
Cached content. To save load times, browsers cache content and reset the cache based on server-given expiration headers. This can be used (and is being used) to infer when a user has already visited a certain website. It’s difficult to prevent unless you want to constantly delete your cache.
Canvas fingerprinting. Another HTML5 feature – the Canvas API creates the ability for JavaScript to draw images on your browser (and to read them). Different GPUs, different drivers, and other system characteristics result in different images. The images, it turns out, are different enough to serve as a great aid in identifying individual machines.
Browser fingerprinting. Most people use plugins and extensions, making their browsers different. Websites can identify these differences and, together with Canvas fingerprinting, identify you in particular. Think you can’t be identified? Check here.
What’s worse – 100 benign trackers or 1 bad one?
Our article ranks websites based on the number of trackers. The main reason for this choice is simplicity, but there’s more to it than that. From the perspective of privacy, virtually all trackers reduce your privacy to a greater or lesser extent, because they all increase your footprint on the web. And, even if they themselves are benign, some of the services they use may not be.
It’s certainly true that not all trackers are equal, but the thick legalese of many privacy policies makes it very difficult to gauge the differences. Therefore, we felt the number of trackers was a more objective unit of measure.
A brief note on the third-party vendors mentioned below
Looking through the trackers on the Top 50 websites, we chose several to illustrate a few points about the issues native to tracking technologies on the web. These are not necessarily the worst trackers for privacy found on these websites, and certainly not the worst overall.
| Tracker | Why is it bad for privacy? |
| AdGear | Shares personal consumer data with third-parties |
| Blue Triangle | Privacy policy focuses on website, doesn’t give information about services |
| BlueKai & Datalogix (Oracle) | Gathers consumer info to help with ad targeting and uses loyalty card data to gauge marketing success in terms of real-world purchases |
| DataXu | Allows their customers (and customers’ partners) to include their own pixels and tracking technologies within ads served by DataXu. These don’t need to conform with their privacy policy. |
| Hotjar | Session replay script: records your individual browsing session (avoiding sensitive data fields – if everything goes as planned) |
| LiveIntent | Analytics service that seems (according to the Privacy Policy) to provide their customers with raw consumer data, rather than processed reports |
| MaxPoint Interactive | Uses an extensive range or tracking technologies to “pinpoint qualified customers interested in purchasing your product with more precision than using traditional zip codes.” |
| PulsePoint | Healthcare ad service. Collects highly sensitive medical data |
| Quantcast | Bad reputation for using permanent “zombie cookies” in the past |
| ScoreCard Research Beacon | Extremely vague Privacy policy, doesn’t specify what consumer data they share with clients |
| Videology | Allows their customers (and customers’ partners) to include their own pixels and tracking technologies within ads served by Videology. These don’t need to conform with their privacy policy. |
Stories of the Top 50
Across the Top 50 websites, we found 459 third-party trackers from 132 different sources. That means that, by visiting these 50 websites, you‘re broadcasting your visit to at least 132 entities. In reality, the number is significantly higher because, firstly, most of these third-parties are sharing data with at least a few others.
Secondly, cookie syncing – the practice of sharing user data between different platforms – means that the conservative number of 182 is probably far from the truth.
Yet not all websites in the Top 50 are equal, so let‘s take a closer look at some of the details you are transmitting as you visit the sites.
Disclaimer: Beyond the Top 50, there are certainly websites that collect more sensitive data than the ones mentioned here.
Who has the most third-party trackers?
The Top 50 doesn‘t lack for cookies and pixels, but here‘s a clear list of 10 that have the most third-parties. These are, in order of appearance:
Let‘s look at each of these in turn.
Mail.ru: 61 third-party trackers
Mail.ru is Russia’s biggest tech company, with its hands in many different cookie jars. For starters, they own all the biggest Russian social media sites, like VK.com and ok.ru. Mail.ru is a website that does a lot of things, not least of which is deliver news, and one of the main ways online news portals monetize is through ads. As such, it’s no surprise that Mail.ru has a whopping 54 advertising trackers on the homepage.
Some of these make no qualms about collecting and using PII and even sensitive data (such as health information, religion, political affiliations, etc.). A few examples are PulsePoint – a healthcare ad service and information platform which lives and dies by their knowledge of very personal details – and Quantcast, which is notorious for having used zombie cookies in the past.
Needless to say, users should be skeptical about their privacy on large Russian sites regardless of the third-party services they are using. Data from Russian companies as large as Mail.Ru is a matter of national interest, and national interest takes precedence over individual freedoms in Russia.
Accuweather.com: 59 third-party trackers
The world‘s favorite weather website and app takes a close second in the race to get more advertising trackers. It has 51 of them, some from large, well-known advertisers (like Google, Facebook, AOL, Adobe, and Yahoo), others from lesser known, shadier sources.
Take DataXu for instance, which seems like a regular targeted advertising vendor. However, in their Privacy Policy you will find the following statement:
“Sometimes our customers include their own (or their partners’) pixels or similar technologies within advertisements that dataxu serves to websites.”
They go on to explain that the practices of these “customers” do not fall under the jurisdiction of DataXu’s Privacy Policy. In other words, DataXu acts as a Trojan horse, allowing nameless third-parties to spy on you with limited accountability.
AdGear is not much better. Here’s a sampler:
“We share certain personal information about consumers with third parties who provide us with information to enable targeted advertising on website(s) and application(s) that use our technology.”
This sounds extremely vague and could be used in any instance where personal information is shared with a third party.
Ebay.com: 37 third-party trackers
Like many online marketplaces, Ebay relies quite heavily on advertising to monetize their site. The company’s waning fortunes over the past decade have not helped at all. Ebay features trackers from industry giants like Google, Facebook, Adobe, AOL, and Yahoo, as well as from smaller vendors.
Videology, for example, is a UK-based video ad vendor who has a detailed Privacy Policy document with in-depth explanations. While that is great, Videology also commits the sin of allowing third parties to use their ads for tracking. In addition, they will retain some of the data collected for up to 2 years.
Ebay also uses 5 different website analytics services, of which ScoreCard Research Beacon is one. This vendor doesn‘t do targeted advertising, rather, they collect information using cookies, pixels, tags, and share “reports, research, and information products” with their clients. The Privacy Policy is somewhat vague about what information they collect and what is included in these reports they offer to clients.
The situation is similar with Live Intent, which, like the ScoreCard Research Beacon above, doesn‘t serve ads, instead collecting and sharing data to aid advertisers (and others). The Privacy Policy of Live Intent seems to suggest this may be raw data, rather than processed reports. Users have reason for concern here because without knowing who uses the data, consumers can‘t check how it is used.
OK.ru: 35 third-party trackers
Odnoklassniki is a Russian social network owned by the Mail.Ru Group – this makes it part of the largest Russian internet company. In this particular case, discussing specific third parties seems pointless: it is understood that there is no privacy for users of large Russian websites, at least where issues important to the government are involved.
Fandom.com: 33 third-party trackers
Formerly known as Wikia and Wikicities is a wiki hosting service – a site containing lots of encyclopedias for films, tv shows, and games. The site makes a lot of its money from advertising, which should be clear considering the 25 advertising-related third parties on the site. Fandom also uses other external services – website analytics (5 trackers) and 2 trackers to facilitate customer interaction.
Two notable tracker names that come up on the Fandom website are BlueKai and Datalogix, both of which are part of the Oracle Data Cloud. BlueKai is responsible for obtaining data to help ad targeting (i.e. tracking what sites you’re visiting and thus determining what your interests are), meanwhile Datalogix provides information on the offline success of marketing (telling advertisers how many consumers purchased a product after seeing an ad).
In case you’re wondering how Datalogix is able to do that, at least partially the answer lies with data gathered by supermarket loyalty cards. In other words, this is a somewhat creepy connection between you of the computer and you of the supermarket.
Samsung.com: 25 third-party trackers
The Korean technology maker uses the services of many advertising and analytics vendors. An example of the latter is Blue Triangle – an A/B testing service. Put simply, the service checks different versions of the website in terms of their success in getting a customer to do something (buy, comment, click a link – whatever it might be).
This is a common type of service on the web and is not especially hazardous to user privacy. However, Blue Triangle’s Privacy Policy primarily focuses on their own website, rather than the service, and says little about the tools they rely on to carry out their mission.
Bbc.co.uk: 25 third-party trackers
Despite being funded by taxpayers, the BBC doesn’t ignore advertising revenue. The British media organization has 25 third parties on their UK website, including 19 advertising-related ones.
Most of the third parties on the BBC website are relatively harmless in isolation.
Amazon.com: 24 third-party trackers
The largest online marketplace in the world uses the services of many third-party trackers. You’ll see the names of some that are on many of the sites in the Top 50 (like Aggregate Knowledge, Advertising.com, or BidSwitch), as well as a few that we have already said some bad things about (PulsePoint, BlueKai). The point to make about Amazon, however, is how Amazon itself tracks your actions.
Your user profile, search queries, and wish list are an obvious example, but there are some avenues of tracking users you might not have considered. Amazon’s streaming services, such as Amazon Prime, are a good example. As are the various gadgets made by Amazon – the Kindle, the Fire TV Stick, and the Echo are just a few notable examples.
To expand on this, we can say that Amazon has been extremely successful at leveraging all this customer data in their Amazon Web Services (AWS). Through a simple API, clients of AWS are able to access and use the deep learning technologies powering Amazon products. As such, we can say that under the veneer of retail Amazon hides a business that is very much about data, and very much not about your privacy.
Reddit.com: 22 third-party trackers
The front page of the internet has seen huge success over the latter decade. Its semi-autonomous subreddits have something for virtually anyone to enjoy – free, we might add. As usual, however, “free” means “powered by ads.”
Reddit has 17 ad-centric third-parties onsite, one of which is MaxPoint Interactive, which uses “cookies, pixel tags, web beacons, server logs, HTML5 local storage, Flash local shared objects (LSOs), statistical identifiers, mobile advertising identifiers (such as IDFA and Android Advertising ID), software development kits (SDKs), server-to-server transfers, and non-cookie technologies” to collect information about users and “pinpoint qualified customers interested in purchasing your product with more precision than using traditional zip codes.”
WordPress.com: 21 third-party trackers
The world‘s favorite content management system is great, but the same can‘t be said for the privacy practices of its official website. Outside of the before-mentioned DataXu and Quantcast, WordPress.com also uses Hotjar – a popular session replay vendor.
Among the various analytical processes performed by Hotjar, not least important is session replay. Whenever you visit a website with Hotjar, it records what you‘re doing – where your mouse hovers, what you type in, what you click, and so on. This is a useful tool for website owners who want to optimize their webpages, but it‘s also a privacy risk.
There have been cases where session replay companies have accidentally recorded login credentials – usernames and passwords. These tools are supposed to ignore anything written into password fields. Yet unfortunately, the way the technology was designed is bound to occasionally cause problems. For starters, passwords are not the only type of sensitive info you may divulge on a website.
Canvas fingerprinting
We found Canvas fingerprinting scripts on 5 of the websites we checked. Is this such a huge deal?
Well, since the images drawn by the Canvas API differ based on the browser, OS, and GPU, they can’t identify you specifically. With that said, this fingerprinting technique is rarely used in isolation. At the very least, the websites relying on Canvas will also use cookies, and often they will use other browser fingerprinting techniques as well.
We decided to single out Canvas because it can’t be blocked unless you’re using the Tor browser, and regular ad blockers won’t show you which sites are using it. Moreover, we feel it indicates the lengths sites will go to for consumer data.
It’s telling that of the 5 sites using Canvas fingerprinting in the Top 50, 1 is Russian (vk.com) and 2 are Chinese (qq.com and aliexpress.com) – two countries that are not known for their stellar privacy credentials.
The other two are Western sites we’ve already mentioned on the naughty list – ebay.com and accuweather.com.
Porn – a bastion of privacy
There are 4 porn websites among the Top 50 most popular sites on the internet:
- pornhub.com
- xhamster.com
- xvideos.com
- xnxx.com
They account for a total of 9 third-party trackers, 5 of which are on Pornhub.com. None of these trackers are particularly bad for user privacy – 3 websites use the services of an adult advertising vendor (either TrafficJunky or Pornvertising), whereas xhamster.com only has 2 Google trackers (DoubleClick and Google Analytics). Pornhub also uses AOL’s Advertising.com and Index Exchange.
Perhaps it is understandable that websites serving something as sensitive as porn would feel the need to ensure their users’ privacy. Yet that certainly wasn’t always the case and the porn industry has cleaned up (no pun intended) considerably since the days of rampant adware and other nasty practices.
Nowadays, porn sites are some of the best at privacy – certainly a lot better than most of your favorite shops and media outlets.
The most prolific spies of the Top 50
As expected, Google trackers are by far the most numerous among Top 50 websites – we found 97 of them in total (more than 20% of all trackers). Facebook comes in at 2nd with 18 trackers. This is generally representative of the internet as a whole. Here is the full list of the more popular third parties:
For some of these companies, cookies and pixels are only one of many ways they gather data about users. Google, for example, has plenty of other resources they can rely on, starting with Gmail and YouTube, continuing with Android devices, and far from ending with Chrome. Meanwhile, Facebook is essentially a personal information database, crowdsourced by the users themselves.
Disclaimer:
We meticulously research our stories and endeavor to present an accurate picture for our readers. We’re also human, and if you believe we have made a factual error (as opposed to disagreeing with an opinion), please contact us so that we may investigate and either correct or confirm the facts. Please reach out to us using our Contact Us page.
- How are you being tracked online?
- What’s worse – 100 benign trackers or 1 bad one?
- A brief note on the third-party vendors mentioned below
- Stories of the Top 50
- Who has the most third-party trackers?
- Mail.ru: 61 third-party trackers
- Accuweather.com: 59 third-party trackers
- Ebay.com: 37 third-party trackers
- OK.ru: 35 third-party trackers
- Fandom.com: 33 third-party trackers
- Samsung.com: 25 third-party trackers
- Bbc.co.uk: 25 third-party trackers
- Amazon.com: 24 third-party trackers
- Reddit.com: 22 third-party trackers
- Wordpress.com: 21 third-party trackers
- Canvas fingerprinting
- Porn – a bastion of privacy
- The most prolific spies of the Top 50