Who is tracking your internet activity, and why?
Your every move online is being tracked. Decentralized VPNs can better protect our privacy.
Everything we do online leaves a trace. Casual browsing, clicking items in a browser, e-payments, calling and messaging, even walking around the city with our phones in our pockets: it is all being tracked in increasingly sophisticated ways. So how are privacy and anonymity online even possible?
Online tracking is now a global phenomenon. Everyone who uses a device connected to the internet is affected whether they realize it or not. Our online activities, behaviors, and desires are now an integral resource for digital capitalism. Sophisticated surveillance technology is harvesting as much of our personal data as possible so that “profiles” of us can be bought and sold. As we will see, this mass data harvesting has been and will continue to be used for political purposes and public manipulation – unless, of course, we start preventing it.
Virtual Private Networks (VPNs) and other privacy technologies continue to invent new means of protecting online privacy, but the technological battlefield is constantly shifting. With advancements in online tracking techniques, it’s ultimately a game of cat and mouse.
Thankfully, new decentralized VPNs, in addition to other privacy technologies and practices, can help us stay more private and anonymous online. To understand how, we will first run through the ways we are tracked and who is behind it all.
Internet tracking today
Given the diversity of online tracking techniques and agents, let’s start with a story.
Mass data harvesting
In 2018, it was revealed that a British consulting firm called Cambridge Analytica had harvested the Facebook data of 87 million users. This data was then analyzed, profiled, and ultimately used in targeted advertising, and even to consult for specific political campaigns. The data was originally collected by way of an app which paid users to fill out a psychology questionnaire for the purpose of academic research on “Your Digital Life.” The data scientist behind the app, however, was paid and directed by Cambridge Analytica. The company then received the data of hundreds of thousands of unconsenting users, which was then multiplied to tens of millions of users because Facebook also granted the app access to the friend networks of participating users. No one consented to what Cambridge Analytica eventually did with their personal information.
In the end, Cambridge Analytica had a tracker’s gold mine of user data-points: preferences, likes, associations, etc. This allowed the company to create psychological profiles on users to determine, for example, what kind of political messaging could be directed to them. The data was also likely accessed by Russian intelligence services during their efforts to influence the US presidential election in 2016.
Cambridge Analytica was not the first to do this, and it certainly won’t be the last. But it’s an exemplary case of how tech giants like Google and Facebook are the biggest harvesters of user data. Despite their user privacy agreements, the possibility of that data ending up in commercial, state, or criminal hands remains a continued risk for users.
New default web encryption
Since the many privacy scandals of the 2010s, the public web has fortunately seen more extensive default privacy protections afforded to users. Through HTTPS, most reputable websites now encrypt user activity between your device and the website’s server. Encryption is a cryptographic method for encoding user data so that only you and the intended recipient can read it. So when you’re buying something from a company’s website, the data of your credit card information is most likely secured between your device and the website’s server. It would require sophisticated decryption technology, or hacked devices and servers, for someone to steal this kind of content.
The limits of encryption for privacy
However, advancements in tracking what we do online mean that encryption, however robust, is not enough. As we will see, the metadata surrounding our encrypted activities can be used to develop precise profiles of what we do, when, with whom, and even of who we are personally. For data harvesters, brokers, surveillance agencies, and exploiters, this is not simply about what we have done online in the past, but also about what we want, expect, and will do.
VPNs, especially ones with decentralized architectures, can help us fight back against all this. But first we need to understand how we are being tracked online and by whom.
What about us is being tracked?
So if the content of what we do online is usually encrypted, what about our activities and identities can be tracked online?
Our IP addresses
Your IP address (short for Internet Protocol address) is the primary way of tracking what you do online. This unique numerical identifier basically allows you to connect with something on the net. Your Internet Service Provider (ISP) assigns you a static one as a client, and other networks might assign you more dynamic ones for efficiency’s sake, say, if you’re just coming and going. But it is also a partial picture of your digital identity.
On its own, an IP address only reveals certain things related to network functionality, such as the type of device you’re using and its approximate location. This is useful in tailoring certain web functions and content to user needs: your location can make useful local information available, and knowing your device type can allow a website to format its contents properly for display settings. While these features might make your online life more convenient, they also make you more traceable.
The biggest advantage of using a VPN is its ability to mask your true IP address, making it harder to trace what you do back to you. So if you’re not using a VPN while accessing the public internet, then the websites you visit, ad agencies collecting data about your preferences, hackers looking to exploit you or your system, and any external surveillance can potentially link your activity online to your unique identifier.
Our online behavior
Our behavior patterns online can be tracked by associating our IP addresses with all the different things we do. Local websites can use your search histories to target you with internal marketing. Or, in contractual arrangements with ad agencies, third party ads can be precisely targeted to the desires and tendencies you disclose by viewing, browsing, clicking, etc. Every tiny gesture becomes a noteworthy indication of what you might want, even when you think you’re doing something in the privacy of your own home.
Our metadata
Our metadata is a particularly valuable resource for internet tracking. Metadata technically means data about other data. While data may be encrypted, the metadata about it can be perfectly visible. Your IP address is a primary example of a piece of metadata: it can show that your device type in x location is connected to a particular website. Other metadata might include connection timestamps, traffic durations, geolocation, and the browsers used. Metadata details can also vary by application: an email app might include sender and recipient email addresses as metadata, or a mobile phone could specify the recipient phone numbers and call durations.
Even if the content of what you do can’t be easily decrypted, many facts about your activity can still be inferred from metadata. When you connect to a particular server regularly, for example, your work schedule could be deduced. In the case of Cambridge Analytica, the data of your likes and shares, though not necessarily the content of what you post, might reveal your political preferences. And if you connect to certain sites regularly, like a medical clinic, this might indicate that you or your loved ones have a medical condition. Data analysis need not have the full content to know you: with enough data-points, advanced traffic analysis can simply infer it.
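To make the inference described above concrete, here is an added example (not part of the original article) that looks only at connection metadata and never at content. The flow records, the .example hostnames, and the rule thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records of the kind a network operator can log for
# encrypted traffic: (start time, destination host, duration in seconds).
# No payload is present. Hostnames are placeholders under .example.
FLOWS = [
    ("2024-03-04 08:58", "mail.employer.example", 28900),
    ("2024-03-05 09:03", "mail.employer.example", 29100),
    ("2024-03-06 09:01", "mail.employer.example", 28700),
    ("2024-03-07 08:55", "mail.employer.example", 29300),
    ("2024-03-08 09:04", "mail.employer.example", 25200),
    ("2024-03-05 18:40", "portal.clinic.example", 420),
    ("2024-03-12 18:35", "portal.clinic.example", 380),
    ("2024-03-19 18:42", "portal.clinic.example", 450),
    ("2024-03-09 21:15", "video.stream.example", 5400),
]


def profile_destinations(flows):
    """Summarise timing per destination using metadata only."""
    by_host = defaultdict(list)
    for start, host, duration in flows:
        when = datetime.strptime(start, "%Y-%m-%d %H:%M")
        by_host[host].append((when, duration))
    profiles = {}
    for host, visits in by_host.items():
        minutes = [t.hour * 60 + t.minute for t, _ in visits]
        profiles[host] = {
            "visits": len(visits),
            "weekdays": sorted({t.weekday() for t, _ in visits}),  # 0 = Monday
            "start_spread_min": max(minutes) - min(minutes),
            "mean_duration_s": sum(d for _, d in visits) / len(visits),
        }
    return profiles


def infer(profiles):
    """Apply two simple rules; the thresholds are illustrative assumptions."""
    findings = {}
    for host, p in profiles.items():
        # "Regular" means repeated visits that start at nearly the same time.
        regular = p["visits"] >= 3 and p["start_spread_min"] <= 30
        long_sessions = p["mean_duration_s"] >= 4 * 3600
        if regular and len(p["weekdays"]) >= 4 and long_sessions:
            findings[host] = "daily routine (likely work hours)"
        elif regular and len(p["weekdays"]) == 1:
            findings[host] = "weekly recurring appointment"
    return findings


if __name__ == "__main__":
    for host, finding in infer(profile_destinations(FLOWS)).items():
        print(f"{host}: {finding}")
```

Whoever holds records like these can draw the same conclusions, which is why the question of who logs connection metadata matters as much as whether the content is encrypted.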
Who is tracking us online and why?
Those who track us online have many different motives, ranging from basic network functionality to cyber criminals and government surveillance. Let’s consider them individually.
Network administrators
Making sure networks function properly requires keeping track of what is happening on them. Without knowing who was attempting to connect with what or whom when a connection error occurred, patching bugs would be difficult. For this reason, ISPs, work networks, and even traditional VPNs normally collect and monitor user traffic data for functionality and security.
Functionality aside, the data collected and centralized by these services can be used to trace our activities directly back to us. Hackers, organized crime, and other malicious actors can target service databases to exploit the personal information of clients. Governments, of course, can also compel ISPs or VPNs to disclose the metadata of their users’ traffic histories. Again, this could reveal details about when you connected online and with what or whom, but not necessarily the content of what you looked at or said.
Websites and commercial services
Websites and online service providers are major agents of data tracking. Like ISPs, websites track users to identify bugs, improve their product for users, and of course to make sure users get the regional content they are looking for (via geolocation tracking). If you’re in Belgrade, after all, you won’t be particularly interested in store sales happening in Paris. But these same tracking functions, which may improve user experience online, are also used for reasons that have nothing to do with user needs.
Web services actively collect data to create profiles of users’ interaction with the site, but also the desires revealed through their micro-gestures (clicking, scrolling, lingering). Cookies and web beacons installed on user web browsers can track users across multiple sessions. All this data feeds into information systems that produce targeted advertising toward us particularly. What’s worse, many websites, or the ad agencies they’ve partnered with, sell this data wholesale to third parties like data brokers who market in large-scale data-accumulation and profiling for interested parties to purchase.
Data brokers
The data that is accumulated from the tracking research done by individual sites, and even by less reputable VPN services, is now often sold to data brokers attempting to profile global patterns and individual behaviors. The value of this data is often commercial and profit-oriented. What is important about these agencies is their ability to generate psychological profiles (or psyops) of individual interests, behaviors, and weak-points in order to manipulate them through targeted advertising or messaging. This was the cornerstone of the Cambridge Analytica “consulting” business model: to profile tens of millions of people in the US according to specific data-points so political agents could capitalize on it.
Law enforcement
Local and state law enforcement agencies are very much involved in tracking user activities online. Serious social injustices and exploitations happen online (child pornography, human trafficking, and cyber crimes not limited to identity and financial theft). Targeted user data collected by law enforcement agencies can be used to build evidential profiles of users’ online activities, request search warrants targeting hard drives, and build prosecution cases.
However, these agencies are sometimes involved in more questionable user tracking, such as predictive policing. This involves the analysis of large amounts of online activity (such as social media posts) according to keywords to predict potential perpetrators of future criminal activity. Naturally, these kinds of activities can lead to many innocent people being caught up in indiscriminate police investigations, particularly when these predictive policing approaches are being fed through AI systems.
Governments
Like law enforcement tracking of targeted individuals, we all assumed governments were doing similar things for so-called “enemies of the state.” But what the Snowden revelations showed in 2013 was much darker: government programs not only capable of, but actively engaging in, the mass surveillance of ordinary citizens across the world. Not specific targets for any particular crime, but everyone. This was something which many experts previously thought to be virtually impossible. A global network of intelligence agencies, run by the NSA, amassed collections of phone records in collaboration with telecommunications companies, and had direct access to major internet companies like Google and Facebook. They even have programs dedicated to breaking data encryption, though their successes on this front are unclear.
Organized crime
Organized crime’s activities online are a huge problem and topic. These groups have become particularly effective in using online tracking to perpetrate cyber crimes ranging from identity and financial theft to blackmail. User data is often collected through various means: phishing scams, public records, data breaches, but also by monitoring social media. When a sufficient amount of data about an individual or group is collected, this can allow criminal groups to empty bank accounts, extort individuals via their sensitive data, or impersonate an individual online.
Hackers
We may sometimes imagine hackers as unknown rogue individuals trying to gain access to our devices, for instance, to hijack our data for ransom. But the reality is much more complicated. Hackers are often employed to track and intercept user data by larger organizations, such as governments, organized crime, and clandestine security agencies. This can be done through specific kinds of attack, where our data is intercepted in transit, or by gaining access to our devices themselves. The key point is that the success of hackers can be greatly enhanced by the technical and financial resources of larger agencies (such as government intelligence programs). Learn more about how to protect ourselves from cyber attacks and hackers.
How are we tracked online?
There is no single kind of mechanism or means for tracking what we do online. It would be an oversimplification to think that a website, government agency, or hacker has any one direct way of accessing your personal identity. Different tracking tools can be used in isolation or together to produce a fuller picture of who you are and what you do online. This all starts with your IP address because it links you directly to your ISP, device, and approximate location (geolocation tracking). But unfortunately it doesn’t end there.
Cookies
We’re all familiar with the now incessant notifications: “this site enables cookies.” A cookie is a piece of data which is installed on your web browser by a particular website. Minimally, cookies allow for more consistent user interaction with and identification by the site. This could simply ensure that the multiple things you want to buy are added to the same shopping cart during a session, or that your account credentials are remembered when signing in from the same device across multiple sessions.
We might be reassured about a browser’s option to “clear” or “delete” cookies, but we really shouldn’t be. Advanced cookies, such as the aptly titled “evercookie” or “zombie cookies,” can persist, or literally resurrect themselves, after deletion. This is because they are stored in multiple software components, like the Flash software used by your browser, allowing them to persist and track after apparent deletion. Advanced fingerprinting methods can capitalize on these resources to bypass user attempts to secure their own privacy.
Data aggregation
Data aggregation is the compilation of as much information as possible regarding users’ online activities. This can start with IP addresses, but can evolve to include cookie IDs, email addresses, phone numbers, behavioral statistics, and so on. Data can come from metadata provided by websites and profiling from data brokers, but also simply from public registries. In the end, the more data that is compiled about a user, the better the analysis, profiling, and targeting objectives will be. Websites, commercial entities, ad agencies, and social media accounts all use it. With the use of AI machines processing mass quantities of our data, our next human moves are being logically anticipated for reasons to which we’ve never consented.
Digital fingerprinting
Digital fingerprinting is a stealthy technique for identifying and tracking digital data-points about users based on mass data aggregation. These data-points further specify certain characteristics and configurations about a user’s browser or device: installed plug-ins, designated time-zones, language settings, or even preferred fonts. All of this can be used to make a kind of “fingerprint” to more precisely link a user to certain online activities.
Digital fingerprinting is used by many different trackers online. Ad companies use it to tailor content to specific users. Often it is used as a security measure by e-retailers, banks, and other institutions to identify fraudulent activity. And of course it can be used by data brokers, governments, law enforcement agencies, and spies to track all activity online.
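The following added example (not from the original article) measures why a handful of unremarkable browser settings becomes a fingerprint, and how reporting the same values for everyone reduces it. The population of eight browsers and every attribute value in it are constructed for illustration, not measurements.

```python
import math

ATTRS = ("timezone", "language", "fonts", "plugins")

# Constructed population of 8 browsers. Every single value below is shared
# by half of the population, so no attribute looks identifying on its own.
POPULATION = [
    ("Europe/Paris", "en-US", "system-default", "pdf-viewer"),
    ("Europe/Paris", "en-US", "extra-fonts", "none"),
    ("Europe/Paris", "fr-FR", "system-default", "none"),
    ("Europe/Paris", "fr-FR", "extra-fonts", "pdf-viewer"),
    ("America/New_York", "en-US", "system-default", "none"),
    ("America/New_York", "en-US", "extra-fonts", "pdf-viewer"),
    ("America/New_York", "fr-FR", "system-default", "pdf-viewer"),
    ("America/New_York", "fr-FR", "extra-fonts", "none"),
]


def anonymity_set(population, target, attrs):
    """Count browsers indistinguishable from target on the given attributes."""
    idx = [ATTRS.index(a) for a in attrs]
    return sum(all(row[i] == target[i] for i in idx) for row in population)


def surprisal_bits(population, target, attrs):
    """Identifying information, in bits, carried by the chosen attributes."""
    share = anonymity_set(population, target, attrs) / len(population)
    return -math.log2(share)


def narrowing(population, target):
    """Anonymity set size as each attribute is added to the fingerprint."""
    return [anonymity_set(population, target, ATTRS[:n])
            for n in range(len(ATTRS) + 1)]


def standardise(population, attrs, value="standard"):
    """Mitigation model: every browser reports the same value for attrs."""
    idx = {ATTRS.index(a) for a in attrs}
    return [tuple(value if i in idx else v for i, v in enumerate(row))
            for row in population]


if __name__ == "__main__":
    me = POPULATION[0]
    for attr in ATTRS:
        print(f"{attr:9s} alone: {surprisal_bits(POPULATION, me, (attr,)):.1f} bits")
    print("crowd size as attributes are combined:", narrowing(POPULATION, me))
    hardened = standardise(POPULATION, ("fonts", "plugins"))
    print("crowd size after standardising fonts and plugins:",
          anonymity_set(hardened, hardened[0], ATTRS))
```

Each attribute alone leaves the user hidden among half the population, yet three of them combined single the user out; standardising two attributes doubles the crowd again.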
Traffic analysis
The term traffic analysis can simply refer to tracking user activities through all of the above tools: linking IP addresses to connections and other IP contacts, connection durations, behavioral patterns, geolocations, aggregated data analysis, and through cookies and digital fingerprinting. However, it should be noted that governments and sophisticated hackers, especially when working together, do have the capabilities of enhanced traffic analysis to more precisely identify user activities and identities. The technical skills of hackers, for instance, to break weak encryption can be facilitated by the money and computing power of an organized crime outfit or government sponsored international hacking program. This means that, with the right expertise and resources, anything can eventually be traced back to us.
How do VPNs help to prevent tracking?
Preventing online tracking and preserving your privacy requires a multi-faceted approach, not just the use of one tool. For masking your IP address, using a VPN is a crucial one. But other important practices for security include using password managers, multi-factor authentication for accounts, and anti-virus and anti-malware software.
Virtual Private Networks (VPNs) are a first line of defense in protecting ourselves against online tracking. They add a default level of encryption and mask our IP addresses with their own. But they are certainly not all-in-one solutions for security online. Most importantly, the centralized architectures of mainstream VPNs pose serious privacy risks for users that decentralized VPNs can help avoid.
Using a VPN to avoid being tracked online
A VPN functions like a proxy server for all of your online activities. It does this by first encrypting your connection on your device before securely tunneling your data to the VPN’s own server. This makes it so that the contents of your activity in transit are unreadable to outside eyes. When your data arrives on the VPN’s own servers, your IP address is replaced with the VPN’s own before your request is directed to its intended recipient on the public internet.
This process effectively masks what you’re doing while online, at least in principle, making it much harder to link what you do back to you. Not impossible, but more difficult. When you access a website, the site will see the VPN’s IP address and server location, and not yours. Similarly, if an advertising or governmental agency is trying to trace a web access record back to an individual, they will have to pass through the VPN’s server before ever arriving at the true origin of the traffic.
Websites and data brokers can be blocked from tying profiles of your activity to you specifically, though they will still be able to use the anonymous data of what you do for their own purposes. Low level law enforcement and government surveillance might also be thwarted in their tracking endeavors, but more sophisticated investigations can certainly surmount a single-hop VPN routing protocol to track you. But there is a bigger problem with traditional VPN architecture for online tracking.
Tracking vulnerabilities of traditional VPNs
Most VPNs on the market are based on centralized physical architectures: they reroute clients’ internet traffic through their own servers, or servers they rent typically from the same provider. This means that user data is centrally localized once in the hands of the VPN. If logged or recorded there, any metadata of user traffic is potentially at risk of data breaches or targeted cyber attacks. Even if a VPN service promises to not keep records or “logs” of user traffic, they almost certainly keep some metadata records. And as private companies with these records at their disposal, we now know that they are susceptible to coercion from authorities to disclose them.
If we are truly concerned about the possibility of being tracked online, we certainly do not need to abandon VPNs as a tool for protecting our privacy. We simply need a better VPN architecture. Thankfully, more innovative VPN technologies are now available to further curtail this risk for users. This is where decentralization comes in.
Preventing tracking with a dVPN
Not all VPNs function in the same way. Most mainstream VPNs are based on the same physical infrastructure: one proxy server to mask all their clients’ traffic with the same public IP address. This is a privacy disaster by design. Decentralized services like NymVPN are built differently to address this vulnerability.
With NymVPN, your data is encrypted on your device like with a traditional VPN, but with more robust, multi-layered encryption, like the layers of an onion. Instead of sending all your data through one central server, where your metadata might be logged, it goes through multiple different servers, or “nodes.” These nodes are independently run and unlinkable. Once your traffic arrives at a particular node, one layer of encryption is removed, revealing the next randomized node to which your data will be sent. With NymVPN’s novel mixnet mode, before being routed a second time, your data packets are also “mixed” up with other traffic to further confound traffic analysis and tracking.
The routing of user data through multiple servers is what’s called multi-hop routing, as opposed to the single hop obfuscation you have with a traditional VPN. With Nym, clients have a default 2-hop mode for faster connection, and an optional 5-hop mode for highly sensitive content.
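The layered routing described above can be sketched as follows. This is an added illustration, not NymVPN's code or packet format: the node names, the pre-shared per-node keys, and the toy cipher built from SHAKE-256 and HMAC are assumptions chosen so the example runs with the Python standard library alone, and the mixing step is not modelled.

```python
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    # Toy stream cipher for illustration only; not production cryptography.
    return hashlib.shake_256(key + nonce).digest(length)


def seal(key, plaintext):
    """Add one layer: encrypt, then authenticate, under one node's key."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def unseal(key, packet):
    """Remove one layer; fails unless this node's key made that layer."""
    nonce, tag, body = packet[:16], packet[16:48], packet[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer is not for this node or was modified")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def wrap(route, keys, destination, payload):
    """Client side: build the innermost layer first, then work outward."""
    next_hops = route[1:] + [destination]
    packet = payload
    for node, next_hop in reversed(list(zip(route, next_hops))):
        header = bytes([len(next_hop)]) + next_hop.encode()
        packet = seal(keys[node], header + packet)
    return packet


def peel(key, packet):
    """Node side: strip one layer, learning only where to forward next."""
    layer = unseal(key, packet)
    name_len = layer[0]
    return layer[1:1 + name_len].decode(), layer[1 + name_len:]


def relay(client, route, keys, packet):
    """Simulate forwarding and record what each node can observe."""
    seen, previous = {}, client
    for node in route:
        next_hop, packet = peel(keys[node], packet)
        seen[node] = (previous, next_hop)   # (who sent it, where it goes)
        previous = node
    return seen, packet


# Constructed three-node route with hypothetical node names and random keys.
ROUTE = ["entry", "middle", "exit"]
KEYS = {node: os.urandom(32) for node in ROUTE}


def demo():
    packet = wrap(ROUTE, KEYS, "site.example", b"hello")
    return relay("client", ROUTE, KEYS, packet)


if __name__ == "__main__":
    seen, delivered = demo()
    for node, (source, target) in seen.items():
        print(f"{node:6s} sees traffic from {source!r} going to {target!r}")
    print("delivered:", delivered)
```

No single node sees both the client and the destination: the entry node knows the client but only the next node, and the exit node knows the destination but only the previous node. Production designs additionally keep packets at a fixed size so their length does not reveal the position in the route, which this toy does not do.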
Learn more about how you can custom configure your NymVPN experience to balance speed needs and enhanced privacy, and on the differences between traditional VPNs and decentralized VPNs.
How to know if you’re being tracked
You probably won’t know, but assume you are.
The truth is, everything we do online is the potential object of internet tracking: our browsing habits; the precise wording, phrasing, and questions we put into a search engine; the interests and desires we express in clicking on a product; how long we linger on a particular image, text, or ad; and our geolocations behind all these actions. All of this feeds into complex global data-accumulation systems in which our own lives are analyzed, profiled, and sold. Internet tracking is everywhere and happening all the time. And we, as daily users of the public internet, are the targets.
User privacy is best protected by applying data protection practices, among them using reputable and ideally decentralized VPNs. dVPNs, like NymVPN, can greatly reduce the risks posed by data centralization. The tracking of user data will continue to be a problem, and its technical means will become more sophisticated. By safeguarding your online activity with Nym, we can work together in the fight to impede these constantly evolving and global impingements on internet privacy.
When everything personal about us is sought after for profit or surveillance, the strategy should be to go anonymous.