User Tracking: Cookies & Pixels

After reading this post, you’ll gain a clear understanding of how user tracking operates on the web and how such simple technologies may compromise our privacy.

🔒 Privacy is the bedrock of a free and democratic society, and when it’s threatened, the entire system begins to collapse. This idea plays a key role in my sci-fi epic, GÖD’S GATE. If you’re interested in how privacy shapes and safeguards our society, check it out! 📚🚀

Landscape

Cookies

Cookies are text files stored on the device’s (local) disk or in the in-memory space reserved for the browser. Cookies are data, not logic (i.e. code). Cookies contain information that helps identify a user (e.g. so that the server “remembers” the user when they come back to the website) and store their past actions (the state of the user’s interaction with the website), and they are used to support other functionalities: authentication, security, ads, website features, performance, and analytics.

There are two types of cookies based on their ephemerality:

  • Session cookies, which are deleted when the browser session ends.
  • Persistent cookies, which contain information useful for the next visit to the website, like login credentials.

In terms of their purpose, we can classify them into:

  • Strictly necessary cookies, which the website needs in order to work. These are session cookies such as those for a shopping cart, authentication, load balancing, and security (to assess the legitimacy of a session).
  • Analytics cookies, which count visits, traffic sources, etc.
  • Functional cookies, which enable the website to provide enhanced functionality and personalization like font size, language, etc.
  • Marketing cookies, which companies use to build a profile of your interests in order to, e.g., serve an ad if the user has visited a competitor’s website.

A website/business owner will develop and manage a website (Step 1 of Figure). Upon a user’s visit (Step 2), the website’s backend server generates and stores the so-called cookies in the user’s browser, like Brave or Firefox (Step 3). In other words, the website server requests the browser to store and update the cookies as the user interacts with the website.
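Whether a cookie is a session or a persistent one is decided by the `Max-Age` and `Expires` attributes of the `Set-Cookie` header the server sends in Step 3. The following added example (not part of the original post; the header values and the `shop.example` domain are constructed) parses such headers and classifies each cookie:

```javascript
// Added example: classify Set-Cookie headers as session or persistent cookies.
// Split one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const cookie = { name, value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// No Max-Age and no Expires means the cookie lasts only for the browser session.
// Max-Age wins over Expires when both are present (RFC 6265).
function lifetime(cookie, now = Date.now()) {
  const DAY_MS = 86400 * 1000;
  let expiresAt = null;
  const maxAge = Number.parseInt(cookie.attrs["max-age"], 10);
  const expires = Date.parse(cookie.attrs["expires"]);
  if (!Number.isNaN(maxAge)) expiresAt = now + maxAge * 1000;
  else if (!Number.isNaN(expires)) expiresAt = expires;
  if (expiresAt === null) return { kind: "session", days: 0 };
  if (expiresAt <= now) return { kind: "deleted", days: 0 };
  return { kind: "persistent", days: Math.round((expiresAt - now) / DAY_MS) };
}

// Constructed sample headers, as a server might send them in Step 3.
const SAMPLE_HEADERS = [
  "cart=c-91f0a7d2; Path=/; HttpOnly",
  "lang=en; Max-Age=31536000; Path=/",
  "_vid=v.1.1700000000.482913; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=shop.example",
  "old=; Max-Age=0",
];

// Produce one report row per header: cookie name, kind and lifetime in days.
function auditCookies(headers, now) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    return { name: c.name, ...lifetime(c, now) };
  });
}

console.table(auditCookies(SAMPLE_HEADERS, Date.parse("2024-01-01T00:00:00Z")));
```

A long lifetime on an identifier-like cookie (here the constructed `_vid`) is what makes it useful for recognising a returning visitor.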

Pixels

A tracking Pixel (also known as web beacon) is a piece of code (logic) a developer includes in their website (Step 1), typically in the header, i.e. the section of the website’s codebase that is executed first by the browser.

A Pixel is code, cookies are data.

When executed, the Pixel code loads a library (developed by the organization behind the Pixel, like Meta or Google), which contains logic to register specific events the website owner chooses (e.g. conversions, transactions, clicks, times, identifiers, etc.) and that are triggered by user interactions (Step 2).

The Pixel code instructs the browser to request that the website server create new cookies (Step 3). Note that, with a Pixel, the website owner does not need to develop from scratch a script to register events on their website. Pixels are convenient.

Ads Network

An ads network, like those from Google and Meta, is a platform that connects advertisers with websites or apps, using user data to deliver targeted advertisements, track performance, and optimize campaigns across various digital channels.

The Pixel sends to the advertising network owner’s servers (like Meta’s or Google’s) the website’s cookies (Step 4). There, the cookies are synced and aggregated with other cookies from websites the user has also visited, including the advertising network owners’ services (e.g. Facebook, Instagram, YouTube, Google Search, etc.). For instance, Meta or Google will strive to sync the cookies from a user who visited Nike’s website with the cookies that user generated in YouTube. Other social plug-in features such as Meta’s Like Button work similarly to Pixels.

These ads services are made available to the website/business owner through an ads manager console (Step 5). Website owners use this data to refine their websites and ad campaigns (Step 6) (including re-targeting, i.e. serving ads on Facebook, Instagram, YouTube, Google Search, etc. to the same website’s visitors (Step 7)), and to find other audiences that match their existing customers. They can also offer their own website for others to advertise on (Step 8).

In practice, advertisers typically rely on Meta’s Pixel to target customers on Facebook (FB) and Instagram (IG), while they typically rely on Google Analytics (GA4) to get a better understanding of their customers’ journey across the web, since GA4 covers Google Search (GS), YouTube (YT), and Maps and serves ads on GS, YT, and on partner websites. Thus, if a business’s customer traffic extends beyond FB and IG, it typically resorts to GA4. Yet, Meta also has its Audience Network to advertise on partner websites (Step 8).

Data Flow

In summary:

  1. The Pixel code instructs the website server to create new cookies as per the website owner’s settings and the user’s interactions,
  2. the Pixel relays the website’s cookies (stored in the browser) to ads network servers,
  3. these ads network servers sync, aggregate and provide analytics tooling, which
  4. are accessed by the website owner through an ads manager console.
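Step 2 of this flow is observable from the client side: anyone auditing a site can export the requests a page makes and look for first-party cookie values in requests that go to other hosts. The following added example (not from the original post; all hosts, cookie names and URLs are constructed, and the suffix-based third-party check is a simplification of the registrable-domain comparison browsers use) does that:

```javascript
// Added example: flag requests that relay first-party cookie values to other hosts.
const MIN_VALUE_LEN = 8; // skip short values ("en", "1") that match by coincidence

// Simplified check: a host is first-party if it is the site or one of its subdomains.
function isThirdParty(host, siteHost) {
  return host !== siteHost && !host.endsWith("." + siteHost);
}

// Return one finding per (third-party host, query parameter, cookie) match.
function findCookieRelays(siteHost, cookies, requestUrls) {
  const findings = [];
  for (const raw of requestUrls) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      continue; // ignore malformed entries in the request log
    }
    if (!isThirdParty(url.hostname, siteHost)) continue;
    // searchParams yields percent-decoded values, so encoded cookies still match.
    for (const [param, value] of url.searchParams) {
      for (const [name, cookieValue] of Object.entries(cookies)) {
        if (cookieValue.length >= MIN_VALUE_LEN && value.includes(cookieValue)) {
          findings.push({ host: url.hostname, param, cookie: name });
        }
      }
    }
  }
  return findings;
}

// Constructed cookie jar for the site shop.example.
const SAMPLE_COOKIES = { _vid: "v.1.1700000000.482913", lang: "en", cart: "c-91f0a7d2" };

// Constructed request log, e.g. as exported from the browser's network panel.
const SAMPLE_REQUESTS = [
  "https://shop.example/api/cart?id=c-91f0a7d2",
  "https://cdn.shop.example/app.js",
  "https://pixel.adnetwork.example/tr?ev=PageView&vid=v.1.1700000000.482913&dl=https%3A%2F%2Fshop.example%2F",
  "https://fonts.thirdparty.example/css?family=Inter&lang=en",
];

console.table(findCookieRelays("shop.example", SAMPLE_COOKIES, SAMPLE_REQUESTS));
```

Only the request to the constructed pixel host is reported; the first-party cart call and the short `lang` value are ignored.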

Some advertising networks may use, however, another data flow.

Device Tracking

In addition to the web, there are other identifiers that apps may pull from a mobile device for tracking purposes, like the Identifier for Advertisers (IDFA). If a user consents to app_A’s developer attaching the device’s IDFA to the app data, then when that developer shares their user data with an advertising network service, the network will be able to link that user’s data from app_A to data from other apps whose developers have also attached the same IDFA.

Both the web and the activity in a user’s device are tracked.

Overarching User Tracking

I have presented the data flow that underpins “user tracking” on the Internet.

The information stored in (tracking) cookies allows advertising network providers to fingerprint users in order to sync such cookies. For instance, website X might collect details about a user’s device and browser, such as their system IDs and operating system, to generate a unique identifier. This identifier is then shared with the advertising network along with other relevant information, such as whether the user purchased a pair of Nike shoes. Similarly, websites Y, Z, and others can perform the same process, producing the same or almost identical identifiers, enabling the advertising network to track user activity across multiple sites.

It is worth noting that utilities such as “Incognito Mode”, while they might not store cookies locally, do not typically block code like Pixels from relaying information to servers. Also note that cookie banners request consent for cookies, but the Pixels will still execute. However, declining a cookie consent will limit the Pixel since it relays such cookies.

Further, note that “Incognito Mode” cannot block whatever information the server decides to store from user interactions either. Thus, tracking still happens despite these types of privacy solutions. (Also, see the US Federal Court Settlement on Google’s Incognito Mode disclosing data collection practices.)

There was also an initiative to move on from cookies towards another solution, “The Cookie Pledge”, yet the industry did not find consensus on an alternative.

Concluding Remarks

The people behind these algorithms “don’t care” about who you are—most likely, there is not a person spying on you. I get this a lot when friends ask me about cookies.

What these companies in the ads business typically “care” about is more mundane, e.g. whether you have a dog, ride a bike, your purchasing power, who you work for, where you are, your political orientation, etc.

Ultimately, what matters to them is how much money they will make by serving you ads. It does not matter whether you are a human, an alien, or a duck, as long as you click on an ad, Google and Meta will make money paid by advertisers.

This is part of the infrastructure that enables most of the Internet to be “free of charge”, which is what is typically meant by “paying with your data”.

References

https://www.logitechg.com/en-gb/legal/cookie-policy.html
https://gi.org/cookies-and-web-beacons/
https://www.monster.com/career-advice/article/cookies-and-web-beacons
https://www.documentcloud.org/documents/24527110-google-unopposed-settlement/
https://www.ft.com/content/64d8d67a-0f0b-11dd-9646-0000779fd2ac
https://www.facebook.com/privacy/policies/cookies/?entry_point=cookie_policy_redirect&entry=0
https://developers.facebook.com/docs/meta-pixel/
https://developers.facebook.com/docs/plugins/like-button/

Disclaimer
Any views expressed in this post are solely those of the author and do not represent the opinions or policies of any affiliated organizations.