Shadows behind the screen: the story of a browsing session

Alyssa Stillwagon
Published in redmorph
5 min read · Jun 29, 2018

Written by Emma Flickinger

You enter your favorite coffee shop, prepared to enjoy a hot drink and get a little work done. After placing your regular order, you sit at a table near the counter. You open your laptop to connect to the coffee shop’s free internet while you wait for your drink. There’s no password required to connect to the network, but you have to enter your email to access the Internet.

When you use Wi-Fi to connect to the Internet, your computer is sending packets of data to the Wi-Fi router to request connections with websites, and the router is sending back the requested information.

Most public Wi-Fi connections are unsecured, meaning that the data going back and forth on your connection doesn’t have any protection. (The “welcome” pages where you have to provide your email or check a “terms and conditions” box mean nothing for security.) The lack of password protection means that your connection isn’t encrypted. With the right software, on an unencrypted network, anyone else on the network can access the data you’re transmitting (most likely using what’s known as a man-in-the-middle attack).

Your coffee still isn’t ready, so you decide to check the news. You open a tab on your computer to go to a news site and scroll down the main page, looking for an article to read. From the right side of the screen, a sidebar slides in to notify you: Our website may use cookies.

Many websites store cookies on your computer. A cookie is not a program or a piece of software, but a piece of data related to your visit to a website. When you visit the website again, the website can retrieve and modify the data.

One of the most common types of cookie assigns your computer a user ID for that website. If you dug around in your browser to find the cookie itself, it would look something like User 12345678. By storing the ID on your computer, the website can track information like what you do on the site, when you use it, and how long you spend on it each time.

You click “OK” to dismiss the sidebar. You find an article you want to read — about a lost cat that found its way home after 8 years — and click the link. It opens in the same tab and your browser takes a moment to load. After a few seconds, the article comes up, bordered by several ads. Just under the article’s headline are several social media icons and a “Share” button.

There are many different ways to classify cookies, but two of the most important are first-party and third-party. First-party cookies are the cookies put on your computer or browser that originate from the website you’re on: cookies that remember your login details, or what’s in your shopping cart. They track your activity on that particular site.

Third-party cookies are still delivered by the website you’re on, but they originate from a different website, usually either advertising or social media. If you’re on a website with a “Share” button or the option to comment with your Facebook account, there are probably third-party cookies on the page.

Certain third-party cookies, like those set by Google's ad provider DoubleClick, are popular across many, many websites. Because of this, their creators can track you across all these websites and build up a profile of your online activity.
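To make the first-party/third-party distinction and the cross-site profile concrete, here is an added example (not part of the original article) that classifies the requests a browser makes and groups them by the third-party cookie sent with each. The hostnames, cookie values and function names are constructed for illustration, and a "site" is approximated as the last two labels of the hostname, whereas real browsers use the Public Suffix List.

```javascript
// Constructed sample: requests a browser made while loading pages on three sites.
// page = URL in the address bar, url = resource requested, cookie = Cookie header sent.
const requests = [
  { page: "https://www.daily-news.example/lost-cat", url: "https://www.daily-news.example/style.css", cookie: "user=12345678" },
  { page: "https://www.daily-news.example/lost-cat", url: "https://ads.adnetwork.example/banner.js", cookie: "id=a1b2c3" },
  { page: "https://www.daily-news.example/lost-cat", url: "https://widgets.social.example/share.js", cookie: "sid=zz99" },
  { page: "https://shop.petstore.example/cat-food", url: "https://ads.adnetwork.example/banner.js", cookie: "id=a1b2c3" },
  { page: "https://mail.webmail.example/inbox", url: "https://ads.adnetwork.example/pixel.gif", cookie: "id=a1b2c3" },
];

// Assumption: the "site" is the last two host labels (a simplification of the Public Suffix List).
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// A request is first-party when it goes to the same site as the page being viewed.
function classify(req) {
  return site(req.page) === site(req.url) ? "first-party" : "third-party";
}

// For every third-party site and cookie value, collect the pages on which it was sent.
// This is the browsing profile the third party can assemble from its own server logs.
function buildProfiles(reqs) {
  const profiles = new Map();
  for (const r of reqs) {
    if (!r.cookie || classify(r) !== "third-party") continue;
    const key = `${site(r.url)} ${r.cookie}`;
    if (!profiles.has(key)) profiles.set(key, []);
    profiles.get(key).push(r.page);
  }
  return profiles;
}

// Models a browser set to block third-party cookies: the request still goes out,
// but no identifier accompanies it, so visits can no longer be linked by cookie.
function blockThirdPartyCookies(req) {
  return classify(req) === "third-party" ? { ...req, cookie: "" } : req;
}

for (const [tracker, pages] of buildProfiles(requests)) {
  console.log(tracker, "saw", pages);
}
console.log("with blocking:", buildProfiles(requests.map(blockThirdPartyCookies)).size, "profiles");
```

The ad network's single ID appears on the news site, the shop and the webmail page, which is the profile the paragraph above describes; the news site's own cookie never leaves that site.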

You pick up your coffee from the bar and return to your laptop. First on your list: email.

You open AOL Mail and respond to some work messages. An ad that proclaims “Adopt a Shelter Pet Today” hovers to the side. After you clear out your work emails, the top message is this month’s banking statement.

Despite being the center of most people’s professional lives, email creates a lot of privacy and security woes.

Both Yahoo and AOL Mail are operated by the Verizon company Oath. Oath’s privacy policy is, well, almost the opposite of a privacy policy. Oath scans any and all of your emails — and their policy explicitly includes emails from financial institutions — in order to get data that they can use to target you with highly personalized ads.

Gmail is much more transparent than it used to be about what it does with your emails, and it’s recently announced a set of expanded privacy options that will ostensibly give users more control over who sees their emails. But these improvements may be mainly for show — some privacy settings could be absurdly simple to get around with basic computer literacy (for example, the recipient of an email that’s prevented from being forwarded could simply take a screenshot, and pass the screenshot on).

So you get your work started — and in the meantime, you’ve left behind a small pile of information about yourself on the Internet.

  • The coffee shop has your email address.
  • The news site you visited adds to its information about your browsing habits on that site.
  • Any social media sites you’re logged into know that you visited the news site and what article you read.
  • Any third-party advertising services whose ads you viewed have information about where and when you viewed them, and add it to their information about where and when you’ve viewed their ads in the past — if it’s a far-reaching service, they’ll have a comprehensive picture of your browsing habits.

And that’s assuming no one has tapped into your Wi-Fi connection to attempt malicious action.

What will happen to this information about you? Almost all of it will be exploited — sold to a data broker for profit, who will then use it to help advertisers target you.

Imagine how much data you’re generating as you use the Internet day after day, on your home computer, your work computer, your laptop, and your phone. All that data is the center of a system of markets — and you’re the product being sold.
