Is Your Computer Really Spying On You?

We’ve all had the feeling our devices are watching us. Perhaps your Alexa replied to you when you weren’t expecting it. Or LinkedIn suggested you connect with someone you met briefly at a conference.

Most frequently, it’s because you’re scrolling through an unrelated website when you get a super-targeted ad for something you were looking at a few days ago. Or spoke about with a friend on the phone.

You feel the hairs on the back of your neck prick up, you side-eye your laptop, and you whisper… are you spying on me?

Well maybe you’re less dramatic, but it certainly crosses your mind. How does the Huffington Post know you were thinking about buying that jacket? How does CNN know you’re suffering from athlete’s foot?!

Sometimes you can trace back logically to figure out where you laid the clue (you did Google athlete’s foot treatment, after all). Other times, it seems as if you’re being served ads based on conversations you had in person, or even something you’ve only ever mused about in your mind. How on earth does the internet know what you’re thinking?

The good news is that your computer is almost certainly not spying on you. At least, not for custom ad purposes. Let’s take a look at how this bizarre situation comes about, when it’s harmless and when it might be a problem – and how you can put a stop to it.

What’s Really Going On?

To start with, the internet isn’t spying on YOU, specifically.

Rather, it’s your search history, the websites you visit, who you interact with online (and how / when), the groups you join, the pages you like, the interests you express, the topics you discuss. I know that still sounds creepy, but there’s an important distinction here. For websites collecting your information and advertisers targeting you, you’re a data point – an anonymous example of a potential customer – rather than someone they have a KGB-style file on in a dark basement somewhere.

Today, we make it extremely easy for marketers to do exactly that because everything we do online leaves a trace.

If you wander into five different stores in a mall but don’t buy anything, no one knows where else you’ve visited or what you browsed there. If, on the other hand, you hop between five different online stores, each website knows you dropped in. They know exactly what you looked at. They know how close you were to purchasing an item. Most importantly, they know when you turn up elsewhere on the internet, so it’s easy for them to continue advertising to you long after you’ve walked out the virtual door.

What’s more, we hand over so much information about ourselves, either deliberately or unthinkingly, all the time. We do it by interacting with brands, celebrities, and political figures online, or by “liking” pages or profiles on social media. We do it by actively entering personal data about ourselves when we open social media accounts. We do it by letting apps access our Facebook information to speed up the sign-in process.

Unless you’re incredibly careful, you’re leaking information into the internet all the time. Brands don’t need to spy on you. They just scoop up all the crumbs you’ve left for them.

Why Do They Want This Information?

Advertisers don’t want to waste budgets. They want to be as certain as possible that their ads are relevant because it’s in neither of your interests to display a paid ad you’ll then ignore. This challenge led to targeted advertising, which has existed in some form on the internet for nearly as long as the internet itself.

The difference today is simply that the volume, quality, and precision of user data available to advertisers has exploded. 51% of the world’s 7.5billion people are online. 2.9 billion of them are active on social media. That’s a lot of user data to track, analyze and build a picture of who buys what and why. No wonder today’s ads reflect your interests, behaviors and personal information more closely than ever before.

Note that brands don’t usually track user behavior themselves. They use marketing companies like Google’s DoubleClick or Facebook’s Insights for that. These companies work by compiling extensive, strikingly accurate records of people’s browsing habits and what they do while they’re online.

The bottom line is that, when you’re going about your day using websites, apps and social media platforms for free, you are not the customer. You (or rather, your data) are the product. The sites and platforms you visit use this data to help their actual customers, the advertisers, to target ads more effectively.

How Custom Ads Work

Custom advertising refers to any kind of marketing or advertising content that adapts to the person looking at it. Generally, this means one of two things: retargeted ads and personalized ads.

Retargeted Ads

Have you ever found yourself browsing through, say, houses on the market in your area, only to have a particular listing show up as an ad everywhere you go online for the rest of the week?

These are called retargeted ads. They work by collecting clickstream and/or purchase data (more on that below) as you browse. The closer you get, or look like you’ve got, to buying something, the more they take that as an indicator that you’re a good prospect as a customer, and the more likely they are to keep pushing whatever it is at you in ad form.

That means that, wherever you go online next, if the website you’re now looking at hosts ads placed by an ad agency the initial site works with, you may see an ad for the exact item you decided not to buy a moment ago.

This depends on how the brand in question has set up their ad targeting – the end website has very little control over which ads get shown to you. The brand isn’t specifically trying to get to you, as an individual – they’re not spying on you in that sense. But they might have decided that they want to target ads for a particular house to people who have already taken an interest in it. The ad company that rents the space from the website automatically places that ad when you visit, because their algorithm flags you up as someone who was interested enough to take a peek at the listing earlier.

You can see why a lot of brands do this. If they’re going to target their ads to anyone, it might as well be someone they have reason to believe is already interested in the product, after all. Plus, they might think they’re doing you a favor by personalizing your shopping experience.

At the same time, you can also see why some people find this a bit creepy, or at least consider it to be overkill.

To go back to the house listing example, there are lots of reasons why you might have viewed it. Sure, you might be looking for somewhere to buy and were genuinely interested in making an offer. But perhaps it’s your neighbor’s house and you’re just being nosy. Perhaps you have no plans to move any time soon, but you’re curious about property prices in your area should you ever change your mind. Perhaps you’re just daydreaming about living in a lovely house that’s way out of your price range.

For reasons like these, retargeted ads can sometimes be more of an annoyance than anything else – 64% of people say they don’t like them, after all– not least because they give us the uncomfortable feeling of being watched. Brands have caught onto this, and today most are a bit more subtle about custom advertising. Among other things, that means developing personalized marketing audiences instead.

Personalized Ads

Personalized advertising covers a broad church, but in its simplest sense it means a) using data available online to build up a picture of the kind of people who will buy what they sell, and b) cross-referencing this with the data that people provide about themselves / that websites collect on them, to match their ads to people who fit the bill.

Brands pour huge amounts of resources into creating and defining audiences for this purpose, and the incredible wealth of information available about each of us online lets them build a more comprehensive picture than ever before.

Let’s say you’re a makeup brand that specializes in a foundation for darker skin tones. You don’t really want to waste money showing your ads to people with pale skin, because foundation is one of those things you usually buy for yourself, so these people are highly unlikely to become your customers.

At this point, you could do one of two things. You could try to narrow your audience so that you focus on, say, African-American women. Having an algorithm identify these accounts is tricky, though. You could try, for example, targeting ads at people who “like” other hair care and makeup brands that primarily serve this market, or who follow media outlets explicitly aimed at this demographic. There are a billion problems with this, of course, not least that you’ll exclude many potential customers who either aren’t interested in these things, don’t engage with these brands on Facebook, or simply aren’t from this demographic.

Instead, you might decide to use Facebook’s “lookalike audiences” feature. Instead of racking your brains thinking about how to reach your ideal customer, this lets you take a snapshot of the kinds of audiences that follow a rival brand and then target people who resemble them based on comparable likes, interests, and behaviors. In other words, if a brand has a successful competitor who also sells foundation for darker skin tones and they’ve already built up a Facebook following, a rival brand could target ads to their existing followers, or simply to anyone on Facebook who is into the same stuff as these followers.

This is another reason people get the uncanny feeling they’re being spied on. Ads start appearing that seem extraordinarily accurately pitched, linked to details they’re sure they’ve never put on Facebook, or products they expressed an interest in offline. It’s simply because other people similar to them in other ways did put this data online, so the algorithm thinks they, too, might be the right fit for a product or service.

While this feels weird, most of the time it’s not all that insidious. The makeup brand hasn’t done anything wrong by trying to sell a foundation that matches people’s skin tone, for example. However, you can imagine how this kind of behavior gets morally dubious very quickly – especially if the person running the ad is trying to get information to one subset of the population while making sure another part of the population can’t see it. Or if a company only wants customers that come from one demographic, for no other reason than prejudice or perpetuating stereotypes.

We’ll come back to these issues later in this article.

How do they collect this data?

The data used for custom advertising typically comes from one of four sources: clickstream data, search data, profile data, and purchase data.

Clickstream Data

You will have noticed a little box pop up whenever you visit a new website, telling you that the site uses cookies. This is how websites collect clickstream data, which is a record of all the pages you’ve visited while browsing. The cookie is a minuscule text file that the website sends to your computer, enabling it to track the pages on the sites you decide to visit.

Cookies fall into two categories: first-party and third-party. First-party cookies are sent to your device from the website you’re currently visiting, i.e. the domain name you can see in the address bar at that moment. These are totally harmless – websites use them to save you time on your next visit by remembering your preferences and so on.

Third-party cookies are sent from other domains that feed into the site but that you can’t see displayed at a glance. That might be images hosted on the page or, more likely, embedded ads.

Here’s where things get a bit more complicated. The marketing companies that place ads around the internet use these third-party cookies to collect pretty detailed accounts of what you do when you’re online. That’s the basis of how ads follow you around the internet, getting more and more specific and relevant to the things you seem to have expressed an interest in.

For example, if you visit the New York Times website, you’ll see a popup telling you that the site uses cookies and by continuing to use the site, you’re agreeing to their cookie policy. These are used, they say, to “recognize repeat visits and preferences” and “measure the effectiveness of campaigns and analyze traffic”. However, if you check the cookie policy itself, you’ll see that the site also allows third-party cookies.

In this particular case, what that means is that Google Doubleclick (a major ad delivery company) is also placing cookies on your computer as you browse, in order to a) decide what ads to show you at this moment, and b) build up a picture of your interests so they know what kind of ads to show you next time you visit a site they place ads on.

It’s important to note that, while cookies do install themselves on your computer as you browse, they are just tiny, simple text files. A website couldn’t install a virus on your computer via a cookie, for example. Plus, only the website that sent a cookie can read it, so other sites couldn’t use them to “spy” on what you’re up to. But more of that a little later.

Search Data

Do you use search engines like Google, Yahoo or Bing? If not, you’re in a slender minority of people. The fact that so many people rely on these sites to source information has helped companies like Google to position themselves as powerful figures in the online advertising world.

That’s because Google (and most other search engines) continually analyze search terms as well as the ways people behave when ads are placed next to search results. They use this information, firstly, to ensure that the most relevant information always shows up in your searches, but also to sell prime ad space to the highest bidders. Literally.

Companies outbid each other to pay Google for the most sought-after search terms to help them appear prominently on the page. That’s why you get a ton of ads showing up for things connected to your search term as well as your organic results when you search.

Purchase Data

Another way that sites use cookies is to track what you buy, what you almost buy (e.g. add to your cart or watchlist), and what products you view on their site and don’t buy now, but that they think you might give in and purchase some other time.

They use this information in a few different ways. Firstly, if you are signed in to your account on a website, this might trigger follow-ups like abandoned cart emails, which give you another chance to click ‘buy’ without trawling through the site trying to find things again, or reminders to re-order later on, when they calculate that you may need to replace or replenish whatever you’ve bought. For example, if you buy 30 days’ worth of vitamin tablets, the website might email you three weeks later to remind you to reorder before you run out. Or if you add a dress to your ASOS cart but then click off the site without getting to the payment page, ASOS might email you with a nudge to finish the order.

However, they might also use this information to create retargeted ads, which we talked about above.

Profile Data

Are you signed up for any social media sites? If so, you more than likely handed over some personal information at some stage, whether that’s your hometown, job, where you went (or currently go) to high school or university, your age/birthday, and your religion. You may have gone further and filled in much more nuanced information about your political leanings, family members and interests, right down to things like your favorite music, movies or games. If you signed up years ago, you probably can’t even remember what you put down, as you don’t see this displayed when you signed in.

Few people predicted this back when these social networks were just getting off the ground, but all of that information became an absolute gold mine for advertising companies. Facebook, Twitter, Instagram, and their cohorts use this data to sell audiences (as in, their users) to advertisers. Similar to Google, Facebook allows advertisers to choose exactly what kind of people they want to see a particular ad, based on the information they provide in their profile.

Is This Legal?

Yes, it is.

Did you ever see that South Park episode where Kyle clicks “I Agree” on Apple’s notorious 55-page iTunes terms and conditions without reading them, and ends up being abducted and thrown in a cell in solitary confinement when he accidentally breaches them? The running joke of the episode is that he’s the only person who doesn’t know what he’s signed up for – everyone else trawled through every page first. Which, of course, no one does in real life.

Even with the introduction of new laws like GDPR designed to limit what companies can do with our data without our permission, most of us have no idea what we’ve agreed to most of the time. Nobody bothers to read the full T&Cs every time they open a website and click “I agree”. Few people know exactly what their agreement with Google entails, despite the fact that Google knows absolutely everything you do, whenever you’re signed in to your account. I wonder if you know whether your cellphone carrier is selling your location data, either?

What’s more, these arrangements typically include third party agreements, allowing sites to share or sell data to other companies, too. That’s a lot of leeway for Google, Facebook, Instagram (which is owned by Facebook) and so on to make money from your information.

Anyone can buy this information or make use of it to tailor and target their ads. It’s all totally legit.

Is there anything I can do about this?

Yes! If you hate the idea of all this tracking and targeting, there are solid, practical steps you can take to stay anonymous without resigning yourself to the life of a digitally-detoxed hermit. Here are some easy ones.

Clear your cookies – Here’s how

The simplest short term solution is to just clear your cookies on a regular basis on each device. Since ad trackers use cookies for retargeting, that will get them off your back to a large extent.

Here’s how to do that for Chrome, Safari and Microsoft Edge:

Chrome:

At the top right, go to More > More Tools > Clear Browsing Data. Select “All Time” and check next to “Cookies and other site data” and “cached images and files”. Click “Clear Data”

Safari: 

Safari > Preferences, click Privacy, then click either: “Prevent cross-site tracking” (This stops trackers from using cookies and website data to track you across sites), “Block all cookies” or, if you only want to remove stored cookies/data, click “manage website data” and click “Remove All”

Edge:

In Edge, got to More > Settings. Under “Clear Browsing Data” select “Choose What to Clear”, check “Cookies” and hit “Clear”.

Reset your Advertising ID

If you use an Android phone or iPhone, marketers also track you using your “Advertising ID”. You can throw them off the scent by resetting this whenever you like.

On an iPhone, go to Settings > Privacy > Advertising and hit the reset button.

On Android devices, go to Google Settings > Ads and click reset.

Clear your search history

Getting your browser to forget that you’ve been to a website before also makes it harder to track you. You can do that easily by clearing your search history.

To clear your Chrome search history, open Chrome and in the top right-hand corner, click “More”. Then navigate to History > Clear Browsing Data. Check everything you want to delete and select the duration, and click “Clear data”.

In Safari, go to Settings > Safari > Advanced > Website Data, then tap Remove All Website Data. This will also clear your cookies.

In Edge, go to Favorites > History> Clear history. Check everything you want to delete. Select “Clear”.

Install an adblocker

For obvious reasons, Google has banned a lot of ad blockers from the Google Play app store, but you can still download them for use on iPhones and on desktop. You simply need to install one on your device or add it as an extension to your browser.

A few reliable ones to consider are AdBlock Plus, AdGuard, AdBlocker Ultimate, and uBlock Origin.

Use a private browser/go incognito

You can make it a bit more difficult for ad trackers by opening up an “incognito” window as you browse, but if you really want to search in secret, try a private browser with built-in ad and tracker blocking, like Opera or DuckDuckGo.

Get a tracker-blocker

You can also install a tracker-blocker on your desktop or mobile device to stop tracker codes from loading on the websites you visit. A few good options are Disconnect.me and Ghostery.

Opt-out of ad targeting

You do also have the right to opt-out of ad targeting and most sites provide information about how to do this. The problem is, it’s on a case-by-case basis, it’s awkward, and it’s usually very difficult to get into the site to change your preferences without using the site on the way (which the site will take as giving them permission to use cookies). However, for sites you use a lot, this can be a good shout.

Here’s how to opt-out of interest-based ads on Google, Apple devices, Facebook and Twitter. Note that you won’t stop receiving ads, they just won’t be targeted ads.

Get a VPN

The single most effective way to preserve your privacy online and stop advertisers from tracking your every move is by installing a VPN and using it whenever you’re browsing.

A top VPN encrypts your connection to the internet at both ends and re-routes your traffic through an anonymized server. You choose where in the world you want to connect from and you’re assigned an IP number. This disguises who you are and where you are in the world, meaning that you remain entirely anonymous while online.

As well as anti-tracking, there are many benefits to this, including much stronger security, especially when using a public WiFi connection.

Try ExpressVPN, an excellent VPN service that offers great speeds and auto-locks if your internet connection drops so that your identity is never exposed.

Ethical Problems with Data Tracking and Targeting Ads

As we’ve seen, most of the time custom ads are pretty harmless, even if they can be annoying or uncomfortable at times. That said, in the wrong hands, this wealth of granular user data, and the ability to target or exclude certain people can have serious repercussions.

Political Manipulation

Many point the finger at targeted advertising for exacerbating political polarization all over the world, especially in the run-up to elections. Those who want to stir up divisions can target extreme or incendiary content at people most likely to like and share it, helping to whip up a frenzy (even when the content isn’t true).

Plus, by carefully tailoring audiences, advertisers help to create an echo-chamber in which people only see things they already agree with – never anything that challenges their views. Both sides become increasingly entrenched in a viewpoint while also getting the impression that these views are more universally accepted than they actually are. Meanwhile, the people or groups being blamed for the problem or accused of not caring about it barely hear about it because they aren’t the target audience. Everyone gets angrier, and any hope of genuine debate or productive problem-solving diminishes.

This flags up a serious issue with targeted marketing generally: the marketers get to pick their audience or potential customers. Consumers (or in this case, voters), don’t get to see something and decide it’s not for them. They never get to see it all.

Citizen Scoring

While the worst accounts of China’s Social Scoring project turned out to be an exaggeration, there are many smaller scoring initiatives in place across China. Some are used by financial institutions to decide whether people should be given access to credit, while others, like Sesame Credit, are a vast loyalty scheme, with rewards and penalties based on your online behavior, right down to “frivolous” spending.

While these commercial projects are optional, some local authorities have launched their own, compulsory, pilot schemes. If you do something that upsets the authorities, you lose points. If you do something beneficial, like giving blood, the score goes up. If your score gets too low, you’re barred from things like getting a mortgage.

This gets scarier when you consider what would happen if compulsory schemes start to collect data in the same way as commercial ones. Suddenly, the cookies that track when you overspend on shoes or order six cases of beer for your party might also determine whether you’re reliable enough for a student loan. Criticizing the government on social media could get points deducted for “spreading rumors”.

Systems like this seem unthinkable in the West, but they’re possible. What if a credit scoring company began incorporating your clickstream and payment data, for example? Or the best loans, apartments and so on were only ever advertised to the most “desirable” customers?

Conclusion

To wrap up: advertisers aren’t spying on you in the way that we usually picture spying, but they do know much more about you than you may be comfortable with.

Plus, just because marketers aren’t watching your every move through your computer, that doesn’t mean no one is. Spyware is a pernicious form of malware that tricks you into downloading it, tracks what happens on your device and reports it back to hackers and scammers, who can then use this information to steal information, passwords and so on.

If you want to give yourself peace of mind that none of this is happening to you, you can’t be complacent. Install a good VPN, to safeguard your privacy. Invest in decent antivirus software to protect you against viruses and spyware. Clear your cookies regularly.

Remember, too, that ads are inevitable when you’re getting content for free. They’re not going anywhere – but you can make them less intrusive.