LifeHacker


On April 24, President Joe Biden signed a bill that could see TikTok banned in the United States if it does not divest its American operations to a U.S.-owned company. Among the reasons for this: data privacy. Like any social media app, TikTok collects a treasure trove of data and personal information, and as a Chinese-owned company, there are concerns that it could be forced to supply that data to the Chinese government.

“I don’t have a TikTok account,” you might think. “I’m fine.” But the modern internet is more complicated than that. Through ads and deals, data brokers are able to hide cookies, scripts, and  “tracking pixels” on completely unrelated sites and even emails, which they can then use to find out your purchase history and other valuable data. And the perpetrators include more than TikTok—Meta is perhaps the most well-known, going so far as to publicize how it scrapes your data.

That means you could be vulnerable to tracking from services like TikTok and Facebook even if you’ve never once used them. Luckily, there are tools in place that can find out when you’re being tracked and who’s doing it.

How do companies track me?

Currently, there are two major methods of data-tracking online: The first, cookies, is on the way out, but pixel trackers are a bit more complicated.

You’ve probably heard the term cookies before. These are little packets of information that allow websites to store data like your password, so you don’t need to log in every single time you access a website. But in addition to these “necessary” cookies, there are also third-party cookies that can track your browsing session, information that can be sold to data firms later.

These are probably the most obvious way you might get tracked online. If you’ve recently visited a website that operates in the EU (or certain states), you’ve probably noticed a form asking you to consent to cookies. These are what those forms are talking about, and while clicking through them can be a brief annoyance, they’ve gone a long way to making cookies less sneaky and far easier to block.

Throw in Google’s oft-delayed but still planned attempt to kill the cookie outright, and data brokers have had to get more clever.

Enter the tracking pixel. These operate in a similar fashion to cookies, but use images rather than text. Essentially, companies can hide transparent or otherwise invisible pixels on your screen, and get pinged when your browser loads them, allowing them to track which parts of a website you’re accessing and when.

It’s a real letter vs. spirit of the law thing, as while the principle remains the same, there’s little legislation on tracking pixels, meaning users who had gotten used to the government crackdown on cookies now have to go back to square one when it comes to data vigilance. Nowadays, some site elements even come bundled with their own scripts that can go further than cookies ever did.

How do I know when I’m being tracked?

There’s a benefit to how tracking pixels and scripts integrate directly with a website’s code: With enough elbow grease, you can know when you’re being watched.

When tracking pixels are loaded into a site, you can actually see their tags in that site’s code. If you know what to look for, just right click and select Inspect from the drop down menu to begin investigating. This will work on Chrome, Firefox, and Microsoft Edge, although Safari takes a bit more work.

Generally, though, you don’t want to do this manually. There are tools that automate the process for you, plus give context for what you’re looking at.

A graphic demonstrating Feroot PageScanner


Credit: Feroot

The most recent and robust is Feroot PageScanner, a free Chrome extension developed by some of the voices who testified on TikTok for Congress.

Feroot PageScanner has perhaps the most immediate interface for informing you when your data is being tracked. While it won’t do anything to block trackers, it places notifications on your screen in real time that tell you when your data is being tracked and by whom. Its menu also gives you a detailed list of active trackers, who they’re run by, and what purpose they serve. Plus, you’ll be able to sort through any scripts being run on the webpage you’re visiting, all without having to enter the Inspect menu.

It’s intended for enterprise clients running security analyses on their sites, especially those looking to meet PCI compliance. But it’s a great place for anyone to start, as it gives an in-depth, if somewhat scary, look at the scope of the problem.

“TikTok is not the biggest problem by far,” said Feroot CEO Ivan Tsarynny, who had previously testified on TikTok for Congress.

How to block online trackers

Once you know the scope of the problem, there are multiple tools that can help you take control of your privacy online.

A graphic demonstrating Ghostery


Credit: Ghostery

Ghostery works like PageScanner, except it can go a step further and actually restrict trackers. The counterpoint is that its information isn’t as in-depth as PageScanner’s, so while it will tell you where trackers come from and what purpose they serve, you won’t get those pop-up notifications or be able to sort scripts. According to Tsarynny, Ghostery also has conflicts with PageScanner, so it’s best used to act on threats once you’ve already identified them.

Ghostery is available both as an extension for most browsers, or as its own standalone browser that comes with its features built-in. It also runs a privacy-focused search engine that is similarly available as a browser extension or as its own website.

If you’d rather not install anything, you can also see which trackers are active where by going to Ghostery’s whotracks.me site.

But while Ghostery is open-source, it has come under fire in recent years for selling user data and replacing the ads it blocks with its own. Its UI is convenient and easy to use, but the most privacy-focused should look to uBlock Origin instead.

A graphic representing uBlock Origin


Credit: Raymond Hill and Nik Rolls

uBlock Origin is another open source ad blocker, and while it can be a touch harder to understand and use than Ghostery, there’s no doubt that it’s the most powerful of your options. It can block pretty much any element on any site with laser precision, and while it comes with block lists built-in, you can also create and import your own. The downside is that it gives you less information on how and when you’re being tracked compared to PageScanner or Ghostery, as it simply prints out blocked tags and ads and expects you to know how to parse them. It is available as an extension on Chromium and Firefox browsers.

A screenshot demonstrating Privacy Badger


Credit: EFF

Privacy Badger has a similar function and interface to uBlock Origin, but is focused more on trackers than ads. Also open source, its interface doesn’t provide much detail on how you’re being tracked, and there’s no ad-blocking here unless an ad is tracking you. What Privacy Badger does do is learn to block trackers over time. You have two choices here. First, Privacy Badger’s developers are continuously testing tags and scripts for invasive techniques, and regularly update the extension with new trackers to block. Second, and disabled by default, is local learning. Local learning allows Privacy Badger to learn from your own browsing habits, and while it can make you more identifiable to trackers, it can be useful if you regularly visit unpopular websites. Privacy Badger is available on Chromium and Firefox browsers. Local learning can be toggled on and off via the Options page.

Finally, outside of the realm of extensions and websites that block tracking, there are VPNs. A VPN essentially hides your browsing data by filtering it through other sources, obscuring your IP. The best VPNs are paid services, but a few will encrypt your data for free. Don’t trust every free VPN you come across, but names like Proton Pass and Tunnelbear are as reputable as the big guys, if less robust.

Note that tracking pixels can also show up in emails. To protect yourself from these, follow our guide on how to stop email images from loading by default.