When you visit a web page, you should expect to have company—not just from other readers, but from all the tools the page’s owner can use to identify you and your interests.
That instrumentation operates mostly out of sight until you see its exhaust, in the form of ads that supposedly key in on your interests but often miss them by a wide margin. Privacy-optimized browsers block many of these trackers, and the latest versions of Mozilla Firefox and Apple’s Safari now keep a running score of how many they’ve stopped.
But even they miss some common tracking techniques. So Surya Mattu, a developer and journalist with the privacy-focused news site The Markup, built a site-inspection tool called Blacklight that runs its own set of tests.
As an accompanying story explains, Blacklight checks for tracking attempts by a variety of tools:
• third-party cookies: small text files that sites besides the one you’re visiting (often, adversing networks) save to your computer to identify you
• ad trackers: small scripts or invisible images that ad networks also employ to identify you;
• canvas fingerprinting: when a site draws text or images in the browser window, usually without making them visible to you, so that it can watch for tiny variations in how they’re rendered on your computer and therefore identify you;
• session recording: using scripts to see where you click, tap or scroll around a page;
• key logging: using scripts to watch what you type into a form on a page as you type it;
• Facebook: when the social network uses its own tracking code to identify you across the Web;
• Google Analytics: the web giant’s widely-used site-metrics tool can be used to research audiences.
Note that some of these tools can have positive uses. Session recording, for example, can tell a site owner if somebody read to the end of a story, a more accurate gauge of reader interest than page views alone, the metric shown at the top of Forbes.com stories. And key logging allows autocomplete functions to fill out a query for you.
But as another accompanying story notes, many of these tools show up at sites only because publishers added third-party widgets or tools without realizing their privacy implications. It pointed out one dangerous finding: “More than 100 websites serving undocumented immigrants, domestic and sexual abuse survivors, sex workers, and LGBTQ people sent data about their visitors to advertising companies.”
I had to point the Markup’s tool at Forbes.com, and the results were—to steal a line from HBO’s Chernobyl—not great, not terrible.
On the upside, Blacklight reported relatively few of the most common tracking tools: 15 ad trackers and 23 third-party cookies. This tool also detected Facebook and Google’s tracking tools (the former of which should be no surprise to experienced users given the Facebook “share” buttons under stories here).
But Blacklight also identified a hidden instance of canvas fingerprinting, which it helpfully displayed: a tilted triangle with colors that varied from orange to yellow.
Fingerprinting may be the one tracking technique considered harmful by all major browser developers. Safari, Firefox and Microsoft’s Edge all block it by default in addition to third-party cookies and trackers, while Google’s otherwise muddled announcements of privacy enhancements for its Chrome browser at last year’s Google I/O developer conference did include a commitment to block fingerprinting.
Blacklight reported no key logging or session recording at Forbes.com.
Forbes PR did not answer an email request for comment sent Tuesday afternoon.
To see how other widely-read news sites compared, I then pointed this tool to the six news sites covered in the American Customer Satisfaction Index’s most recent report: Fox News, ABC News, NBC News, USA Today (disclosure: I write a technology column there), CNN, the New York Times (I also contribute to its Wirecutter tech guide), and HuffPost.
Blacklight reported the highest number of ad trackers and third-party cookies at ABC: 37 and 65. It detected canvas fingerprinting at Fox News and ABC News and possible session recording at NBC. Facebook’s tracking only showed up at NBC, USA Today, and CNN. The lightest overall load was at the NYT, with 13 ad trackers, 12 third-party cookies and Google Analytics.
The Times has done far more than these other sites at making its money from reader subscriptions instead of ads.
What about the Markup itself? That site, which launched with $20 million in funding from Craiglist founder Craig Newmark, takes pride in avoiding all tracking techniques—and Blacklight and Firefox confirmed their absence.