WEB TRACKERS

 

Trackers are tools that allow users to be tracked so that the entity tracking them can learn about their actions and certain behavioural habits. Not all trackers circulating on the Internet are cookies, nor do they all involve the same risks for users. In this article we will look at the main types of tracking tools that currently exist and explain the purpose of each of them:

-       Cookies;

-       Tracking pixels and other web beacons;

-       Fingerprinting techniques; and

-       HTML storage spaces (LocalStorage, SessionStorage and other functions that access the browser's storage object).

Through the following links you can easily access the information that interests you:

1       ¿Qué son las cookies y que clases hay?. 1

1.1      ¿Qué tipos de cookies hay?. 3

1.1.1       Clasificación de las cookies atendiendo a su finalidad. 3

1.1.2       Clasificación atendiendo al tiempo que perduran. 5

1.1.3       Clasificación de las cookies atendiendo a su procedencia. 5

2       ¿Qué son los Pixels?. 6

3       ¿Qué es el fingerprinting?. 6

4       ¿Qué son los espacios de almacenamiento HTML?. 7

 

1      What are cookies and what types are there?

The widespread use of the Internet has allowed content and service providers, and third parties engaged in network analysis, to develop mechanisms to know, for example, if a person visiting a website was doing so for the first time, where they had come from, what other pages on the website the users had visited, whether they had registered, or to give them the possibility of saving personal settings (such as the display language) or session data. Cookies allow these functions to be implemented and many more.

Cookies allow, among other things, advertisers to know which Internet sites individual people visit in order to offer each of them products/content and services in accordance with their interests (personalized). Likewise, although in a different scope from those we could use to classify them, cookies allow those controllers for the websites to also know which pages have been visited the most and least, as well as other statistics on the effectiveness of the structure and content of their site, in order to make decisions that improve the quality and positioning of their website on the Internet, and much more.

The tracking of user activity on the Internet is implemented through what are generically called “cookies”, which are usually associated with small files used by web page servers to store and retrieve information from a user's device, which allows the processing of personal data of the user when browsing and interacting with the different applications and content displayed on networks, the Internet, extranets and intranets. In fact, under the name of cookies there are many techniques that allow the tracking of users in an active or passive manner, and sometimes in a non-transparent way. Among these tracking technologies we can find those that use the characteristics of the device, unique identifiers and the user's browsing habits. Each time we request a page, an image or content from a web server, we are communicating, at least, our IP address, which can tell our geographic location, but also the model of browser we use and, consequently, also our operating system, the device with which we connect, and how updated it is. A web page server can know if the user who is browsing has a pop-up blocker, how much memory their computer has, what graphic card they use, or how the mouse moves around the screen. All this information is grouped under the generic name of the device's fingerprint and can be used on Internet servers to link all the user's activity and thus be able to create a profile of the user.

The GDPR talks about cookies in its recital 30, recognizing their capacity to create profiles of people and identify them.

1.1    What types of cookies are there?

In general, there are three different ways to classify cookies:

-       according to their purpose;

-       according to how long they last; and

-       according to their origin.

1.1.1   Classification of cookies according to their purpose[1]

The following 4 categories are distinguished according to their purpose:

-       Technical or strictly necessary cookies: These cookies are essential for users to navigate the website and use its functions. Examples of this type of cookies are session identifiers, identifiers to access restricted areas of the website, fraud prevention cookies (linked to the security of the service), visit counters for the purpose of controlling software licenses, cookies that enable dynamic content on the website, etc. Technical cookies are also cookies that allow the most effective management possible of the advertising spaces that, as another element of the layout, are placed on the website, app, or platform (provided that information is not collected from users for a different purpose, such as personalizing advertising content). Technical or strictly necessary cookies do not require the user's prior consent, but the user must be informed of their existence in the cookie policy, or failing that, in the website's privacy policy, in order to comply with the duty of information that the data controller has for the processing of the data collected in the cookies (at least, what they do and, where there may be doubt about their essentiality, why they are necessary).

-       Preference cookies: Also known as "functionality cookies". These cookies allow a website to remember the choices that the user has made in the past, such as which language they prefer, which region they like the weather reports from or what their username and password are in order to automatically log in. If it is the user themselves who chooses these preferences (for example, by clicking on the icon of the preferred language, or selecting the "Remember me" option), the data controller does not need to collect the users' prior consent (with regard to this purpose of processing).

-       Statistics cookies: Also known as "performance cookies" or "analytical cookies". These cookies collect information about how the user uses a website or app in order to improve the functionality offered by the website. Examples of this type of cookies are those that collect which pages the user has visited and which links the user has clicked on. The statistics generated by processing the data collected by these cookies will not be data that can identify a user, since the data collected by these cookies is already aggregated and, therefore, these statistics will be anonymous. However, before being aggregated, the data collected by these cookies usually uniquely identifies visitors in order to distinguish, for example, the case of a visitor who accesses the same page many times from the case of many unique visitors who access that page only once (two radically different metrics to decide which part of a website deserves optimization given the high number of people who visit it). Since the data collected by these cookies before statistics are extracted from them is usually linked to unique identifiers of the visitor, this data must be considered personal data and, therefore, as it is not strictly necessary for the operation of the website, the data controller is obliged to obtain the consent of the users before downloading this type of cookies to the device of said user or, if they are already downloaded, before collecting the data that they have stored.

-       Advertising cookies: These cookies track the user's online activity to help advertisers offer the most relevant advertising or to limit the number of times an advertisement is seen. These cookies usually share this information with other organizations or advertisers (third parties).

1.1.2   Classification according to the time they last

-       Session cookies: Websites do not have memory, so they use session cookies to remember a user for a limited time: the session, which starts when you enter the website (or a web application) from a tab/window of your browser and ends when you exit the website or kill that browser tab. These cookies are designed to collect data and store it while the user navigates the website and are usually used to store information to provide the service requested by the user for the duration of the session, expiring (being deleted) when the user leaves the website. The next time that user enters that same website, or if he or she opens it in a new browser window, it will be considered a new visit and a new session will be opened with its own session cookies. A typical example of this type of cookie is the one used by network load balancers to know which browser window to send a certain content to when the user has several windows open on the same website, or the cookies that collect the products that the user leaves in a shopping cart (although, when only session cookies are used, if the session is broken, the products in the cart are lost, which is why there is usually another persistent cookie that allows the user to recover their cart when they access the e-commerce site again from another browser window/tab).

-       Persistent cookies: This category includes all cookies that remain on the user's hard drive until they are deleted by the user or until their browser does so when it detects that the cookie's expiration date has expired. All persistent cookies have an expiration date written in their code, and their duration can vary between one minute and hundreds of years. As long as the cookie does not expire, the data collected by it may be consulted and processed by the website manager, or by the third parties that created it.

1.1.3   Classification of cookies according to their origin

-       First-party cookies: These are sent to the user's terminal device from the same website that the user is visiting. The difference with other cookies is that only the person responsible for that specific website will be able to read the data collected by their own cookies.

-       Third-party cookies: These are sent to the user from a domain other than the one corresponding to the website that the user is visiting, which means that it will be the owner of that other domain, a third party, who will actually have access to the data collected by their cookies. In this way, third parties obtain an insight into the browsing behaviour of users, which makes it easier to create more precise user profiles that allow third parties to offer, for example, targeted advertising according to the tastes of each specific user. Typical examples of this type of cookies are those installed by companies that manage advertising on certain advertising banners, or preference cookies placed by video playback companies or other providers of services embedded in web pages (payment service providers, etc.).

2      What are the tracking pixels (or web beacons)?

The tracking pixel (or simply “pixel”), also known as a web beacon or transparent gif in its different forms, is usually an image or other type of file inserted in the web that, when downloaded to the user's terminal, allows us to know some aspect of the user's activity (for example, that the user has opened a specific web page where the pixel was located).

3      What is fingerprinting?

Fingerprinting is the name given to the technique of uniquely identifying the computer that a user usually uses, in order to accumulate data with which to create their browsing profile (what types of web pages they view, how often they do so, at what times, etc.).

There are two types of fingerprinting of the browser with which the user accesses a website, active and passive:

-       Passive fingerprinting: The browser through which the user accesses a web page communicates to the server of that web page (the server that sends that page to the browser) some data with which the browser can be uniquely identified, and thus, the user who repeatedly uses that specific browser. Among the data that the browser on the user's computer sends to the web server may be the computer's IP address, the port of the computer that the browser uses to communicate with the web server, the language and keyboard settings of the computer, the computer's operating system (including the version and patches installed), as well as the web page from which the browser is being served (for example, if the web page is accessed as a result of clicking on a link or an advertisement on another website).

-       Active fingerprinting: “Active” browser fingerprinting is similar to “passive” browser fingerprinting, but it also allows the web server to know additional data such as the size of the computer screen or the set of plug-ins (extensions) installed in the user's browser, which allows for more exhaustive individualization.

This tracking technique, unlike the previous ones, does not install anything on the user's computer and, therefore, is not easily auditable by the user. It must be the owner of the website, or its data protection officer, who guarantees (in its cookie policy, and based on the trust that is placed in it) that it does not use this type of trackers.

4      What are HTML storage spaces?

The “Storage” object (from the Web Storage API, available in virtually all browsers that support HTML5) is another of the facilities that allow data to be stored locally in the browser of a website visitor. The advantage that using this technology has for web developers over traditional cookies (HTTP) is that the browser's “Storage” object allows much more information to be stored (between 5MB and 10MB, compared to the 4KB that can be used with cookies) and it is not sent to the web server every time the user visits the website (or rather, every time their browser makes an HTTP request to the web server), thereby saving bandwidth and speeding up the loading of the pages that make up the website.

LocalStorage and sessionStorage are two properties (of the many that exist) that access the Storage object in order to use that local storage space (storage on the website visitor's device). The difference between these two properties is that localStorage stores information indefinitely or until the user decides to clear the browser data, and sessionStorage stores information while the tab where the user has accessed the website remains open. Once closed, the information is deleted.

Regarding the data that each domain (each controller, whether the website itself or third parties) saves in its Storage object, it is a complete mystery. Only the developer can say which variables/data it saves in that object, and what values ​​they have at any given time, so it will be the website, through its cookie policy, who will have to inform us about their respective purposes.



[1] It is important to keep in mind that the same cookie may have more than one purpose and, therefore, may be included in more than one category.