A comprehensive guide to corporate online surveillance in everyday life


Cracked Labs' massive report on online surveillance by corporations dissects all the different ways in which our digital lives are tracked, from the ad-beacons that follow us around the web to the apps that track our physical locations as we move around the world.

Importantly, the report shows how tracking companies join up the dots we leave behind, creating stable identifiers that can connect the data-trails from purchases, apps, devices, and clicks, creating a fantastically detailed picture of our lives built up our of these fragmentary details.


This is important because each little fragmentary disclosure can feel harmless at the time, but once they're merged into a unitary whole, the picture they from is disturbingly detailed.

I think that these disclosures are a bit like puffs on a cigarette. Any one puff on a smoke is probably not going to harm you, but statistically, if you take enough puffs, one of them will lead to a tumor, but it will be years down the road. You have to quit smoking before it manifests its worst harms to avoid those harms.


Likewise, any one tracked click, invasive app or loyalty card will not harm you, but leak enough personal info and eventually it will end up in a silo that gets spilled all over the web, or used by a merchant to profile you and gouge you, or by a political spin-doctor to try to manipulate your votes. These harms will only rise to the level of noticeability once it's too late for you.

Smokers often quit when people who've been at it longer than them — their parents, say — contract horrible, smoking-related illnesses. By highlighting the plights of people caught in today's breaches, we may be able to get people to take action on their own behalf before it's too late.

In the meantime, there's only four months before the EU's General Data Protection Regulation comes into effect, which will make almost all the practices described in this report illegal, on penalty of hundreds of millions in fines. No one has really done anything to prepare for this imminent day — they seem to be playing chicken with the EU, betting that if no one complies with the rule, the EU won't just turn around and start shutting down the entire internet industry. That's a pretty high-stakes bet.

Because of its ambiguity a person's legal name has always been a bad identifier for data collection. The postal address, in contrast, has long been, and still is, a key attribute that allows combining and linking data about consumers and their families from different sources. In the digital world, the most relevant identifiers used to link profiles and behavioral data across different databases, platforms, and devices are email addresses, phone numbers, and unique codes that refer to smartphones or other devices.

User account IDs of the large platforms such as Google, Facebook, Apple, and Microsoft also play an important role in following people across the Internet. Google, Apple, Microsoft, and Roku assign "advertising IDs" to individuals, which are now widely used to match and link data from devices such as smartphones with other information from all over the digital world. Verizon uses its own identifier to track users across websites and devices. Some large data companies such as Acxiom, Experian, and Oracle have introduced globally unique IDs for people, which they use to link their decades-old consumer databases and other profile information from different sources with the digital world. These corporate IDs mostly consist of two or more identifiers that are attached to different aspects of the online and offline life of someone and can be linked to each other in certain ways.
Identifiers used to track people across websites, devices and areas of life
Identifiers used to track people across websites, devices and areas of life

Tracking companies also use more-or-less temporary identifiers, such as cookie IDs that are attached to users surfing the web. Since users may disallow or delete cookies in their web browser, they have developed sophisticated methods to calculate unique digital fingerprints based on various attributes of someone's web browser and computer. Similarly, companies compile fingerprints for devices such as smartphones. Cookie IDs and digital fingerprints are constantly synchronized between different tracking services, and then linked with other, more permanent identifiers.

Other companies provide cross-device tracking services that are based on using machine learning to analyze large amounts of data. For example, Tapad, which has been acquired by the Norwegian telecom giant Telenor, analyzes data on 2 billion devices around the globe and uses behavioral and relationship-based patterns to find the statistical chance that certain computers, tablets, phones and other devices belong to the same person.

Corporate Surveillance in Everyday Life [Wolfie Christl/Cracked Labs]