Tracking: your digital trail

“Big Brother is Watching You” ― George Orwell, 1984

Although he wrote his dystopian masterpiece even before ARPANET was a twinkle in the eye of the US Department of Defense, Orwell described the essence of a society in which words, actions and even thoughts are constantly monitored. In 2018, the society he described is no longer fiction: GPS and smartphone apps track our location, Alexa sits in our homes listening to our private conversations, Google knows what we are thinking sometimes even before we do, and we feed Facebook a constant stream of personal data to enable advertisers to sell us stuff we don’t need or persuade us to vote a certain way.

Data is the new oil and most businesses now obsessively gather information on their customers, employees, website visitors and anyone else they come into contact with. Some of this Big Data is useful – either to the business or their users – but much of it is simply collected and stored (this is known as Dark Data). But although the EU has attempted to safeguard the privacy rights of its citizens with the GDPR, and privacy campaigners such as Max Schrems have made inroads to challenging the collection of data by Silicon Valley, the vast majority of people still willingly (or unknowingly) trade their personal data in exchange for a multitude of internet services.

Although much of this raw data is valuable in its own right, organisations which can find the links between different data silos, and effectively see how an individual navigates the internet and conducts their life, ends up with refined – and far more valuable – data. The way to link all the pieces of individual data and create a data trail is through the use of tracking.

Most internet tracking can be categorised as either browser activity tracking or location tracking.

Browser activity tracking

Browser activity tracking relates to the use of an internet browser (eg Chrome, Internet Explorer, Firefox etc). Browsers are also often integrated into certain apps such as Twitter. Once a browser has been marked (or “fingerprinted”) it can then be identified by other websites, creating an internet activity trail (or “digital shadow”).

Often at least one of the websites in this trail (eg Facebook) will require a user to log in, whence it is possible to determine the identity of the user creating this trail.

Forms of browser tracking include the use of cookies, web beacons and server logs.

Cookies

Cookies are tiny files which are automatically downloaded from a website to a browser and track the user’s interaction with both that website and any other websites which contain relevant code (eg any website which has joined a particular affiliate advertising network). Cookies can be used to log users into web services and remember their preferences, provide recommendations and serve up targeted adverts. It’s important to note the distinction between first party and third party cookies; the former are generally only used by a specific website (eg to remember a user’s preferences/login) whereas the latter are normally used by digital advertising companies for purposes of behavioural advertising. The distinction should also be noted between session cookies, which are necessary for purposes of an ecommerce transaction and which are erased once the browser is closed, and persistent cookies, which remain in the browser unless they are erased by the user. Finally, Flash cookies are used by Adobe Flash; they are distinct from, but very similar to, regular cookies.

Web beacons

Also known as pixel trackers, web bugs or pixel tags, web beacons normally comprise transparent images, the size of a single pixel, which are called from a server when a user views certain online information (which may sit on a different server). These are often used in email marketing software which embeds the web beacon into email campaigns; analytics can then show what percentage of recipients have opened a mailshot and how many times a particular recipient has read each email.

Server logs

All servers log web user activity, including IP addresses of visitors, the time and date web pages were loaded, the type of devices used to access the website, referrer pages (eg the previous website a browser had visited). IP addresses can sometimes be used to narrow down the identity of a specific user and it’s this element which potentially compromises privacy. Server logs are the basis for web analytics software such as Google Analytics.

Location tracking

As well as being able to build up a picture of the browser activity of users, analytics software can also track geographic locations – often with disconcerting accuracy – to further “enhance” user profiles. User locations can be tracked by a variety of means.

GPS

Virtually all smartphones now come with a built in Global Positioning System (GPS) chip which is used by a plethora of apps, from Google Maps to Tinder. Unless “location services” are switched off, many apps automatically collect location logs which can help companies to build up a picture of where a phone user spends their time and even where they live (ie a static location every night will be marked as ‘home’). Camera apps often also append location data to every photo taken, so if these are later uploaded to cloud services, it is possible for other users to view where someone took a particular photo.

Mobile phone masts

Even with the GPS turned off, all phones need to constantly communicate with mobile phone towers. As an individual moves around, the phone will connect with a series of these towers – each of which is identifiable – and this creates a location trail which is logged by mobile phone companies.

WiFi history

If WiFi is switched on, in order to find a new connection, phones and other devices will broadcast a signal containing the names of previous networks it has connected to, which can be intercepted. Large free WiFi networks (eg The Cloud) can view the various locations where a user has logged in to use their WiFi.

IP location logs

This is one of the server logs described under “browser activity” above. It’s not always very accurate, but it can often pinpoint the city or locale of a user.

Legislation relating to tracking

PECR

The Privacy and Electronic Communications Regulations 2003, as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the “cookies law”), generally requires website operators using cookies to provide information about cookies to its website visitors and to gain their consent for the use of cookies. In practice, this often simply comprises a cookie statement which is displayed the first time someone visits the website, asking them to accept the use of cookies if they wish to use the website.

GDPR

The General Data Protection Regulation came into effect in May 2018 and includes reference to “online identifiers” in Recital 30; this covers cookies and other methods which track individuals. What this means is that, if tracking data can be linked to the identity of a data subject, this is all covered as “personal data” and is therefore subject to the protections of the GDPR.

Data Protection Act 2018

Replacing DPA 1998, DPA 2018 largely reflects the GDPR (in preparation for Brexit) but it also supplements certain provisions. For purposes of tracking, this means that the GDPR rules surrounding “online identifiers” will continue to apply beyond Brexit.

Investigatory Powers Act 2016

Dubbed the “Snooper’s Charter”, this piece of legislation gave sweeping powers to UK intelligence agencies and the police to hack and track internet and phone activity for purposes of crime fighting and national security. Ex-CIA employee Edward Snowden, whose well-publicised disclosures in 2013 revealed numerous global surveillance programs, has described the IPA 2016 as the “most extreme surveillance in the history of western democracy.”

Employee tracking

Employers are increasingly tracking their employees, both through monitoring internet activity and with bracelets which track their movements in the workplace (eg to see how quickly warehouse operatives are working) or GPS in vehicles to check where they have been.

Part 3 of the ICO’s Employment practices code deals with data protection and monitoring at work. It offers key points and actions which employers should consider if they are monitoring their staff. Most relevant to tracking is section 3.2 which covers the monitoring of electronic communication and section 3.5 which covers in-vehicle monitoring. Note that the Code is dated November 2011 and has not yet been updated to take account of GDPR or DPA 2018 so should be read with the new legislation in mind.

Internet for Lawyers Newsletter

Edited by Nick Holmes