
How tracking pixels work - dailymorn
https://jvns.ca/blog/how-tracking-pixels-work/
======
vassilyk
This article is brushing a lot of stuff very fast. In reality there is much
more to it:

1. You don't need to visit Facebook properties for them to link your activity
to you. Unless you're a brand new user and they have never fingerprinted
you...

2. Referrer might be in the pixel tracker, but there is way more to that,
including product IDs, product costs, your stage in the funnel (have you Added
to Cart but not Purchased?), product category, etc.

3. Every time a Facebook owned property (or piece of: Like button, FB connect)
is 'used' by a device you use, then you can be sure the relation between you
and that Pixel call is made (ahem, improved).

Install the Chrome Extension Facebook Pixel Helper, and check what happens
when you use an ecom site. You'll be amazed to see what is shared with
Facebook (no PII though).

~~~
rconti
In particular it would be interesting to go into why and how these 3rd party
trackers get included on a page. I mean, the answer to both is obviously
"money", but how does it work in practice? Old Navy agrees to implement a
facebook tracking pixel in every page? Or it comes "for free" with a like
button? etc.

~~~
vassilyk
It's part of the onboarding of any Facebook Ads user (i.e., advertiser) to
implement the Facebook Pixel on their site.

Without it you're not going to achieve much on Facebook as you need to
feedback their system when a particular ad had an impact so that they can
model the ad delivery accordingly and get you more converting users. Whatever
your conversion is (viewing a page, registering, purchasing).

------
annexrichmond
Ever since I enabled Dark Mode on Mac I started seeing so many 1x1 white
tracking pixels on recruiter emails. Now I’ve disabled loading images by
default in my email client.

~~~
oneeyedpigeon
I think I assumed 'tracking pixel' was just a metaphor — you mean they're
literally serving 1x1 images? Why not 0x0 images? Why not a single transparent
pixel?

~~~
C4stor
All of the tracking pixels I've worked with come with a css attribute "hidden", so
they don't actually show except in some edge cases.

~~~
tatersolid
Huh... I thought browsers didn’t fetch hidden images. Or is that only if the
image or its parent elements are "display: none"?

~~~
C4stor
I don't _think_ either case is true.
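
An added example, not part of the thread: a Python check of the kind a mail client or gateway could run over an HTML body to flag the remote images discussed above (1x1 or hidden) and show what their URLs carry. The heuristics, hostnames and sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumed heuristics (not exhaustive): inline styles that hide an element.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = re.compile(r"\s*[01]\s*(px)?\s*", re.I)  # '0', '1', '1px'

class PixelFinder(HTMLParser):
    """Collects remote <img> tags that look like tracking pixels."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images trigger no network fetch
        reasons = []
        if all(TINY.fullmatch(a.get(k) or "") for k in ("width", "height")):
            reasons.append("tiny")
        if "hidden" in a or HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden")
        if reasons:
            self.findings.append({"host": url.hostname, "reasons": reasons,
                                  "path": url.path,
                                  "params": dict(parse_qsl(url.query))})

def find_pixels(html):
    """Return one finding per suspicious remote image in an HTML body."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample body; hosts, paths and parameters are made up.
SAMPLE = """
<p>Hi, following up on the role we discussed.</p>
<img src="https://mail.example.com/logo.png" width="120" height="40">
<img src="https://t.example.net/o.gif?uid=abc123&amp;msg=42" width="1" height="1">
<img src="https://t.example.org/p/abc123.gif" style="display:none">
<img src="cid:signature" width="1" height="1">
"""

if __name__ == "__main__":
    for finding in find_pixels(SAMPLE):
        print(finding)
```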

------
Rainymood
>Safari and Firefox both block many third-party cookies by default (which is
why I had to change Firefox’s privacy settings to get this experiment to
work), and as of today Chrome doesn’t (presumably because Chrome is owned by
an ad company).

Wow. I am very strongly considering switching to Firefox now, just from this
paragraph.

~~~
cj
Doesn't Chrome have a "Block third-party cookies" setting (disabled by
default) that you can enable in Settings > Site Settings > Cookies and site
data > "Block third-party cookies"?

I'm under the impression that Safari and Firefox have this enabled by default.
Is the only difference that it's disabled by default in Chrome?

~~~
ishitatsuyuki
Safari and Firefox both have a blacklist of known trackers in addition to
cookie blocking. Not only that, these browsers also fight against other means
of fingerprinting.

~~~
saagarjha
Safari does not have a blacklist of known trackers; it generates one
dynamically based on tracker-like behavior it sees as you browse.

------
mkolodny
If anyone's curious about why tracking pixels use a gif, here's a great
explanation:
[https://stackoverflow.com/a/6639140](https://stackoverflow.com/a/6639140)

~~~
tyingq
You can do a png instead of a gif. It would be ~68 bytes instead of ~35 bytes.
A webp image would actually be 1 byte smaller than the gif. So perhaps Google
will move to that if Safari ever caves and supports it.

~~~
antsar
I was going to say: isn't "Content-type: image/webp" one byte larger than
"Content-type: image/gif", making this useless?

But apparently 204 No Content allows you to omit Content-type. Leaving this up
in case anyone else was wondering :)

------
bestouff
That's all nice, and I thank Firefox for blocking all these, but once there
are too many browsers or extensions doing the blocking, I wonder what will
prevent sites from implementing tracking server-side instead of client-side?

~~~
vimda
Serverside doesn't have access to my tracking cookies. It has to be a request
initiated by my browser to the third party domain

~~~
close04
They will definitely keep tracking users based on info available to the
server, like IP address. However that is orders of magnitude less precise than
what is in place now.

~~~
voidmain0001
Is it less precise? [http://uniquemachine.org/](http://uniquemachine.org/)

~~~
close04
It certainly should be. You can make it _much_ more precise with the tracking
mechanisms that browsers like Firefox are blocking now (tracking pixels, 3rd
party cookies). It's the difference between having a snapshot in time
available to a specific site vs. a whole history across the internet.

Facebook can't show you customized ads if all it can recognize is that it's
you. It already knows who you are, you told it by logging in, now it needs to
know everything you're doing everywhere else so it can connect all those dots
to you. This can't work if all it can say is "this is definitely voidmain0001
from their home computer but I know nothing else about them". The only way is
to share that tracking between companies which is more difficult and still
more limited in scope than 3rd party cookies.

I know you are voidmain0001 here and can read all your comments. But if I have
no idea who you are on amazon.com so I can sell you your favorite tech in my
ads then the usefulness of this information is limited.

Just as a rule of thumb, if those mechanisms weren't adding to the precision
then nobody would have invested so much in constantly developing them.

P.S. The site above keeps failing half way for me. "Computer says no" type of
thing.

------
saagarjha
> tracking pixels: it’s not the gif, it’s the query parameters

Sometimes it’s also the base URL too.

~~~
Doxin
Exactly, you're just a mod_rewrite away from serving a single gif under
infinitely many names. All you have to do is include a unique name in every
email, and then look through your log files to see if anyone came for that
gif.

Tracking pixels are a pretty ancient technique and for good reason. It's
basically no effort at all to set up the basics, and only a tiny bit more
effort to get fancy at it and stick the accesses in a database instead of in
the server logs.

~~~
tinus_hn
The first party website can’t see the tracking cookie so now tracking is
compartmentalized for every first party and there is no more tracking across
sites. Quite a win.

------
y42
Good and short description, but it's only a little part in digital marketing.

This is just retargeting, an old hat. You can do even more sophisticated
things, like predicting what's the best next step in the sales funnel. In
general, every step you take before you purchase online is recorded to build
your customer journey. And there's a lot more data, like referrers, user
agent, times and so on.

------
Endy
Thank you for sharing this. I work with marketing tech, and having this laid
out allows me to share with them a little more of the tech that we rely on.

And, it allows me to remind them that our work is utterly terrifying in terms
of privacy. That's (part of) why I use Pale Moon, I have control of what gets
downloaded or sent to servers.

------
willvarfar
It's only a matter of time before the ad companies make their tracking
unblockable e.g. by hosting something critical to the page, e.g. "make the
webpage download jquery.js from our mirror, and you get all this tracking that
can't be blocked!"

Isn't this happening already, and if not, why not?

~~~
1f60c
This is called CNAME cloaking[0] and it’s already happening in the wild[1].

    [0]: https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a
    [1]: https://9to5mac.com
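
An added example, not part of the thread: one way a blocker or DNS filter can spot the CNAME cloaking named above, by following the alias chain of a first-party-looking hostname and checking each hop against a tracker list. The DNS records, the blocklist and the function names are constructed assumptions; real data would come from resolver answers.

```python
# Constructed resolver data: hostname -> CNAME target. Every name is made up.
CNAMES = {
    "metrics.shop.example": "shop.collect.tracker.example.",
    "shop.collect.tracker.example": "edge7.tracker.example.",
    "static.shop.example": "shop.cdn-host.example.",
    "loop.shop.example": "loop.shop.example.",  # self-referencing record
}
TRACKER_DOMAINS = {"tracker.example"}  # assumed blocklist of tracker base domains

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def cname_chain(host, cnames, max_hops=8):
    """Follow CNAME records from host, stopping on loops or after max_hops."""
    chain = [host]
    while chain[-1] in cnames and len(chain) <= max_hops:
        target = cnames[chain[-1]].rstrip(".").lower()
        if target in chain:
            break
        chain.append(target)
    return chain

def cloaked_tracker(site, host, cnames=CNAMES, trackers=TRACKER_DOMAINS):
    """Return the tracker name a first-party-looking host aliases to, else None.

    site is the page's own domain, passed in by the caller; deriving it from
    a URL properly needs the Public Suffix List, which is out of scope here.
    """
    if not under(host, site):
        return None  # plainly third-party: ordinary blocklists already see it
    for hop in cname_chain(host, cnames)[1:]:
        if any(under(hop, t) for t in trackers):
            return hop
    return None

if __name__ == "__main__":
    for h in ("metrics.shop.example", "static.shop.example", "loop.shop.example"):
        print(h, "->", cloaked_tracker("shop.example", h))
```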

------
pfortuny
Very nice and simple explanation. Worth reading if you still do not know.

I am not a bot despite sounding like one.

~~~
lawn
That's what a bot would say.

------
tzs
Do any browsers or popular blockers object to these things if they aren't
setting cookies?

I've used a 1x1 transparent image on many pages on my site for a long time,
with a simple page identifier attached to the URL, such as "?index" for the
main page.

This was simply for convenience in analyzing logs. If I wanted to know which
of those pages were visited in the last N days, it was a simple matter at the
command line to take the logs for those data and make a quick report that
counted how many times that image was fetched, broken down by page identifier.
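
The log report described in this comment, as an added example that is not the commenter's own code: it counts fetches of a 1x1 image per page identifier from Combined Log Format lines, with no cookies involved. The `/px.gif` path, the status set and the log lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?:GET|HEAD) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PIXEL_PATH = "/px.gif"           # hypothetical path of the 1x1 image
FETCHED = {"200", "204", "304"}  # responses that mean the image was requested

def pixel_report(lines, pixel_path=PIXEL_PATH):
    """Count pixel fetches per page identifier (the raw query string)."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue  # malformed line or a method other than GET/HEAD
        url = urlsplit(m["target"])
        if url.path == pixel_path and m["status"] in FETCHED:
            counts[url.query or "(no identifier)"] += 1
    return counts

# Constructed log lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Jan/2020:10:00:01 +0000] "GET /px.gif?index HTTP/1.1" 200 43 "https://site.example/" "UA-A"',
    '203.0.113.9 - - [01/Jan/2020:10:00:09 +0000] "GET /px.gif?about HTTP/1.1" 200 43 "https://site.example/about" "UA-A"',
    '198.51.100.4 - - [01/Jan/2020:10:02:00 +0000] "GET /px.gif?index HTTP/1.1" 304 - "https://site.example/" "UA-B"',
    '198.51.100.4 - - [01/Jan/2020:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "UA-B"',
    '192.0.2.77 - - [01/Jan/2020:10:03:00 +0000] "GET /px.gif?index HTTP/1.1" 404 0 "-" "UA-C"',
    '192.0.2.77 - - [01/Jan/2020:10:03:05 +0000] "POST /px.gif?index HTTP/1.1" 200 43 "-" "UA-C"',
    'not a log line',
]

if __name__ == "__main__":
    for ident, n in pixel_report(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {ident}")
```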

------
incomplete
nice, quick intro into how this crap works. combining DNS blackholing, plus
adblockers and firefox or brave will make the biggest difference. :)

~~~
MandieD
[https://jvns.ca](https://jvns.ca) is full of explanations that bridge the gap
between general, layperson understanding and actual technically applicable
knowledge. She’s helped me relearn the Linux/bash ecosystem after a decade of
absence.

------
jc01480
This crudely represents one way law enforcement and intelligence agencies
(friend and foe) identify targets for further analysis. Think about ways this
is weaponized a little more. We saw an example of this in the US Navy
prosecution of Gallagher for war crimes.

~~~
saagarjha
> This crudely represents one way law enforcement and intelligence agencies
> (friend and foe) identify targets for further analysis.

What, using tracking pixels?

------
peter_d_sherman
A future web browser will allow fine-grained access control for 1x1 pixel
images (and other objects) that are retrieved from other domains...

------
scarejunba
Hey, I ran one of those trackers once. Good stuff, though you only captured
one aspect of the domain. Enabled lots of content. Good times, good times.

There are a couple of other use-cases other than the 3rd party ID-syncing
use-case without a 3rd party cookie. You can record information through one of the
client-side onboarding providers on their side. Though, to be honest, they
have pretty big latency.

------
tfang17
Would also recommend Brave for privacy-conscious users.

------
anujkrajput
thanks for sharing good information

------
thdrdt
So Google is hosting fonts because they are a nice company that is just
providing us with free fonts?

Think again.

If you block tracking pixels you should also block the loading of external
fonts. Extra bonus: fast loading pages.

Some CDN also exist for this reason.

~~~
lern_too_spel
The font resources are hosted on a cookieless domain and sent with caching
headers. None of this applies.

The reason Google is hosting fonts is to make the web an attractive platform,
so they can monetize you in other ways.

~~~
thdrdt
So my IP address never ends up in their logs?

~~~
lern_too_spel
IPv6 privacy extensions make IP addresses have very little tracking value, but
this article is about tracking pixels, and Google Fonts clearly don't apply
here. If you set your Referrer-Policy headers correctly, Google doesn't know
which pages your users are visiting.

------
guessmyname
@jvns you can fix that ugly content overflow [1] with this:

    .entry-content code { word-break: break-all }

[1] [https://i.imgur.com/ajiycSw.png](https://i.imgur.com/ajiycSw.png)

~~~
modernerd
Heads up that there's a repeated word in the first sentence too:

"I spent some time yesterday talking to a reporter yesterday"

Thanks for the post — I enjoyed it!

------
jen729w
I don’t see how, in 2020, any conscientious member of this site could justify
their use or advocacy of Chrome. It’s an evil product peddled by an evil
company for evil means. The alternatives are as good if not better from a
usability perspective.

Safari is great if you’re a regular Mac user.

Firefox is great if you’re a dev on any platform.

Chrome is toxic evil that needs to die for the good of humanity.

~~~
Consultant32452
There are still some sites where Chrome just works and Firefox does not,
including major sites like Periscope. I'm confident I could clear my
cache/cookies, disable plugins, or other wizardry to get it working but in
reality I just use chrome for these sites. That's why I'm a Firefox user but
not an advocate. My mom can't handle the idea of using a different browser for
some sites.

~~~
boring_twenties
Not sure why you're being downvoted, this is sad but 100% true. For me, it's
only a very rare site that doesn't work in Firefox, but one of them is my
medical account. No choice but to have Chromium installed, otherwise I can't
view my lab results, read my doctor's notes, and pay the bill. I assure you I
don't like it but it's a fact of life.

I only use it for those very few sites (less than 1% for sure), but not having
it handy at all is just not an option.

As for my mom, luckily she hasn't had any complaints so far, so she just uses
Firefox as it's what's installed by default. I certainly don't think I could
train her to switch between two different browsers, though. If it came to that
it would have to be Chromium full time, there.

One site that deserves a plug here is binance.com. They stopped working with
Firefox a couple of months ago, but it was fixed in 2-3 days after I reported
it. I guess a little healthy (heh) competition goes a long way.

------
EducatorDirTeam
Very good information

