2020年1月7日 星期二

The Privacy Project: Why you should take a close look at what tracks you

It might help you manage your privacy.
Mark Lennihan/Associated Press

By Thorin Klosowski

Charlie Warzel is off this week, so he’s turning the newsletter over to his colleague Thorin Klosowski.

In case you missed it last week: check out a new package of fiction and poetry about surveillance here.

When we read stories — like the recent Times Opinion investigation of location tracking — about how much data gets collected about us, we are first indignant, then frustrated, and finally we throw our hands in the air and forget about the whole thing. But, like logging calories on a diet, logging ad trackers is a way to self-impose a constant reminder of corporate surveillance.

Most companies track your web browsing. All of these trackers create a profile — often inaccurate — to serve up ads, personalized recommendations and more. To understand the scope of these types of trackers, last year Times Opinion mapped out the data collected across 47 sites. Gizmodo left the web browser and logged every bit of information transferred by every device on a home network to see where those devices stored data and how often they transferred information. If you’re curious about the technical details, the Electronic Frontier Foundation recently laid out how it all works.

After we read these types of stories, we might take a step back and nod thoughtfully about how bad it all seems. Maybe we install an ad blocker. Many people shrug it off as an inevitability of modern life. The tools that monitor ad trackers are growing increasingly available and (sometimes) user-friendly. It’s worth installing them.


The most accessible way to monitor trackers is with the Firefox web browser. A recent update added a weekly report card page that shows how many trackers Firefox blocks. You can click a shield icon in Firefox’s URL bar when visiting any site to see what type of tracking content a site uses. A running ticker is nice, but the data can still be hard to parse, because Firefox doesn’t explain what each tracker means. For example, on the home page of Wirecutter, a New York Times-owned website, Firefox shows a tracker from something called Optimizely. Digging around and talking to Wirecutter’s data team, I learned it’s an innocuous and common tool used to test different versions of a page (like A/B testing).

Still, as dense as the data may be, it’s fascinating to see just how many trackers you can collect every day. Firefox isn’t the only option for seeing this type of data, but it’s the easiest to understand. If Firefox isn’t for you, a browser extension like Privacy Badger or Disconnect displays trackers on each site, while the privacy-focused web browser Brave keeps a running total of the ads and trackers it blocks.

Our desktop and laptop computers are only a small portion of what we connect to the internet. We also have phones, televisions, video game consoles, smart speakers and more. If you’re mildly technically inclined, you can track all of this too.

If you want to see what all of your connected devices are doing online, check out the Princeton IoT Inspector. You can run the software on a Mac, but it’s better suited to the Raspberry Pi, a $35 tiny computer that runs a variation of the open-source Linux operating system. Once installed, IoT Inspector constantly monitors the traffic into and out of your network, then displays it on a dashboard. Using IoT Inspector, I found that my older-generation Samsung TV, which can barely pull itself together long enough to launch Netflix, frequently pings a site I assume is Samsung’s Automatic Content Recognition software, which can track what you’re watching by reading pixels to identify shows.


IoT Inspector shows you where your data goes but doesn’t allow you to block anything. A Raspberry Pi can help you there, too. Pi Hole and Adguard are free programs that block ads across your network and log statistics while doing so. They can be a bit tricky to set up, but once they’re running, you’ll see exactly how much tracking is happening on your computer, phone, TV and any other smart device you hook into the system.

None of these programs tell you exactly what data is collected or how it’s used. But, like knowing exactly how your phone collects and shares location data, being aware of how many ad trackers you encounter and how much data gets collected can help turn the most privacy-carefree into partial believers. It is one thing to read a story about the thousands of online trackers encountered by a stranger online; it’s another to see it in your own home.

Ranking California Consumer Privacy Act Policies

Like many other fun-loving Californians, I’ve spent the first few days of the year reading the dozens of updated privacy policies following the start of the California Consumer Privacy Act. These new rules require most large companies that operate in California to disclose how they collect and use data. As Californians, we have the right to know what data gets collected and if the data is sold to third parties. If it is sold, we can opt out of those sales. We can also request to see any data that has already been collected and ask companies to delete it, though doing so often means deleting your entire account. That’s assuming companies follow the law and do so in a way a layperson can understand (spoiler: they don’t).

I’ve already spent over six hours filling out forms, sending emails and clicking random verification links. Companies seem to interpret the law in various ways, with some providing simple tools to exercise your new rights, while others obfuscate the process and make it difficult to figure out what you can and can’t do. Some companies automate the process, delivering any data you request within a few days, while others need to do it manually.


Facebook’s policy is the most unclear to me. When you request data from any Facebook-operated service, including Instagram or WhatsApp, you get a form email with basics about downloading data, but that’s just for data you’ve knowingly provided them, like pictures or videos. It’s not possible to delete collected data without deleting your entire account, there’s no clear way to opt out of the sale of personal data, and you have to make each data request individually for each Facebook service.

Apple is an interesting contrast to Facebook. Apple makes it clear how to request data and opt out of interest-based ads, but there doesn’t seem to be a way to ask Apple to delete the data, which can range from previous addresses to podcast playback positions. Amazon sits somewhere in the middle, making requesting data clear but everything else complicated.

Media and gaming services were consistently the clearest and easiest to use. Nintendo, Spotify and Hulu are all very straightforward, though Spotify throws a little shade at the new law in its “Sale of Personal Information” section. The game developer Blizzard goes a step further, allowing you to opt out of any future data sharing, even though the company doesn’t share data right now. It’s not all great on the media side, as Netflix makes you send an email to exercise any of your rights, which is tedious.

If you’re looking to request and delete your data and don’t want to wade through your inbox, this list of new California-compliant privacy policies is the most comprehensive I’ve found. I’ve requested my data from every company mentioned above, but only Apple has delivered anything so far (it can take up to 45 days to get your data after you request it).

My Apple data came packed inside dozens of spreadsheets, and honestly, it’s all pretty bland. The most surprising data I found was from a free trial of Apple Music in 2015. It included every song I listed to, when (and if) I paused or skipped the track and what time of day I listened to it.

Based on that data, I was able to conclude that (probably after a few drinks) one night around midnight I listened to the odd combination of two Taylor Swift songs, a Jesus Lizard song and two Replacements songs. The next morning I played M83, probably in a regretful mood. A list of songs alone paints a clear picture, and I shudder at the thought of how clear that image could be if combined with my web browsing or location data (Apple notably doesn’t sell this data, but it’s an interesting thought experiment).

I want to hear from you

Send me your pressing questions about tech and privacy. Each week, I’ll select one to answer here. And if you’re enjoying what you’re reading, please consider recommending it to friends. They can sign up here.

What I’m Reading

Need help? Review our newsletter help page or contact us for assistance.

You received this email because you signed up for The Privacy Project from The New York Times.

To stop receiving these emails, unsubscribe or manage your email preferences.

Subscribe to The Times


Connect with us on:


Change Your Email|Privacy Policy|Contact Us

The New York Times Company

620 Eighth Avenue New York, NY 10018