Facebook Facebook ads Google Google ads User tracking

How Facebook, Google and other trackers “fingerprint” users — A basic explanation

Tracking services “fingerprint” users by looking at various data and method available. The most reliable that Facebook use is appending the fbclid parameter to all outgoing links on Facebook. It looks something like this:…

Worth adding is that Facebook, Google etc are not restricting these methods to ads only. They do this on everything they can.

These seaming random characters are actually 100% unique for that event (what ad you clicked, where on the ad you clicked, what the destination was etc).

Actually, if you dig into this, you will notice that every single clickable element on one and the same ad has different fbclid. Every additional time you see the same exact ad all the fbclid will be different, for every ad, for every person, for every device. It will be unique to that specific impression.

When you click and arrive on the website, the FB pixel will see this data and save it in your browser in the background. This data stays there, on your device even after you close your browser.

When you use your browser a few days later the FB pixel can read that stored data to know EXACTLY who you are and what you did so they can continue the journey where it left of. There are many types of data “containers” available to store such data.

You can actually retrieve it yourself if you know how, and you can delete it if you want.

Trackers have many other methods to fingerprint that are less precise. They determine how likely, based on available data it is that you are some specific person. Often, one method alone is not enough to determine anything, but 5-10 methods might have a very high compounded certainty.

The whole iOS14 debacle about Apple starting to heavily restricting apps and tracking services is exactly about what data they will have access to in order to fingerprint users. The restriction will also impact how LONG data that trackers save in your browser (or apps) will be allowed to remain before it’s forcibly deleted.

For example, two of the most commonly used data containers are cookies and localStorage (but there are more). What iOS14 will do is to have data in those containers that was saved by KNOWN trackers to be forcibly deleted after specific times, while data saved by others (say, the webshop itself) will be allowed to remain much longer or even indefinitely.

I mention “KNOWN trackers” because unknown trackers will be likely able to get around many restrictions. This is also the reason I think custom tracking solution will be awesome and anything widely available will suffer.

Functions that rely on these data containers and methods have very legitimate and very important use-cases. It’s exactly these function that allow you to remain logged in, to add products to cart etc. If you would forcibly delete data for everyone, you would break 80% of the internet.

It’s important to add that you don’t need to recognize a function as known tracker to figure out what the purpose of their data collection and data storage is. The methods for detections are somewhat similar to how spam-filters work; you look at a plethora of attributes and determine to a certain statistical degree if the function is likely a tracker and should be restricted or legitimate and hardless and should be green-flagged.

Leave a Reply

Your email address will not be published. Required fields are marked *