Why are they tracking me?

So now you know that every time you use your computer or phone, your behaviour is being tracked.

But why are they doing this? And is it something to really be worried about?

The reason Google makes as much money as they do isn’t because of their search engine (although it’s the best). It isn’t because of GMail (although that’s good). It isn’t because of Android (although that’s good).

It’s because Google is an advertising company. And they are popular with advertisers because the advertisers can target their adverts very precisely. The same goes for Facebook – they are an advertising company and the advertisers can specify exactly who they want to see their ads – down to “interested in spoon whittling” or “fan of Doncaster Rovers”.

They do this by building up a profile of you – looking at your behaviour across lots and lots of websites and figuring out what you’re interested in. That fingerprint I mentioned earlier.

That, by itself, isn’t so bad. Creepy maybe, but not bad.

The problem is it’s not just advertising. These profiles can be used to predict what you’re going to do next.

The most famous example isn’t online at all – Target, a store in the US, had a loyalty card that tracked your purchases. A man found out his daughter was pregnant when Target started sending him maternity promotions – because she changed the moisturiser that she was using. That was from a loyalty card in one store.

Imagine what they can predict about you from everything you do online.

And then imagine what could be done by the bad guys if the collecting companies got hacked. Or, if the government decided that this profile information and associated predictions should be used to prevent “undesirable” behaviour. Yes, it’s hypothetical. But once the data is collected, it’s not likely to be thrown away.

Take action: If this bothers you, switch to Firefox or Safari as your browser. Switch off location services on your phone. Be wary of the apps that you install on your phone, and check their permissions. And install an ad-blocker.

Does private browsing keep me safe?

Your browser probably has a “private browsing” or “incognito” mode. Does this protect you from the pervasive tracking that is common on the web nowadays?

Private browsing means that your browser erases your browsing history when you close that tab. In addition, all the cookies associated with that tab are also deleted.

So does that prevent tracking?

Well, it makes it harder for the trackers. They can’t dump identifying markers on your machine and read them back later.

Unfortunately, it’s not enough. Remember that every time your browser makes a request, it sends a load of information up to the web-server to help the web-server return the right format back to you. But that information can also be used to identify you. The web-server knows which operating system and browser you are using, and it knows your IP address (so it can figure out which ISP you are using and your location).

Some servers, the ones operated by the most successful tracking companies, use this to build a “fingerprint” of you – a unique collection of information about your system that can be used to track you, even without cookies.
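To see why deleting cookies does not break the link, here is an added example (not from the original post) that hashes the properties a server receives with every request and groups visits by the result. The choice of headers, the header values and the IP addresses are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Request properties a server sees on every request, cookies or not.
# Assumption: this short list is illustrative; real fingerprints draw on more signals.
SIGNALS = ("User-Agent", "Accept-Language", "Accept-Encoding")


def fingerprint(request):
    """Hash the client IP and the chosen headers; the Cookie header is never read."""
    parts = [request["ip"]] + [request["headers"].get(name, "") for name in SIGNALS]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()[:16]


def group_by_fingerprint(requests):
    """Group visit labels by fingerprint: each group is what a server could link."""
    groups = defaultdict(list)
    for request in requests:
        groups[fingerprint(request)].append(request["label"])
    return sorted(groups.values())


# Constructed sample requests (documentation IP ranges, made-up header values).
LAPTOP = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0",
    "Accept-Language": "en-GB,en;q=0.7",
    "Accept-Encoding": "gzip, deflate, br",
}
PHONE = {
    "User-Agent": "Mozilla/5.0 (Linux; Android 14) AppleWebKit/537.36 Chrome/125.0 Mobile Safari/537.36",
    "Accept-Language": "en-US,en;q=0.9",
    "Accept-Encoding": "gzip, deflate",
}
REQUESTS = [
    # Normal window: the browser also sends a cookie set on an earlier visit.
    {"label": "laptop, normal window", "ip": "203.0.113.7",
     "headers": {**LAPTOP, "Cookie": "id=abc123"}},
    # Private window on the same laptop: no cookie, everything else unchanged.
    {"label": "laptop, private window", "ip": "203.0.113.7", "headers": LAPTOP},
    {"label": "phone", "ip": "198.51.100.23", "headers": PHONE},
]

if __name__ == "__main__":
    for group in group_by_fingerprint(REQUESTS):
        print(group)
```

The two laptop visits land in the same group even though only one of them carried a cookie.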

So, no, private browsing won’t prevent you from being tracked.

Disclaimer: All the information here is greatly simplified. I completely admit that some of how this fingerprinting stuff works is beyond me – especially when the trackers start to collude with each other. And I used to run an online advertising business.

Cookies and more

So a web page is built out of many different files – the HTML, the stylesheets, the Javascripts, the images and possibly many more.

Often, all these files live on the same server. As each one is requested, your browser sends some identifying information to the server, but that’s fine – you navigated to somesite.com, so you’re happy to help somesite.com display that content to you in the most optimal way possible.

But things get interesting when those ancillary files aren’t all stored on somesite.com. For example, to prevent servers from getting overloaded, you might put all your images onto a separate server – maybe images.somesite.com. But it’s also common for third-party Javascript files to be loaded from other servers, whether it’s Amazon Web Services for cheap file hosting, a media player for playing some background music or a tracker from someshadycompany.com. Suddenly, all that identifying information is being sent to places you didn’t even know about. And each of these servers can also leave a cookie on your machine, so it can identify you.

To make it even trickier, nearly all websites use “analytics” code. This is special Javascript designed to measure your site’s performance, to see how many visitors you have, to see how long they stay on your site, how quickly the server is reacting. Most people use Google Analytics – which means nearly every website you visit sends your information to Google.

Everyone wants their website to be shared widely – that post you spent ages writing might just go viral. So the site owner sticks sharing buttons on the site. “Facebook Likes”, “Share on Twitter” – all of these are third-party Javascript, sending your information to the providers of those buttons and letting them record cookies.

Finally, there’s a ton of other stuff that gets loaded with a web-page. For example, some sites include tiny images that are loaded from third party sites (the so-called Facebook Pixel is one example), which, again, are used for Analytics. That video player that’s showing that funny cat video is actually loading from another site and dropping its cookies.
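You can check this for any page you have saved. The following is an added example (not from the original post) that lists every other site a page's HTML pulls files from. The sample page and all host names in it are constructed placeholders, and `site_of` is a simplified "same site" test.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that usually makes the browser fetch another file on page load.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

def site_of(host):
    """Naive 'same site' key: the last two labels of the host name.
    Simplification: browsers use the Public Suffix List (needed for e.g. .co.uk)."""
    return ".".join(host.lower().split(".")[-2:])

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (tag, absolute URL) for every referenced file

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.resources.append((tag, urljoin(self.page_url, value)))

def third_party_hosts(page_url, html):
    """Map each third-party host to the tags that load files from it."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = site_of(urlparse(page_url).hostname)
    found = defaultdict(list)
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        if host and site_of(host) != first_party:
            found[host].append(tag)
    return dict(found)

# Constructed sample page; every host name is a placeholder.
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<script src="https://analytics.example.net/collect.js"></script>
<script src="//someshadycompany.com/t.js"></script>
<img src="https://images.somesite.com/logo.png">
<img src="https://pixel.example.org/p.gif" width="1" height="1">
<iframe src="https://video.example.net/embed/42"></iframe>
"""

if __name__ == "__main__":
    print(third_party_hosts("https://somesite.com/some-page", SAMPLE_HTML))
```

The stylesheet and images.somesite.com count as first party; the four remaining hosts each receive a request, with your browser details attached, every time the page loads.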

In fact, a quick experiment, run after GDPR Day, showed that the same page, when shown in the US, was one hundred times larger than the same page, stripped of trackers, shown in the EU. So not only are these things tracking you, they’re also using up your data allowance and slowing everything down.

Disclaimer: All the information here is greatly simplified. Don’t write in and complain that I’ve got it wrong. Pretty please?

How web browsers work

This is a very simplified view of how a web browser works, but it should be enough to explain how web tracking works.

When you click a link – for example https://somesite.com/some-page – firstly, your browser looks up the address of somesite.com. It then sends a message, using a protocol called “HTTPS”[1], asking that address for the contents of “some-page”. That message includes some information about you and your browser (which operating system you are using, which browser, various other bits and pieces which are supposed to help the web-server).

The web-server figures out what you mean by “some-page” and then returns a document back to your browser. That document is normally written in HTML[2] and tells the browser what “content” to display. This is basically the words that appear on screen, along with some simple codes for things like “this is a heading”, “this is a paragraph”, “this is a section” and so on.

However, an HTML document by itself doesn’t do much. So the HTML contains references to other files to help it out. The most common of these are stylesheets (CSS[3] files, which define the appearance, colours and fonts of the page) and Javascript files (which are programming code that can make your page interactive). Plus, HTML documents don’t contain images – instead they contain a reference, so another message is sent to the web server, saying “load up image1.jpg and insert it here”.

Whenever the web server receives one of these messages, it figures out which file it needs to find (whether that’s HTML, CSS, JS, image or whatever) and sends it back. But the web-server can also drop small pieces of information, known as cookies, onto your machine – which are useful for storing information about you. For example, if you’re logged in, then it can record a token saying who you are. If you always like your products listed from “Low to High price” then that’s probably stored in a cookie. Cookies are legitimately useful bits of information.

So that’s the basics of how a web page is shown … it’s pretty simple. Tomorrow is where we get into the consequences of that simple scheme.

Disclaimer: All the information here is greatly simplified. Don’t write in and complain that I’ve got it wrong. Pretty please?

  1. Hyper-Text Transfer Protocol Secure
  2. Hyper Text Markup Language
  3. Cascading Style Sheets

How tracking works

People are becoming more and more aware that their activities online are being tracked.

But how does it work?

The other day my wife mentioned that she had been looking up some information on the Flying Scotsman. The next day, her Facebook feed was full of adverts about trains. She looked up some information on plants. Then she started seeing ads for garden centres.

How can Facebook know what you’re interested in, even when you’re not browsing Facebook?

The answer is trackers. Some of them are visible, some invisible, some are really really sneaky.

But to explain how it works, I need to run through how a web-browser displays pages to you … which is coming tomorrow.

(I started writing this before Apple’s Worldwide Developer Conference at the start of June, when they announced some measures to give you control of this tracking).

Take action: How comfortable are you with tracking?

The power of the timeline

I mentioned a few days back that I was noticing a load of junk on my timelines for Facebook and Instagram. This is because I’m not using them as often, due to my little Privacy Experiment.

One of the things that Facebook did as it started to grow, back in 2006-2007, was to stop displaying everyone’s updates chronologically. Instead, it used an algorithm to pick out what it thought you were interested in and showed you that at the top of your feed. Instagram went through the same process, as did Twitter.

The reason is simple. As the services got bigger and bigger, there was more information to show. Displaying it chronologically meant you were likely to miss the things that mattered to you. Displaying it algorithmically meant that the important stuff floated to the top.

However, on Twitter, I don’t use the official Twitter app. I use an app called Tweetbot. The big advantage of Tweetbot is it displays everything chronologically. Often, when I open it, it shows hundreds of items, with a section saying “tap here to load missing tweets”. And often I don’t bother. Quite often I just scroll to the top and take a look at the newest stuff. Other times, I do scroll through the entire list, scanning the hundreds of items for anything that looks interesting.

And I think this makes a huge difference.

Because there’s probably the same amount of junk on Twitter as there is on my Facebook or Instagram. I don’t really know why, but I feel overwhelmed by the junk Facebook throws at me; I don’t with the stuff that Tweetbot does. When I use the official Twitter app (which also uses an algorithm to choose what to show you), I once more feel overwhelmed.

Maybe it’s because I know that deep-down, someone else is making the choice for me. With Tweetbot, it’s just the passing of time.

Take action: I genuinely don’t know what to say here. Tweetbot is rumoured to be about to die (Twitter are changing their terms of service). If that happens, I think I won’t bother with Twitter again. I guess, the action to take away is “if it makes you uncomfortable, stop doing it”.

More on the Facebook Privacy Saga

As you may be aware, I’ve been running a small Facebook experiment. My latest update spoke of how nothing has really changed.

But there is one change. And it’s one that I sort of knew about, without ever thinking about it.

Due to the experiment, I’ve been checking Facebook and Instagram far less frequently than I used to. And because of this, I’ve noticed how inane a lot of the stuff on there is. Sure, there’s some really good stuff – a witty observation, a funny joke, an interesting discussion. But there’s also pages and pages and pages of pure crap. I’m just scrolling through and scrolling through and it’s surfacing more crap at me.

I knew it was mainly junk before, but I happily moved through it, looking for the gold. Now I’m there less often, I don’t think I can be bothered with it all.

Update: since writing this I’ve been locked out of Facebook – I can’t get past the “accept our settings” box. But my account is still active, as the Twitter link I have set up still posts through to my account. Which, in my opinion, is a breach of the law as I haven’t accepted their terms.

Take action: Take a break. A month. Or just a week. And take note, really take note, of your feelings, when you return.

Why hourly billing reduces your credibility

So your customer asks you how much you charge for a logo.

Do you respond with an hourly rate? Or a fixed price?

I would bet that in most cases, your customer will want a fixed price. That way they know, in an instant, whether the logo is affordable. That way they know, right away, if your services make sense for them.

And your customer’s wishes are important.

But just as important is the fact that logo design is your domain. This is what you’re good at. You’ve been doing it for years. You know that in most cases, it takes X days to get the brief together. It takes a further Y days to get the first draft done. And then Z days of back and forth and revisions. And then the customer is happy.

If you bill hourly, you’re implicitly saying that you don’t know how this job is going to turn out. That you’re covering your back in case of surprises.

If you offer a fixed price, you’re implicitly saying “I’ve got this. I know what needs to be done, I know what to expect, I can deliver on schedule”.

Take action: Which of your services can you switch to fixed prices?

How much will it cost?

Imagine you’re a graphic designer. Or if you are a graphic designer, just look at yourself in a mirror.

One of the mainstays of your business is logo design. You’re really good at it. It’s a branding thing. It’s a colours thing. It’s a typography thing. It’s an understanding the client thing.

A new client comes along, they explain what they need. You nod vigorously. You know you can do an amazing job here. You know the client will be happy.

And then they ask how much it will cost.

Do you say “I charge £75 per hour”? Or do you say “it’s £500”?

Which do you think the customer would prefer? And why?

Take action: Can you guess what my answer will be? I’ll explain more tomorrow.

What’s your hourly rate?

I’m chatting to someone who does software consulting in a similar field to me.

“What’s your hourly rate?” they ask.

“I don’t have one” I reply.

I wait a moment and watch the look of surprise on their face.

“Umm, what do you charge then?” they ask.

“Well,” I start, “it depends on what you need. My prices are on my website.”

“But everyone else in this field pays hourly!” they splutter, not really comprehending what I’m saying.

“I tell you what you are going to be getting in advance. And the price is fixed.” I explain, calmly, “If you don’t like it, you can go elsewhere. If you don’t like my work, it’s guaranteed.”

“You pay for my expertise, I guarantee you’re going to get results” I finish. Trying not to sound too smug.

“But what if the project overruns?” they ask.

“Then that’s my fault for sizing up the project incorrectly. Why should you, as the customer, pay the extra?” I reply. Definitely smug now.

“I still don’t get it. It’s way too risky”.

“Only if you’re not sure about what you’re doing”. Yeah, I’m a smug git.

Take action: What’s your hourly rate?