Home > Articles

This chapter is from the book

This chapter is from the book

Information Privacy Engineering and Privacy by Design: Understanding Privacy Threats, Technology, and Regulations Based on Standards and Best PracticesInformation Privacy Engineering and Privacy by Design: Understanding Privacy Threats, Technology, and Regulations Based on Standards and Best Practices

Learn More Buy

This chapter is from the book

This chapter is from the book

Information Privacy Engineering and Privacy by Design: Understanding Privacy Threats, Technology, and Regulations Based on Standards and Best PracticesInformation Privacy Engineering and Privacy by Design: Understanding Privacy Threats, Technology, and Regulations Based on Standards and Best Practices

Learn More Buy

8.7 Tracking

Tracking refers to the capability of a web server or other online system to create a record of websites visited by a user over time. Tracking can also involve the ability to include in this history all of the web pages visited at each website by the user and what links on each web page the user selects. This data collection technique, particularly if it involves sharing information with third parties that can consolidate tracking information on a single user from multiple sources, raises substantial privacy concerns.

Tracking is a complex and ever-changing technology. This section provides an overview of common tracking technologies, as well as common countermeasures.

Cookies

A cookie is a short block of text that is sent from a web server to a web browser when the browser accesses the server’s web page. The cookie is stored in the user space of the web browser user. The information stored in a cookie includes, at a minimum, the name of the cookie, a unique identification number, and its domain (URL). Typically, a website generates a unique ID number for each visitor and stores the ID number on each user’s machine using a cookie file. When a browser requests a page from the server that sent it a cookie, the browser sends a copy of that cookie back to the server. A website can retrieve only the information that it has placed on the browser machine. It cannot retrieve information from other cookie files.

The method of cookie retrieval is as follows:

  1. A user types the URL of a website or clicks a link to a website.

  2. The browser sends an HTML message requesting a connection. If there are any cookies from that website, the browser sends those cookies along with the URL.

  3. The web server receives the cookies and can use any information stored in those cookies.

Cookies are a convenience for both the user and the web service. Here are some examples:

  • Saved logon: For example, if a user subscribes to a news site that is protected by a pay wall, the user must log on to access the site. This creates a cookie. Subsequently, the user can go to the news site without having to log on again because the website has the cookie information to say that the user has successfully logged on.

  • Aggregate visitor information: Cookies enable sites to determine how many visitors arrive, how many are new versus repeat visitors, and how often a visitor has visited.

  • User preferences: A site can store user preferences so that the site can have a customized appearance for each visitor.

  • Shopping carts: A cookie contains an ID and lets the site keep track of you as you add different things to your cart. Each item you add to your shopping cart is stored in the site’s database along with your ID value. When you check out, the site knows what is in your cart by retrieving all of your selections from the database. It would be impossible to implement a convenient shopping mechanism without cookies or something like them.

Note that most cookie information is stored on the web server. In most cases, all that is required in the user’s cookie is the unique ID. Note that a user’s removing a cookie does not necessarily remove potential personal data from the server.

Cookies can be characterized along three dimensions: identity, duration, and party (see Table 8.5). If a user visits a website without logging on to the website—such as a news site that does not have a logon requirement or a retail site for the purpose of browsing without shopping—the web server does not know the identity of the user. In this case, the only identifying information associated with the cookie is a unique ID assigned by the server; this is an unidentified cookie. If the user does log on to the site, then typically the web server will associate the user ID with the cookie, either by storing the user ID in the cookie or by maintaining state information at the website that associates the user ID with the cookie ID; this is an identified cookie.

TABLE 8.5 Characteristics of Cookies

Characteristic

Types

Identity

Unidentified cookie: Does not contain user ID

Identified cookie: Contains user ID entered at logon to website

Duration

Session cookie: Deleted when web session terminates.

Persistent cookie: Deleted when time specified in cookie expires.

Party

First party: Contains URL of the website the user is visiting

Third party: Contains URL of a third party

With respect to duration, cookies are either session or persistent cookies. A session cookie remains on the user system only while the user has on open window to that website. When the user closes all windows connected to that website or closes the browser, the browser deletes the cookie. Session cookies are useful for temporarily maintaining information about a user, such as for a shopping cart or a chat session.

A persistent cookie includes an expiration date. This means that, for the cookie’s entire life span (which can be as long or as short as its creators want), its information will be transmitted to the server every time the user visits the website that it belongs to or every time the user views a resource belonging to that website from another website (e.g., an advertisement). A persistent identified cookie allows a user to revisit a website that requires a logon without having to go through the logon procedure again. A persistent unidentified cookie can also be useful to the web server, in that it allows the website to track the activity of a single user over multiple visits, even though that user is not identified. The site could use such anonymous information for a number of purposes. One purpose could be to improve the interface so that more frequently visited pages on the site are easier to find. Another possible use is price manipulation: If the same user visits a site multiple times and looks at the same item, this could indicate interest in the item but resistance to the price, and the site may lower the price for that user.

Cookies can also be first party or third party. A first-party cookie is set and read by the web server hosting the website the user is visiting. In this case, the domain portion of the cookie matches the domain that is shown in the web browser’s address bar.

A third-party cookie, however, belongs to a domain different from the one shown in the address bar. This sort of cookie typically appears when web pages feature content from external websites, such as banner advertisements. This type of cookie opens up the potential for tracking a user’s browsing history and is often used by advertisers in an effort to serve relevant advertisements to each user. A third-party cookie is placed on a user’s computer to track the user’s activity on different websites, creating a detailed profile of the user’s behavior. Third-party cookies can only track user activity through pages related to a site’s advertising; they cannot establish full surveillance capability through any website.

There are a number of mechanisms by which web servers can install third-party cookies on web browser machines, including requesting that the browser connect to the third-party website and the installation of a Java plugin.

Third-party cookies enable advertisers, analytics companies, and others to track user activity across multiple sites. For example, suppose a user visits nypost.com to get the news. This site will contain a number of advertisement images. Each advertiser can install a third-party cookie. If the user subsequently visits another site, such as an online clothing site, that has the same advertiser, the advertiser can retrieve its cookie and now knows the user is interested in the news plus in clothing, and possibly which types of clothing. Over time, the advertiser can build up a profile of the user, even if it does not know the identity of the user, and tailor ads for that user. Further, with sufficient information, the advertiser may be able to identify the user. This is where online tracking raises a privacy issue.

Various browsers offer a number of countermeasures to users, including blocking ads and blocking third-party cookies. Some of these techniques may disable certain sites for the user. In addition, third-party trackers are continually trying to come up with new ways to overcome the countermeasures.

Other Tracking Technologies

A flash cookie is a small file stored on a computer by a website that uses Adobe’s Flash Player technology. Flash cookies use Adobe’s Flash Player to store information about your online browsing activities. Flash cookies can be used to replace cookies used for tracking and advertising because they also can store your settings and preferences. Flash cookies are stored in a different location than HTTP cookies; thus users may not know what files to delete in order to eliminate them. In addition, they are stored so that different browsers and standalone Flash widgets installed on a given computer access the same persistent Flash cookies. Flash cookies are not controlled by the browser. Erasing HTTP cookies, clearing history, erasing the cache, or choosing a “delete private data” option within the browser does not affect flash cookies. As countermeasures to flash cookies, recent versions of Flash Player honor the privacy mode setting in modern browsers. In addition, some anti-malware software is able to detect and erase flash cookies.

Device fingerprinting can track devices over time, based on the browser’s configurations and settings. The fingerprint is made up from information that can be gathered passively from web browsers, such as their version, user agent, screen resolution, language, installed plugins, and installed fonts. Because each browser is unique, device fingerprinting can identify your device without using cookies. Because device fingerprinting uses the characteristics of your browser configuration to track you, deleting cookies won’t help. A countermeasure to fingerprinting is to make your device fingerprint anonymous. This approach is taken in a recent version of Safari on macOS, which makes all the Macs in the world look alike to trackers.

Do Not Track

All browsers allow the user to select a “do not track” option. This feature enables users to tell every website, their advertisers, and content providers that they do not want their browsing behavior tracked. When the “do not track” option is selected, the browser sends an identifier in the HTTP header field. Honoring this setting is voluntary; individual websites are not required to respect it. Websites that do honor this setting should automatically stop tracking the user’s behavior without any further action from the user.

Many websites simply ignore the “do not track” field. Websites that listen to the request react to the request in different ways. Some simply disable targeted advertising, showing you generic advertisements instead of ones targeted to your interests, but use the data for other purposes. Some may disable tracking by other websites but still track how you use their websites for their own purposes. Some may disable all tracking. There’s little agreement on how websites should react to “do not track.”

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020