Do you know how many see-everything-you're-doing-on-the-web trackers get loaded into your browser when you watch a YouTube video? Would you care to guess?
It's about sixty.
Sixty. Six zero. Sixty trackers when you load one video. I know this because I decided to take Browser Guard, the Malwarebytes' browser extension that blocks ads and keeps you safe from trackers, scams, malvertising, and other online threats, for a wander through the web's top 25 sites.
Web users have always spent a disprorportionate amount of their time on the web's most popular sites, and websites like Facebook, Twitter, and Twitch are designed to keep you hanging around for as long as possible. So what happens on the top sites has an outsized effect on users because the top sites don't just reach more people, they also keep people for longer.
Before I get into the why I was counting how many things Browser Guard blocks, take a look at the numbers in the table below.
The table shows the number of items—ads, cross-site trackers etc—that Browser Guard blocked on a single page on each of the top 25 most visited websites. I looked at one page on each site, and chose pages that were broadly representative of what somebody might go there to do. So, on Google I looked at a search results page, on YouTube I looked a page displaying a video, and so on. Where I was asked to log in and I had an account, I logged in, and where I was asked to accept cookies I did.
|Site||Page type||Items blocked|
Browser Guard blocked a total of 172 items across the 25 pages tested. That's a mean average of seven on each site, and a median of two. The mean average is heavily skewed by YouTube and Samsung, which accounted for 100 items between them.
(Note that if you try to repeat this experiment you might get slightly different results, although we expect them to be similar to ours. Because of the way that ad tech works, different numbers of items may be downloaded for apparently identical page loads.)
How tracking affects security and privacy
So why does it matter?
Cross-site ad tracking follows you from site to site and builds up a rough picture of your likes, dislikes, and demographics, which is then used to help ad providers choose relevant, targeted ads to show you (or at least, that's the theory.)
This model comes with advantages, but it also comes with significant risks to both your privacy and security.
You are the product
The price you pay for the popular, free-to-use-websites like Facebook and YouTube is that somewhere, somebody is amassing a whole lot of data about you. You likely don't know who they are, what they know or how much, how securely the data is stored, how long it's kept, or who it's been shared with, sold to, or stolen by.
Some people see this kind of tracking as benign, or at least a necessary evil. The ad economy is what keeps sites like Facebook and YouTube free after all, and they would rather see ads that might at least appeal to them than something chosen at random. For others, the targeted ad economy and the cross-site tracking it relies upon are an unacceptable violation of their privacy.
But that's not the whole story. Ads and trackers aren't just a privacy problem, they come with a pair of security problems too.
Efficient threat distribution
The first is that ad distribution networks—the amazingly efficient, just-in-time auction houses that fill ad slots as a page loads—are just as good at distributing scams, links to phishing sites, and malware downloads, as they are at distributing ads. Ad companies don't encourage this, but despite their efforts malicious advertising—malvertising—is resurgent in 2023. A lot of malvertising works by impersonating well known brands, and the scammers do it so well that you have almost no chance of spotting it.
Simply, the more ads and ad networks you're interacting with, the more likely you are to encounter something bad. And if you do, you probably won't spot it until it's too late.
Criminals with "God mode" access
The second problem is that ad networks and cross-site tracking generally rely on components pulled from third-party websites as a page is loaded. This means that when you visit a page with a single tracker on it, your browser is actually talking to two websites: The website you're looking at and the website it's loading the tracking code from.
But lots of sites have far more than one tracker. If you visit a page with 20 trackers, your browser could be assembling the page you're looking at from as many as 21 different websites. Scarily, each website you load a component from gets full access to the page the component is included in. FULL access.
Among many other things, the third-party components are allowed to alter the code of the page you're looking at in any way they like, they can all see anything you type into a form on that page, even if you don't submit it, and they can copy any authentication cookies you have for that site too, which effectively means they can steal your password.
In other words, any site that suppliies any content for the page you've loaded gets "God Mode" on that page. So if you're looking at a page with 20 trackers, that's as many as 21 sites with God Mode on that page.
That's bad enough if you trust everyone concerned, because even legitimate companies have been known to play fast and loose with that level of access. But it gets really serious if any of those organisations are compromised, because now you're giving God Mode to a malicious hacker.
There is simply no way for an individual, even a highly skilled one, to know when they're using a website that includes a third-party component compromised by criminal hackers or operated by a company prepared to bend the rules at the expense of your privacy and security. And while legitimate ad companies offer opt outs from tracking, staying on top of them is unworkably hard.
Technologies like Browser Guard fill the gap, staying on top of the known nasties and blocking ads that can harbour malvertising, scams, and other threats, even on the biggest websites.
If you want to find out how much Browser Guard can block for you, download it today.