Your Web Browsing Is Being Tracked -- Is Government Regulation the Answer?

You might think your online activity is private. Think again.

Every click you make on the Internet is being tracked, not just by your Web browser but by hundreds of small companies that tie the click of your mouse to your IP address -- and then to your name. And that data is sold to the highest bidder.

The problem is serious, and growing -- and it's reached Washington's ears. Recently, Rep. Jackie Speier, D-Calif., introduced a proposal in the House for new "Do Not Track" legislation, with guidelines for how the Federal Trade Commission might regulate Web tracking and fine those who don't comply.

“Many consumers don't even know they're being tracked, let alone where to adjust their privacy settings,” Tim Schlittner, a spokesman for Speier, told “Companies have clearly not done enough.”

Experts hope the legislation will end the patch-and-exploit battle between Web browsers and those who snoop.

More On This...

“The idea with 'do not track' is to end the arms race,” said Harlan Yu, a graduate student at Princeton University's Center for Information Technology Policy who has been studying Internet tracking.

Security experts know that tracking companies, such as Quantcast and BlueKai, plant cookies at websites to track the activities of visitors -- and sell that information for a profit. Security experts wonder how the data is really being used, arguing that it could be used against you in a legal proceeding, during a job interview or when you apply for a loan.

And that's where things get murky.

We know where you browsed last summer

What’s unclear about Web tracking is who is doing it, how they are using the data and who buys it.

“This is a big part of the problem: We can tell that third parties have a presence on a large swath of websites and are able to actively track users,” Yu told “The extent to which these companies are then correlating, sharing or selling those consumer profiles downstream is largely unknown.”

Ashkan Soltani, a researcher and security consultant, says there are almost too many Web tracking companies to name, and it is hard to know who is doing what. Even the FTC has issued reports showing the complex flow of data flows among online networks.

“The customers [of Web tracking companies] use this data for a variety of reasons including credit card offers, job applications, insurance, background checks, as well as ad targeting,” Soltani told

In most cases, those who could make the most use of the tracking data deny being involved. Giant insurance company State Farm is one.

"State Farm does not make use of it," said Heather Paul, a spokeswoman for the company. "We've heard about this idea, but simple knowledge of the websites that an individual visits is of doubtful underwriting value."

The sheer volume of tracking implies that it is big, business, however -- and someone is definitely buying.

Who can fix the problem?

Blocking these trackers is far harder than you might imagine. Brand-new Web browsers such as Internet Explorer 9 and Firefox 4 do include an option to disable Web tracking. According to Yu, these short-term solutions don't guard against modern snoops.

“[Web tracking companies] engineer around the tracking protection by buying a new domain every single day and using that new domain across their third-party network,” Yu told Trackers are hidden in images and Adobe Flash animations, and embedded deep in the Web programming language behind a site. These can fool even the best of today's tools.

Like Do Not Call legislation, Do Not Track would be a one-stop shop for regulating those companies that track your online activity. According to Yu, it might simply involve a line of code that is sent every time you visit a site. Each Web server would be obligated to scan that code and disable tracking if you've opted out. Random audits would ensure compliance.

Google runs the largest ad network on the Web and says it will provide a Do Not Track feature in its ad network as well as a way to opt-out of Web tracking. Google did not respond to requests for additional details, however, and experts wonder if such features will really work.

“There have been calls for self-regulation of third-party Web tracking for years. The business response has been wholly inadequate,” said Jonathan Meyer, a graduate student in Computer Science and Law at Stanford University who wrote some of the original Do Not Track proposals. “Our patience has worn.”

Companies such as Microsoft and Google are adamant that more legislation is not the answer, however, and that the new features built into browsers are more than adequate.

“Consumers deserve and need protection from some forms of tracking. Law enforcement and regulation can certainly help, but they often have more pressing issues and tight budgets,” Dean Hachamovitch, corporate vice president of Internet Explorer at Microsoft, told “With Microsoft's tracking protection, consumers have active protection today.”

Soltani suggests yet another method for dealing with Internet tracking -- a concept he calls Do Not Identify, where tracking can still occur, unconnected to a specific user.

And one company is already using the model: Facebook spokesperson Andrew Noyes explained to that the company does link advertising to your personal tastes but does not sell any personal data to advertisers -- it is done without their direct involvement.

“We never share your personal information with advertisers. We never sell your personal information to anyone,” Noyes said.