Cookies - stored in your browser when you click the annoying little cookie banners that almost every website presents to you upon first visit - track you while you surf across the web. This profiling is used in marketing to enable companies to post targeted advertisements. But cookies have a hard time lately: Google and Apple, the owners of Android, the iPhone, and the Chrome and Safari browsers, are phasing out support for these so-called third-party cookies and mobile advertising identifiers.
Google in particular is probably not primarily concerned with data protection, but with hindering its competitors in the field of personalized ads - in order to get an even higher share of the $336 billion market for Internet advertising itself.
On top of that, the EU has declared cookie banners illegal as these are not compliant with the European data protection regulation GDPR. This - on its own - is good for consumers. The EU gave good reasons to declare cookie banners illegal: Cookies are usually not transparent enough, for instance they do not contain enough information or are too complicated to understand. Additionally, it is often too difficult to deny the tracking via cookies.
As a consequence, the marketing industry is working on an alternative. Silently, websites are switching to a new form of tracking of their website visitors: Profiling based on people's email address or phone number.
Profiling is used to track and group website visitors for marketing purposes. This enables the marketing industry to display targeted advertisements to individual users - either based on their individual profile or based on the group profile.
A tracker profiling you can either be a cookie (stored in your browser cache), or a personally identifiable information such as your email address or phone number.
The information collected about you while you surf the web is put together to create a profile. Tracking profiles are used to group users together, to profile and target certain users, and to sell the data collected to third parties.
Such profiling is heavily used in marketing. Companies buy and use these profiles for even more focused ad targeting.
The new cookie-less technology is gaining momentum as it also works without the support of the monopolists Google and Apple.
Identity providers register when a person logs into a website. This information is being passed on to advertising companies. This way they can recognize who is interested in what, even without cookies. Most of the times the email address is used as a unique identifier. For tracking purposes and to protect the identity of the person that is being profiled, the email address (or phone number) is usually hashed (=converted into a sequence of numbers and letters) that uniquely matches the original address like a fingerprint.
Example of a profiling technique: Personalized advertising with an identity provider works via tracking people via their login data and their IP addresses (simplified example).
A person is registered at an online shop and clicks on a vacuum robot. The shop registers this information. The store then bids for an ad space on any ad-financed site - these auctions are fully automated and run within milliseconds. The advertiser can add conditions for their ad to be placed. In this case, the ad should only reach people who have viewed the vacuum robot before. The person that was previously logged into the store and has now also logged into a news site with the same email address, for example. The advertising platform can merge both logins as both are linked ot he same email address and display the vacuum robot ad on the news site.
Some sites go a step further and even track you via autofill: Your browser or password manager autofills certain fields, e.g. for an email address, to make a login easier. The site already registers these automatically inserted addresses to track you, even when you do not log in.
But advertising companies are still looking into ways to track you beyond this...
To increase the tracking range, the identity provider also uses people's IP addresses. While the IP address only remains the same for about one day, the provider can still connect it to individuals over a longer period of time. As long as one person from the household is logged in at one service, an identity provider can simply track the IP changes.
This example will explain how the tracking works in this situation: Again, a person is looking for a vacuum robot, this time he or she is not logged into the shop or the site. However, a child in the same household is using an app with a login. The app leaks this information to the identity provider. The service recognizes that the app, the shop and the news site have been accessed from the same IP address and can thus collect behavioral data from the household under one profile. Through the login of the app, they can also track IP changes, knowing that is still belongs to the same household. Again - if it works as planned - the "right" person receives the vacuum robot ads.
There are some very easy steps that you can take to stop being profiled and tracked while browsing the web:
1. Don't accept cookies: Usually, it takes a few extra clicks, but it is well worth it to deny cookies.
2. Do not enter your phone number on random websites.
3. Do not use password managers with autofill. In Firefox you can disable autofill.
4. Use ad blockers, on mobile preferable from F-Droid.
5. Use catch-all to create a separate email address for every website.
The last point is also the most important one: You can stop any tracking based on your email address if your email address stops being the same. Instead, use a unique email address for every website.
You can achieve this easily with Tutanota, for instance. When you use Tutanota with a custom domain, you can activate catch-all. This feature make sure that all emails sent to your custom domain are being received in your inbox - no matter the prefix of the email address.
This enables you to create a limitless number of email addresses - one for each website where you need to register, e.g. /firstname.lastname@example.org, /email@example.com, /firstname.lastname@example.org etc.
Unique email addresses are the best way to stop the new form of profiling.
A technical explanation of "How you are tracked without cookies using Identity Providers" can be found here.