Eric Ransom Writing Projects Other Stuff Contact

Header image


Tracker Horror #1


Case Study: The New Yorker (https://www.newyorker.com/)

This is the first in a series of articles where I will be looking at the terrible mess of advertising and tracking that constitute most sites on internet. Websites have become increasingly overrun with huge page loads full of javascript that track every move of your mouse, third-party cookies that store persistent data which is shared across multiple companies, advertisements concealed as actual content, and other nefarious nonsense.

I’ll be using the following tools to help me analyze this information:

I’ll say right off that I am not an expert on these topics in any capacity, and my understanding of what some of the below trackers are actually doing took a bit of research to work out. This article is not intended to be a technical analysis of commercial web design. The goal is to look at a broader picture of the extent of nefarious web elements on popular sites to understand and try to avoid them.

Why The New Yorker

I chose the New Yorker somewhat randomly because I recently received a trial subscription to their site, and I was curious to see what kind of tracking was taking place despite being a paid subscriber at the time. This is not a product that I would ever regularly pay to subscribe to, especially given the state of their website. I gathered information with the tools above while I was actively logged into the site.

As far as I can tell, there is nothing particularly unique about the New Yorker’s site or the ways that they use cookies, tracking, and fingerprinting. Unfortunately, these techniques are all commonly used by companies regardless of if you are paying for their product. I’m sure there are more extreme examples, but this site serves well enough to highlight commonly-used tactics.

I should note that I generally enjoy the New Yorker’s articles, so nothing about this is a criticism of their actual content. I am only focused on how it is presented on their home page and the trackers/ads/cookies involved.

My general expectation as a customer paying for a service would be that I receive a product relatively free of advertisements and third-party trackers. I am more understanding of the need for such measures when offering a product for “free”, but my expectation is that you should not be farmed for data if you’re already paying for the product. It will become pretty clear that the New Yorker fails pretty miserably in this regard.

Baseline measurement

I will be using this site (ericra.com) as a baseline for what it means to have a site that includes no advertisements, trackers, or cookies. If I look at my site with the tools above, I find that:


ublock origin output for ericra.com home page


So this is the baseline for a non-monetized site that has no intentions of serving advertisements, tracking you, doing any analytics, or generating cookies to store persistent data.

Looking at the New Yorker homepage (https://www.newyorker.com/)

So let’s turn to the New Yorker’s home page for comparison. Remember that I am currently signed into my paid account when looking at these tools.


Firefox tracker detection for newyorker.com home page



Privacy Badger output for the newyorker.com home page



uBlock Origin output for the newyorker.com home page


Note that if I turn off uBlock tracking for the site but view what domains are being accessed in the uBlock extension, I get a list of calls to 73 different domains to load JUST the New Yorker homepage:


newyorker.com www.newyorker.com ad.gt adobedtm.com ads-twitter.com akamai.net akamaiedge.net amazon-adsystem.com associates-amazon.com bounceexchange.com bouncex.net branch.io casalemedia.com chartbeat.com chtbl.com cloudflare.com cnevids.com condenast.map.fastly.net pixel.condenastdigital.com condenastdigital.com cookielaw.org criteo.net d1exbt14vyjc4u.cloudfront.net z-na.associates-amazon.com d1i63z6fdxg20x.cloudfront.net ext.chtbl.com d1ykf07e75w7ss.cloudfront.net c.amazon-adsystem.com d1z2jf7jlzjs58.cloudfront.net d24j0ds5uudgu2.cloudfront.net web.chtbl.com d2941xw9rhwgkc.cloudfront.net player.cnevids.com d2g4fzj6rqzfhe.cloudfront.net ak.sail-horizon.com d3f7zc5bbfci5.cloudfront.net static.chartbeat.com d3l22sipwx377d.cloudfront.net cdn.keywee.co dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com condenast.demdex.net demdex.net doubleclick.net facebook.net fastly.net fbcdn.net flashtalking.com fonts.googleapis.com fourd-api-elasticl-13k9c6pqkejf3-218301974.us-east-1.elb.amazonaws.com 4d.condenastdigital.com google-analytics.com google.com googletagmanager.com gstatic.com hotjar.com hwcdn.net ibytedtos.com indexww.com keywee.co licdn.com mathtag.com moatads.com newrelic.com onetrust.com parsely.com pdst.fm pinimg.com pinterest.com pinterest.map.fastly.net quantserve.com rlcdn.com sail-horizon.com sail-personalize.com sc-static.net scorecardresearch.com snapchat.com tapad.com tiktok.com trkn.us twitter.map.fastly.net us-central1-adaptive-growth.cloudfunctions.net wnyc.net wnyc.org yahoo.com yahoodns.net yimg.com zqtk.net


Some of these are retrieving harmless things like fonts from third-party sites. But the fact is that a large portion of these are solely being used for the purpose of serving advertisements, trackers, persistent cookie info, etc. I am, of course, consenting to all of this either implicitly by using the web site or explicitly by agreeing to some set of terms and conditions when accepting a subscription agreement. So it's not like they are doing anything illegal, but this level of 3rd party tracking is pretty disgusting for a paid service in my opinion.

Another tracking tactic blocked by Firefox on the New Yorker site is browser fingerprinting via the third-party company BounceX (which appears to have recently rebranded itself as Wunderkind).


BounceX Fingerprinting Blocked by Firefox Tracking Protection


Fingerprinting is the process of collecting data about a user’s browser, hardware, operating system, or other persistent device info to track users across sites. This cannot be prevented even by using a VPN to access sites since connecting to sites from a different IP address does not change your device’s fingerprint. The only potential way to prevent this is to stop the site from collecting the fingerprinting data in the first place, so this is something that Firefox attempts to do for you automatically. Again, I am seeing this while I am signed in as a paid subscriber to the New Yorker’s site. Why is it normative for sites to harvest data and track my usage even when I am paying for the service?

If you want to learn a bit more about fingerprinting, check out the Electronic Frontier Foundation’s Cover Your Tracks web tool:


EFF - Cover Your Tracks


In addition to all of the third-party tracking going on here, the page load itself is completely bloated with data that does not contribute to the site’s content. The home page alone is over 5MB and took over 5.5 seconds to load on average because of 117 HTTP GET requests to Google, Adobe, Amazon, KeeWee (marketing analytics), OneTrust (geolocation), and many others. The majority of the site’s bulk consists of 3rd party elements that have nothing to do with the actual page’s content.

Conclusion

This article was intended to provide an initial look at a single website homepage and get an overview of the extent of third-party tracking and other data-harvesting methods being used. For the next article, we’ll go a little deeper into analyzing what the JavaScript code used on sites like these is actually doing and how companies use these tools to exploit your data for profit.

I’m grateful for the creators of Firefox and these open-source, free extensions because they are really putting in a lot of work in making the pages like this usable. uBlock is regularly replacing malicious or unneeded Javascript code with dummy code to allow sites to load normally while blocking out harmful elements.
Firefox is blocking quite a bit by default, and it can be made better by tweaking a few settings.

If you would like a similar setup with the settings and extensions mentioned in this article, I created a short beginner’s guide a while back to getting that set up quickly. No prior knowledge is needed, and it should not take more than 10 minutes or so to get set up:


Guide to Setting Up Firefox for Privacy


There are alternatives that offer similar security and privacy protections, but this is the setup I use. It works out of the box without having to change many options, and the extensions do not break many sites when used with default options. They also give you an easy way to inspect websites that you use regularly so you can see for yourself what they are attempting to do.

That’s all for this one. Feedback always welcome!

Published: December 12, 2020.
Last updated: December 18, 2020
Correction and Edit History:
*License Info: This article is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)

Licensed under CC BY-SA 4.0