Third-Party Tracking: Cookies, beacons, fingerprints and more

Originally published in Inside the Influence Industry's Personal Data: Political Persuasion - How it works by Tactical Tech's Data & Politics team.

What is third-party tracking?

If a political campaign wanted to target their advertisements to women interested in the Bible, conservative politics and the environment, it could turn to one of the scores of marketers and data brokers who have amassed large troves of personal data. This is precisely what Jim Bender's New Hampshire Senate campaign did in 2010 with the help of a marketing firm called RapLeaf. But how did RapLeaf know who was interested in the Bible and also concerned about the environment? And how do campaign ad tech companies ascertain this sort of information across the millions of voters on whom they boast having data? The answer is tracking services.

A wide range of tools are used to track users as they surf the internet or access services on a mobile phone. These are used across digital services and the marketing industry and include cookies, tracking pixels, browser fingerprinting, web beacons, IP targeting, HTML storage, GPS data and more. In recent years, there has been substantial growth in political and commercial tracking services. Virtually all political campaigns use them. In fact, many specifically promote a 'political cookie', a piece of data that can be used to match a person's online identity with their offline details, like 'party registration, voting history, charitable donations, address, age, and even hobbies'. When voter files are supplemented with data purchased from data brokers, as the CEO of one targeting firm explained, 'working with about 100 high-traffic websites that register their users, they can match the offline data to the online identities of individuals'.

A video published by DSPolitical on its website. The film’s voice-over confirms the link between tracking cookies and voter information: ‘we take cookies and match them with the voter file’.

Source: ‘DSPolitical Brings Technology It Pioneered in U.S. to UK’, DSPolitical, 17 February 2015.

This matching is possible because many campaign websites reserve the right to share their visitors' information with unaffiliated third parties in the legal jargon of their privacy policies. In recent congressional elections in the US, third-party trackers were found on 87% of websites affiliated with candidates. Data protection regulation, where it exists, can be ineffective: none of the eleven candidates' websites in the 2017 French presidential elections fully obeyed the country's legal requirements regarding consent and the use of cookies.


In a study by Ghostery, third-party trackers from Google, Facebook and Twitter were found on 75%, 53% and 30%, respectively, of the 981 websites affiliated with 2018 US congressional candidates.

Source: ‘2018 Midterm Election Study’, Ghostery, 30 October 2018, accessed 11 March 2019.

How is your data used?

Cookies: Not all cookies are bad; in fact, cookies are legitimately used by a wide range of websites to remember useful things like your login details, preferences and items in your shopping cart. These first-party cookies improve your user experience, while third-party cookies can track your browsing.

Third-party cookies are a greater concern for privacy because cookies from the same tracking company can monitor various sites. To illustrate: in the run-up to an election, a voter may want to research candidates by visiting their affiliated websites. Even when the candidates and parties are different, these sites could be showing ads using the same service. This ad serving company could monitor activities like donations, signing up for a newsletter, or even what is clicked on. A tracking company could then cross-reference the user's browsing activity and combine it with external data sources that profile the voter. Then, further browsing -- even on seemingly unrelated sites -- could contain ads that promote candidates or views based on the information gleaned by the tracking cookies during the voter's initial research.


A slide deck leaked to US News & World Report from Jeb Bush’s 2016 presidential campaign shows how it was ‘constantly targeting the person, not the site, not the device’.

Source: ‘Jeb Bush’s Campaign Blueprint’, 29 October 2015.

Tracking Pixels: Tracking pixels are single-pixel transparent images that exist within some websites but come from a third-party. While they are invisible to the user, this seemingly discrete connection allows third parties to glean useful information about your device such as your system hardware, browser configuration and IP address. Apart from your browsing history, tracking pixels can be used to determine whether emails are opened or not. Campaigns also use them to track how many people start the donation process but don't finish it, so they can streamline their donation forms. NationBuilder, a popular campaigning software, has a prepared set of instructions online for 'How do I add a tracking pixel to my site?'

Browser Fingerprinting: Browser fingerprinting is a technique that combines a browser's characteristics (such as time zone, language, screen resolution or installed fonts) to uniquely identify it. While cookies can be cleared and other tracking technologies can be blocked, browser fingerprinting is more sophisticated and harder to circumvent.

Beacons: Beacons are physical devices that wirelessly register the presence of nearby mobile devices. Beaconstac, a manufacturer of portable beacons, has proposed deploying volunteers with beacons to political campaign rallies to collect data on nearby devices, which could be used to identify attendees. Attendance could then be combined with other data points obtained, for instance, from third-party data brokers.

IP Targeting, Geofencing, and Other Technologies: Campaigns are expanding beyond tracking cookies into more sophisticated techniques such as IP targeting and geofencing. IP addresses not only identify a specific connection to the internet, but they also reveal the connection's approximate geographical location. Political campaigns are targeting devices 'anchored' in home's IP address.

Mobile devices can be tracked through geofencing, which tracks users' locations based on their GPS data or connections that can be registered by other technologies such as Bluetooth, Wi-Fi and radio frequencies. Many other techniques are proliferating: a recent assessment identified 70 different tracking technologies used to capture actions like email opens.

Some examples

In Colombia: During Colombia's 2018 national election, an analysis of websites belonging to leading candidates revealed extensive use of third-party tracking tools. Of the leading 21 candidates' websites, eight had third-party Facebook trackers, 12 had Twitter trackers and 11 had some form of tracking on the donation page. Among 10 political party websites, five had Facebook trackers, seven from Twitter, and five had other trackers on the donation page. As one anonymous interviewee who managed the campaign of a Liberal party candidate explained, 'if you enter the website of name of political candidate and return to Facebook, images of them begin to appear. This is done using software' (namely third-party Facebook tracking software). Another digital strategist remarked, 'at a marketing level, what people do is... start "sticking" cookies to you from when you turn on the computer to when you turn it off'.


A chart showing active data collection on Colombian candidate and party websites. Notably, 38% of the 21 candidates’ website contained a third-party Facebook tracker, compared to 57% from Twitter.

Source: Varoon Bashyakarla, ‘Colombia: Personal Data in the 2018 Legislative and Presidential Elections’, accessed 26 February 2019.

Across the European Union: A 2018 investigation found that a number of European political party websites had Facebook tracking pixels embedded on them. The parties spanned the European continent and the political spectrum. Facebook's tracking pixel was also detected on the sites of two EU agencies. The Nordic Council's digital editor explained, 'we have installed the Facebook pixel in order to expose more relevant content on Facebook for website visitors. This is mainly career opportunities or free publications and news about specific subjects that the user has showed interest in on our website'.


A visualisation of potential trackers on UK political party websites from June 2017, based on an investigation at Tactical Tech. Labour’s website exceeded the tracker count on the Conservatives’ website.

Source: Tactical Tech, 2017.

How can I avoid being tracked?

Recently, browsers have implemented a 'Do Not Track' request; however, it is not binding, as a tracker can simply ignore the request. Browser extensions and ad blocking firewalls offer more robust defences. While cookies are currently too useful for non-tracking purposes to block outright, recent browser designs and privacy legislation is starting to limit their privacy vulnerabilities. Since 2017, Safari took measures to limit cookies and Firefox has added a 'Facebook Container', which prevents the social network from tracking you around the web.

In the EU, because of the General Data Protection Regulation (GDPR), websites must request consent for cookies to access the website, though many claim this form of consent is simply a barrier to access content and not a meaningful decision regarding privacy. Notions of voter privacy are changing how some political campaigns deal with voter information; some offer a degree of transparency regarding their collection of data, even permitting voters to submit corrections.

Some services are becoming more transparent: Google allows users to review what information the company has amassed on them for advertising purposes. Despite this progress, much of the responsibility still falls on the user to avoid tracking.

The Electronic Frontier Foundation, a non-profit defending digital privacy, has a free tool called Panopticlick that shows users if their browser blocks third-parties and if their browser fingerprint is unique.


↘ Tracking can prevent users from seeing the same ad repeatedly.

↘ Cookie matching can enable political campaigns to exclude voters who are not politically engaged from seeing political ads.


This screenshot shows that third-party tracking services like cookies are anonymous, but companies like LiveRamp have a history of working with political campaigns and offer identity-cookie matching services.

Source: ‘Data Matching with Identity Graph’, LiveRamp, accessed 26 February 2019.

↘ Tracking helps identify click fraud, a practice in which a person or automated script repeatedly clicks on a paid ad without any real interest in it, thereby generating revenue for the website or draining revenue from the advertiser.

↘ When used in a transparent and privacy-respecting way, third-party tracking can strengthen democratic foundations by, for example, promoting Get Out The Vote messages.

↘ The amount of personalisation in advertising and communication today risks skewing voters' understanding of candidates' priorities and agendas.

↘ The chain of consent is opaque and extends without end. When consenting to receiving cookies from a third-party on a given site, users have no control over whether and how that information is subsequently used and can not find out later where their information has gone. This extension of consent is particularly sensitive when consent is granted to sharing data in an apolitical context and when any captured data is later shared with a political actor. Additionally, simply soliciting users for access (e.g., click 'Accept all cookies to access this website') is not meaningful consent. Consent is only meaningful if it is an actual choice, not simply granted to a gate for the purpose of access.

↘ Personalised advertising allows campaigns to show relevant ads to voters, but surveys show that voters don't want their political ads tailored to their personal interests.

Author: Varoon Bashyakarla