How Web Tracking Works

Every time you visit a website, you're not just loading a page — you're broadcasting a remarkable amount of information about yourself. Your IP address reveals your approximate location. Your browser sends a detailed description of your device. And behind the scenes, invisible scripts fire off requests to dozens of third-party servers that record your visit and stitch it together with your activity across the rest of the internet.

The tracking industry exists primarily to serve targeted advertising, which represents a $600+ billion global market. Companies like Google, Meta, and thousands of data brokers have built their businesses on understanding who you are, what you're interested in, and what you're likely to buy.

A single page load on a typical news website triggers 50–200 third-party requests to advertising networks, analytics services, social media platforms, and data management platforms. Each one receives information about your visit and, critically, can cross-reference it with data from millions of other sites.

The result is a detailed profile that follows you across the web. You search for flights to Paris, and within hours you see hotel ads on unrelated sites. You research a medical condition, and suddenly health-related products appear everywhere. This isn't coincidence — it's the tracking ecosystem at work.

Cookies: First-Party vs Third-Party

Cookies are small text files that websites store on your device. They serve both legitimate and tracking purposes:

First-party cookies are set by the website you're actually visiting. They serve useful functions: keeping you logged in, remembering your preferences, saving items in your shopping cart. These are generally benign and necessary for websites to function properly.

Third-party cookies are set by domains other than the one you're visiting — typically advertising networks and social media trackers embedded on the page. When you visit news-site.com and it loads an ad from ad-network.com, ad-network.com drops a cookie on your device. When you visit shopping-site.com and it also loads content from ad-network.com, the network reads its cookie and connects your visits. This creates a cross-site tracking profile without either site sharing data directly.

The good news: Third-party cookies are being phased out. Safari and Firefox have blocked them by default for years. Chrome is implementing deprecation with Privacy Sandbox alternatives. By mid-2026, third-party cookies will be largely extinct across major browsers.

The bad news: The tracking industry has already developed alternatives that don't depend on cookies. Browser fingerprinting, server-side tracking, and first-party data enrichment are replacing third-party cookies — and some of these methods are harder to block.

Browser Fingerprinting

Browser fingerprinting creates a unique identifier for your browser based on its configuration — without storing anything on your device. Unlike cookies, there's nothing to delete because the fingerprint is calculated from information your browser reveals about itself.

Information used for fingerprinting:

• Browser type and version
• Operating system and version
• Screen resolution and color depth
• Installed fonts
• Installed plugins and their versions
• Time zone and language settings
• WebGL renderer information (reveals your GPU)
• Canvas rendering patterns (how your device draws graphics)
• AudioContext patterns (how your device processes audio)
• Hardware concurrency (number of CPU cores)

Individually, none of these data points is unique. Combined, they create a fingerprint that's unique in 99.5% of cases according to research by the Electronic Frontier Foundation. Your browser configuration is as distinctive as a physical fingerprint.

Why fingerprinting is hard to fight: You can't simply "clear" a fingerprint like you can delete cookies. Ironically, extreme privacy measures can make fingerprinting easier — if you block JavaScript, use an unusual screen resolution, or have a unique set of fonts, your browser stands out more, not less.

Best defenses against fingerprinting:

• Use Firefox with Enhanced Tracking Protection set to Strict — Firefox automatically randomizes some fingerprinting data
• Use Brave browser — blocks fingerprinting by default and randomizes exposed data
• The Tor Browser — designed specifically to make all users look identical, defeating fingerprinting
• Don't stand out — using a common browser (Chrome, Firefox) on a common OS (Windows, macOS) with default settings paradoxically provides better fingerprint anonymity than exotic setups

Tracking Pixels and Web Beacons

Tracking pixels (also called web beacons) are invisible 1×1 pixel images embedded in web pages and emails. When your browser or email client loads the pixel, it sends a request to the tracking server that includes your IP address, the time, your device information, and which page or email you were viewing.

Email tracking pixels are particularly invasive. When you open an email containing a tracking pixel, the sender (or their email marketing platform) knows:

• That you opened the email and when
• Your IP address and approximate location
• Your device and email client
• How many times you opened the email

Marketing platforms use this to score "engagement" and decide whether to send more emails or mark you as inactive.

How to block tracking pixels:

• Disable remote image loading in your email client. This prevents tracking pixels from loading.
  • Gmail: Settings → General → "Ask before displaying external images"
  • Apple Mail: Mail → Settings → Privacy → "Protect Mail Activity" (blocks trackers automatically)
  • Outlook: File → Options → Trust Center → Trust Center Settings → Automatic Download → "Don't download pictures automatically"
• Use an email provider that strips trackers — ProtonMail and Hey email both block tracking pixels by default.
• On the web, ad blockers like uBlock Origin block most tracking pixels along with ads and tracking scripts.

How to Block Trackers

A multi-layered approach provides the most effective tracker blocking:

Layer 1: Browser choice and settings. Use Firefox (Strict tracking protection) or Brave (built-in ad and tracker blocking). These browsers block third-party cookies, known tracking scripts, and fingerprinting attempts by default.

Layer 2: uBlock Origin. Install this free, open-source extension. It blocks ads, tracking scripts, malware domains, and other unwanted content. It uses filter lists maintained by the community and updated regularly. On Firefox, it can also block CNAME-cloaked trackers — a technique where trackers disguise their domain to appear as first-party.

Layer 3: DNS-level blocking. Services like NextDNS or Pi-hole block tracking domains at the DNS level — before your browser even connects. This protects all devices on your network, including smart TVs, IoT devices, and apps that bypass browser-level blocking.

Layer 4: VPN with ad/tracker blocking. Some VPN providers (Mullvad, ProtonVPN, IVPN) include DNS-level tracker blocking. When enabled, tracking domains are blocked at the VPN server level.

Each layer catches trackers that others miss. Browser-level blocking is the most effective for web browsing but doesn't help for apps. DNS-level blocking covers everything on the network but can't block trackers served from the same domain as the content (first-party tracking). Together, they provide comprehensive protection.

Browser Privacy Settings

Regardless of which browser you use, these settings improve privacy:

Firefox:

• Settings → Privacy & Security → Enhanced Tracking Protection → Strict
• Enable "Tell websites not to sell or share my data"
• Enable "Send websites a 'Do Not Track' request" (limited effect, but no downside)
• Under Cookies: "Delete cookies and site data when Firefox is closed"
• Under HTTPS-Only Mode: "Enable HTTPS-Only Mode in all windows"

Chrome:

• Settings → Privacy and Security → Third-party cookies → Block third-party cookies
• Settings → Privacy and Security → Security → Enhanced protection
• Settings → Privacy and Security → "Send a 'Do Not Track' request"
• Settings → Privacy and Security → Site Settings → review permissions granted to individual sites

Brave:

• Shields → Aggressive tracker and ad blocking
• Fingerprinting protection → Strict
• Block third-party cookies
• Upgrade connections to HTTPS

Safari:

• Safari → Settings → Privacy → "Prevent cross-site tracking" (enabled by default)
• "Hide IP address" → "From trackers and websites"
• "Block all cookies" (may break some sites; enable if you're willing to deal with occasional issues)

Advanced Anti-Tracking Measures

For users who want stronger protection, these advanced techniques provide additional layers:

Container tabs (Firefox only). Firefox Multi-Account Containers let you isolate websites from each other. Facebook runs in one container, Google in another, shopping in a third. Cookies and other tracking data don't cross container boundaries, preventing services from tracking you across contexts.

Browser compartmentalization. Use different browsers for different activities: Firefox for general browsing, a separate Brave profile for social media, Chrome for work. Each browser has independent cookies, history, and storage.

JavaScript blocking. Extensions like NoScript block JavaScript by default and let you selectively enable it per site. Since most tracking relies on JavaScript, this is extremely effective — but also the most disruptive to normal browsing, as many sites rely heavily on JavaScript.

Tor Browser. For maximum anonymity, the Tor Browser routes your traffic through three layers of encryption across the Tor network, making it virtually impossible to trace back to you. It's specifically designed to defeat fingerprinting by making all users' browsers look identical. However, it's significantly slower than regular browsing.

Disposable browsers. For one-time visits to unfamiliar sites, use a private/incognito window (which starts with a clean slate and deletes all data when closed) or a disposable virtual machine.

Finding the Right Balance

Anti-tracking measures exist on a spectrum from "minimal effort, significant benefit" to "maximum protection, significant inconvenience." Finding your sweet spot depends on your personal threat model and tolerance for disruption.

Level 1 — Minimal effort, major improvement:

• Switch to Firefox or Brave
• Install uBlock Origin
• Use a privacy-focused search engine (DuckDuckGo)
• Disable email image loading

Level 2 — Moderate effort, strong privacy:

• All of Level 1
• Use DNS-level blocking (NextDNS)
• Use container tabs for major services
• Clear cookies regularly or on browser close
• Use email aliases for new accounts

Level 3 — High effort, near-maximum privacy:

• All of Level 2
• Use Tor Browser for sensitive browsing
• Use a VPN
• Compartmentalize browsers by activity type
• Use NoScript with per-site whitelisting
• Disable JavaScript by default

Most people will be well-served by Level 1 or Level 2. The jump from "no tracking protection" to "basic blocking" provides the largest privacy improvement with the least friction. Each additional level provides diminishing returns in privacy for increasing inconvenience.

---

Web tracking is pervasive, but it's not unstoppable. A privacy-focused browser with uBlock Origin blocks the majority of trackers with zero effort. Add DNS-level blocking and disciplined cookie management, and you've eliminated over 90% of web tracking. For most people, that's more than enough to reclaim meaningful privacy without sacrificing the convenience of the modern web.