Julia Angwin

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites. This type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image.

Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

[Commentary] For years people have noticed a funny thing about Facebook's ubiquitous Like button. It has been sending data to Facebook tracking the sites you visit.

Each time details of the tracking were revealed, Facebook promised that it wasn't using the data for any commercial purposes. No longer. Facebook announced it will start using its Like button and similar tools to track people across the Internet for advertising purposes.

Facebook said on Sept 27, 2011, not to worry, telling the New York Times that it doesn't use data from Like buttons and other widgets to track users or target advertising to them, and that it deletes or anonymizes the data within 90 days.

OK, worry… On June 12, 2014, Facebook told Ad Age that it will start tracking users across the Internet using its widgets such as the Like button. It's a bold move. Twitter and Pinterest, which track people with their Tweet and PinIt buttons, offer users the ability to opt out. And Google has pledged it will not combine data from its ad-tracking network DoubleClick with personally identifiable data without user's opt-in consent.

Facebook does not offer an opt-out in its privacy settings. Instead Facebook asks members to visit an ad industry page, where they can opt out from targeted advertising from Facebook and other companies. The company also says it will let people view and adjust the types of ads they see.

Online marketers are increasingly seeking to track users offline, as well, by collecting data about people's offline habits -- such as recent purchases, where you live, how many kids you have, and what kind of car you drive.

Here's how it works, according to some revealing marketing literature we came across from digital marketing firm LiveRamp:

• A retailer -- let's call it The Pricey Store -- collects the e-mail addresses of its high-spending customers.
• The Pricey Store brings the list to LiveRamp, which locates the customers online when the customers use their email address to log into a website that has a relationship with LiveRamp. (The identity of these websites is a closely guarded secret.) The website that has a relationship with LiveRamp then allows LiveRamp to "tag" the customers' computer with a tracker.
• When those high-spending customers arrive at PriceyStore.com, they see a version of the site customized to "show more expensive offerings to them." (Yes, the marketing documents really say that.)
• Tracking people using their real names -- often called "onboarding" -- is a hot trend in Silicon Valley. "The marriage of online and offline is the ad targeting of the last 10 years on steroids," said Scott Howe, chief executive of broker firm Acxiom. The Direct Marketing Association, which represents the data broker industry, doesn't offer a specific opt-out for onboarding. It does offer a global opt-out from all of its members' direct mail databases, but it only requires members to remove people's data for three years after they opt-out.

[Commentary] The US data business is largely unregulated, which is not the case in most Western European countries. Those countries require all data collectors to provide individuals with access to their data; the ability to correct errors in the data; and, in some cases, the right to delete the data.

After reading the fine print on 212 websites, I learned that only 33 of them offered me a chance to see the data they held about me. But upon closer examination, not all of them were real offers. Some required me to set up accounts in order to see my data. I contacted 23 data brokers and received my data from 13 of them. Some asked me to send my requests by postal mail, along with a copy of my driver’s license. Others allowed email requests. Most of the responses I got were from the biggest players in the industry.

[Angwin is the author of Dragnet Nation and an investigative journalist for ProPublica]