When we talk about advertising privacy, we need to understand what were comparing against. Google and Facebook have built the most sophisticated user surveillance systems in human history. This article explains exactly how they work - not to vilify them, but to establish what "industry standard" tracking actually means.

The Scale of Data Collection

Before diving into techniques, lets understand the scope:

Google's Reach

Chrome browser - 65% global market share, sees all browsing activity
Android - 72% of smartphones, constant location and app data
Gmail - 1.8 billion users, email content analysis
Google Search - 92% market share, intent signals
YouTube - 2.5 billion users, video preferences and watch time
Google Maps - Location history, places visited, commute patterns
Google Ads network - Present on millions of websites

Facebook's Reach

Facebook - 3 billion monthly users
Instagram - 2 billion users
WhatsApp - 2 billion users (metadata even if E2E encrypted)
Facebook Pixel - Installed on millions of websites
Facebook Login - SSO on countless apps and sites
Oculus/Meta Quest - VR usage and environment data

This infrastructure means they see you across almost every digital touchpoint.

Cookie-Based Tracking

The oldest and most well-known tracking method.

First-Party Cookies

Set by the website you visit directly:

Login sessions
Shopping cart contents
Site preferences

These are relatively benign - theyre what you expect from a website.

Third-Party Cookies

Set by external domains embedded in the page - this is where surveillance begins:

Google Analytics - Present on 55%+ of all websites
Facebook Pixel - Embedded on millions of sites
DoubleClick (Google) - Ad serving across the web

When you visit Site A with a Google tracker, then Site B with the same tracker, Google knows you visited both. Scale this across millions of sites and they have your complete browsing history.

Cookie Syncing

Different ad networks share cookie IDs through "cookie syncing":

You visit a page with multiple trackers
Tracker A has ID "abc123" for you
Tracker B has ID "xyz789" for you
They exchange: "abc123 = xyz789"
Now both companies data about you is merged

This happens invisibly, instantly, millions of times per day.

Browser Fingerprinting

When cookies are blocked, fingerprinting identifies you by your browsers unique characteristics.

Canvas Fingerprinting

Your browser draws a hidden image. Due to hardware and software differences, the resulting image is slightly unique:

GPU rendering variations
Font rendering differences
Anti-aliasing implementation

The image is hashed into an identifier. Studies show canvas fingerprints are unique for 90%+ of browsers.

WebGL Fingerprinting

Similar to canvas, but using 3D rendering:

GPU model and driver information
Shader precision values
Supported extensions
Rendering peculiarities

Combined with canvas, this approaches 99% uniqueness.

Audio Fingerprinting

Processing audio through the AudioContext API reveals:

Audio stack implementation
Hardware audio characteristics
Processing precision differences

You never hear anything - its all silent, invisible data extraction.

Font Enumeration

Detecting which fonts are installed on your system:

Default OS fonts (reveals OS version)
Application-installed fonts (reveals software you use)
Language-specific fonts (reveals language preferences)

The combination of installed fonts is highly identifying.

Hardware and System Fingerprinting

Screen resolution and color depth
CPU cores (navigator.hardwareConcurrency)
Device memory (navigator.deviceMemory)
Touch support and touch points
Battery status (now restricted but was used)
Installed plugins
Timezone and language
Do Not Track setting (ironically, makes you more unique)

Behavioral Fingerprinting

How you interact with devices is unique:

Typing patterns and speed
Mouse movement characteristics
Scroll behavior
Touch gesture patterns
Gyroscope and accelerometer data (mobile)

Cross-Device Tracking

The holy grail: connecting your phone, laptop, tablet, and work computer as one identity.

Deterministic Matching

When you log into the same account across devices:

Sign into Chrome on laptop → connected to phone Chrome
Facebook login on any device → all devices linked
Google account on Android → linked to all Google services

One login = complete cross-device profile.

Probabilistic Matching

Even without logins, companies infer device connections:

IP address patterns - Devices on same WiFi
Location proximity - Phone and laptop always together
Behavioral patterns - Similar browsing times and interests
Audio beacons - Ultrasonic signals between devices (yes, really)

Device Graphs

Companies maintain massive databases linking devices:

Googles device graph: billions of device connections
Facebooks cross-device data: integrated across all Meta properties
Third-party graphs: Tapad, Drawbridge, LiveRamp

Shadow Profiles

Facebook builds profiles on people who have never created accounts.

How It Works

Your friends upload contacts containing your info
Websites with Facebook Pixel track your visits
Your email appears in others Facebook data
Photos of you are uploaded and tagged (facial recognition)

What They Know

Without you ever signing up:

Your name, email, phone number (from contacts)
Your photo and appearance (from tagged photos)
Your social graph (whos connected to you)
Your interests (from browsing tracked by Pixel)
Your location patterns (from friends photos metadata)

Mobile Tracking

Smartphones are surveillance devices you carry voluntarily.

Advertising IDs

IDFA (Apple) - Unique identifier for ad targeting
GAID (Google) - Android equivalent

These IDs persist across apps, linking all your mobile activity.

Location Tracking

GPS - Precise location
WiFi positioning - Location from nearby networks
Cell tower triangulation - Approximate location always available
Bluetooth beacons - Indoor location tracking

App Data

Apps with Google/Facebook SDKs share:

App usage patterns
In-app purchases
Content viewed
Time spent
Other installed apps

The Pixel and Tag Ecosystem

Facebook Pixel

A snippet of code on millions of websites that:

Fires when pages load (PageView)
Fires on specific actions (AddToCart, Purchase, Lead)
Captures URL, referrer, user agent
Matches visitors to Facebook profiles
Enables retargeting and "lookalike" audiences

Google Tags

Google Analytics - Page views, sessions, user behavior
Google Ads conversion tracking - Purchase and lead data
Google Tag Manager - Container for multiple trackers
Floodlight - Cross-site conversion tracking

Data Sent Back

When these fire, they transmit:

Full URL of page visited
Timestamp
Cookie IDs
User agent string
Screen resolution
Referrer URL
Any custom data the site sends (purchase amounts, product IDs, form data)

Data Broker Integration

Google and Facebook dont operate alone. They integrate with data brokers who have:

Offline purchase data - Credit card transactions, loyalty programs
Public records - Property ownership, voter registration, court records
Survey data - Lifestyle and preference information
Healthcare data - Prescription and diagnosis information (in some markets)
Financial data - Credit scores, loan history

Data Onboarding

The process of matching offline data to online identities:

Retailer shares customer email + purchase history with broker
Broker matches email to Facebook/Google ID
Advertiser can now target "people who bought X in stores"

Machine Learning on Your Data

Raw data is just the beginning. ML models create:

Predictive Profiles

Political affiliation probability
Purchase intent scores
Life event predictions (moving, marriage, pregnancy)
Health condition inferences
Financial status estimates
Personality trait assessments

Lookalike Modeling

"Find people similar to my customers":

Your data trains models
Models identify patterns you share with others
Those others get targeted based on your behavior

The Privacy Paradox

Despite privacy concerns:

Google and Facebook still grow
Most users accept tracking for "free" services
Regulations (GDPR, CCPA) have limited impact
Alternative business models struggle to compete

What This Means for Advertising

This surveillance infrastructure is what makes Google and Facebook "work" for advertisers. The precision comes from knowing everything about everyone.

But theres an alternative: advertising systems that target context (what someone is doing) rather than identity (who someone is). Systems that dont need to track you across the web to show you relevant ads.

PopTrade takes this approach - minimal data collection, no cross-site tracking, no surveillance profiles. Its possible to run effective advertising without building a dossier on every internet user.

The question for the industry is whether convenience and targeting precision are worth the privacy cost - and whether users will eventually demand something different.