Who is tracking your internet activity, and why?

Internet tracking today

Given the diversity of online tracking techniques and agents, let’s start with a story. In 2018, it was revealed that Cambridge Analytica harvested Facebook data from 87 million users. Originally collected via an app for academic research, the data was exploited for targeted ads and political campaigns. The app accessed not just users but also their friends’ data, multiplying exposure.

Cambridge Analytica built psychological profiles from user preferences and likely aided Russian interference in the 2016 U.S. election. This case highlights how tech giants like Facebook and Google collect massive user data, posing risks of breaches into commercial, state, or criminal hands — all despite privacy agreements.

New default web encryption

Since the privacy scandals of the 2010s, the web has improved default privacy protections. Most reputable sites now use HTTPS encryption, securing user activity.

[Encryption](/blog/what-is-encryption] ensures only you and the intended recipient can access the data you share, protecting transactions like credit card payments. Hacking or advanced decryption would be needed to intercept this information. However, while default web encryption like HTTPS secures data in transit, it doesn’t protect metadata or prevent tracking by websites and advertisers.

The limits of encryption for privacy

Advancements in tracking what we do online make it so that encryption, however robust, is not enough. As we will see, the metadata surrounding our encrypted activities can be used to develop precise profiles of what we do, when, with whom, and even about us personally.

For data harvesters, brokers, surveillance, and exploiters, this is not simply about what we have done online in the past, but also about what we want, expect, and will do.

VPNs, especially ones with decentralized architectures, can help us fight back against all this. But first we need to understand how we are being tracked online and by whom.

What about us is being tracked?

So if the content of what we do online is usually encrypted, what about our activities and identities can be tracked online?

Our IP addresses

Your IP address (Internet Protocol) is a unique identifier assigned by your ISP that enables internet connectivity while also tracking online activity. It can be static or dynamic, depending on your network. While an IP address helps websites tailor content to your location and device type, it also makes you traceable to advertisers, hackers, and surveillance entities.

On its own, an IP address only reveals network-related details, such as proximate location and device type. However, it can still be used to track browsing habits and link online activities back to you. A VPN masks your true IP, adding an extra layer of privacy. Without one, your metadata is exposed, allowing websites, advertisers, and cybercriminals to monitor your behavior, collect personal information, and potentially exploit security vulnerabilities.

Our online behavior

Our behavior patterns online can be tracked by associating your IP address with all the different things we do. Local websites can use your search histories to target you with internal marketing. Or, in contractual arrangements with ad agencies, third party ads can be precisely targeted to the desires and tendencies you disclose by viewing, browsing, clicking, etc. Every tiny gesture becomes a noteworthy indication of what you might want, even when you think you’re doing something in the privacy of your own home.

Our metadata

Metadata is data about data and remains visible even when content is encrypted. Your IP address, connection timestamps, traffic duration, and geolocation are all metadata used for tracking. Different applications expose different metadata, like email senders/recipients or phone call durations.

Even without decrypting content, metadata reveals patterns. Frequent server connections can expose work schedules, while likes and shares reveal political views. Regular visits to a medical clinic’s site might indicate a health condition. Advanced traffic analysis doesn’t need full content — with enough data points, it can infer personal details, making metadata a powerful tool for surveillance and profiling.

Who is tracking us online and why?

Those who track us online have many different motives, ranging from basic network functionality to cyber criminals and government surveillance. Let’s consider them individually.

Network administrators

Making sure networks function properly requires keeping track of what is happening on them. Without knowing who was attempting to connect with what or who when a connection error occurred, patching bugs would be difficult. For this reason, ISPs, work networks, and even traditional VPNs normally collect and monitor user traffic data for functionality and security.

This data collected and centralized by these services can be used to trace our activities directly back to us. Hackers, organized crime, and other malicious actors can target service databases to exploit the personal information of clients. Governments, of course, can also compel ISPs or VPNs to disclose the metadata of their users’ traffic histories.

Websites and commercial services

Websites track users to improve services, but they also collect data for other purposes without consent. They monitor clicks, scrolling, and time spent on pages, using cookies and web beacons to build profiles for targeted ads. Many sites or ad partners sell this data to data brokers, who resell user profiles to businesses, marketers, and political groups. This raises serious privacy concerns about data misuse.

Data brokers

Data from website tracking and even untrustworthy VPNs is often sold to data brokers, who analyze global patterns and individual behaviors for profit.These agencies create psychological profiles to manipulate users through targeted ads and messaging. Cambridge Analytica used this strategy, profiling millions to aid political campaigns.

Law enforcement

Local and state law enforcement track online activity to combat crimes like child exploitation, human trafficking, and identity theft. They use collected data to build evidence, obtain search warrants, and support prosecutions.

However, some agencies engage in controversial tracking, such as predictive policing, analyzing social media for crime forecasting. AI-driven approaches risk wrongful investigations, potentially implicating innocent individuals.

Governments

While governments have long monitored targeted individuals, the 2013 Snowden revelations exposed mass surveillance of ordinary citizens. Intelligence agencies, led by the NSA, collected phone records and accessed data from companies like Google and Facebook.

Governments even invest in breaking encryption, though their success remains unclear. This unprecedented surveillance challenges privacy rights worldwide.

Organized Crime

Cybercriminals exploit online tracking for identity theft, financial fraud, and blackmail. They gather data through phishing, public records, and data breaches, monitoring social media to build detailed profiles.

Once enough information is collected, criminals can empty bank accounts, extort individuals, or impersonate victims online, increasing the risks of digital identity theft.

Hackers

Hackers aren’t just lone individuals seeking ransom; they are often employed by governments, criminal organizations, and intelligence agencies. They intercept data through cyberattacks, gaining access to personal devices or communications.

Their success is enhanced by the technical and financial resources of these larger organizations, making cybersecurity more challenging for individuals and businesses alike.

How Are We Tracked Online?

Tracking online is complex, using various tools to create a detailed profile of users. It begins with an IP address, linking users to their ISP, device, and approximate location, but doesn’t stop there.

Cookies

Cookies store data on web browsers to enhance user experience, remembering login details or shopping cart contents. However, advanced cookies, like “evercookies” or “zombie cookies,” persist even after deletion.

Stored across multiple software components, these cookies track users across sessions, making it difficult to maintain privacy despite browser settings to delete them.

Data aggregation

Data aggregation compiles user information, from IP addresses and cookies to emails and behavioral patterns. Sources include metadata, public registries, and data brokers, creating comprehensive digital profiles.

AI-driven data analysis anticipates user behavior, shaping ads and online experiences without consent, raising concerns about privacy and manipulation.

Digital fingerprinting

Digital fingerprinting is a stealthy technique for identifying and tracking digital data-points about users based on mass data aggregation. These data-points further specify certain characteristics and configurations about a user’s browser or device: installed plug-ins, designated time-zones, language settings, or even preferred fonts. All of this can be used to make a kind of “fingerprint” to more precisely link a user to certain online activities.

Traffic analysis

Traffic analysis tracks user activity over time across a network through IP addresses, connection durations, behavioral patterns, geolocation, cookies, and fingerprinting. By tracking, for instance, who is sending data to whom and when, traffic analysis can discover patterns from metadata.

How do VPNs help to prevent tracking?

Preventing online tracking and preserving your privacy requires a multi-faceted approach, not just the use of one tool. For masking your IP address, using a VPN is a crucial one. But other important practices for security include using password managers, multi-factor authentication for accounts, and anti-virus and malware software.

While VPNs are a first line of defense in protecting ourselves against online tracking, the centralized architectures of mainstream VPNs pose serious privacy risks for users that decentralized VPNs can help avoid.

Using VPN to not be tracked online

A VPN acts as a proxy for your online activity by encrypting your connection before routing it through its own server. This makes your data unreadable in transit. Once it reaches the VPN’s server, your IP address is replaced with the VPN’s before continuing to the internet.

This process masks your activity, making it harder — though not impossible — to trace it back to you. Websites see the VPN’s IP instead of yours, and agencies tracking web access must go through the VPN first. While this helps block profiling and basic surveillance, advanced tracking methods can bypass traditional VPN protections.

Tracking vulnerabilities of traditional VPNs

Most VPNs use centralized architectures, rerouting traffic through their own or rented servers. This means user data is stored in a central location, making it vulnerable to breaches or cyberattacks. Even VPNs that claim no logs likely retain some metadata, which authorities can pressure them to disclose.

While VPNs remain valuable for privacy, a better architecture is needed. Decentralized VPN technologies are emerging to reduce these risks, offering enhanced security by eliminating central points of vulnerability.

Learn all about the difference between centralized and decentralized VPNs in Nym's guide.

Preventing tracking with NymVPN

Most mainstream VPNs use a single proxy server to mask traffic, creating privacy risks. Decentralized services like NymVPN address this by routing data through multiple independently run servers, or "nodes," instead of a central server that could log metadata.

NymVPN encrypts data in multiple layers, like an onion, removing one layer at each node to reveal the next randomized destination. Users can choose between a default 2-hop mode for speed or a 5-hop mode for enhanced privacy. With the mixnet in Anonymous Mode, your traffic patterns are further scrambled data with cover traffic, data mixing, and timing obfuscation to prevent tracking.