WhoTracks.Me: Web Tracking Measurement
- WhoTracks.Me is a privacy-by-design measurement platform that collects real user telemetry to quantify and analyze online tracking across the web.
- It leverages a browser extension to record anonymized metadata of third-party requests, mapping tracker identities and aggregating data at scale.
- Empirical findings reveal dominant tracking behaviors—especially by Google—and illustrate evolving tracking techniques impacting user privacy and market dynamics.
WhoTracks.Me is a large-scale, privacy-by-design longitudinal measurement and public data platform focused on quantifying the prevalence, methods, and impact of online tracking as experienced by real-world web users. It provides the largest and longest-running dataset on web tracking, based on real user telemetry from millions of consenting browser extension users, supporting open research into the structure, market dynamics, and social costs of the web tracking ecosystem (Karaj et al., 2018, Bonfils, 10 Aug 2025).
1. System Overview and Rationale
WhoTracks.Me was established to overcome the methodological limits inherent in web crawler-based tracking studies—especially their inability to measure tracking as users actually experience it and their exclusion of “non-public web” content (behind logins, paywalls, or region restrictions) (Karaj et al., 2018). Its primary aim is to “shed light on the opaque world of online tracking” by continuously collecting and aggregating data from real browsers, thus enabling high-resolution, longitudinal trend analysis at Internet scale.
At its core, WhoTracks.Me leverages a browser extension—deployed to over 5 million users via Ghostery and Cliqz (as of 2018)—that instruments each page load and logs structured metadata for all outgoing third-party requests. All data collection is governed by privacy-preserving design: no raw URLs, personal identifiers, or persistent client-side UIDs are transmitted; all sensitive elements are hashed or truncated; and data is anonymized and unlinkable via proxy routing and message randomization (Karaj et al., 2018). Only explicitly opt-in users contribute anonymized aggregates.
Since 2017, these practices have generated a global, monthly-updated dataset: over 1.5 billion page loads in the first year alone, now comprising more than 29 GB of monthly-aggregated CSVs, subdivided by region and time (Bonfils, 10 Aug 2025).
2. Measurement Methodology and Data Aggregation
Instrumentation and Telemetry
Each instrumented browser records, for every page load (from the initial main request until tab close or navigation):
- The (hashed/truncated) first-party URL.
- All third-party domains contacted (where “third-party” is defined by a mismatched TLD+1).
- Metadata for every third-party request: HTTP method, resource type, presence of cookies, embedded identifiers, geo-IP location, response Content-Length, HTTPS usage, and detection of stateless fingerprinting.
All third-party domains are mapped to logical tracker identities and parent companies via a curated, manually maintained tracker database of approximately 1,000 entries. This mapping supports aggregation at both domain and organization levels (Karaj et al., 2018, Bonfils, 10 Aug 2025).
Privacy-by-Design Protocols
Client-side privacy protections include:
- Hashing of first-party hostnames and truncated paths, ensuring that private or personalized URLs are never exposed.
- Removal or canonicalization of tracker domains to block user-specific subdomains.
- No generation or storage of persistent client data; unlinkability is enforced by routing reports through rotating proxies which strip IP addresses, ensuring the aggregation server never sees raw network or message order data.
Data Aggregation and Publication
Monthly aggregates are computed over all anonymized events:
- Reach and site-reach per tracker and organization.
- Mean third-party requests, tracking-context requests, content-length, and HTTPS adoption.
- Resource type prevalence (scripts, images, beacons) and blocking rates.
Public data releases are provided as CSV/JSON files under a permissive license, accompanied by an open tracker–domain mapping database, interactive website dashboards, and direct breakdowns for both tracker- and site-level behavior (Karaj et al., 2018, Bonfils, 10 Aug 2025).
3. Core Metrics and Analytical Formulations
WhoTracks.Me defines, computes, and publishes a common set of presence and behavioral metrics:
Presence Metrics
- Reach: For tracker , ;
- Site-reach: ;
Tracking Prevalence
- Tracking prevalence: $P = \dfrac{\text{page loads with$\geq$1 tracker}}{\text{total page loads}}$.
Method Usage and Traffic Cost
- Mean trackers per page: ;
- Requests per company per page: ;
- Mean content length (bandwidth cost): , in KB (Bonfils, 10 Aug 2025).
Tracker Identification and Profiling Dynamics
Additionally, WhoTracks.Me supports advanced metrics inspired by instrumentation studies such as Puglisi et al., including “online footprint” (per-page and per-user unique third-party domains), L₁-profile convergence time for ad networks, coverage, prevalence, and per-tracker impact quantifications (Puglisi et al., 2016).
4. Key Empirical Findings
Ecosystem Structure and Dominance
Analyses of data from 2017–2025 establish that Google’s tracking infrastructure is omnipresent, appearing on nearly 100% of the top 10,000 sites (site_reach ≈ 98%) and present on ≈78% of global page loads (reach) (Bonfils, 10 Aug 2025). On pages where Google appears, there are on average 4–5 distinct Google-affiliated trackers per page. Facebook, Amazon, and Microsoft constitute a clear but distinctly lower “Tier 2” (reach spanning 7–21%). Apple is effectively absent as a third-party web tracker, forming a third tier (Bonfils, 10 Aug 2025).
Empirical studies on simulated browsing sessions indicate per-page third-party footprints ranging from 2 to 28 (median 8, 90th percentile ~18), and user-level unique tracker exposures from 25–112 (median ≈62) (Puglisi et al., 2016).
Profiling Rate and Tracker Impact
Google’s ad infrastructure achieves rapid alignment between its estimated ad-interest profile and the true browsing distribution of users. L₁-distance between user and ad network PMFs drops by ≈20% within two page loads; median user profiling time to convergence is ≈4 page visits (equivalent to less than 30 seconds of interaction) (Puglisi et al., 2016).
Table: Top Google-affiliated third-party domains by coverage and L₁-profile impact (Puglisi et al., 2016)
| Domain | Coverage | Prevalence | Mean L₁-norm Drop |
|---|---|---|---|
| google-analytics.com | 68% | 72% | +0.42 |
| doubleclick.net | 61% | 66% | +0.35 |
| googlesyndication.com | 47% | 50% | +0.29 |
| fonts.googleapis.com | 44% | 47% | +0.05 |
Evolution of Tracking Techniques
Longitudinal measurement shows a plateau in Google’s reach by 2020, with a notable reduction in average content length per tracking request after June 2023, linked to the introduction of the Privacy Sandbox Topics API and reduction of data collection on YouTube (Bonfils, 10 Aug 2025). The deprecation of third-party cookies in Chrome (from May 2024) precipitated a sharp, coordinated decline in observable content lengths and request counts for all major trackers (including GAFAM), which cannot directly measure covert or fingerprinting-based methods—a plausible implication is increased adoption of non-cookie-based and harder-to-detect tracking strategies.
Regional and Site-Specific Patterns
A country-level matrix shows U.S.-hosted third-party resources dominate global tracking, except in Russia. Tracker reach varies by website category, with news/portals exhibiting highest third-party exposure and banking the lowest. HTTPS adoption rose from ~57% to ~81% for third-party requests among top sites between 2017–2018, though lagged on news domains (Karaj et al., 2018).
Market Effects and Social Costs
The dataset supports new lines of inquiry into the relationship between tracking reach and advertising revenue. While Google’s ad revenue continues to rise after its reach plateaus or begins to decline (correlation coefficient post-2020 is negative, ρ ≈ –0.3), reach increases for other companies exhibit no clear link to revenue, supporting the “critical mass” hypothesis of diminishing marginal returns to tracking (Bonfils, 10 Aug 2025).
Tracking scripts entail significant environmental and social costs. Google and Amazon trackers have historically averaged 10 MB per page load (pre-2023), with an estimated 1 gCO₂e per page due to tracking bandwidth alone. High prevalence of tracking enables “formal indifference”—systematic extraction of behavioral data at the expense of user welfare, facilitating manipulative design and privacy violations (Bonfils, 10 Aug 2025).
5. Implications, Applications, and Alternatives
WhoTracks.Me enables granular threat modeling for researchers, regulatory monitoring for compliance authorities, media investigations of market power, site auditing for web developers, filter derivation for block-list maintainers, and user education (Karaj et al., 2018).
For platforms wishing to emulate its dashboard, best practices include longitudinal CDFs and per-site or per-user dashboards of footprint and exposure, visualizations of profiling speed (heatmaps of for relevant thresholds), per-tracker rankings by coverage and prevalence, and the reporting of advanced divergence metrics (2-norm, KL-divergence, Fisher information) (Puglisi et al., 2016).
Alternatives to the extractive web model are exemplified by the Gemini protocol: a minimalist, markdown-style hypertext that eschews JavaScript, cookies, CSS, and third-party requests by design. The Gemini protocol demonstrates the feasibility of a privacy-preserving, low-bandwidth, non-surveillant online environment (Bonfils, 10 Aug 2025).
6. Public Dataset and Longitudinal Resource
Monthly WhoTracks.Me datasets are made freely accessible, encompassing per-tracker and per-organization aggregates, blocking rates, method usage, regional breakdowns, and a public domain–service database. The platform’s interactive dashboards provide transparency for individual websites and trackers, detailing identity, reach, methods, and contextual metrics (Karaj et al., 2018).
Researchers, policymakers, and technical practitioners utilize these data to analyze regulatory outcomes (such as GDPR), audit third-party supply chains, and characterize emergent tracking methods. The open dataset structure allows for robust, reproducible analyses of the evolving online surveillance ecosystem across nearly a decade (Bonfils, 10 Aug 2025).
7. Limitations and Ongoing Developments
WhoTracks.Me excludes tracking that occurs outside of third-party web requests (e.g. device fingerprinting in its covert forms, synchronous scripts running post-load). While it incorporates stateless identifier detection (k-anonymity tests), the dataset cannot exhaustively capture fingerprinting, “covert” behavioral clustering, or data leakage via browser side-channels. Sampling bias is present: only consenting extension users are measured, potentially underrepresenting mobile and less privacy-conscious cohorts. After the widespread deprecation of third-party cookies, and a marked drop in observable network activity attributable to tracking, the platform’s coverage of covert tracking has necessarily declined—a plausible implication is that the most persistent forms of tracking now evade standard measurement protocols (Bonfils, 10 Aug 2025).