Chapter 12 Exercises: Browser Cookies, Tracking Pixels, and the Third-Party Data Ecosystem
Exercise 12.1 — Cookie Audit (Individual, 30–45 minutes)
Purpose: Make the abstract concept of cookies concrete by examining what your actual browser stores.
Instructions:
Step 1: Open your browser's developer tools (F12 in most browsers, or right-click → Inspect). Navigate to the Application tab (Chrome/Edge) or Storage tab (Firefox). Open the Cookies section.
Step 2: Visit each of the following websites: a national news site, a social media platform, your university's website, and an e-commerce site. After each visit, return to the cookies panel and record:
- How many cookies are set?
- Which domains set cookies (first-party and third-party)?
- What are the expiration dates of the longest-lasting cookies?
- Can you identify the purpose of any cookies based on their names and values?
Step 3: Clear all cookies. Revisit one of the sites. What happens? Are you logged out? Do any preferences reset?
Step 4: Turn on private browsing / incognito mode. Visit the same sites. Open the cookies panel. Are cookies being set in private mode? What does this tell you about what private browsing does and does not protect?
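The record asked for in Step 2 can also be produced by a short script. This is an added example, not part of the original exercise; it assumes you copy the `Set-Cookie` response headers from the developer tools Network panel, and the host names, cookie values and the two-label `site_of` shortcut are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def site_of(host):
    # Simplification (assumption): the last two DNS labels stand for the site.
    # A real audit needs the Public Suffix List (e.g. for example.co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_set_cookie(header, now):
    """Return (name, lifetime in days); lifetime is None for a session cookie."""
    first, *attrs = [p.strip() for p in header.split(";")]
    max_age = expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        try:
            if key.strip().lower() == "max-age":
                max_age = int(val)
            elif key.strip().lower() == "expires":
                expires = parsedate_to_datetime(val.strip())
        except (TypeError, ValueError):
            pass  # unparseable attribute: ignore it, as browsers do
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    if max_age is not None:  # Max-Age takes precedence over Expires
        days = max_age / 86400
    else:
        days = (expires - now).total_seconds() / 86400 if expires else None
    return first.split("=", 1)[0], days

def audit(page_host, observed, now):
    """Group cookies by whether the setting host belongs to the visited site."""
    report = {"first_party": [], "third_party": []}
    for host, header in observed:
        name, days = parse_set_cookie(header, now)
        same = site_of(host) == site_of(page_host)
        report["first_party" if same else "third_party"].append((host, name, days))
    return report

def longest_lived(report):
    rows = [r for group in report.values() for r in group if r[2] is not None]
    return max(rows, key=lambda r: r[2]) if rows else None

# Constructed sample: (host that sent the header, Set-Cookie value).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
OBSERVED = [
    ("www.news.example", "session=abc123; Path=/; HttpOnly"),
    ("www.news.example", "prefs=dark; Max-Age=2592000; Path=/"),
    ("ads.tracker.example", "uid=9f8e7d; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure"),
]
```

Call `audit("www.news.example", OBSERVED, NOW)` and pass the result to `longest_lived` to get the answer to the expiration question.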
Reflection Questions:
a. After completing this exercise, how would you describe cookies to someone who has never heard the term?
b. What surprised you most about the cookies you found?
c. Given what you observed about private browsing, do you think the term "private browsing" accurately describes what the feature does? What would be a more accurate name?
Exercise 12.2 — Tracker Mapping (Individual or Pairs, 60–90 minutes)
Purpose: Visualize the third-party tracking ecosystem by mapping trackers across websites.
Materials: Browser extension such as Ghostery, uBlock Origin, or Privacy Badger (free, widely available)
Instructions:
Step 1: Install the privacy extension of your choice. Enable the tracker-counting feature (Ghostery calls them "Trackers Found"; uBlock Origin shows a count in the extension icon).
Step 2: Visit 10 different websites across multiple categories:
- A national news site
- A local news site
- A major social media platform
- A health information site
- A government (.gov) site
- A university (.edu) site
- An e-commerce site
- A streaming entertainment site
- A recipe or lifestyle blog
- A site of your choice
Step 3: For each site, record:
- Total tracker count
- Which companies appear (categorize if possible: Google/ad network, Facebook/Meta, analytics, data broker, social widget, etc.)
- Which trackers appear on multiple sites
Step 4: Create a visualization (table, chart, or diagram) showing which tracking companies appeared across multiple sites. Which company appeared on the most sites in your sample?
Analysis Questions:
a. Which website category had the most trackers? Which had the fewest? Were you surprised by either finding?
b. Were there any trackers on government or university websites? What do you think those trackers are doing?
c. The chapter describes Google's advertising networks appearing on 80%+ of top websites. Did your sample reflect this? What does near-ubiquitous tracking by a single company imply for the concentration of surveillance power?
d. What is the relationship between a site's number of trackers and the complexity of its advertising (banner ads, video ads, sponsored content)? Does tracker count correlate with visible advertising?
Exercise 12.3 — Cookie Consent Banner Analysis (Pairs, 45–60 minutes)
Purpose: Apply the dark patterns framework to analyze real cookie consent interfaces.
Instructions:
Visit five different websites and screenshot the cookie consent banner on each. Analyze each banner using the following rubric:
Design Analysis:
| Feature | Yes/No | Notes |
|---|---|---|
| "Accept all" button is prominent (colored, large) | ||
| "Reject all" option is available on first screen | ||
| "Reject all" requires more steps than "Accept all" | ||
| Pre-checked boxes favor data collection | ||
| Consent framed in value-laden language ("help us improve") | ||
| Partner list available and accessible | ||
| Number of partners listed | ||
| Estimated time to complete full opt-out process | ||
Step 1: Fill in the rubric for each banner.
Step 2: Rank the five banners from most to least genuinely consent-respecting.
Step 3: Based on your analysis, draft what you consider a genuinely consent-respecting cookie banner. What would it look like? What information would it present, in what order, in what visual hierarchy?
Reflection: The GDPR requires that consent be "freely given, specific, informed, and unambiguous" and that withdrawing consent be as easy as giving it. Evaluate whether any of the banners you analyzed meet this standard.
Exercise 12.4 — Browser Fingerprint Investigation (Individual, 30 minutes)
Purpose: Experience browser fingerprinting firsthand.
Instructions:
Step 1: Visit the Electronic Frontier Foundation's "Cover Your Tracks" tool at coveryourtracks.eff.org (the updated version of Panopticlick). Run the test with your default browser settings. Note your "uniqueness" score and which characteristics contribute most to your fingerprint.
Step 2: Run the same test in private/incognito mode. Does your fingerprint change? By how much?
Step 3: If possible, run the test in a different browser (if you have two installed) or on a different device. How different is the fingerprint?
Step 4: Research two techniques for reducing browser fingerprinting (options include: using the Tor Browser, using Firefox with privacy.resistFingerprinting enabled, using the Brave browser's fingerprint randomization, or installing extensions like Canvas Blocker). Without necessarily implementing them, understand how they work and what tradeoffs they involve.
Analysis Questions:
a. What was your fingerprint uniqueness result? What characteristic contributed most to making your browser distinctive?
b. Did private/incognito mode significantly change your fingerprint? What does this tell you about the privacy protection that incognito mode actually provides?
c. Browser fingerprinting requires no storage on your device and leaves no visible trace. What does this imply about the effectiveness of strategies like "clearing your cookies" as privacy protection?
d. If fingerprinting normalization (making all users' browsers look the same) is technically possible, why isn't it the default behavior of mainstream browsers?
Exercise 12.5 — Email Tracking Experiment (Individual, Takes 1–2 weeks)
Purpose: Detect and analyze email tracking pixels in real email communications.
Materials: An email client that supports viewing email source code (Gmail, Thunderbird, or any client with "Show original" or "View source" capability).
Instructions:
Step 1: Over the course of one week, collect a sample of 10 marketing/promotional emails you receive (newsletters, retail promotions, etc.). Do not open them yet.
Step 2: For each email, view the raw HTML source (in Gmail: "More → Show original"; in Thunderbird: "View → Message Source"). Search for <img tags with dimensions of 1x1, or look for URLs containing words like "track," "open," "pixel," or "beacon."
Step 3: For each email, document:
- Does it contain a tracking pixel?
- Which company hosts the tracking pixel? (Look at the domain in the src= attribute)
- What information does the tracking URL seem to encode? (Look for encoded identifiers in the URL)
Step 4: Open one tracked email and immediately check your email analytics (many email service providers offer "email engagement" views in marketing platforms). If you have access to such a platform, observe what data was captured when you opened the email.
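Steps 2 and 3 can be scripted once you have saved a message's raw source. The sketch below is an added example, not part of the original exercise: it decodes the HTML part first, because raw source is usually quoted-printable (`=3D` for `=`, lines split with a trailing `=`), which defeats a plain text search. The sample message, its hosts and its identifiers are constructed.

```python
import email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

KEYWORDS = ("track", "open", "pixel", "beacon")  # words listed in Step 2
def is_1x1(a):
    """True when width/height attributes or an inline style declare 1x1."""
    one = lambda v: re.fullmatch(r"1(px)?", v.strip().lower()) is not None
    style = a.get("style", "").lower()
    styled = all(re.search(rf"(?<![-\w]){d}\s*:\s*1px", style)
                 for d in ("width", "height"))
    return styled or (one(a.get("width", "")) and one(a.get("height", "")))

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        src = a.get("src", "").strip()
        url = urlsplit(src)
        if tag != "img" or not url.hostname:
            return  # cid:/data: images are embedded, so no remote request
        reasons = (["1x1"] if is_1x1(a) else []) + \
                  [w for w in KEYWORDS if w in src.lower()]
        if reasons:  # Step 3: hosting domain and identifiers in the URL
            self.findings.append({"host": url.hostname, "reasons": reasons,
                                  "params": dict(parse_qsl(url.query))})

def find_pixels(raw_message):
    """Decode the HTML part (quoted-printable/base64) and scan its <img> tags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    finder = PixelFinder()
    finder.feed(body.get_content() if body else "")
    return finder.findings

# Constructed sample in the shape of a "Show original" view.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<p>Spring sale</p><img src=3D"https://shop.example/banner.png" width=3D"600">
<img src=3D"https://t.mailer.example/open?u=3D4f2a91&amp;c=3Dspring24" width=3D=
"1" height=3D"1">
"""
```

The keyword match is the heuristic from Step 2 and will also flag ordinary images whose URL happens to contain one of those words, so treat each finding as a candidate to inspect.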
Reflection Questions:
a. What proportion of the emails in your sample contained tracking pixels?
b. Which companies were most frequently hosting tracking pixels in your sample?
c. Given what you've learned about tracking pixels, how would you describe what "opening an email" actually involves from a data perspective?
d. Many email clients now offer options to "load remote images" or block external content by default. Should this be a default-on or default-off feature? Who does each choice benefit?
Exercise 12.6 — The Ecosystem Architecture Diagram (Group, 60–90 minutes)
Purpose: Build a comprehensive diagram of the third-party tracking ecosystem, mapping the relationships between its major actors.
Instructions:
Working in groups of 3–4, create a visual diagram showing the relationships among the following actors:
- A user's browser
- A publisher (e.g., a news website)
- An advertiser (e.g., a shoe company)
- An ad exchange
- A DSP (Demand-Side Platform) on behalf of the advertiser
- An SSP (Supply-Side Platform) on behalf of the publisher
- A DMP (Data Management Platform) holding behavioral profiles
- A data broker who supplies data to the DMP
- A consumer loyalty program that sold data to the data broker
- An identity resolution service linking the user's device ID across contexts
For each relationship between actors, label:
1. What data flows in each direction
2. Whether any money flows and in which direction
3. Whether the user is aware of the relationship
4. Whether the user has formally "consented" to the relationship and in what form
Discussion: Share diagrams across groups. Where do diagrams differ? Are there relationships that are contested or uncertain? Where does the user appear in the diagram — are they an actor, or a subject? Does the answer depend on how you frame the question?
Chapter 12 | Part 3: Commercial Surveillance