Around the spring of 2017, Rich, a 33-year-old in Sacramento, dipped his toes into the engagement ring market. His plan was to propose to his girlfriend that summer, so he visited a few online jewelry stores to familiarize himself with all the price-influencing considerations of a diamond ring. “I bounced around from site to site for a few hours before hopping off,” Rich recalls.
Later that night, something familiar caught Rich’s eye when his girlfriend (now wife) set down her laptop on the coffee table. “Her Facebook page was open, and there were at least three or four different ads for the exact diamond ring I’d been looking at just hours before,” he says.
Rich froze, his mind racing with panic and paranoia. “Part of me wanted to say ‘screw it’ and propose on the spot, but I was also really annoyed and ticked off,” he tells me. Opting to hold off his rushed proposal in hopes his girlfriend wouldn’t notice the ads, Rich went in search for answers. Why, exactly, was his girlfriend seeing ads based on his browsing history? And was there anything he could do to prevent it from happening again?
According to Allan Buxton, a computer forensics specialist for Secure Data Recovery Services, someone seeing ads based on another person’s browsing history is hardly a rare occurrence, especially if those two people live under the same roof. “The massive digital ad-tracking infrastructure that drives the modern web works by assigning identifiers to every single computer that accesses the internet,” Buxton begins. “At minimum, anyone you cohabitate with shares the same IP address when browsing the web.”
But ad-tracking doesn’t end with your IP address, of course. “From Amazon to Google and many more, these identifiers include a combination of your IP address, certain characteristics of your computer, your browser version and plug-ins, past browsing history, third-party cookies and any associations with known logins or other advertising IDs,” Buxton continues.
All of which is to say, digital ad companies are able to not only build a pretty solid profile of who you are, but the people you surround yourself with as well. For example, a marketing company could see that you and the advertising ID belonging to your wife often share the same location, are in each other’s contact lists and have subscriptions to the same budgeting app. Given all of that overlapping data, the company might then deduce that your wife is as interested in crypto as you are, even though she’s not.
“Assigned advertising IDs may be commingled,” Buxton explains, “meaning [your partner] will get ads for some of your activity, and you will likely get ads for some of theirs.” This could also happen if your partner uses your Google login to access the New York Times, or if you both use the same Amazon account.
“I worked at a big data company that did targeted advertising, and the level at which they can target users is truly astounding,” says Greaux, a 38-year-old pseudonymous privacy hawk who works in information security. Unlike Rich, Greaux was “acutely aware this type of stuff happens” when shopping for his wife’s wedding ring, so he avoided going online altogether. “I only called jewelers or went in person,” he tells me.
One of the many online privacy tools Greaux employs is called a Pi-hole, which essentially prevents advertisers from tracking and targeting any device connecting to the internet via the same IP address. But even then, Greaux couldn’t prevent ads targeted for him from showing up on his wife’s computer. “I’d been shopping for a specific type of desk for my office, and a few days later, she mentioned she was served an ad for the exact desk I showed her on my laptop only days before,” he says.
Flustered by the breach in his fortress of digital privacy, Greaux went to work. “I beefed up my Pi-hole, adding advertiser blocklists from GitHub, scoured my query logs and individually blocked suspicious items.”
Greaux “ended up blocking over a million advertising domains,” but he had no concrete answer as to how one of them knew to show an ad for desks on his wife’s laptop. “Companies are constantly conjugating their gathered data, using it to model users, and thus improve their targeting,” he says. “It’s like an ultra-modern game of cat and mouse, where the cat is a billion-dollar industry with an army of top developers and the mice are casual hobbyists and a handful of generous GitHub contributors.”
But what if we’re neither, and just an Average Joe who wants a baseline of privacy? Utilizing your browser’s incognito mode is a decent start, but “a browser like Brave or DuckDuckGo Privacy Browser, which have been heavily modified to prevent ad display and tracking, is even better,” Bruxton says. “And if you’re ultra-paranoid, use a VPN when shopping for that surprise gift, as the VPN will hide your IP address and negate the IP address match.”
Had Rich known this before his fateful engagement ring Google search, he could’ve avoided a week of panicking every time his girlfriend logged onto her social media accounts. “In the end, it all worked out — she loves the ring, said yes and swears she never noticed the ads,” he says. “But you can bet I’ve bought every anniversary and birthday gift since then under about six layers of privacy protection.”