Ever wonder why that pair of shoes you looked at once follows you across the internet for weeks? Or why an app seems to know exactly what you're interested in despite never telling it? You're experiencing the invisible web of third-party trackers that silently collect data on nearly everything you do online.
I've spent months researching this hidden ecosystem, and what I've discovered is both fascinating and concerning. Today, I'm pulling back the curtain on the vast network of analytics scripts, fonts, content delivery networks, and tracking pixels that operate behind the scenes of your favorite websites and apps, and providing you with a comprehensive toolkit to protect yourself.
The Invisible Web is Everywhere
The numbers are staggering. According to HTTP Archive's Web Almanac, over 94% of mobile web pages contain at least one third-party element. And it's not just a few websites: more than 95% of the top 50,000 sites rely on resources hosted by third parties. Think about that: practically every website you visit involves some third-party code running in your browser.
These third-party elements aren't just limited to obvious advertising trackers. They include analytics tools (used by 76% of sites), content delivery networks (63%), advertising networks (57%), and various developer utilities (56%). If you're using the internet, you're almost certainly being tracked.
What's particularly concerning is that a small handful of companies control this ecosystem. The top 100 domains account for about 30% of all network requests across the web, with Google, Facebook, and YouTube commanding a huge portion of this landscape.
The Unexpected Trackers: Web Fonts and Icon Libraries
When we think about tracking, most people immediately picture advertising networks or analytics tools. But some of the most pervasive third-party elements on the web are ones you might never suspect: fonts and icon libraries.
Google Fonts: Beauty with a Privacy Cost
Google Fonts is by far the most widely used font service on the web. Research indicates that more than 60% of websites use fonts hosted by third parties, with Google Fonts dominating this space. Every time you visit a site using Google Fonts, your browser makes a request to Google's servers, potentially sharing your IP address, browser information, and which site you're visiting.
While Google claims in their privacy documentation that "the Google Fonts API is designed to limit the collection, storage, and use of end-user data," there are ongoing privacy concerns. In fact, in January 2022, a German court ruled that a website's use of Google Fonts violated the GDPR because it transferred a user's IP address to Google without consent or legitimate interest.
The tracking potential of font services goes beyond simple analytics. When a site loads a font from Google's servers, Google can potentially see:
- Which websites you're visiting
- How long you spend on those pages
- Your approximate location (via IP address)
- Your device and browser information
- Which languages you use
This information can be combined with other Google services you might use (Gmail, YouTube, Search) to enhance your overall profile. While Google states that fonts.googleapis.com and fonts.gstatic.com are "separate from and don't contain any credentials sent to google.com," the potential for cross-referencing this data remains.
Icon Libraries: Small Visuals, Big Tracking Potential
Icon libraries like Font Awesome, Material Icons, Bootstrap Icons, and Feather Icons have become essential tools for web designers. Font Awesome alone is used on millions of websites, making it one of the most prevalent third-party resources on the internet.
When a website uses externally hosted icon libraries, each icon load can potentially track user activity. For example, Font Awesome is used by millions of developers, designers, and content creators worldwide, offering both free and premium icons. When using the CDN-hosted version, each icon request goes through Font Awesome's servers, potentially logging your visit data.
The most popular icon libraries include:
- Font Awesome - The most widespread icon library with over 1,500 free icons and 6,000+ in their premium plan
- Material Icons - Google's icon collection designed for their Material Design language
- Bootstrap Icons - Created by the Bootstrap team with over 1,000 icons designed for the framework
- Feather Icons - Known for their simple, minimal aesthetic with an emphasis on consistency
- Ionicons - Originally created for the Ionic framework but now widely used across the web
Each of these services, when loaded from their respective CDNs rather than self-hosted, creates a connection to an external server that can potentially track user activity across all sites using that service.
Why This Matters
What makes fonts and icons particularly concerning from a privacy perspective is their ubiquity and necessity. While you might be able to block advertising trackers without breaking most websites, blocking font and icon requests often results in a broken or unusable interface.
Additionally, these services are often implemented by developers who are simply trying to improve design efficiency and performance, with little consideration of the potential privacy implications. Many developers don't realize that when they add a line like <link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet">, they're potentially exposing their users to tracking.
The security risks are also significant. An IEEE study found that more than 95% of the top 50,000 websites rely on resources hosted by third parties, but only a small fraction use Subresource Integrity (SRI) checks to verify that these resources haven't been tampered with. This means that if a font or icon CDN were compromised, malicious code could potentially be injected into thousands of websites simultaneously.
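An added example (not code from the original article): a small Python audit that lists the third-party scripts and stylesheets a page loads and reports whether each carries a well-formed Subresource Integrity attribute. The site example.org, the cdn.example.net URLs and the sample HTML are constructed for illustration, and treating subdomains as first party is an assumption.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

DIGEST_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}

def sri_hash(data, alg="sha384"):
    """Return the value to put in an integrity="..." attribute for `data`."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, data).digest()).decode()}"

def integrity_status(value):
    """Classify an integrity attribute as 'missing', 'malformed' or 'ok'."""
    if not value.strip():
        return "missing"
    for token in value.split():          # several hashes may be listed
        alg, _, b64 = token.partition("-")
        try:
            if len(base64.b64decode(b64, validate=True)) == DIGEST_LEN.get(alg):
                return "ok"
        except ValueError:               # not valid base64
            pass
    return "malformed"

def is_first_party(host, site_host):
    # Assumption: subdomains of the site count as first party.
    return host == site_host or host.endswith("." + site_host)

class ResourceAudit(HTMLParser):
    """Collect third-party scripts and stylesheets with their SRI status."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            url = a.get("src", "")
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            url = a.get("href", "")
        else:
            return
        host = (urlparse(url).hostname or "").lower()
        if host and not is_first_party(host, self.site_host):
            self.findings.append((host, url, integrity_status(a.get("integrity", ""))))

def audit(html, site_host):
    parser = ResourceAudit(site_host)
    parser.feed(html)
    return parser.findings

# Constructed sample: a page on the hypothetical site example.org.
PINNED_CSS = b".icon{display:inline-block}"   # stand-in for a CDN-hosted file
SAMPLE_HTML = f"""<html><head>
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet">
<link rel="stylesheet" href="https://cdn.example.net/icons/all.min.css"
      integrity="{sri_hash(PINNED_CSS)}" crossorigin="anonymous">
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.net/lib/widget.js"></script>
<script src="https://cdn.example.net/lib/old.js" integrity="sha384-abc"></script>
<script src="//static.example.org/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for host, url, status in audit(SAMPLE_HTML, "example.org"):
        print(f"{status:9} {host:22} {url}")
```

Every row the audit prints is a request that leaves the site; rows marked missing or malformed are also resources the browser will execute or apply without verifying their content.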
Mobile Apps: An Even Bigger Privacy Problem
If you thought website tracking was bad, mobile apps take things to another level. Nearly 70% of Android apps leak personal data to third-party services. And these apps aren't just connected to one or two trackers: an Oxford University study found that one-third of all apps in the Play Store link to at least 10 different third-party tracking SDKs, with one in five sharing user data with as many as 20 different tracking services.
Popular apps are often the worst offenders. According to mobile intelligence firm MightySignal, Tinder connects to a staggering 51 different tracking SDKs, Airbnb uses 41, and ESPN incorporates 40. Each of these connections potentially shares data about your behavior and identity with different companies.
Even more troubling, research shows that almost half of analyzed apps contact third-party tracker domains even when users explicitly deny consent to tracking. In a comprehensive study of 400 popular mobile apps (200 each for Android and iOS), researchers found that not a single one fully complied with GDPR requirements on valid consent for tracking.
How Are You Being Tracked?
On Websites
The tracking technologies used on websites have grown increasingly sophisticated:
When you visit a website, your browser might load resources from dozens of different domains. Each of these connections potentially shares information about you, including your IP address, browser details, operating system, which page you came from, and your browsing behavior.
Cookies are the most familiar tracking mechanism, but they're just the beginning. Modern trackers also use browser fingerprinting (identifying you based on your device's unique characteristics), embedded scripts that monitor your actions, and web beacons, invisible 1×1 pixel images that track when a page loads.
These techniques work together to create a detailed profile of your online behavior. For example, when you load Google Analytics on a site, it doesn't just count your visit; it can track how you navigate through the site, where you click, how long you spend on different pages, and correlate this with other sites you visit that also use Google Analytics.
In Mobile Apps
Mobile app tracking is even more invasive because apps can access more of your device and data:
Apps use Software Development Kits (SDKs), third-party code libraries that developers integrate for functionality like analytics or advertising. These SDKs can collect extensive data about you and your device.
Unlike websites, apps can access persistent device identifiers that make tracking more effective and harder to avoid. They may continue collecting data even when you're not actively using them, and they can potentially access your location, contacts, camera, and other sensitive information if you've granted those permissions.
The Oxford study mentioned earlier found that 88% of analyzed apps could send data to Alphabet (Google's parent company) and 43% to Facebook. This means these companies can build comprehensive profiles of your behavior by combining data from numerous sources, often without your knowledge or meaningful consent.
What Information Are They Collecting?
The types of data collected by different tracking technologies might surprise you:
Analytics services don't just count page views; they track your entire journey through a site, including where you click, how far you scroll, which features you use, and even how you move your mouse. They create detailed funnels showing every step of your interaction with a service.
Even seemingly innocent elements like fonts and CDNs (Content Delivery Networks) collect data. When your browser loads a Google Font, for instance, Google can see your IP address, which pages you're visiting, how long you spend there, and information about your device and browser.
Advertising networks build the most comprehensive profiles, tracking your browsing history across sites, shopping interests, search queries, demographic information, and locations. They connect these data points to create detailed advertising profiles.
Mobile app SDKs can access even more intimate data: your precise location (often via GPS), contacts, device information, app usage patterns, purchase history, and sometimes even access to your camera, microphone, or photo library, depending on what permissions you've granted.
The most sophisticated trackers can even connect your activity across devices, figuring out that your phone, laptop, and tablet all belong to the same person by analyzing behavioral patterns, account logins, or network information.
Where Does Your Data Go?
After collection, your data enters a complex ecosystem of buyers and sellers. Here's how it typically flows:
Collection Points: Apps and websites gather your data through various trackers and SDKs.
Data Brokers: Companies like Acxiom, Oracle Data Cloud, and Gravy Analytics aggregate, package, and sell this information to advertisers, marketers, and other interested parties.
Advertisers and Marketers: These companies use your data to target you with personalized ads and marketing campaigns.
Government Agencies: As revealed in recent years, intelligence and law enforcement agencies worldwide purchase commercial location data to circumvent legal restrictions on direct surveillance.
Financial Institutions: Banks and insurance companies may use this data for risk assessment and credit scoring.
The recent Gravy Analytics data breach of January 2025 exposed the true scale of this operation, revealing 17 terabytes of sensitive location data collected from thousands of popular apps including dating apps, games, productivity tools, and even religious applications. This breach confirmed that seemingly innocuous apps are feeding into a vast surveillance infrastructure with both commercial and governmental clients.
Why Should You Care?
The privacy implications of this tracking ecosystem are profound:
Your digital life is an open book. Third-party trackers can build detailed profiles that reveal sensitive information about your health, finances, political views, sexual orientation, and personal habits, often without your knowledge or meaningful consent.
Data leaks are inevitable. Each company that collects your data represents a potential security vulnerability. If they're hacked or mishandle your information, your personal details could be exposed.
Manipulation is possible. The profiles created through tracking can be used to target you with personalized content designed to influence your behavior, opinions, and purchasing decisions, sometimes in ways that aren't in your best interest.
Algorithmic discrimination happens. The data collected about you can lead to being treated differently by algorithms, potentially affecting your access to opportunities, pricing for services, or the content you see online.
The legal risks for businesses are significant too. Healthcare organizations have faced HIPAA violations for tracking technologies that capture protected health information. Media companies have been hit with lawsuits under the Video Privacy Protection Act for sharing viewing data. And major tech companies have paid hundreds of millions in settlements over location tracking practices.
Comprehensive Protection: Your Privacy Toolkit
No single tool can protect your privacy completely in today's complex digital ecosystem. A layered approach using complementary tools is the most effective strategy. Here's a comprehensive toolkit organized by type:
Browser Extensions for Tracking Protection
These open source tools can significantly reduce tracking exposure while browsing:
- uBlock Origin: This remains the gold standard for ad and tracker blocking due to its efficiency, customizability, and low resource usage. It's designed to be lightweight while effectively blocking ads, tracking scripts, and malware sites. With Google's transition to Manifest V3, uBlock Origin Lite is now available for Chrome users. Available for Firefox and Chrome.
- Privacy Badger: Developed by the Electronic Frontier Foundation (EFF), Privacy Badger uses heuristic algorithms to automatically identify and block trackers without relying on predefined lists. It's particularly good at identifying behavioral tracking techniques and stops advertisers from secretly tracking your browsing activity across websites.
- LocalCDN/Decentraleyes: These extensions protect against tracking through content delivery networks by serving common resources locally. They intercept requests to third-party CDNs and inject resources from local storage instead, automatically and without configuration.
- ClearURLs: Automatically removes tracking elements from URLs in the background, operating silently to strip out tracking parameters that follow you across sites.
- Cookie AutoDelete: Automatically deletes cookies when you close tabs, allowing you to keep only the cookies you trust while removing others to prevent tracking between sessions.
- SponsorBlock: Community-driven tool that automatically skips sponsored segments in YouTube videos, reducing exposure to targeted advertising.
DNS-Level Protection
DNS-level blocking provides network-wide protection for all your devices without installing software on each one:
- Pi-hole: A network-level ad and tracker blocker that can be self-hosted on inexpensive hardware like a Raspberry Pi. It blocks ads and trackers for all devices on your network at the DNS level without requiring client-side software.
- RethinkDNS: An open source DNS resolver with unlimited free queries. Unlike other DNS services with limited free tiers, RethinkDNS offers unlimited queries without charge, making it ideal for users with multiple devices.
- Quad9: A security-focused DNS service that blocks malicious domains while prioritizing privacy.
Self-Hosted VPN and Network Protection
For those with technical knowledge, self-hosting a VPN provides maximum control:
- OpenVPN: The most established open source VPN protocol with strong security features, including AES-256 encryption and support for dynamic IP addresses for extra privacy.
- WireGuard: A newer, faster VPN protocol gaining popularity that offers enhanced speed and security compared to older protocols.
- SoftEther VPN: A versatile multi-protocol VPN software that offers seven different encryption protocols with fast connection speeds when properly configured.
- Algo VPN: Simplifies self-hosting with automated setup scripts while supporting modern protocols like WireGuard.
- Pritunl: An enterprise-focused open source VPN server with an intuitive web interface.
Mobile Privacy Tools
Protecting your mobile devices requires specialized tools:
- Blokada (Android): An ad-blocker for Android that works system-wide. Its streamlined version, Blokada Slim, adheres to Google Play's policy guidelines while still protecting privacy.
- RethinkDNS for Android: Combines DNS filtering with firewall capabilities, integrating a DNS resolver, firewall, and VPN client to block ads, trackers, and malware across all applications.
- Tracker Control (Android): Allows monitoring and blocking of trackers in Android apps with detailed insights into their behavior.
Privacy-Focused Browsers
Your choice of browser significantly impacts your privacy:
- Firefox with privacy enhancements: The most customizable mainstream browser for privacy, offering a private browsing mode with tracking protection, malware protection, and anti-fingerprinting features (though users should disable telemetry functions).
- LibreWolf: A Firefox fork focused on privacy with tracking protection built-in, designed to increase protection against tracking and fingerprinting while including security improvements over standard Firefox.
- Tor Browser: Provides maximum anonymity through onion routing with pre-installed privacy add-ons and encryption.
- Brave: A Chromium-based browser with built-in ad and tracker blocking.
Font and Icon Privacy Solutions for Developers
For web developers concerned about user privacy:
- Self-host Google Fonts: Download and host the font files on your own server using tools like Google Webfonts Helper.
- Bunny Fonts: A privacy-friendly drop-in replacement for Google Fonts that doesn't track users.
- System fonts: Use font stacks that rely on the user's system fonts, eliminating external requests entirely.
- Self-hosting icon libraries: Download packages from Font Awesome, Material Icons, or other providers and host them on your own server.
- SVG sprites: Create custom SVG sprite sheets that contain only the icons you need, reducing both tracking risk and page weight.
Considerations for Tool Selection
When selecting privacy tools, consider these factors:
Resource usage: Some tools like uBlock Origin are designed to be lightweight on your computer's CPU and memory, unlike some other resource-intensive ad blockers.
Compatibility: Consider which browsers and operating systems are supported by each tool.
Maintenance and updates: Open source tools with active communities tend to stay current with new tracking techniques through regular updates.
Layered approach: Combining multiple types of protection (browser extensions, DNS filtering, VPNs) provides better overall security, though using multiple extensions may make your browser fingerprint more unique.
Privacy practices: Some privacy tools themselves may collect data, so reviewing their privacy policies is important.
The Future of Tracking and Privacy
The tracking landscape continues to evolve rapidly:
Companies are increasingly focusing on first-party data (collected directly rather than through third parties) as privacy concerns mount. Apple and Google are both pushing for this shift, though with different approaches and timelines.
Privacy itself has become a competitive advantage. Apple's App Tracking Transparency framework demonstrated the market value of privacy features, and privacy-focused alternatives are gaining traction across browsers, search engines, and apps.
With Google planning to phase out third-party cookies in Chrome, the industry is developing alternatives. Some are potentially more privacy-friendly, like federated learning approaches that keep data on your device. Others, like browser fingerprinting, may be even more invasive and harder to detect than cookies.
Technical innovations like differential privacy (adding statistical noise to data to protect individuals) and zero-knowledge proofs (verifying information without revealing it) are creating new possibilities for privacy-preserving analytics.
Public awareness about tracking is growing, with more consumers actively using privacy tools and demanding transparency. At the same time, the proliferation of consent mechanisms has created "consent fatigue," with many users blindly accepting all tracking just to get past annoying popups.
Finding Balance
The ideal future isn't necessarily one without any tracking at all; some data collection genuinely improves services and user experiences. The key is making tracking transparent, consensual, beneficial, limited, and secure.
For businesses, success in this new landscape means investing in privacy-enhancing technologies, building privacy considerations into design processes from the beginning, and creating valuable services that don't rely on extensive tracking.
For us as consumers, it means using available privacy tools, supporting privacy-focused alternatives when possible, and advocating for stronger protections.
The future of online privacy will be shaped by this ongoing negotiation between technological capabilities, business needs, user preferences, and regulatory requirements. By understanding the landscape of third-party tracking and implementing appropriate protections, we can all make more informed choices about our digital lives.
Published: April 4, 2025