Monday, March 30, 2026

The Peril of Tracking Pixels

I've known about tracking pixels for a long time but never figured that they were much of a problem. Of course, they do reveal that you read an email or accessed a web site, but there are riskier things to worry about when reading emails or browsing the web.

But things have changed, as Steve Gibson pointed out in the latest installment of his Security Now podcast. From page 8 of his show notes:

I just learned how far tracking pixels have evolved. They’re easy to miss because, much like cookies, the code their presence on any webpage allows to run is hidden from us. But last Wednesday the 18th, the security researchers at Jscrambler shared what they had recently learned about what TikTok and Meta are doing.

Their headline was: “Beyond Analytics: The Silent Collection of Commercial Intelligence by TikTok and Meta Ad Pixels”. As we’ll see, this writing is targeted at web merchants who are voluntarily adding these insidious tracking pixels to their sites’ own webpages without a full appreciation or understanding of the privacy implications for their visitors. 

It turns out that Meta and TikTok are grabbing both personal information (names, addresses, phone numbers, credit card information) and a log of just about everything that people are doing on sites with these tracking pixels. From the report, Gibson quotes this: 

Meta’s pixel includes a feature called Automatic Events, which is enabled by default. The feature automatically scans page elements and captures information such as checkout interactions and visible payment card details, including the last digits, expiration date, and cardholder name. Since this is the default behavior and not an opt-in, merchants may not be aware that the pixel is collecting this information. On separate sites, Meta captured recipients' full names and delivery addresses when users selected address options during checkout.

This information can be used by Meta to compile a huge database of behaviour that it can sell. It also presents a risk to anyone using those sites in the case of a security breach at Meta. And because the information being sent to Meta may not be encrypted, it is a vulnerability should the user be the target of an attacker.

Both TikTok and Meta's pixel code can load and begin transmitting data before the website's consent management system has time to block it, meaning information can leave the browser before the user’s choice is applied. Even more concerning is that data may be transmitted in cleartext—occasionally within the request URL itself—exposing sensitive information to browser histories, server logs, intermediaries, and debugging tools.

This vulnerability stems not only from the pixel’s data-collection methods but also from misconfigurations during its implementation or from issues with the website's underlying architecture. Consequently, the attack surface is significantly broader than a surface-level analysis suggests.
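For a merchant who wants to check their own checkout page for the behaviour the report describes, here is an added example (not from the Jscrambler report, the show notes, or this post). It takes a network capture from a test order filled in with canary values and flags third-party requests that fire before the consent choice is applied, use plain HTTP, or carry a canary value readable in the URL. The host names, parameter names, timings and canary values are all constructed assumptions.

```javascript
// Constructed canary values typed into the checkout form during a test order.
const CANARIES = {
  cardholder: "Jane Q Canary",
  last4: "4242",
  expiry: "12/27",
  street: "123 Canary Lane",
};

// Constructed capture: { t: ms since navigation start, url }, as exported from
// the browser's network panel. All hosts and parameters are placeholders.
const SAMPLE_REQUESTS = [
  { t: 120, url: "https://shop.example/checkout" },
  { t: 310, url: "http://pixel.tracker.example/tr?ev=AddPaymentInfo&cn=Jane+Q+Canary&last4=4242&exp=12%2F27" },
  { t: 450, url: "https://pixel.tracker.example/tr?ev=PageView" },
  { t: 900, url: "https://cdn.shop.example/app.js" },
  { t: 1500, url: "https://pixel.tracker.example/tr?ev=SelectAddress&addr=123%20Canary%20Lane" },
];

// Decode path + query so percent-encoded and form-encoded values are comparable.
function decodedTarget(u) {
  const raw = (u.pathname + u.search).replace(/\+/g, " ");
  try { return decodeURIComponent(raw).toLowerCase(); }
  catch { return raw.toLowerCase(); } // malformed escapes: fall back to raw text
}

// Flag third-party requests that fire before the consent choice is applied,
// travel over plain HTTP, or carry a canary value readable in the URL.
function auditRequests(requests, firstPartyDomain, consentAppliedMs, canaries) {
  const findings = [];
  for (const { t, url } of requests) {
    const u = new URL(url);
    const host = u.hostname;
    if (host === firstPartyDomain || host.endsWith("." + firstPartyDomain)) continue;
    const target = decodedTarget(u);
    const leaked = Object.keys(canaries)
      .filter((k) => target.includes(canaries[k].toLowerCase()));
    const issues = [];
    if (t < consentAppliedMs) issues.push("sent-before-consent");
    if (u.protocol === "http:") issues.push("plain-http");
    if (leaked.length > 0) issues.push("pii-in-url");
    if (issues.length > 0) findings.push({ host, t, issues, leaked });
  }
  return findings;
}

for (const f of auditRequests(SAMPLE_REQUESTS, "shop.example", 1000, CANARIES)) {
  console.log(`${f.t}ms ${f.host}: ${f.issues.join(", ")} [${f.leaked.join(", ")}]`);
}
```

This only inspects URLs, so values sent in a request body or hashed before sending will not match.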

Using Firefox, which supports the full uBlock Origin, is probably a good idea. Google Chrome supports uBlock Origin Lite (which I am using), but it's not as effective as the original uBlock Origin in blocking tracking pixels, web beacons, and tracking scripts. 

Yet another item to add to my To Do list. 

Sunday, March 29, 2026

Photo of the Week - March 29, 2026

This week's picture is a follow-up to last week's photo. This is the same yucca, but without any snow on top of it. I hope it recovers from the winter. Taken with my Pixel 8 Pro.

A yucca after the snow has melted, looking somewhat worse for the wear
A yucca after the snow melts


Saturday, March 28, 2026

Saturday Sounds - St. Vincent - Live in London

I haven't followed the musical career of St. Vincent (the stage name of Jules Buckley) closely though I have listened to some of her albums and enjoyed them. Live in London was performed at the Royal Albert Hall with a full orchestra as part of the BBC Pops series. 

Orchestral pop albums can be hit or miss but this one nails it. The arrangements perfectly suit her songs and the recording quality, as you might expect from the BBC, is outstanding. She's performing in Toronto with an orchestra on her current tour but unfortunately ticket prices are out of my league. 


Wednesday, March 25, 2026

The Bloated Web Page

I'm constantly annoyed and frustrated by the crap that websites are blasting my phone with when I try to read an article or browse a web page. Popups, autoplaying videos that refuse to close, ads that jump out and shove the text I'm reading out of the way; I'm sure you've seen it all.

If you want to get a better idea of what's happening and why, read The 49MB Web Page by Shubham Bose, a developer and user interface design expert. The article was triggered when they looked behind the scenes at what was happening when they opened an article from The New York Times website and found that the browser downloaded 49 MB of data. (That's roughly equivalent to an album of MP3s or 50 books in EPUB format.)

When you open a website on your phone, it's like participating in a high-frequency financial trading market. That heat you feel on the back of your phone? The sudden whirring of fans on your laptop? Contributing to that plus battery usage are a combination of these tiny scripts.

I don't usually see most of this on my PC because I run an ad blocker (uBlock Origin Lite) that blocks much of the crap that the article discusses. I use Firefox with uBlock Origin as my default browser on the phone, despite the annoyance of having different browsers on my PC and phone. (I know, I know; it's just laziness that keeps me from using Firefox on my PC.) Apps, where publishers seem to consider pushing ads their primary purpose in life, are also problematic.

I should point out that there are real security problems inherent in the use of programmatic ad auctions and tracking pixels and their associated scripts. (I'll have another post about this tomorrow or Monday). 

This is the best article about web design that I've seen in a very long time. Even if you're not particularly technical, it's worth reading just to understand why your browsing experience is so unpleasant.

Featured Links - March 25, 2026

Things I was interested in but didn't want to do a full blog post about.

The beach at Bluffer's Park on a cloudy day with sunlight from a break in the clouds reflecting on the water
Bluffer's Park on a cloudy day

Sunday, March 22, 2026

Photo of the Week - March 22, 2026

This week's photo is of a hasta yucca in our front yard that has spent most of the winter buried under a waist-high mound of snow. I hope this winter hasn't killed it off. Taken with my Pixel 8 Pro and edited in Google Photos to improve the contrast.

Leaves of a yucca mostly buried in the snow

Saturday, March 21, 2026

Saturday Sounds - Santana - 1970/08/18 - Live at Tanglewood

This week's musical treat jumps back to 1970 with a concert from Santana at the famous Tanglewood Music Festival. Santana had released their second album, Abraxas, and the set contains several songs from that album. Carlos Santana and his band are in fine form. This is a pro shot video with good sound and decent video for the era. Enjoy.


Friday, March 20, 2026

COVID-19 Six Years Later

It's hard to believe that it's been six years since the beginning of the COVID-19 pandemic. Concern about COVID-19 has faded into the background for most people, but it's still out there, lurking in the air when you go out shopping or go to a concert.

So what's the real situation with COVID-19 right now? Your Local Epidemiologist has published an article that looks at the current disease landscape; how much COVID is out there right now, how it's affecting people, and what are the current trends. 

Six years! Six years with a complicated data story of real progress alongside real stubbornness. This anniversary is striking to me for two reasons. The first is the virus itself: it continues to surprise us, and we remain humbled by how much we still don’t understand. The second is what has happened to us in its wake.

For myself, I'm still being careful, masking in crowded situations and in medical facilities like doctors' offices and hospitals. (A good rule of thumb is that if the staff are masking then you should be too.) I'll keep getting vaccinated twice a year and keep hoping for a vaccine that protects against infection. And I'll keep reading YLE and other reputable sites for reliable information about COVID and any other nasties that might be out there.