NYT: You're Being Tracked (And We're At It Too)

One Nation, Tracked is an astonishing report from Stuart A. Thompson and Charlie Warzel for The New York Times Privacy Project. It details how they were able to use one dataset to track the location of 12 million Americans and then connect what is supposed to be non-identifiable data to real people.

The companies that collect all this information on your movements justify their business on the basis of three claims: People consent to be tracked, the data is anonymous and the data is secure.

None of those claims hold up, based on the file we’ve obtained and our review of company practices.

Yes, the location data contains billions of data points with no identifiable information like names or email addresses. But it’s child’s play to connect real names to the dots that appear on the maps.

Here’s the problem, though: by reading this article, I, along with anyone else not using some form of ad-blocker or VPN, am likely being tracked as well. The site is rife with trackers. Browsing the article with Ghostery enabled reveals the following:

  • 3 advertising trackers (, Amazon Associates, and DoubleClick)
  • Google Tag Manager
  • 3 site analytics trackers (Google Analytics, Optimizely Geographical Targeting, and Optimizely)
  • 2 unknown trackers (The New York Times, Optimizely)

How does the NYT square its in-depth reporting on privacy violations with being complicit in those same violations? With this generic statement at the bottom of the article:

Like other media companies, The Times collects data on its visitors when they read stories like this one. For more detail please see our privacy policy and our publisher’s description of The Times’s practices and continued steps to increase transparency and protections.

Reading the privacy policy is illuminating. Through technologies such as cookies, web beacons, tags and scripts, software development kits (or SDKs) and beyond, the NYT will log everything from your IP address and location to your device identifier. If you go further down the rabbit hole and follow the link to view the cookie policy you will find that there are 12 different cookie policies.

It’s unlikely most people will read the privacy policy. It’s even more unlikely that they will read any of the cookie policies. They are lengthy, dry, and written in legalese. Perhaps the NYT is hoping we’ll just look the other way and not hold them to a higher standard?