Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

What Can a Website I Visit Tell About Me?

//
When I visit a web site that collects visitor statistics, I understand they can see my IP which will tell them my ISP, that I have a  Mac, the area where I may live, what browser I use, if I’m new to the site, or if I click information on the site. But can the site collect the following information:
  • My computer name (the name I assigned to my computer)?
  • Profile information???
  • My browsing history (any/all sites I’ve visited and when) or can they just tell the number of items in my history?
  • Email addresses associated with my computer?

I’ve reviewed similar questions but I’m not sure I truly understand what information a web server can collect from my connection/browser.

This turns into a fairly complex answer pretty quickly. It’s both more and less than you might think.

I’ll start by covering what every website sees.

Become a Patron of Ask Leo! and go ad-free!

Page visits

Almost every web server on the planet keeps a record of the pages that have been requested of it. Each time a webpage is requested, the server adds a line of information to that log.

Here’s an example log entry from my own server of someone accessing https://askleo.com/someones-sending-email-address-stop/ (my article “Someone’s Sending from My Email Address! How Do I Stop Them?!“).

109.152.159.2 – – [24/Jul/2018:09:26:44 -0700] “GET /someones-sending-email-address-stop/ HTTP/1.1” 200 47906 “https://www.google.com/” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/601.7.8 (KHTML, like Gecko) Version/9.1.3 Safari/537.86.7”

There are several interesting bits of information there:

  • Peek a boo!109.152.159.2: the IP address of the internet connection of the computer requesting the page.
  • [24/Jul/2018:09:26:44 -0700]: the date, time, and time zone offset that the page was requested.
  • GET /someones-sending-email-address-stop/ HTTP/1.1: the operation (GET), the page requested, and the HTTP protocol version to be used.
  • 200: the return code. In this case, 200 means success.
  • 47906: the size of the response in bytes.  In this case, this would be the size of only “/someones-sending-email-address-stop/”, without any additional files (like images or support files) it might reference.
  • https://www.google.com/: the site that had the link to https://askleo.com/someones-sending-email-address-stop/ that this person clicked. This person arrived at Ask Leo! after performing a Google search and clicking on a link in the results.
  • “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/601.7.8 (KHTML, like Gecko) Version/9.1.3 Safari/537.86.7”: this fairly long and obscure string, known as the “User Agent” string, identifies the browser used (Safari), the operating system (Mac OS X), and occasionally some other things the browser chooses to put in there.

As you can see, it’s both a lot, and not so much.

Your IP address doesn’t convey as much as most folks think. I’ve written about this repeatedly, but unless you’re a law enforcement agency with a court order, the best a website owner can tell is your ISP and roughly where on the planet you are — sometimes as accurate as your neighborhood, and sometimes only as close as your continent. In our example, the IP address is owned by British Telecom, and is somewhere in the UK, possibly York, as determined by a quick “whois” lookup on the IP address.

But that’s about it. Note the things you’re worried about that aren’t on the list: your computer name, your profile, your history, and your email address are not made available to a web server by a simple website visit.

However…

Websites remember what you tell them

Sites that allow you to sign in know who you are because you told them.

They generally log this information as well, either in the server logs I described above or in other logs maintained by whatever software on the server is processing the login. If the website profile associated with that login includes things like your email address, then the server knows that too.

Because you told it.

That’s something most people fail to remember: the vast majority of data collection and tracking exists because you explicitly provided it somehow.

Websites remember what their associated sites remember

In that same vein, whether it’s information you provided or was collected from simple visitor logs, websites that are associated with one another can certainly share data. There are several different examples.

  • Sites from the same provider naturally share data. Gmail, Google Search, YouTube, and other Google properties all likely realize that you are you by virtue of your having logged in to check email.
  • Sites from related properties may do the same. We don’t think of sites like Instagram and Facebook as being related, but they are (Facebook owns Instagram). I don’t know that they share data, but they certainly could. There are many such relationships out there.
  • Unrelated sites could enter into agreements to share data. In theory, this would be disclosed on a privacy page, but is typically limited to wording about sharing information with “third parties”.
  • Advertising.

Advertising is a special case.

Advertisers remember you, sort of

We’re all aware of ads that seem to follow you around from site to site. The sites that have those ads don’t need to know who you are at all; they just need to use the same or related advertising services.

All the advertising service needs to know is that “this computer looked at external hard drives” in order to then show you ads for external hard drives as you surf other sites. No personal information whatsoever was necessary to make that happen. It feels like you’re being tracked, but you’re not.

Of course, it could be more than that. The web servers of the advertisers have that same log information we started with, except they also know on what sites their ads were placed. So in a sense, they can see what sites you’re visiting.

And, of course, if you’re logged in to one of those sites, or a related site, or a site related to the advertising service, they might know who you are — because you told them.

Podcast audio

Play

16 comments on “What Can a Website I Visit Tell About Me?”

  1. being Canadian we are not allowed to see videos on the major tv networks web pages and i guess they know who we are by our ip address. if you miss an episode and want to watch it later you can’t unless you hide your ip address.not too fair

  2. Good info. Thx.
    Can a website tell where I have come (what website I was at previously) and what website I go to next?
    For example, if I am at store alpha and go to store beta, can alpha see that I left them to go to beta, and can beta see that I came from alpha? Thx.

    If site A links to site B and you click on that link, then site B will get information that says you came from site A. But without that cooperation, there’s no way for an arbitrary site to know where you came from or where you are going.

    Cookies, on the other hand, are another matter and open a series of related issues. I’ll be discussing that in future articles.

    – Leo
    23-Sep-2008
  3. Leo, are you using pop-up ads on you web pages?
    On opening this article a blue pop-up ad appeared on the page, asking if I wanted to sign-up for Ask-Leo newsletter. Was this generated by your site, or is it generated by some kind of malware that I am infected with?

    That’s me. Malware wouldn’t be about something as benign as a newsletter, or as on-topic as something relating to the site you’re on.

    – Leo
    29-Sep-2008
  4. In a previous newsletter, you challenged your readers to google themselves and see what they find. Well, I did, and I was shocked! There was even a reference to a response I made to one of your newsletters! The problem is I have an unusual name, and when I want to post a comment on your website, it asks for my name (required). I take it I can’t use a fake name, so what should I do?

    It depends on what you want to accomplish.

    I too have a unique name – unique enough that all the results of searching on it are related to me somehow. Things like commenting on websites like this one don’t bother me, and I use my real name. Doesn’t matter to me if that shows up in a search result.

    If it’s some place I do care, I do use a fake name. Even here, while it asks for your name you can still make one up if you want. Just means that if I contact you I’ll call you by that fake name.

    So in general, use a fake name, or no name at all, when you think it might matter. The most important point of all is to be aware that what’s posted online stays online for a long, long time.

    – Leo
    05-Oct-2008
    • I never thought my name was common but I do not come up in the first pages of the search. However, the image search came up with a photo of me driving in an autocross competition in 1989, my father’s college yearbook (same first name) when he was graduating (small college), and my grandparent’s grave marker (grandfather’s middle name was William)

    • If you are referring to Leo’s pop-up ad for the newsletter, closing the ad by clicking on the X in the upper left will keep it from popping up again for a month, unless you clear your cookies. Clearing the Ask Leo! cookie will cause the pop-up to appear the next time you visit askleo.com.

  5. Hi can I please ask what happens if you don’t visit a website but don’t have any firewalls or security protection if you have javascript disabled can the website owner see more information

Leave a reply:

Before commenting please:

  • Read the article. Comments indicating you've not read the article will be removed.
  • Comment on the article. New question? Start with search, at the top of the page. Off-topic comments will be removed.
  • No personal information. Email addresses, phone numbers and such will be removed.
  • Add to the discussion. Comments that do not — typically off-topic or content-free comments — will be removed.

All comments containing links will be moderated before publication. Anything that looks the least bit like spam will be removed.

I want comments to be valuable for everyone, including those who come later and take the time to read.