2.1. Cookies

Website owners and third parties commonly use HTTP cookies to track users and monitor their behavior via the HTTP protocol. They are among the most well-known WT systems. A cookie is not a program but a text file containing key-value pairs (e.g., Visiting Time = 21:12, IP Address = 127.0.0.0). HTTP cookies are stored on the client’s computer.

Whenever a user visits a website, the server retrieves the cookie to efficiently access the necessary information. If no cookie exists for that site, the server assumes the user is visiting for the first time. The server then generates a new identifier for the visitor in its database and sends a cookie. Cookies store user data, such as passwords, allowing users to avoid reentering them each time they log in. This benefits both websites and internet users [7,8,15,16,17,18].

Permanent cookies, also known as zombie cookies or ever-cookies, are HTTP cookies controlled by scripts. When deleted, they are recreated from backups stored in the HTML5 local storage or on the client’s hard drive. This occurs when a user visits a webpage that secretly sends a script or executable program via the browser. The script checks a specific location on the client’s disk to restore the deleted cookie from a backup or save the cookie’s current state [19,20].

2.2. Local Shared Objects

Local shared objects are cookies that do not rely solely on the HTTP protocol for tracking but require software manipulation. For example, Flash cookies are managed by Adobe Flash Player, while Silverlight Secure Storages are handled by Microsoft Silverlight [21,22]. These development tools enhance web content and user experience by using their APIs and scripts to communicate with browsers, retrieve data from viewed pages, or access browser storage.

The collected data is stored in local shared objects, which may include small databases, JSON-formatted files, or complex storage structures beyond simple key-value texts. These objects improve the user experience by storing privacy preferences, restoring time points (e.g., where a user stopped playing a Flash video), and more.

Additionally, they can link a user’s activities across different websites or browsers and synchronize their cookies. Cookie synchronization involves linking data from various cookies using fingerprinting techniques to create user interest profiles. Local shared objects have a larger storage capacity than regular cookies and are harder to delete due to their ability to be recreated by the associated software [5,8,9].

2.3. HTML5 Tracking

HTML5 offers numerous APIs to enhance the web experience, such as server-sent events, XMLHttpRequest2, Web Messaging, and Geolocation. By using HTML5 APIs, websites or software can gather user data through the browser and store it either on the server or the client’s storage. Additionally, HTML5 introduces new client-side storage mechanisms, including Web Storage, Local Storage, and Indexed DB. These options allow for more efficient data storage using JSON-formatted files, NoSQL techniques, and API calls. Consequently, HTML5 provides an effective means of tracking through API interactions [7,8,10,14,23].

2.4. Web Beacons

A Web beacon (also known as a web bug, tracking bug, pixel tag, or clear GIF) is a technique that involves displaying a very small (typically 1 × 1 pixel) image in an HTML file or web programming code (e.g., JavaScript). For the image to appear, the user’s browser must send a request to the server hosting it. This request allows the server to identify which user wants to view the image.

Due to its small size, the Web beacon is usually invisible to users, though it can be detected by examining the source file. This enables tracking without users’ knowledge. Additionally, the image’s URL may include a script written in server-side programming languages like PHP or ASP.NET. When executed on the server, this script collects even more user data. Typically, all data gathered by a Web beacon is stored on the server [7,8,15,23].

2.5. Spyware

Spyware tools are software programs installed on a computer to monitor activity or cause harm. They can access third-party APIs or components from browsers or operating systems (OS), such as Layered Service Providers and IConnectionPoint, to retrieve user data. Once collected, this data is saved in hidden files, and a background process transmits the files to a specific server via HTTP.

Additionally, Spyware often collaborates with other software or techniques, such as Adware or keystroke loggers. Keystroke loggers operate at the kernel level, monitoring binary data sent by input devices (e.g., keyboards) through OS APIs, allowing them to capture sensitive information like passwords.

Most Spyware tools are illegal and lack authorization for download, installation, or access [24,25,26].

2.6. Email Tracking

Email tracking is implemented using a web beacon or email services. It can operate on various networks (public, local, etc.) to reveal how often a message is read or transmitted and by whom, along with their IP address. If a server collects data from a specific web beacon, it can determine which email was opened, where, and when. Modern email services use scripts (usually involving POST and GET methods) on their servers to track the communication channel, sender, and receiver. They may also use web analytics services. All this data is stored on servers [27,28,29].

2.7. Local-Based Services

Recent advances in wireless location tracking, such as cellular networks or RFID tags, offer many opportunities to implement or enhance Location-Based Services. Using APIs and maps enables real-time traffic analysis, as APIs (like Google Maps API) provide extensive geographic information. APIs repeatedly communicate with telecommunication systems managed by location providers and brokers, requiring a stable connection between the client, server, and provider. Location-Based Services often process queries based on current location (e.g., “Where is the nearest hotel?”) by calculating distances between the current and target locations. These services also track a person’s location (e.g., via GPS) to improve traffic flow or assist with navigation to specific destinations [30,31].

2.8. Fingerprinting

Fingerprinting is a technique used to create a unique string that identifies internet users. This string is stored in a cookie or browser storage, allowing websites to request it and identify visitors. Trackers use fingerprints to enhance tracking, build user behavior profiles, and provide personalized services. They can also be used for multi-factor authentication and improved security. Some fingerprints are generated via HTTP mechanisms like ETags or scripts, while others are more complex, based on collected data. For instance, canvas fingerprinting sometimes uses the Canvas API [32] to gather information like fonts, graphics card details, screen size, and other features, which are then hashed to produce the fingerprint. Similarly, various APIs enable methods like audio, battery-based, font fingerprinting, and more [33,34,35,36].

2.9. Taint Tracking

Taint tracking, or information flow tracking, monitors how applications access and manipulate personal data. Specifically, when an application initiates one or more processes in IPC (Inter-process Communication), a taint tag is added to the process based on specific dataflow rules [37]. This can be implemented using virtual or hardware components, such as a VM interpreter or shadow memory, to access low-level OS APIs. The taint tracking system labels sensitive data sources and temporarily tags them as they flow through an application. When tainted data is transmitted over a network, the system records the tags, the responsible application, and the destination. This provides real-time feedback to users about how their data is being used [38,39,40].

2.10. Web Privacy Measurement

Many researchers use Web Privacy Measurements to track tracking services on websites. These tools employ browsers and task managers to convert high-level commands (e.g., “visit a website”) into specific subroutines, distribute commands to browser administrators (e.g., create command threads per browser), and interact with browser APIs to analyze data flow. They also use COM interfaces or IConnectionPoint for deeper data collection and tracker detection. Additionally, Web Privacy Measurements crawls files and scripts from websites or data collected by them, manipulating and storing this information in databases for analysis. By crawling websites, they can identify WT systems, such as detecting “src” tags in HTML files leading to web analytics services or tracking scripts (e.g., cookies, fingerprints). Advanced tools can even reveal how personal data is used. These complex systems rely on APIs, databases, browser interfaces, and scripts, and often integrate machine learning algorithms, datasets from privacy tools like Ghostery, and more [41,42,43,44].

2.11. Other Tracking Techniques

3.1. Materials

The proposed classification of tracking systems is not very common in the literature, even though it can provide a better understanding of those systems. A classification scheme allows the separation of certain objects into categories, according to specified criteria. The current paper investigates WT systems based on how they work and their technological architecture, and for that reason, the proposed classification is developed based upon this. HTTP and APIs are the main methods of tracking, whether the data is stored on the client or on the server. Moreover, fingerprints are typically generated by APIs or scripts, but it would be better to distinguish them from other WT systems. That’s because fingerprints don’t collect data, but it’s an exclusive category of identifying internet users to help other tracking mechanisms. And there are more complicated tracking systems as well, combining all the previous tracking methods. Hence, the current scheme proposed 6 classes, which are represented in Table 1. Lastly, to mention, this scheme is not based on any other previous research effort.

3.2. Methods

Based on the four classes analyzed above, Table 1 showcases a comparison of these different classes. In this section, we compare our work with two previous studies. In [5], the authors introduced a classification framework, classifying web trackers based on tracking behaviors and properties. Specifically, the scheme identifies 5 behaviors and 7 properties, primarily observable from the client’s side. A web tracker is classified as a behavior if it exhibits at least one of the specified properties, as detailed in Table 2 and Table 3 [5].

Another classification scheme was proposed in Imane Fouad’s research to identify tracking domains and their interconnections. The authors in [7] focused on analyzing WT webpages using web beacons (pixel tags) by detecting these beacons. The arrows in [7], representing potential relationships between categories in a stateful crawl, suggest that categories within each class likely interact sequentially, as shown in Table 4.

By crawling 829,349 webpages and detecting web beacons, a tracking classification framework was developed, categorizing web trackers based on their behavior. This scheme consists of 4 classes and 7 categories, each explaining how the WT domain operates, its impact on user privacy, and statistical results from the research dataset. A web tracker using web beacons is classified based on its tracking behavior, as outlined in [7].

The Franziska Roesner classification scheme (Table 2 and Table 3) focuses on web tracker behaviors and properties, primarily high-level criteria observable from the client (user’s browser). In contrast, our scheme (Table 1) relies on lower-level criteria, emphasizing programming implementation and technological background, mostly observable from the server’s side. Additionally, Imane Fouad’s scheme (Table 4) covers more complex, non-basic WT systems based on the perspective of website usage. Our classification (Table 1), however, includes simpler mechanisms like HTTP and session IDs in hidden fields, classifying software rather than the website’s tracking methods. In conclusion, the differences between these classification schemes stem from differing research perspectives, providing a more comprehensive understanding of WT mechanisms [5,7].

The next section will discuss internet users’ awareness and their perspective on WT systems. The classification of WT systems in this research (Table 1) has limited relevance to users’ perspectives, as it focuses on observable behaviors from the browser rather than what occurs on the server side. For example, users may notice cookie notifications but are less aware of fingerprints. Consequently, the most recognized WT tools are cookies (96.9% familiarity) and GPS (68.9%), while other tools are 30% less well-known (Appendix, Questions 7, 18). In conclusion, previous research and classification efforts are more aligned with users’ perspective, which relies on observable behaviors from the client side. In contrast, this paper’s classification, focused on server-side criteria, is less related to users’ awareness.

4.1. Questionnaire Structure

In this research, an online questionnaire survey was conducted using Google Forms, with 1,032 participants from Greece. Different types of surveys offer varying advantages and disadvantages depending on the research goal. For our study, we chose an online questionnaire via Google Forms to reach as many internet users as possible and ensure ease of data collection. This approach was simple to create and share online, guaranteeing anonymity and no time pressure for participants (allowing them to review questions as needed). The questionnaire aimed to explore how much internet users know about WT systems and the factors influencing their knowledge. Additionally, we examined whether a lack of awareness about WT systems affects users’ privacy concerns.

To ensure the questions were understandable for all participants, regardless of their technical knowledge, we avoided jargon and technical terms, opting for small, closed questions (up to 21 words). Most questions included open-ended answers, such as “other, describe in a few words.” The data was analyzed using distributional descriptions, statistically comparing groups (e.g., correct vs. incorrect answers) and identifying possible associations between variables. The questionnaire began with demographic questions, including gender, age, daily internet usage, and computer science background (Appendix, Questions 1–4) to identify factors influencing awareness of WT systems. It then included four multiple-choice questions on WT systems, each with three incorrect answers and one correct option, such as: “Do you know what cookies are? a) Text files, b) Software, c) Virus, d) I don’t know” (Appendix, Question 8). Some multiple-choice questions were more subjective or debatable, such as: “Which of the following tracking systems do you know? a) Local-based service b) Flash Cookies c) …” (Appendix A, Question 18) [50,51,52].

Lastly, regarding the survey methodology used, it is noted that participants were reached online using anonymous sharing, i.e., sharing of Google Forms; thus, we aimed for wide accessibility and voluntary participation. Specifically, we paid extra attention to ensure that the questionnaire was intentionally simple to avoid bias from technical terminology, and closed-ended questions were used as a means to facilitate statistical comparison. However, it must be noted that the sampling method may introduce limitations via this mode of operation, as it may lead to self-selection bias, and thus, the sample may not fully represent the broader spectrum of the population. As such, while descriptive statistics and basic comparisons were used as a means to analyze responses, in future analysis of a bigger sample, it should also help to include regression models to quantify the impact of different variables on user awareness and concern.

4.2. Structure Analysis

The first objective was to uncover how much internet users know about tracking systems. The average correct answers across four multiple-choice questions were 37.63%, although only 26.4% claimed to understand how WT systems work (Appendix, Question 6). People appear aware of the data websites collect and the reasons behind it, yet only 25.2% are familiar with the WT systems (33.6% including cookies) that websites employ (Appendix, Questions 16–19). In conclusion, internet users have some knowledge about tracking systems, but at a very basic level.

The second goal of the questionnaire was to identify the most significant factor affecting internet users’ awareness (gender, age, daily internet usage, and relation to computer science). To achieve this, queries in SQL were utilized within an Oracle Apex database. The sum of correct answers was calculated for each factor. For example, if 51% of men answered correctly to Question 8, and 54% answered correctly to Question 9, the sum for men would be 51% + 54% + ... The goal was to assess the deviation between lower and higher correct answers for each factor. For the “Age” factor, 13–18-year-olds had the lowest sum of correct answers (446%), while 19–24-year-olds had the highest sum (540%). This indicates that younger people know the least, whereas 19–24-year-olds know the most about WT systems. The deviation is the difference between these percentages, 540% − 446% = 94%, indicating that age affects awareness by 0.94. Similarly, gender affects awareness by 0.78, daily internet usage by 0.7, and relation to computer science by 1.42. These numbers provide a comparative measure of how each factor influences correct answers. Thus, the “relation to computer science” emerged as the most important factor affecting internet users’ awareness of WT systems.

The third and final objective was to examine whether internet users’ lack of awareness correlates with increased concerns about WT tools. To accomplish this, SQL queries were used to identify users who answered with the term “virus” (i.e., “cookies are viruses” from Appendix, Question 8). These users (203 in total) are assumed to be concerned about WT systems. The average of correct answers for those concerned is 0.39 (let A1). By repeating this process for users not concerned about WT systems, the average of correct answers is 0.37 (let A2). If A1 significantly differed from A2, it would suggest that concerned users have less knowledge about WT systems than non-concerned users, implying that awareness reduces concerns about WT systems. However, since A1 and A2 do not differ significantly, it is concluded that awareness about WT systems is independent of concerns regarding WT tools. While initial results showed that awareness does not significantly correlate with concern about data misuse (as the average correct answers between concerned and unconcerned users were 0.39 and 0.37, respectively), further statistical analysis could help validate this finding. Future work could involve the use of inferential statistical methods such as hypothesis testing or regression models to confirm the absence or presence of statistically significant differences between user groups. This would provide a more robust understanding of whether concern is indeed independent of awareness or influenced by other hidden variables.