They Are Watching - How Google and Facebook Track You Without Telling You

They Are Watching

How Google and Facebook Track You Without Telling You

Dominik Bärlocher
by Dominik Bärlocher
time to read: 10 minutes

Your life has value. That’s what the Internet thinks. Sure, occasionally the net is a horrible abyss of unspeakable things and stuff that is just plain weird, but there are good, wholesome places. Like Google. Parental filter enabled, Safe Search on, you can google even the weirdest stuff and you’re still not in need of a psychiatrist just so that you can be a productive member of society again. Facebook is also nice. There’s filters and ignore functions and thanks to those, you haven’t gone postal because you’ve been asked to help your friends out with Farmville one too many times.

But the thing is, both Facebook and Google are multi-billion dollar companies. And companies trade in something. Somehow, they need to be generating revenue. How else do you think that Google manages to afford their trips around the world in cars with cameras on the roofs, their weird “Internet on a balloon”-experiment thing or the development of Google Glass? What Facebook needs the money for other than keeping itself alive is not entirely clear, but that’s not the point of this Labs.

Original artwork by Oliver Widder

The point is: You are their money. Everything you say or do or post or click or voice search… that’s where they make their money. Every single bit of data you give them is used for one purpose and one purpose only: Advertising revenue. “How do they do that”, you ask? Here’s a very simple example.

You Are Money. How it Works.


  1. Vendor stocks a product. Let’s say a t-shirt that says #yolo.
  2. Facebook checks how many people use #yolo as a hashtag. It’s ten million people. You and a lot of friends among them.
  3. Facebook goes to vendor and says “Hey, vendor, we want to sell your god-awful shirt. There’s ten million people we could advertise it to! Give us a 100 000 dollars and we’ll do just that.”
  4. Vendor is impressed and does the math. One shirt sells for $19 (Yes, that shirt actually does sell for $19). That makes $190 000 000 of potential revenue. Assuming that two percent of all people actually end up buying that shirt, that equals this 190 million divided by 50, that still makes 3.8 million dollars.
  5. Vendor gives Facebook the money
  6. You get to see the ad on your screen and, assuming you have no sense of taste whatsoever, you will buy it.

Therefore, you are very interesting. Everything you do or say is suddenly marketing value. Therefore, both Google and Facebook have been working hard on getting as much out of you as they possibly can. This results in the following reality we find ourselves in: Facebook and Google know even the stuff we don’t post.

Google Knows What You Search Before You Search for it.

Google likes users. In fact, one of Google’s core principles at some point was Don’t be Evil. It sort of still is, because if we’re being honest, Google could be much more evil if they wanted to. The slogan was supposed to be a jab at their then-competitors who according to Paul Buchheit, creator of Gmail and Google employee, “were kind of exploiting the users to some extent.” This is somewhat ironic, seeing as Google is after your every bit of data these days. Everything you’ve ever looked for? They know it. And they even know where you’re sitting right now.

“How are they doing that”, I hear you ask? Simple. Most of the time, they help you find it. Let’s assume you’re trying to figure out who is watching the watchmen (that quote, by the way, is attributed to the Roman poet Juvenal in Latin Quis custodiet ipsos custodes? and gained popularity with Alan Moore’s graphic Novel called Watchmen where the phrase became graffiti).

So off to Google you are. The search-box pops up and you start typing away. Google is nice, really. They suggest what you might be looking for:

Helpful Google is helpful. Thanks, Google!

So how does it do that? It’s simple. It’s a JavaScript command called onKeyPress. It goes like so:

<input type="text" onKeyPress="myFunction()">

In Google’s case, myFunction() is something that queries their entire database and guesses what you might be looking for, which is what that weird thing about prostitution invaded my search for the Roman quote.

In fact, it does it so well that if you have the automatic search enabled, you can see how it works. Not only is the autocomplete-feature at work, but also this. Look at the URL-bar. It refreshes itself with every push of a button.

Wait, I didn't enter that URL.

What happened? Basically this:

This results in the following: Even if you decide to not perform the search, Google knows what you were looking for.

Note: It doesn’t have to be onKeyPress seeing as there is probably a similar function out there, but onKeyPress would be the easiest solution, seeing as it’s a default Java-function.

Not bad enough? It gets worse and much more personal.

Facebook Knows What You Didn’t Post.

The girl you have a crush on posts a picture. She smiles at the camera, you want to tell her she’s beautiful. In a rare fit of courage, you click on the comment-box, and you start typing the words “You’re beautiful”. But just as quickly as the courage got you, it leaves you again. You delete those words.

But Facebook knows. Again, onKeyPress makes it possible. Even if you only got to “You’re beauti” and then decided to not do it, it doesn’t take a genius to figure out what you meant. In fact, you just wrote 76.5 percent of the message you decided to not post. Way more than enough for a clever computer to figure out what you were trying to say.

Of course Facebook doesn’t tell us that they’re doing that. So how do we know? We know this because Sauvik Das of Carnegie Mellon and Adam Kramer of Facebook have recently published a study titled Self-Censorship on Facebook. In the abstract, the following can be read:

We report results from an exploratory analysis examining “last-minute” self-censorship, or content that is filtered after being written, on Facebook. We collected data from 3.9 million users over 17 days and associate self-censorship behavior with features describing users, their social graph, and the interactions between them.

So there you have it. Facebook even has the capability to analyze what you didn’t post. And they did so to figure out the following:

Our results indicate that 71% of users exhibited some level of last-minute self-censorship in the time period, and provide specific evidence supporting the theory that a user’s “perceived audience” lies at the heart of the issue…

Wonderful. The fact that you are occasionally not posting things apparently makes it okay to know that you’re crushing on that woman you talk to at work. Does this sound okay to you?

Service vs. Spying

Google’s method is primarily aimed at bettering their own search function. Besides, you’re not very likely to tell Google that she’s beautiful. Granted, you might be looking for the cure to some embarrassing illness you might have contracted somewhere, but that is nowhere near as devastating to your social life as what Facebook does. Generally: Google aims at improving their service. Which makes them not quite as evil as they could be.

Facebook on the other hand has little to no reason to monitor status-boxes with onKeyPress. Because, looking at it from a service-oriented perspective, what possible use could you have for an autocomplete-function similar to Google’s in the field you write your status into? Or the one you write a message to your brother? Or the one you post your status. Besides, bought new t-shirt #yolo as a status is not something you post often.

So… how do you get around this?

You don’t.


You can disable JavaScript entirely. This will make your surfing the Net a complete nightmare, seeing as most websites use some sort of JavaScript somewhere. However, there’s a number of plug-ins – the most popular arguably being NoScript – that will allow you to selectively disable JavaScript on certain pages. The issue here is that setting this up takes a lot of time and effort.

About the Author

Dominik Bärlocher

Dominik Bärlocher has been working with IT subjects since 2006. The journalist relied on his affinity for all things IT during his tenures at news papers and benefited from it. At scip, he conducts OSINT researches and is an expert at information gathering.


Are you interested in a Penetration Test?

Our experts will get in contact with you!

How I started my InfoSec Journey

How I started my InfoSec Journey

Yann Santschi

Area41 2024

Area41 2024 - A Recap

Michael Schneider

Prompt Injection

Prompt Injection

Andrea Hauser

How to secure your online accounts

How to secure your online accounts

Ian Boschung

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here