
Credit: Burst / Pexels
Most people know that social media platforms track what they like and share. They know Google $GOOGL keeps a record of their searches. They've heard about cookies. But the data economy runs far deeper than the platforms people consciously use — it operates through the devices they trust, the stores they walk into, the cars they drive, and even the way they hold their phones.
Data collection has become infrastructure. It underlies the business model of industries that have nothing to do with technology on the surface: grocery chains, insurance companies, credit card networks, employers, landlords. The result is a web of observation that most people move through without ever thinking about it, because the collection points are designed to be invisible, or are buried in terms of service agreements long enough to discourage reading.
The scope of what is tracked goes well beyond browsing behavior. Location data is harvested from apps that have no obvious reason to need it. Biometric information is captured at airports, stadiums, and retail stores. Metadata from emails, calendar entries, and file downloads tells platforms a great deal about daily routine without anyone ever reading the content. Smart home devices log ambient sound, light levels, and occupancy patterns. Cars transmit driving behavior — speed, braking force, cornering — back to manufacturers and insurers.
What makes this worth understanding is not paranoia — it is agency. A person who knows how data is collected can make more deliberate choices about what to share, what to withhold, and which tradeoffs they are actually willing to accept. The tracking is often legal, sometimes useful, and in many cases unavoidable. But the first condition for navigating it is knowing it exists.
The 20 examples below span everyday devices, physical spaces, digital services, and institutional systems. Some involve explicit consent you may have forgotten giving. Others involve consent that was technically obtained through a checkbox buried in an update notification. A few involve no consent at all under current law in many jurisdictions. All of them are happening right now, at scale, in ways most people never think about.
1 / 20

Credit: Erik Mclean / Pexels
Modern vehicles are equipped with telematics systems — onboard computers that continuously record data about how the car is being driven. This includes vehicle speed, acceleration and deceleration rates, cornering forces, braking behavior, seat belt use, and the time of day trips occur. That data is transmitted, in many cases, back to the manufacturer.
The uses vary. Automakers use telematics data for warranty analysis, to identify mechanical issues before recalls, and to improve future vehicle design. Some manufacturers make this data available to insurers, either through direct partnerships or through opt-in programs that promise a discount in exchange for driving behavior monitoring. Programs of this kind, offered by major U.S. insurers, work by plugging a small device into a car's OBD-II port or by using a smartphone app — but the underlying telematics data from the vehicle's own systems is separate and flows regardless.
What surprises many car owners is that this transmission happens by default, without any action on their part, and without a clear dashboard notification each time data is sent. The terms of service for connected vehicle features typically authorize this collection, but those agreements are accepted at the time of purchase or software activation — often during a dealer handover when attention is elsewhere.
The data can be linked to the vehicle identification number and, through registration records, to the registered owner. Insurers in some states have begun using manufacturer telematics data in underwriting decisions. Law enforcement has obtained vehicle location and trip history data from automakers through legal process.
Rental car companies also collect telematics data from their fleets, and some rental agreements explicitly authorize monitoring of speed and geographic boundaries. Customers who exceed those limits have been charged fees based on data collected during their rental.
The broader point is that a car purchased years before the current wave of connected-vehicle services may have already been retrofitted with data collection capabilities through software updates. The car sitting in a driveway is, for many manufacturers, a data collection endpoint that happens to also provide transportation.
2 / 20

Credit: Jack Sparrow / Pexels
Loyalty programs — the cards and apps that track purchases at grocery stores, pharmacies, and coffee chains — are, at their core, data collection infrastructure. The discount offered is real. But it functions as payment for something equally real: a detailed record of purchasing behavior that can be profiled, sold, and used in ways that go well beyond the retailer who issued the card.
A grocery loyalty program that spans a decade contains information about diet, health management (through pharmacy purchases), household composition (through purchase volumes and product types), income signals (through brand choices and bulk buying patterns), and life events (through sudden shifts in purchasing categories). The birth of a child, a cancer diagnosis, a change in diet due to a chronic condition — all of these leave traces in purchase history.
This data is used internally for targeted promotions, shelf placement decisions, and inventory management. It is also sold to data brokers, shared with consumer packaged goods companies that want to understand which households buy their products, and in some cases shared with health insurers and employers — depending on jurisdiction and the terms of the program agreement.
Retailers also use loyalty data to link in-store purchases to online behavior. If a customer uses the same email address to log into a retailer's app as they use on other platforms, data brokers can match records across systems and build a more complete profile. This matching process, known as identity resolution, is a significant business in its own right.
The data does not expire. A loyalty profile built up over years is an asset that retains value even if the consumer stops shopping at that retailer, because historical purchasing behavior is useful for modeling future behavior by similar consumers.
Many people assume loyalty data is anonymized. In practice, the combination of purchase patterns, a linked email address, a home ZIP code, and a credit card number makes re-identification straightforward.
3 / 20

Credit: www.kaboompics.com / Pexels
Smart televisions — nearly all television sets sold in the U.S. and Europe for the past several years — include a technology called automatic content recognition, or ACR. It works by taking screenshots of whatever is on screen, several times per second, and matching those images against a database of known content. This allows the TV to identify what is being watched: a specific episode of a television series, a sports broadcast, a streaming film, a news segment, or even content playing from an external device like a gaming console or a cable box connected to an HDMI port.
The data collected through ACR goes to the TV manufacturer and, in many cases, to third-party advertising platforms. It is used to serve targeted advertisements in the TV's own interface, to sell viewing data to advertisers and media companies measuring audience reach, and to build household-level profiles that can be matched with other consumer data.
ACR operates regardless of how the content is being delivered — over streaming services, over cable, or over the air. The television is watching what its owner watches, in detail that broadcast ratings systems could never approach.
This is disclosed in the setup process, typically during the initial terms of service acceptance when a smart TV is first connected to the internet. Most users click through without reading. The default setting for ACR is on. Turning it off requires navigating to a specific section of the TV's privacy settings — which varies by manufacturer and is not prominently surfaced.
The manufacturers involved include the largest brands sold globally. Vizio, for example, built a data division — Inscape — that sells ACR data as a core part of its business model. Samsung and LG have similar programs. The viewing data sold through these platforms is granular enough to show which ads a specific household watched, for how long, and whether they changed the channel immediately after.
4 / 20

Credit: Robert So / Pexels
Voice assistants — on smart speakers, smartphones, and increasingly on TVs and appliances — are designed to listen continuously for a wake word. The device records ambient sound, processes it locally or in the cloud, and activates when it detects the trigger phrase. What is less well understood is what happens before, and sometimes after, that trigger is detected.
Multiple device manufacturers have acknowledged that voice assistants occasionally activate without an intentional wake word, either due to sounds that phonetically resemble the trigger, or due to processing errors. When this happens, audio from the surrounding environment is captured and, in some implementations, sent to cloud servers for processing.
Amazon $AMZN, Apple $AAPL, and Google $GOOGL have all faced scrutiny for the practice of having human reviewers listen to samples of voice assistant recordings — including recordings captured by accidental activations — as part of quality assurance processes for improving speech recognition. All three companies adjusted their policies following reporting on the practice.
Beyond accidental activations, the metadata around voice assistant use is itself informative. The time of day commands are issued, the types of requests made, and the frequency of use all provide data that can be used to infer household routine, sleep patterns, and occupancy.
Devices from third-party manufacturers that integrate voice assistant platforms may have different privacy settings than the first-party devices from Amazon, Google, or Apple. A smart speaker from a home audio brand that uses the Alexa platform as its voice layer may collect data under both the brand's own terms and Amazon's.
The living room, kitchen, and bedroom are where these devices are most commonly placed. They are also the spaces in which the most private conversations occur. The boundary between ambient noise and captured audio is determined by software thresholds that consumers cannot inspect.
5 / 20

Credit: Luis Quintero / Pexels
Every smartphone that has Wi-Fi enabled — even when not connected to a network — constantly broadcasts what are called probe requests. These are short signals sent by the device as it searches for known networks to join. The signal includes, in older device implementations, the unique hardware identifier of the phone, known as the MAC address.
Retailers, airports, transit systems, and urban environments have deployed sensors that capture these probe requests to track the movement of people through physical spaces — without those people connecting to any network, downloading any app, or taking any action at all. The device's presence is detected passively.
From probe request data, a tracking system can determine when a person entered a space, how long they stayed in different sections of it, how often they returned, and — by correlating data across sensor networks — where they went before and after. Retailers use this data for store layout optimization, understanding traffic flow and dwell time in different departments. Shopping centers sell aggregate movement data to tenants and to brands seeking to understand foot traffic patterns.
Apple $AAPL introduced MAC address randomization in iOS 14, which cycles through random hardware identifiers during Wi-Fi scanning to make probe request tracking harder. Android introduced similar protections around the same period. But older devices running earlier software versions do not have this protection, and the randomization protocols have known weaknesses that researchers have documented.
Beyond smartphones, laptops and tablets also emit probe requests when their Wi-Fi is on and they are not connected to a network. Many people carry a laptop in a bag through an airport or train station without realizing the device is broadcasting its identity.
6 / 20

Credit: RDNE Stock project / Pexels
Every digital file contains metadata — data about the data. A photograph taken with a smartphone contains the date and time it was taken, the make and model of the device, the focal length, the exposure settings, and — if location services were enabled at the time — the precise GPS coordinates of where the photo was taken. This information is embedded in the file itself and travels with it when the photo is shared by email, posted to a website, or included in a document.
Document files carry their own metadata. A Word or PDF document records the author name (as entered in the software account), the organization name, the creation date, the modification history, and sometimes the names of previous contributors through version tracking. A document prepared on a work computer may carry the employer's name in its metadata even when shared from a personal email account.
Journalists have used photo metadata to locate conflict-zone combatants who posted images online without stripping the embedded GPS data. Law enforcement has used document metadata to identify the sources of leaked materials. Advertisers and data brokers have used photo metadata from images posted publicly to infer location history, device ownership, and the places where a person spends time.
Most social media platforms strip metadata from uploaded images — but not all of them, and the stripping happens after the platform has already extracted and retained the metadata internally. Email attachments, files shared through messaging apps, and images posted to smaller websites often retain their full metadata.
Most image editing software and smartphone settings allow metadata to be removed before sharing. Most people do not know to do this, and the setting is not typically the default.
7 / 20

Credit: Canva Images
Cookies are the tracking method most people have heard of, and most people now know they can be blocked or cleared. Browser fingerprinting is a different technique, and it is significantly harder to prevent.
When a browser connects to a website, it reveals a large amount of information about the device it is running on: the browser type and version, the operating system and version, the screen resolution, the installed plugins and fonts, the time zone, the graphics card details, the language settings, and many other parameters. Taken individually, none of these is unique. Taken together, they form a fingerprint that is specific enough to identify a returning visitor with high accuracy — without setting any cookie, without requiring any login, and without any data stored on the user's device.
Browser fingerprinting scripts run silently in the background of many commercial websites. The technique is used by fraud detection systems, by advertising networks, and by data brokers. A user who clears all cookies, opens a private browsing window, and uses a VPN can still be fingerprinted if the browser returns the same combination of parameters on each visit.
The fingerprint is built in milliseconds, requires no disclosure on the part of the website, and is not addressed by most browser privacy settings. Extensions that block fingerprinting exist, but they work by either blocking the scripts that collect the parameters or by feeding false parameter values — which can break website functionality.
Because fingerprinting does not use stored data, it is not covered by regulatory frameworks that focus on cookies. The legal status of fingerprinting under privacy laws like GDPR is contested, but enforcement against it has been limited.
8 / 20

Credit: Stanislav Kondratiev / Pexels
Apps that have no connection to navigation, mapping, or location-based services frequently request and receive permission to access a smartphone's location. Weather apps, flashlight apps, games, retail apps, and productivity tools have all been documented collecting location data, in many cases continuously and in the background.
The permission request at installation rarely explains how the location data will be used. The explanation is in the privacy policy — typically a long document accessible by a link in small type — which may disclose that location data is shared with advertising networks, data brokers, or analytics companies.
Location data collected by apps is sold through a market for location intelligence. The buyers include hedge funds seeking signals on retail foot traffic, insurers modeling risk, employers assessing commuting patterns, and political campaigns targeting voters. The data is typically sold in aggregate, but at the individual device level it is granular enough to show home address (the place where the device spends nighttime hours), workplace, medical facilities visited, places of worship, and political events attended.
In 2018, The New York Times reported on the location data market in detail, using data from a broker to trace the movements of specific individuals through their location history — including visits to abortion clinics, addiction treatment centers, and domestic violence shelters.
A smartphone with a dozen apps that have background location permission is a continuous location tracking device. The user may have granted each permission individually, in the context of a specific app's request, without understanding that the data would be aggregated and sold.
Revoking background location permissions for apps that do not need them for core functionality is the primary mitigation. iOS and Android both now provide options to share location only while an app is in use, rather than continuously.
9 / 20

Credit: Kampus Production / Pexels
Every credit card transaction creates a record: the merchant, the amount, the date, the time, and in many cases the specific items purchased. This record is held by the issuing bank, by the payment network (Visa $V, Mastercard $MA, American Express $AXP, or Discover $DFS), and by the merchant's payment processor. It is available to all three parties and is routinely used in ways beyond fraud prevention and billing.
Card networks have sold aggregated transaction data to hedge funds and market research firms. The data shows, at scale, whether consumer spending at a particular retailer is rising or falling — useful for investors before earnings reports are published. At the individual level, transaction history is used by banks for credit decisions, product recommendations, and risk modeling.
Some issuers offer programs that analyze transaction history to offer cashback or rewards in specific spending categories. These programs require the cardholder to consent to deeper analysis of their transaction data, but many cardholders do not read the terms carefully enough to understand what that consent covers.
Merchant category codes assigned to each transaction reveal not just where money was spent but what type of establishment it was spent at — including medical providers, legal services, and adult entertainment. A transaction at a cardiologist, a bankruptcy attorney, or a fertility clinic is categorized in the transaction record, and that category travels with the data.
The aggregation of transaction data across time creates a behavioral profile that is, in many respects, more accurate and complete than what a person would volunteer about themselves. It captures behavior rather than self-reported preferences, and it does not forget.
10 / 20

Credit: Connor Scott McManus / Pexels
Smart meters, now installed in a majority of homes in the U.S. and across much of Europe, transmit electricity and gas consumption data to utility companies at intervals as frequent as every 15 minutes. This granularity — far beyond what was possible with analog meters read monthly — creates a detailed behavioral record of household activity.
Electricity consumption patterns can reveal when residents wake up and go to sleep, when they cook, when they use certain appliances, whether they are home during the day, and how many people are in the household. Researchers have demonstrated that smart meter data, at 15-minute resolution, can identify the specific appliances being used by recognizing their characteristic load signatures.
Utility companies use this data for grid management, demand forecasting, and billing. In many jurisdictions, they are also permitted to share or sell it — to third parties, to landlords, or to government agencies — under terms that vary by state and country. U.S. privacy protections for utility data are fragmented, with no federal standard equivalent to those that exist for financial or medical records.
Law enforcement has used smart meter data to identify properties with electricity consumption patterns consistent with indoor cannabis cultivation. The inference does not require entering the property.
Insurance companies and mortgage lenders have sought access to smart meter data to assess property condition and occupancy. Real estate platforms have used it as a proxy for home energy efficiency ratings.
The granularity of smart meter data is typically disclosed to customers, but the practical implications — that the meter records whether someone is home, awake, or using a medical device that draws continuous power — are not commonly explained at installation.
11 / 20

Credit: AMORIE SAM / Pexels
Employers have long had the legal right to monitor activity on company-owned devices and networks. What has changed is the sophistication and scope of the tools available to them. A category of software known as employee monitoring or productivity software can log keystrokes, capture screenshots at regular intervals, record which applications are open and for how long, track mouse movement to distinguish active from idle time, monitor email and messaging content, record video from a device's camera, and measure the time spent on specific tasks or websites.
Deployment accelerated significantly during and after the period of widespread remote work. Tools from companies including Teramind, ActivTrak, and Hubstaff became common in remote work environments, and many employees were not clearly informed of what was being monitored.
In most U.S. states, employers are not required to notify employees that monitoring software is installed on company devices. The notification requirements that do exist tend to be minimal — a line in an employment agreement or an acceptable use policy that employees sign at onboarding and rarely revisit.
Some monitoring tools extend beyond company devices to personal devices that access company networks or email accounts. When an employee installs a company email application on a personal phone, the mobile device management profile required for that installation may give the employer visibility into the device beyond the email application alone — including the ability to remotely wipe the device.
Productivity scores generated by monitoring software have been used in performance reviews, layoff decisions, and disciplinary actions. The scores measure activity, not output, which critics note creates incentives to perform the appearance of work rather than the work itself.
12 / 20
-1920x1280.jpg)
Credit: Burst / Pexels
Facial recognition technology is deployed at airports, sports stadiums, concert venues, casinos, retail stores, and hotel lobbies — often without customers being aware of it. The system works by capturing images from surveillance cameras, extracting a mathematical representation of each face, and comparing it against a database.
The databases vary. At airports, facial recognition is used for identity verification against passport photos held by government agencies — a relatively bounded application. At private venues, the database may contain watchlists compiled by the venue, by law enforcement agencies, or by third-party vendors. Some retailers have used facial recognition to identify known shoplifters. Some casinos use it to identify self-excluded gamblers. Some venues have used it to flag people who have previously been banned.
The legal framework for facial recognition in private commercial settings is limited in most of the U.S. Illinois has the Biometric Information Privacy Act, which requires informed consent before biometric data is collected — and which has generated significant litigation. A small number of other states have enacted similar laws. No comprehensive federal law governs the use of facial recognition by private companies.
The accuracy of facial recognition systems varies by demographic group. Documented error rates are higher for darker-skinned individuals and for women compared to lighter-skinned men, a disparity documented by MIT researcher Joy Buolamwini's work on algorithmic bias.
When a venue uses facial recognition without disclosure, the faces of every person who walks through the entrance are processed and compared against a database without consent. The processing may result in no action and no stored record — or it may result in a flagged identity and a security response.
14 / 20

Credit: Brett Sayles / Pexels
An internet service provider sees every domain name a customer's devices connect to, the timing of those connections, and the volume of data transferred. In the U.S., the Federal Communications Commission's 2016 rules that would have required ISPs to obtain opt-in consent before selling browsing data were repealed by Congress in 2017. Since then, U.S. ISPs have been permitted to sell aggregated — and, under some interpretations, individual — browsing data to third parties without customer consent, subject to the ISP's own privacy policy.
The ISP is structurally positioned to see traffic that bypasses other tracking methods. A user who employs a private browser, blocks cookies, and uses a VPN that terminates at a domestic exit point is still generating DNS traffic visible to the ISP before it reaches the VPN. HTTPS encryption protects the content of web traffic, but the domain names — the addresses of the sites visited — are visible in DNS queries and in Server Name Indication headers that are transmitted before the encrypted connection is established.
Major U.S. ISPs including AT&T $T, Verizon $VZ, and Comcast $CMCSA have established advertising and analytics businesses that use subscriber data. Verizon has offered its Precise Location Data — precise movement data from mobile subscribers — to third-party companies. The company reached a settlement with the FCC in 2021 over data sharing practices related to location data.
The relationship between an ISP and its customer involves a level of trust that is structurally different from the relationship between a user and a website: the ISP is the infrastructure through which all internet activity passes, and the user typically has limited choice about which ISP to use.
15 / 20

Credit: Canva Images
Data brokers are companies that collect personal information from a wide range of sources and compile it into detailed profiles that are sold to businesses, marketers, insurers, landlords, employers, and others. The sources include public records (property ownership, court filings, voter registration, marriage and divorce records), commercial data (purchase history, loyalty program records, transaction data), and digital data (browsing behavior, app usage, location history).
The profiles that result can include name, address history, family members, estimated income, consumer purchasing categories, political affiliation, health condition indicators, employment history, and a large number of inferred attributes. Major data brokers — Acxiom, Experian, LexisNexis, CoreLogic — maintain records on hundreds of millions of individuals.
Most people have never heard of the company holding a detailed file on them. The data broker industry operates largely outside public awareness. A person's profile at a data broker is compiled without their active participation, may contain errors, and may be used for decisions that affect their lives — including credit offers, insurance pricing, and background checks — without them knowing.
The data broker industry in the U.S. is regulated in narrow, sector-specific ways. Credit reporting is governed by the Fair Credit Reporting Act. Health data by HIPAA. But the general data brokerage market — which buys and sells information that falls outside those categories — operates under limited federal oversight.
Vermont requires data brokers to register with the state. California's Consumer Privacy Act gives residents the right to request deletion of their data from brokers. Several other states have enacted similar rights. But exercising those rights requires knowing which brokers hold your data and submitting individual requests to each one.
16 / 20

Credit: Atlantic Ambience / Pexels
Smartphones contain a suite of sensors beyond the camera and microphone. The accelerometer measures device movement and orientation. The gyroscope measures rotation. Together they can detect the pace and pattern of walking, whether the user is sitting, standing, or lying down, and the way the device is held. These sensors do not require a location permission to access — in most mobile operating systems, they are available to any app by default.
Researchers have demonstrated that accelerometer and gyroscope data can be used to identify users across sessions — because the way a specific person walks and holds their phone is distinctive enough to function as a biometric. The pattern of micro-vibrations transmitted through the phone while it is carried is individual.
Applications in health and fitness tracking rely on these sensors legitimately for step counting and activity classification. But the same data stream accessed by an app in the background reveals information that was never consciously shared: how much the user is moving, when they are stationary for extended periods, whether their movement pattern is consistent with a disability, and whether they are driving.
The keyboard on a smartphone also generates accelerometer signal. The taps produce vibrations that carry information about what is being typed. Researchers have demonstrated keylogging using accelerometer data without access to the keyboard input itself, though this technique requires close proximity and specific conditions.
In 2019, researchers at Northeastern University demonstrated that accelerometer data could be used to infer what room of a house a person was in based on the structural vibrations transmitted through the floor.
17 / 20

Credit: alleksana / Pexels
Email services see the content of messages sent through them — and, where scanning is enabled for advertising purposes, analyze that content. But the metadata of email traffic is its own data category and is collected independently of content.
Email metadata includes the sender and recipient addresses, the time and date of each message, the subject line, the message size, the IP address from which the message was sent, and the read receipt timing where that information is available. From this metadata alone — without reading a single word of message content — a detailed picture of a person's life can be constructed.
The frequency and timing of communication with specific senders reveals professional relationships, personal relationships, and service subscriptions. The subject lines of bank statements, utility bills, medical appointment confirmations, and e-commerce order confirmations disclose financial accounts, health care providers, and consumer purchasing even without opening the messages. The IP address associated with outgoing mail can reveal location.
Gmail analyzes email content for smart features including Smart Reply, Smart Compose, and automatic categorization. Google $GOOGL states that this analysis is automated and not reviewed by humans for advertising purposes, following policy changes made in 2017. But the automated analysis generates signals that inform the advertising profile associated with a Google account.
Third-party email clients and productivity apps that request access to a Gmail, Outlook, or Yahoo mail account can, if granted permission, read all messages in an inbox. Many apps request this level of access to offer features like subscription management, invoice tracking, or calendar integration. The scope of data accessible through a single OAuth authorization grant to one of these apps is, for most users, not fully understood at the time permission is given.
18 / 20

Credit: AI25.Studio AI GENERATIVE / Pexels
Behavioral biometrics is a method of identifying and authenticating users based on how they interact with a device — rather than what they know (a password) or what they have (a hardware token). It analyzes patterns including typing rhythm (the specific timing between keystrokes), mouse movement patterns, scrolling behavior, swipe dynamics on a touchscreen, and the way a user navigates through an application's interface.
Financial institutions, e-commerce platforms, and fraud prevention companies use behavioral biometrics to detect account takeover attempts and fraudulent transactions. The logic is that a legitimate account holder interacts with their bank's website in a consistent, recognizable pattern — and a fraudster using stolen credentials will behave differently.
The technology works by collecting interaction data in the background during a normal session and building a behavioral model that is compared against the established baseline on each subsequent visit. This happens without the user knowing it is occurring.
The collection extends to what the system does not know about the user. A person who pauses frequently, uses a screen reader, or navigates differently due to a disability will register as anomalous against a neurotypical baseline. Fraud models that flag unusual behavior can thus inadvertently flag accessibility-related interaction patterns.
The data collected for behavioral biometric modeling — keystroke timing, mouse trajectories, touch pressure and angle — is detailed enough to serve as a behavioral identifier across sessions and potentially across platforms, if the models are shared or sold. The practical implications for long-term identity tracking are not yet fully understood, because the technology is relatively new at commercial scale.
19 / 20

Credit: Torsten Dettlaff / Pexels
Email marketing messages contain invisible tracking pixels: single-pixel images embedded in the message body, hosted on a remote server. When the email is opened, the pixel is loaded from that server, and the server logs the request. That log entry includes the IP address of the device that opened the email, the email client used, the device's operating system, the time the email was opened, and, in many cases, the location associated with the IP address.
Senders use pixel tracking to measure open rates for marketing campaigns and to determine which recipients engaged with which messages. But the same technique is used in personal emails and in surveillance contexts. A lawyer sending a settlement offer, a journalist seeking comment, or an employer sending an HR communication can embed a tracking pixel — or use a service that does it automatically — to know exactly when the email was read, on what device, and from what location.
Services like Superhuman and others faced scrutiny after a 2020 backlash over their use of pixel tracking in personal email, where the feature was enabled by default and recipients were not notified.
The pixel is invisible to the reader. It loads silently as part of the message. No action by the recipient — other than opening the email — is required. Email clients that block remote images by default prevent pixel tracking; some clients, including Apple $AAPL Mail since iOS 15, route image loading through a proxy server that obscures the recipient's IP address. Most email clients, however, do not do this by default.
The information a pixel sends is modest compared to some other tracking methods, but its use in personal correspondence — rather than bulk marketing — raises distinct concerns about the surveillance of private communication.
20 / 20

Credit: RDNE Stock project / Pexels
When a user creates an account with a new app or service using the "Sign in with Google $GOOGL" or "Sign in with Facebook $META" option, they are asked to authorize a set of permissions. The permissions are described in a consent screen, but the language is often broad, the time pressure to proceed is high, and most users do not read the details.
A typical broad-access authorization might include access to the user's name and email, their contacts list, their calendar, their photos, and the ability to send emails or post content on their behalf. Applications that request calendar access can infer daily schedule, meeting frequency, travel patterns, and the names and organizations of people the user meets with. Applications that request contacts access receive, effectively, the social network of the user — including the phone numbers, email addresses, and names of people who never agreed to share their information with that application.
The data collected through these permissions flows to the third-party application — not back to Google or Facebook, which serve only as the authentication intermediary. What the third-party does with that data is governed by their own privacy policy, which the user has typically not read.
OAuth permission grants often do not expire automatically. An authorization given years ago to an app that is no longer actively used may still be active and still receiving new data from synced accounts. Most users have never reviewed the list of apps authorized to access their Google or Apple $AAPL account.
The most underappreciated aspect of this type of data collection is the contact list access. When an app uploads a user's contacts to its servers — for features like "find friends who are also using this app" — it collects personal information about people who never downloaded the app, never agreed to any terms of service, and have no knowledge that their phone number is now in a third-party database.