What Trackers Actually Know About You (And How to Stop Them)

The average news article on your phone ships dozens of third-party scripts alongside the words you came to read. Most are invisible. All of them are watching. If you have ever wondered why a pair of sneakers follows you across four unrelated websites for the next week, the answer lives inside those scripts — and understanding what they actually collect is the first step to making them stop.

The five kinds of trackers

Not every tracker does the same thing. They cluster into five rough categories, and each is built around a different data source.

1. Analytics scripts

Analytics trackers — Google Analytics, Adobe, Mixpanel, Amplitude and friends — are the most common. They log every page you visit on a site, how long you stayed, what you scrolled past, and what you clicked. On their own, they collect first-party data. Combined with other trackers, they become part of a profile.

2. Ad network trackers

Ad networks (DoubleClick, Taboola, Outbrain, The Trade Desk, many more) exist to match you to advertisers in real time. When a page loads, your browser pings dozens of ad exchanges, each of which can read its own cookie — the mechanism behind cross-site remarketing.

3. Social pixels

The Facebook Pixel, LinkedIn Insight, TikTok Pixel and their counterparts fire the moment you land on a site that has embedded them, whether or not you use that social network. If you are logged into Facebook elsewhere, the pixel ties the visit back to your account. If you are not, it builds a shadow profile keyed to your browser.

4. Fingerprinting scripts

Fingerprinting does not need a cookie. It reads signals that, combined, identify your device uniquely: screen resolution, installed fonts, timezone, GPU model, canvas rendering quirks, battery level on older browsers, audio-stack behavior. A well-tuned fingerprint can track you across private browsing windows and across VPN changes. This is why clearing cookies alone does not stop tracking.

5. Beacons and tracking pixels

A beacon is a one-by-one transparent image whose real job is its URL. Loading the image registers the page view with the server that hosts it. Beacons also fire from inside email clients, which is how marketers know you opened a newsletter.

What the data actually looks like

Pulled together, a tracking profile typically contains:

• Device signals — model, OS version, screen, language, carrier.
• Approximate location — derived from IP address, sometimes cross-checked against Wi-Fi network names.
• Browsing patterns — which sites you visit, in what order, how often.
• Interests and intent — inferred from categories of content you read and products you looked at.
• Identity anchors — email hashes, phone hashes, and logged-in identifiers from partner sites.

That profile gets bid on, sold, resold, merged with offline data, and packaged into audience segments advertisers rent by the thousand. You never see any of this, because the exchange happens server-to-server.

How cross-site tracking actually works

The classic mechanism is the third-party cookie: a cookie set by a domain other than the one in your address bar. When you visit news.example and it loads an ad from adserver.example, adserver.example sets a cookie on its own domain. The next time a different site loads anything from adserver.example, the same cookie comes along — and now adserver.example knows you visited both sites.

Modern Safari already blocks third-party cookies by default, which is why trackers have moved on to fingerprinting and to first-party redirects that look native but pass data out through URL parameters. The arms race has shifted from cookies to script execution, and the only reliable defense is to block the scripts before they run.

Why private mode is not enough

Private browsing does one thing well: it forgets local state — cookies, history, form data — when you close the tab. It does nothing about the scripts themselves. Every tracker on every page still loads. Fingerprinting scripts still run and still identify your device across sessions, because the fingerprint is the same whether you are in a private tab or not.

If your goal is to keep a gift purchase off a shared laptop's history, private mode is the right tool. If your goal is to stop being tracked, it is not.

How content blockers stop trackers

A Safari content blocker like AdBlock Pro intercepts requests at the network boundary. When a page asks for adserver.example/pixel.gif, the rule matches, and Safari never sends the request. The script or beacon never loads, so no data is sent, no cookie is returned, and no fingerprint is computed.

This is a very different model from a browser extension that waits for scripts to load and then tries to clean up the DOM. By then, the tracker has already run. Blocking at the network layer is the only way to prevent execution outright — and it is exactly what Safari's content blocker API is designed to do.

Blocking is not the same as privacy

It is worth drawing a line. Blocking stops tracker requests from leaving your device. Privacy is a broader property: who gets to see your data, where it is stored, and for how long. You can have a blocker that is effective but leaks telemetry of its own — many browser extensions do. A trustworthy blocker has to be judged on both axes.

AdBlock Pro is built so that no browsing data ever leaves your iPhone. Filter lists are downloaded. Rules are applied locally inside Safari. There is no account, no cloud sync of your history, and no server-side log of the sites you visit. What stays on your device stays on your device.

The short answer

Trackers know more than most people imagine and less than conspiracy theorists claim. They know your device, your rough location, the shape of your interests, and — if you have ever logged into a partner service — your identity. They do not know what you are thinking, but they get closer every year. The good news is that the defense is simple: block their scripts before they run, and almost every layer of the tracking stack collapses at once.