Advertisements on websites usually come in the form of iframes — basically, rectangular areas into which a completely different website (the ad) is loaded. These ads are served by just a few big ad companies like DoubleClick.

Cookies are just little text files that a website can store to save a bit of information it doesn’t want to lose between reloads — for example, that you are logged in to something, so you don’t have to re-login all the time. Cookies left by a site of one domain name can only be read by other sites of that same domain name. So a cookie set by e.g. hotmail.com will only ever be read by hotmail.com.

But iframes with ads subvert this principle — any DoubleClick iframe can read the cookies set by any other DoubleClick iframe, and the cookies that these iframes set contain, among other info, the exact page you were on. So the company DoubleClick knows your complete browsing history (of all pages with DoubleClick ads on them, but that’s a lot).

Similarly for Facebook and Google and Amazon and other big companies — lots of websites include widgets (such as a like button) by these companies, and just by visiting the website, without you clicking the button, Facebook etc. will know that you were on that website, because the like button is actually an iframe that reads Facebook’s cookie which says you are currently logged in on that machine.

So what happens: stuff tracks you even more than it does anyways.