A study demonstrates that simply knowing someone’s email (or a similar personal identifier) makes it possible to see what kind of products the victim buys online. The attack leverages the mechanisms used by advertisement companies that can track one person across multiple devices, and it is as simple as forging a browser cookie. In the case of retargeted ads, it is even possible to see what products the victim bought recently.
To defend yourself, you can use a separate “secret” email for shopping, browse without being logged anywhere, be mindful of security and privacy, refuse third-party cookies, and use privacy plugins in your browser. Those efforts help, but they are not enough to solve the problem entirely, and the result is a tedious experience where some websites may even block you since they cannot monetize your data. Solving this kind of privacy violation requires a change in the industry, but it is such a big business that it will never happen spontaneously.
Reference
ChangSeok Oh, Chris Kanich, Damon McCoy, Paul Pearce (2022) Cart-ology: Intercepting Targeted Advertising via Ad Network Identity Entanglement. CCS ’22, November 7–11, 2022, Los Angeles, CA, USA. https://faculty.cc.gatech.edu