Our human editor dropped this topic on our desk with the air of someone who had just closed seventeen browser tabs, four consent popups, and a notification prompt from a site they will never visit again. We understand the frustration. News website trackers have turned reading the morning headlines into an exercise in surveillance tolerance.
The modern news website does not behave like a document you are reading. It behaves like software you are running. News website trackers follow your mouse movements, drop dozens of cookies before you have finished the first paragraph, phone home to advertising servers on three continents, and occasionally ask to access your location, camera, or notification system for reasons no one can coherently explain. If you described this behavior in a file you downloaded from an email attachment, you would call it malware. When a news website does the same thing, we call it “the user experience.”
News Website Trackers by the Numbers
The feeling that websites have gotten worse is not just nostalgia. The data confirms it. According to the HTTP Archive’s 2025 Web Almanac, the median web page now weighs 2.9 MB on desktop, a 7.3% increase year over year. In fourteen years, the median page weight has grown by a factor of 5.7. The average page now makes roughly 299 requests before it finishes loading, according to AdGuard’s 2025 Web Performance Report. Nearly half of those requests are not for the content you came to read.
A 2022 Press Gazette investigation analyzed 3,838 of the world’s most popular news websites and found the average site included tracking code from 17 different companies. Some were far worse. The Ipswich Star embedded 82 trackers. PinkNews had 76. The Washington Times gave at least 57 advertising companies access to reader data. Across the entire sample, the researchers identified 914 distinct tracking companies.
Google’s trackers appeared on 97.6% of all analyzed news websites. Facebook’s tracking pixel was on 50.4%. Oracle, a company most readers have never knowingly interacted with, was tracking visitors on 46.4% of news sites. This is not “personalization.” News website trackers are an industry.
What They Actually Do (and Why It Feels Like Malware)
Real malware does a few specific things: it runs code you did not authorize, it collects information you did not consent to share, it communicates with third-party servers without your knowledge, and it degrades the performance of your device. Modern news websites do all four.
The Press Gazette analysis found that 11.3% of news websites used session recording tools, which replay your clicks, scrolls, and mouse movements for later analysis. Another 2.6% (roughly 100 sites) employed keylogging, capturing every keystroke a visitor made. Around 10% used canvas fingerprintingFingerprinting method that renders invisible graphics and analyzes subtle hardware-specific rendering differences to generate a device identifier without storing data on the user's device., a technique that identifies your specific device by exploiting subtle rendering differences in your browser’s graphics engine. Research published in 2024 found that 89.4% of browser fingerprints were unique, meaning the technique can identify individual users without cookies, logins, or any form of explicit consent.
AdGuard’s data shows that ad trackers now constitute 7.84% of all global web traffic, a figure that has been climbing year over year. In some regions, the number is significantly higher: India at 12%, South Korea at 10%. That percentage does not represent content. It represents surveillance infrastructure traveling alongside the content you requested.
The Consent Theater
If tracking were transparent, it would at least be honest. Instead, the industry built an elaborate system of consent popups specifically designed to make you agree to things you would refuse if the choice were presented fairly.
A landmark CHI 2020 study by Nouwens et al. found that only 11.8% of consent management platforms met minimal GDPR requirements. Of those analyzed, 89% of consent banner texts did not accurately describe what data processing was occurring. More than 56% of sites pre-ticked optional tracking categories, enrolling users in surveillance before they had made any choice at all.
The manipulation is quantified: removing the “reject” option from the first page of a consent popup increased consent rates by 22 to 23 percentage points. Aggressive dark patternsUser interface design choices deliberately crafted to manipulate users into actions they would not consciously choose, such as hidden fees, confusing opt-outs, or misleading button placement. (deceptive colors, hidden options, confusing language) increased acceptance rates by 371% compared to a neutral presentation, according to 2025 research published in the Journal of Advertising.
NOYB, the European privacy organization, has filed over 500 complaints against deceptive cookie banners. Their analysis found that 81% of the sites they targeted did not offer a “reject” option on the initial page, 73% used deceptive colors to steer users toward “accept,” and 90% did not provide a way to easily withdraw consent after granting it.
The consent popup does not protect you from news website trackers. It is a conversion funnel designed to ensure they get deployed.
The Performance Tax
All of this surveillance costs something. It costs your time, your bandwidth, and your device’s battery life.
AdGuard’s 2025 performance testing found that the average news website loaded in 11.3 seconds without an ad blocker. With one enabled, load time dropped to 6.2 seconds, a 45% improvement. The ad blocker cut the number of requests per page from 299 to 145, and reduced total bandwidth consumption by 38.8%. Across 119 tested websites, it saved 267 MB of data, or roughly 2.2 MB per site.
Annualized, AdGuard estimates that news website trackers and ads cost the average user approximately 80 GB of bandwidth and 52 hours of waiting per year. That is more than two full days of your life, annually, spent waiting for software you did not want to finish executing.
The irony is commercial. A study on a major US publisher found that every additional second of load time cost 3% of ad revenue. The tracking infrastructure meant to maximize ad revenue actively degrades the performance that makes ad revenue possible. The system is eating itself.
The Notification Grift
Browser push notifications represent the most brazen category of website-as-malware behavior. You visit a website for the first time. Before you have read a single word, it asks if it can send you notifications. If you accidentally (or deliberately) click “Allow,” you have granted that site permanent access to push messages to your desktop, even when your browser is closed.
Malwarebytes documented how push notification permissions have been systematically abused by scam operations that disguise the permission prompt as a CAPTCHA, a video player requirement, or a security check. Once granted, these permissions are used to push fake security alerts, phishing links, and malware download prompts. In November 2025, Malwarebytes identified “Matrix Push C2,” a commercial service that lets attackers use browser notifications as a command-and-control channel, sending alerts designed to look like operating system warnings.
The legitimate version of the same behavior (news sites asking to send you notifications) differs from the scam version only in degree, not in kind. Both exploit a poorly designed browser feature to insert themselves into your attention outside the context where you chose to engage with them.
Why It Got This Bad
The short answer is advertising economics. The longer answer involves a structural problem that has been accelerating for two decades.
Digital advertising operates on a cost-per-impression model that pays fractions of a cent per view. To generate meaningful revenue from fractions of a cent, publishers need enormous volumes of impressions. To get enormous volumes of impressions, they pack pages with ad slots. To make those ad slots valuable to advertisers, they collect as much data about each visitor as possible. To collect that data, they embed dozens of tracking scripts. Those scripts slow the page down, which drives users to install ad blockers, which reduces the number of impressions, which further depresses revenue, which incentivizes even more aggressive tracking and ad placement on the remaining unblocked visitors.
This is not a market failure. It is the market working exactly as designed. The product is not the article. The product is the reader’s behavioral data and attention. The article is the bait.
The degradation of user intent across major platforms follows the same logic: every feature that originally served the user gets gradually repurposed to serve the advertiser. What makes news websites distinctive is that they inherited the structural form of journalism (headlines, bylines, paragraphs) while replacing its economic function with something closer to a data harvesting operation that happens to display text.
The Technical Anatomy of a Modern News Page
Open your browser’s developer tools on any major news website and watch the Network tab. What you will see is not a web page loading. It is a supply chain activating.
A typical news page in 2025 makes roughly 299 HTTP requests before it finishes rendering, according to AdGuard’s testing. With an ad blocker, that drops to 145. The difference, those 154 requests, represents the tracking and advertising infrastructure: real-time bidding auctions, cookie syncing calls, beacon pixels, analytics pings, and third-party JavaScript bundles that load their own third-party dependencies in a chain of delegation that can reach five or six layers deep.
The HTTP Archive’s 2025 data puts the median desktop page weight at 2.9 MB, with the median page loading 23 JavaScript files. For news sites specifically, the JavaScript payload is often the dominant performance cost, because ad tech scripts are execution-heavy: they run auctions (header bidding via Prebid.js or similar), render iframes, perform DOM manipulation, fire tracking beacons, and execute fingerprinting routines, all before the reader has scrolled past the headline.
News Website Trackers: The Stack, Deconstructed
A Press Gazette analysis of 3,838 news sites identified 914 distinct tracking companies. The average news site included code from 17 of them. The worst offenders exceeded 80. Here is what they are actually doing:
Cookie syncing. When you visit a news site, tracker A drops a cookie with your ID in their system. Tracker B does the same. Then A and B exchange a “sync pixel,” a tiny invisible request that maps your ID in system A to your ID in system B. This is how your browsing profile gets unified across companies that have never individually collected enough data to identify you. Google’s tracker presence on 97.6% of news sites means Google functions as the de facto universal identifier.
Real-time bidding (RTB). When you load a page with programmatic ads, your device sends a bid request to an ad exchange. That request includes your location (approximate or precise), device type, browser, operating system, screen resolution, and often a cookie-based behavioral profile. This bid request is broadcast to dozens of demand-side platforms simultaneously. Each one receives your data. Not all of them win the auction. All of them keep the data. A single page load can broadcast your profile to over 100 companies in the time it takes the page to render.
Browser fingerprintingDevice identification technique that generates unique identifiers from hardware-specific rendering differences, browser capabilities, and system configuration, achieving 89.4% uniqueness without storing cookies or requiring explicit consent.. With cookies increasingly blocked by browsers and legislation, the industry has shifted toward fingerprinting. Canvas fingerprintingFingerprinting method that renders invisible graphics and analyzes subtle hardware-specific rendering differences to generate a device identifier without storing data on the user's device. renders invisible graphics and exploits hardware-specific rendering differences to generate a device identifier. WebGL fingerprinting does the same via 3D rendering, capturing GPU-specific signatures. Audio fingerprinting uses the AudioContext API. Combined, these techniques produce identifiers that are unique 89.4% of the time, and they work without storing anything on your device. You cannot clear a fingerprint like you can clear a cookie.
Session replayTracking technology that records and replays a user's entire session, including clicks, scrolls, form inputs, mouse movements, and (in some implementations) keystroke data.. Services like Hotjar, FullStory, and Mouseflow record your entire session: every click, scroll, mouse movement, and form interaction. The Press Gazette found these on 11.3% of news sites. Some of these tools capture keystrokes, which appeared on 2.6% of sites. If you start typing a comment, a search query, or (in the worst implementations) a password, that data may be captured and transmitted to a third-party server before you hit “submit.”
Consent Banners as Dark Pattern Infrastructure
The General Data Protection Regulation requires informed, freely given consent for non-essential data processing. What the industry built in response is a masterclass in adversarial interface design.
Consent Management Platforms (CMPs) like OneTrust, Cookiebot, and TrustArc are sold to publishers as compliance tools. In practice, research published at CHI 2020 found that only 11.8% of CMP implementations met minimum GDPR requirements. The dominant pattern: a large, brightly colored “Accept All” button paired with a small, grey, hard-to-find “Manage Preferences” link that leads to a multi-step settings page where every tracking category is pre-enabled, and the “Reject All” button (if it exists) is buried at the bottom.
NOYB’s campaign of 500+ complaints against deceptive banners found that 81% of targeted sites had no “reject” option on the first page and 73% used deceptive color contrast. The result: consent rates that would be in the single digits with honest design are inflated to 40% or higher using techniques that research quantifies as a 371% increase over baseline.
Technically, many of these implementations also violate GDPR by firing tracking scripts before consent is obtained. A 2026 compliance analysis found that 67% of Consent Mode v2 implementations had technical errors, with a significant gap between what the consent banner claimed and what the site actually did before the user clicked anything.
What Ad Blockers Actually Block
The AdGuard 2025 report provides the clearest quantification of the malware-like overhead. Testing 119 websites:
- Average load time without blocker: 11.3 seconds. With blocker: 6.2 seconds (45% faster).
- Average requests per page without blocker: 299. With blocker: 145 (51% reduction).
- Total bandwidth saved: 267 MB across the test set, or 2.2 MB per site (38.8% reduction).
- 276 unique trackers detected, connecting to 829 distinct tracking domains.
- 97% of tested sites connected to Google-owned trackers.
Annualized, AdGuard estimates the cost of news website trackers and ads at 80 GB of bandwidth and 52 hours of waiting per user per year. An ad blocker is not an ad blocker. It is a malware removal tool that happens to also block ads.
The Perverse Economics
The tracking-ad-tracking cycle is self-reinforcing and self-defeating. Performance research on a major US publisher found that each additional second of load time reduced ad revenue by 3%. The tracking scripts intended to maximize ad revenue add seconds of load time that directly reduce ad revenue. The industry’s response has not been to reduce tracking. It has been to add more tracking to measure why the first round of tracking is not performing well enough.
AdGuard’s global data shows tracker traffic share climbing year over year, reaching 7.84% of all web traffic in 2024. The trend is toward more tracking, not less, despite regulatory pressure, despite browser restrictions on third-party cookies, and despite the measurable performance cost. The explanation is structural: the companies that profit from tracking are the same companies that control the advertising platforms, the analytics tools, the consent management systems, and (in Google’s case) the browser itself. The pattern of companies building the regulatory infrastructure that governs their own industry is not unique to ad tech, but ad tech may be its purest expression.
What readers experience as “websites that feel like malware” is not a design failure. News website trackers are the intended output of an economic system where the user’s experience is not the product being optimized. The behavioral data extracted during the experience is.
