Our Opinion March 2002

Our Opinion Page for March 2002

Web bugs: The nearly invisible cookie

Cookies found on the World Wide Web are small unique text files created by a web site and sent to your computer's hard drive. Cookie files record your mouse-clicking choices each time you get on the Internet. After you type in a Uniform Resource Locator (URL), your browser contacts that server and requests the specific web site to be displayed on your monitor. The browser searches your hard drive to see if you already have a cookie file from the site.

If you have previously visited our forum, the unique identifier code, previously recorded in your cookie file, is identified and your browser will transfer the cookie file contents back to that site. Now the server has a history file of what you selected when you previously visited that site. You can readily see this because your previous selections are highlighted on your screen. If this is going to be the first time you visit the forum, when you do, an ID is assigned to you, and this initial cookie file is saved on your hard drive.

What is a web bug?

A web bug is a graphic on a web page or in an e-mail message that is designed to monitor who is reading the web page or an e-mail message. Like cookies, web bugs are electronic tags that help web sites and advertisers track visitors' whereabouts in cyberspace. However, web bugs are essentially invisible on the page and are much smaller, about the size of full-stop at the end of a sentence.

Known for tracking down the creator of the Melissa virus, Richard Smith, chief technology officer of PrivacyFoundation, is accredited with uncovering the web bug technique. According to Smith, "Typically set as a transparent image and only one pixel by one pixel in size, a web bug is a graphic on a web page or in an e-mail message that is designed to monitor who is reading the web page or e-mail message". According to Craig Nathan, Chief Technology Officer for MEconomy, the 1x1 pixel web bug "is like a beacon, so that every time you hit a web page it sends a ping or call-back to the server saying, Hi this is who I am, and this is where I am."

Most computers have cookies, which are placed on a person's hard drive when a banner ad is displayed or a person signs up for an online service. Savvy web surfers know they are being tracked when they see a banner ad. However, people cannot see web bugs, and anti-cookie filters will not catch them. So the web bugs can wind up tracking surfers in areas online where banner ads are not present or on sites where people may not expect to be trailed.

It is possible to check for bugs on a web page. Once the page has loaded, view the page's source code. Search the page for an IMG tag that contains the attributes WIDTH=1 HEIGHT=1 BORDER=0 (or WIDTH="1" HEIGHT ="1" BORDER="0"). This indicates the presence of a small, transparent image. If the image that this tag points to is on a server other than the current server (i.e., the IMG tag contains the text SRC="http://"), it is quite likely a web bug.

Privacy and other web bug issues

Advertising networks, such as DoubleClick or Match Point, use web bugs (also called Internet tags) to develop an "independent accounting" of the number of people in various regions of the world, as well as various regions of the Internet, who have accessed a particular web site. Advertisers also account for the statistical page views within the web sites. This is very helpful in planning and managing the effectiveness of the content, because it provides a survey of target market information (i.e., the number of visits by users to the site). In this same spirit, the ad networks can use web bugs to build a personal profile of sites a person has visited. This information can be warehoused on a database server and mined to determine what types of ads are to be shown to that user. This is referred to as directed advertising.

Web bugs used in e-mail messages can be even more invasive. In web-based e-mail, web bugs can be used to determine if and when an e-mail message has been read. A web bug can provide the IP address of the recipient, whether or not the recipient wishes that information disclosed. Within an organisation, a web bug can give an idea of how often a message is being forwarded and read. This can prove to be helpful in direct marketing to return statistics on the effectiveness of an ad campaign. web bugs can be used to detect if someone has viewed a junk e-mail message or not. People who do not view a message can be removed from the list for future mailings.

With the help of a cookie, the web bug can identify a machine, the web page it opened, the time the visit began and other details. That information, sent to a company that provides advertising services, can then be used to determine if someone subsequently visits another company page in the same ad network to buy something or to read other material. "It's a way of collecting consumer activity at their online store," says David Rosenblatt, senior vice president for global technology at DoubleClick. However, for consumer watchdogs, web bugs and other tracking tools represent a growing threat to the privacy and autonomy of online computer users.

It is also possible to add web bugs to Microsoft Word documents. A web bug could allow an author to track where a document is being read and how often. In addition, the author can watch how a "bugged" document is passed from one person to another or from one organisation to another.

Some possible uses of web bugs in Word documents include the following:

• Detecting and tracking leaks of confidential documents from a company
• Tracking possible copyright infringement of newsletters and reports
• Monitoring the distribution of a press release
• Tracking the quoting of text when it is copied from one Word document to a new document

Web bugs are made possible by the ability in Microsoft Word for a document to link to an image file that is located on a remote web server. Because only the URL of the web bug is stored in a document and not the actual image, Microsoft Word must fetch the image from a web server each and every time the document is opened. This image-linking feature then puts a remote server in the position to monitor when and where a document file is being opened. The server knows the IP address and host name of the computer that is opening the document.

A host name will typically include the company name of a business. The host name of a home computer usually has the name of a user's Internet Service Provider. Short of removing the feature that allows linking to web images in Microsoft Word, there does not appear to be a good preventative solution. In addition to Word documents, web bugs can also be used in Excel 2000 and PowerPoint 2000 documents.

Synchronisation of web bugs and cookies

Additionally, web bugs and browser cookies can be synchronised to a particular e-mail address. This trick allows a web site to know the identity of people (plus other personal information about them) who come to the site at a later date. To further explain this, when a cookie is placed on your computer, the server that originally placed the cookie is the only one that can read it. In theory, if two separate sites place a separate unique cookie on your computer, they cannot read the data stored in each other's cookies. This usually means, for example, that one site cannot tell that you have recently visited the other site.

However, the situation is very different if the cookie placed on your computer contains information that is sent by that site to an advertising agency's server and that agency is used by both web sites. If each of these sites places a web bug on their page to report information back to the advertising agency's computer, every time you visit either site, details about you will be sent back to the advertising agency utilising information stored on your computer relative to both sets of cookie files. This allows your computer to be identified as a computer that visited each of the sites. An example will further explain this: When Fiona, the web surfer, loads a page or opens an e-mail that contains a web bug, information is sent to the server housing the "transparent GIF". Common information being sent includes the IP address of Fiona's computer, her type of browser, the URL of the web page being viewed, the URL of the image, and the time the file was accessed. Also, potentially being sent to the server, the thing that could be most threatening to Fiona's privacy, is a previously set cookie value, found on her computer.

Depending on the nature of the pre-existing cookie, it could contain a whole host of information from user-names and passwords to e-mail addresses and credit card information. To continue with our example, Fiona may receive a cookie upon visiting web Site #1 that contains a transparent GIF that is hosted on a specific advertising agency's server. Fiona could also receive another cookie when she goes to web Site #2 that contains a transparent GIF which is hosted on the same advertising agency's server. Then the two web sites would be able to cross-reference Fiona's activity through the cookies that are reporting to the advertiser. As this activity continues, the advertiser is able to stockpile what is considered to be non-personal information on Fiona's preferences and habits, and, at the same time, there is the potential for the aggregation of Fiona's personal information as well.

It is certainly technically possible, through standardised cookie codes, that different servers could synchronise their cookies and web bugs, enabling this information to be shared across the web. If this were to happen, just the fact that a person visited a certain web site could be spread throughout many Internet servers, and the invasion of one's privacy could be endless.

Further Reading

The Blind Alley's "Web Bugs Nibbling at Consumer Privacy" http://theblindalley.com/webbugsinfo.html
CIAC's Information Bulletin I-034 "Internet Cookies" http://ciac.llnl.gov/ciac/bulletins/i-034.shtml
HowStuffWorks' "How Internet Cookies Work" http://www.howstuffworks.com/cookie2.htm

Until next month cya in cyberspace.