Smart Computing ®

The Threats
April 2000 • Vol.8 Issue 4

Beware Of Web Bugs & Clear GIFs
Learn How These Innocuous Tools Invade Your Privacy
Web bugs, also known as Clear GIFs (clear Graphics Interchange Format files), are a threat to the privacy of Web users, but they aren't a new phenomenon. People have known about them for some time, but only recently have they received media attention as privacy experts hasten to educate Web users about the threats they pose.

Web bugs are used by large organizations that make financial gains by tracking user behavior on the Web. They are used as a tool for tracking where individual users go on the Web and what they view. This way a profile of an anonymous user can be created over time, eventually providing rich detail about that user's preferences and interests. Advertisers can use this data to target advertising banners and information specifically to that user.

Web bugs can also be used in conjunction with e-mail. When used with e-mail, they allow these same organizations to link or synchronize e-mail addresses with information the company has in its anonymous profiles about individual users. In this way your Web surfing history can be linked to your e-mail address. This poses a significant threat to your personal privacy.



Defining Web Bugs.

Any image can be used as a Web bug, but a Web bug is most often implemented as a 1 x 1 pixel GIF image file that has its color set to transparent, so it is effectively invisible on a Web page or in a Hypertext Markup Language (HTML)-enabled e-mail program. The image file's transparency gives it the names Clear GIF and Transparent GIF.

These images (or Web bugs) are embedded in a Web page or an e-mail message in the same way as any other image inside an <IMG> HTML tag. The difference with these images is that they don't reside on the same server as the Web page. Instead, they reside on the server of an Internet advertising company, such as DoubleClick or MatchLogic. These images work in a similar way to Web counter programs; a call is made to the advertising company's site for the GIF image to be downloaded whenever a user downloads the page from the company Web site. This tells the advertising company that someone is visiting the site and provides some detail about that visitor.

Clear GIFs aren't new; they've been used for some time in Web pages. For example, David Siegel encouraged the use of what he called Single Pixel GIFs in his "Creating Killer Web Sites" book. These small invisible images were used to accurately position images on a Web page, something that was quite difficult to do otherwise. The significant differences between these GIFs and Web bugs are that Clear GIFs are used as a page formatting tool, and the images themselves reside on the same server as the Web page. In contrast, Web bugs are used to collect information about visitors' Web browsing habits, and the image file generally resides on a different server than the one on which the Web page resides.



Seeing A Web Bug.

If you'd like to see a Web bug, visit InvestorPlace at http://www.investorplace.com; you'll find a bug at the top of the page, which you can see if you choose View, Source in Internet Explorer or View, Page Source in Netscape. The code provides information about an InvestorPlace visitor to the advertising agency DoubleClick, and it looks like this:

<IMG SRC="http://ad.doubleclick.net/activity;src=328142;type=mmti;cat=invstr;ord=<Time>?" WIDTH=1 HEIGHT=1 BORDER=0>



There are multiple bugs similar to this on AltaVista's home page at http://www.altavista.com. When you're looking for Web bugs, don't be fooled into thinking that they exist only where you find banner ads. That's simply not true. Banner ads and Web bugs are entirely different entities.

You can check for bugs on a Web page by waiting until the page has loaded and then viewing the page's source code. Search the page for an IMG tag that contains the attributes WIDTH=1 HEIGHT=1 BORDER=0 (or WIDTH="1" HEIGHT="1" BORDER="0"), which indicate the presence of a small, transparent image. If the image that this tag points to is not on the current server (for example, the IMG tag contains the text SRC="http://"), you've most likely found a Web bug.

In Internet Explorer, the page source code is opened inside Notepad. Using the Search option in Notepad lets you use that text editor to do the work of looking for the code for you. If you're using Netscape, with the source code visible on the screen, press CTRL-A and then CTRL-C to select and copy the source code, then paste it into a word processor or Notepad and use the search option to find the bug if it exists.
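The manual check described above, automated as an added example (not code from the original article): it parses a page's HTML, finds IMG tags declared as 1 x 1, and reports those whose SRC resolves to a different site than the page. The host names and the two-label same-site comparison are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ImgCollector(HTMLParser):
    """Collect the attributes of every IMG tag (the parser lower-cases tag and attribute names)."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def site_of(host):
    # Crude same-site test: compare the last two DNS labels.
    # Assumption: adequate for .com-style names; a real tool would use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def find_web_bugs(page_url, html):
    """Return absolute URLs of 1 x 1 images served from a different site than page_url."""
    collector = ImgCollector()
    collector.feed(html)
    page_site = site_of(urlparse(page_url).hostname or "")
    bugs = []
    for img in collector.images:
        # WIDTH=1 and WIDTH="1" both arrive here as the string "1".
        if (img.get("width") or "").strip() != "1" or (img.get("height") or "").strip() != "1":
            continue
        src = urljoin(page_url, img.get("src") or "")  # resolve a relative SRC against the page
        host = urlparse(src).hostname
        if host and site_of(host) != page_site:
            bugs.append(src)
    return bugs

# Constructed sample page: a same-server spacer GIF, a third-party 1 x 1 image,
# and an ordinary-sized third-party banner.
SAMPLE = """
<HTML><BODY>
<IMG SRC="/images/spacer.gif" WIDTH="1" HEIGHT="1" BORDER="0">
<IMG SRC="http://ads.tracker.example/activity;src=0000;type=x;ord=1" WIDTH=1 HEIGHT=1 BORDER=0>
<IMG SRC="http://ads.tracker.example/banner.gif" WIDTH=468 HEIGHT=60>
</BODY></HTML>
"""

if __name__ == "__main__":
    for url in find_web_bugs("http://www.shop.example/index.html", SAMPLE):
        print("possible Web bug:", url)
```

The same-server spacer GIF is not reported, which matches the distinction drawn earlier between layout GIFs and Web bugs.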


You'll find a Web bug buried in the HTML code on the InvestorPlace Web site at http://www.investorplace.com.

Internet security expert Richard Smith offers a page of links on his Web site to a series of Proctor and Gamble Web sites containing Web bugs placed by Internet advertising company MatchLogic. Also included on his page is the search string "image:media.preferences.com/ping", which he used to locate the pages using the AltaVista search engine. You might like to try a similar search yourself and see what turns up.



What Bugs Say About You.

When you load a page that contains a Web bug, quite a bit of information about you is sent to the server that hosts the transparent GIF file. This information is similar to that which is routinely collected by most servers and stored in their visitor log files. The information includes the Internet Protocol (IP) address of the computer you are using, the universal resource locator (URL) of the page you're viewing, the time you are viewing it, and the type of browser and operating system you are using. Additionally, the value of a cookie that is already stored on your computer can be sent to the server. It is this last piece of information that is most threatening to your privacy.



Cookies & Web Bugs.

To understand why cookies and Web bugs are so potentially threatening, you need to understand one special fact about cookies. When a cookie is placed on your computer, the server that originally placed the cookie is the only one that can read it. In theory, if two separate sites each place a cookie on your computer, they can't read the data stored in each other's cookies. That means, for example, that one site can't tell that you have recently visited the other site.

However, the situation is very different if the cookie placed on your computer contains information that is sent by that site to an advertising agency's server, and that agency is used by both Web sites. If each of these sites places a Web bug on its page to report information back to the advertising agency's computer, every time you visit either site, details about you will be sent back to the advertising agency utilizing information stored on your computer in the agency's cookie. This allows your computer to be identified as the computer that visited each of the sites.

Over time, an advertising agency with a significant presence on the Web (a network of client sites) can build up a detailed profile of your browsing habits. The result will be that you are likely to see that the advertising served up on the Web sites you visit is closely aligned to your personal preferences because the advertising agency knows a lot about the sites you visit and what you view based on the information it has stored on you. At this point the agency knows a lot about you, but you are still anonymous because it doesn't know who you are.
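An added example, not part of the original article, of how the linkage described in this section shows up in a record of one browser's own requests: it flags third-party hosts that received the same cookie value while pages from two or more different sites were being viewed. The log entries, host names and cookie values are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed log of image requests made by one browser:
# (URL requested, Referer header, Cookie header sent with the request)
REQUESTS = [
    ("http://ads.agency.example/bug.gif?site=news", "http://www.news.example/story.html", "id=A1B2C3"),
    ("http://www.news.example/logo.gif", "http://www.news.example/story.html", "session=77"),
    ("http://ads.agency.example/bug.gif?site=shop", "http://www.shop.example/cart.html", "id=A1B2C3"),
    ("http://counter.stats.example/hit.gif", "http://www.shop.example/cart.html", ""),
    ("http://www.shop.example/pixel.gif", "http://www.shop.example/cart.html", "basket=9"),
]

def site_of(url):
    # Assumption: the last two DNS labels identify the site (fine for these sample names).
    return ".".join((urlparse(url).hostname or "").lower().split(".")[-2:])

def cross_site_trackers(requests):
    """Map each third-party host to the sites on which it was sent the same cookie."""
    seen = defaultdict(set)  # (host, cookie) -> sites whose pages triggered the request
    for url, referer, cookie in requests:
        page_site = site_of(referer)
        if not cookie or site_of(url) == page_site:
            continue  # no identifier was sent, or the image is on the page's own site
        seen[(urlparse(url).hostname, cookie)].add(page_site)
    linked = defaultdict(set)
    for (host, _cookie), sites in seen.items():
        if len(sites) > 1:  # one cookie value seen from several sites links those visits
            linked[host] |= sites
    return {host: sorted(sites) for host, sites in linked.items()}

if __name__ == "__main__":
    for host, sites in cross_site_trackers(REQUESTS).items():
        print(host, "can link visits to:", ", ".join(sites))
```

The counter image is third-party but carries no cookie, and each site's own images carry only that site's cookie, so neither is reported.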



Web Bugs & E-mail.


Web sites such as Phar Lap Software show you just what information a site can find out about you when you visit.

HTML e-mail is becoming more prominent on the Web. One little-known fact about it is that your Web browser is used to read HTML e-mail, thus providing access to the cookies stored on your computer whenever one of these HTML e-mails is read. Whenever an e-mail message that features an embedded (in HTML code) Web bug is read, the transparent image is retrieved from the e-mail sender's server. The sender then knows that the e-mail message has been read and knows the time that it was read, as well as your IP address. From this, the e-mail company can build a detailed record of the number of people who received and viewed its message.

In addition, the Web bug can include your e-mail address (regardless of whether it's encoded) to allow the company to track whether you in particular have read your message. When the e-mail is read, the browser sends for the image to download and in the process sends your e-mail address to the server. Now the sender knows that you have read your message, and this indicates that your e-mail address is still current. If you don't read the message, the company will know this, too, and it can purge its e-mail records of your address, allowing it to maintain an accurate and current list of e-mail addresses.

Web bugs provide a highly reliable alternative to read receipts. Read receipts aren't supported by all e-mail software and can be easily disabled. In contrast, Web bugs are automatic and invisible to the user and cannot be disabled. Web bugs allow an e-mail sender to learn a lot about you even though they may have begun by only acquiring an e-mail address.

Perhaps the most worrisome aspect of Web bugs in e-mail is that a company that knows your e-mail address can encode this address in a tag that your browser uses to request an image from someone else's Web site, such as an advertising company. This process potentially gives the advertising company your e-mail address and the opportunity to link it to its own cookies, which it already has stored in your Web browser. At this point, it not only knows the sites you visit and what you view on those sites, but it also knows your e-mail address.

In this scenario, the e-mail company and advertising agency need to be working together, or they need to be the same entity. It is highly possible for an advertising company to rent the small amount of space required to code its IMG tag in an e-mail company's e-mail messages and to arrange for your e-mail address to be included in that tag.


Richard Smith's Web site has a list of Proctor and Gamble Web pages that contain Web bugs.

To see if the e-mail you're receiving contains Web bugs, you can check the HTML code in the same manner as you would in a Web browser. If you're using Netscape as your e-mail software, you can view the source code for an e-mail by opening the message and choosing View, Page Source. Check the Help section of other e-mail software to see if you can view the HTML code behind your e-mail messages.

Web bugs in e-mail messages look much the same as a Web bug on a Web page. Chances are that because the sender knows your e-mail address, the Web bug will also include a reference to your e-mail address, which may or may not be encrypted.
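An added example (not from the original article) of checking an HTML e-mail for the tagging described in this section: it lists remote image URLs that contain the recipient's address in plain, percent-encoded, base64 or MD5-hashed form. The message, the addresses and the list of encodings are assumptions; a sender could use an identifier this check does not recognize.

```python
import base64
import hashlib
import re
from email import message_from_string
from urllib.parse import unquote

RECIPIENT = "reader@home.example"  # constructed address
TOKEN = base64.b64encode(RECIPIENT.encode()).decode().rstrip("=")

# Constructed HTML message: one image URL carries the address percent-encoded,
# one carries it base64-encoded to a second company's server, one is an ordinary logo.
SAMPLE = f"""\
From: news@mailer.example
To: {RECIPIENT}
Content-Type: text/html; charset="us-ascii"

<HTML><BODY>
<IMG SRC="http://mailer.example/open.gif?u=reader%40home.example" WIDTH=1 HEIGHT=1>
<IMG SRC="http://ads.agency.example/bug.gif?k={TOKEN}" WIDTH=1 HEIGHT=1>
<IMG SRC="http://mailer.example/logo.gif" WIDTH=120 HEIGHT=40>
</BODY></HTML>
"""

IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def address_forms(addr):
    raw = addr.lower().encode()  # forms checked: an assumed, non-exhaustive list
    return {"plain": addr.lower(),
            "base64": base64.b64encode(raw).decode().rstrip("="),
            "md5": hashlib.md5(raw).hexdigest()}

def find_tagged_images(raw_message, recipient):
    """Return (url, form) for each remote image URL that embeds the recipient's address."""
    forms = address_forms(recipient)
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("latin-1")
        for src in IMG_SRC.findall(html):
            if not src.lower().startswith(("http://", "https://")):
                continue  # cid: and relative references do not contact a remote server
            decoded = unquote(src)  # turns %40 back into @
            for form, needle in forms.items():
                # base64 is case-sensitive; the other forms are compared in lower case
                if needle in (decoded if form == "base64" else decoded.lower()):
                    hits.append((src, form))
    return hits

print(find_tagged_images(SAMPLE, RECIPIENT))
```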



Protect Your Privacy.

Web bugs are simply images downloaded from other servers, and you can't do anything to stop the image from being downloaded, short of turning off image display for all the images on your Web page. For most users this will be too high a price to pay for maintaining anonymity.

However, you can be more selective about which companies you allow to place cookies on your computer, and it is recommended that you set the cookie controls on your browser at the very least to always ask you before a cookie is written to your computer. When you do this, you should also remove any existing cookies from your computer as they can be accessed even when you have cookies disabled.

Another way of preventing Web bugs from doing their work is not to read any HTML mail you receive from an unknown source. Deleting junk e-mail without having opened or read it will prevent the Web bug from signaling to the sender that you have read the message. The Junkbusters Corporation, with a mission "to free the world from junk communications," suggests other options for protecting yourself, which include using cookie management or ad filtering software.



Where The Information Goes.

It's not just the advertising agency or the Web site placing the Web bug in an e-mail message that has access to your information. An article in Wired, February 1998 (http://www.wired.com/news/news/culture/story/10555.html) reported a potentially embarrassing situation encountered by an employee who was accessing his private e-mail account from his employer's computer. One e-mail message he received contained a link to an image on a server so that when the message was viewed, the image was downloaded from the server, and the IP address of the image was recorded in the employer's logs. This allowed the company to make a link between the employee and the Web site that contained the image, with potentially damaging consequences to the privacy of the employee.



The Responsibility Factor.

The threat to your security posed by Web bugs is a direct result of the current generation of e-mail software being able to send cookies when e-mail messages are read. According to Richard Smith, this is a security hole in both the Microsoft and Netscape browsers. He believes that the best solution to the problem would be for those companies to prohibit cookies from being sent out in HTML e-mail messages.

He maintains that while the actual use of Web bugs is relatively new, people have known about their potential for some time. He suggests that if "banner ad companies enter the e-mail servicing business, they'll be putting themselves in a very good position to also know the identity of people who are surfing to Web sites," simply because of their ability to use the browser security hole. One significant indication of this trend was the move late last year by the shareholders of the advertising agency DoubleClick and the junk mail database company Abacus Direct to merge the companies. This is exactly the scenario that Smith is warning about.

Jason Catlett, President of Junkbusters, sums up the situation when he states, "It's intolerable that e-mail can be used to silently zap a nametag onto you that might be scanned by a site you visit later. It's like secretly barcoding people with invisible ink."

by Helen Bradley



For More Information:

Disabling cookies
http://www.junkbusters.com/ht/en/cookies.html

Cookie management
http://www.junkbusters.com/ht/en/links.html#measures

Ad filtering software
http://www.junkbusters.com/ht/en/links.html#filtering

Junkbusters' comments on online profiling to the FTC (October 1999)
http://www.junkbusters.com/ht/en/profiling.html

Richard Smith's Web bug FAQ
http://www.tiac.net/users/smiths/privacy/wbfaq.htm

The Cookie Leak Security Hole in HTML E-mail messages (Richard Smith)
http://www.tiac.net/users/smiths/privacy/cookleak.htm

Web Bugs at Proctor and Gamble Web sites (Richard Smith)
http://www.tiac.net/users/smiths/privacy/wbpg.htm

Phar Lap software's Who are you? Network diagnostics page
http://jshelper.pharlap.com/netdiags/wru.htm

Apple Spam with Web bugs
http://www.macintouch.com/applespam1299.html






Copyright © by Sandhills Publishing Company 2010. All rights reserved.