Your Web Browser is Bugged

Cookies have been the nemesis of privacy advocates for quite some time now, but cookies are relatively tame compared to their sneakier siblings, Web bugs, which stealthily track you as you view content from around the Internet.

ITPro Today

July 12, 2000


Cookies have been the nemesis of privacy advocates for quite some time now, but cookies are relatively tame compared to their sneakier siblings, Web bugs, which stealthily track you as you view content from around the Internet. Web bugs are tiny 1-pixel image files that you never see on the screen. In addition to relying on stored cookie information sent in association with a banner ad or other content, companies such as DoubleClick have added Web bugs to their arsenal of profiling devices.

The way Web bugs work is simple: when a user visits a Web page that contains a Web bug, that page will have an HTML tag designed to request the bug (image file) from a specific server designed to gather information about the user. The image, usually 1 pixel in size, is so small that almost no one will notice it on the screen, particularly if it's matched to the background color of the Web page.

The tracking ability comes from the inherent inner workings of the Web browser itself, and the fact that almost every user allows graphics to be displayed in their Web browser. As you know, when a Web browser sends a request for content to a Web server, it usually sends that request along with some amount of detail about the user's machine. For example, when asking for a Web page, Internet Explorer and Netscape both send the user's IP address, operating system type and version, browser type and version, the last Web page you visited, and more. In addition, the URL request itself can be encoded to include information that you had previously entered during a given Web site session. For example, Quicken's Web site had a Web bug that sent date-stamp session parameters back to DoubleClick and MatchLogic.

All of the information sent during a request is recorded by Web servers. In addition, while delivering a Web bug the server could read existing cookies to learn past surfing habits. Keep in mind that Web bugs work in any application capable of displaying HTML graphics, including email clients, newsgroup readers, chat clients, word processors, and more. Cookies can be disabled, or the browser can be configured so that it prompts the user before automatically accepting them. But since almost everyone allows their browser to retrieve images embedded in Web pages, it's incredibly difficult to stop the companies from spying through the use of Web bugs that take the form of 1-pixel images.

Cookies and Web bugs bother many people badly enough, but add to that the fact that in November of 1999 DoubleClick purchased Abacus Direct, holder of detailed consumer profiles on more than 90 percent of the households in the U.S., and there is plenty of room for heated conflict. DoubleClick's acquisition prompted one law firm to file suit against the company, which makes for a current total of four privacy-related suits against the advertising firm.

Security professional Richard M. Smith maintains a Web Bug FAQ to answer numerous common questions on the subject. But more interesting than the FAQ is the page of links Smith provides for locating Web bugs using the Altavista search engine (JavaScript required). Smith's search links locate Web bugs belonging to almost two dozen companies that track your Web surfing habits without your direct knowledge. For example, a search using a URL formatted by Smith to locate DoubleClick Web bugs returns some 178 bugged pages, including bugs which were located on the Web pages of several major pharmaceutical vendors, a major hotel chain, and money lenders.

Even Microsoft's own Windows 2000 Web site has a Web bug tracked by DoubleClick, as seen in the HTML tag in Figure 1 below. The tag was extracted from Microsoft's Windows 2000 default Web page on July 13th. Notice that this particular Web bug also tests your browser's SSL capabilities by requesting the Web bug via the HTTPS protocol instead of the usual HTTP protocol. By cross-referencing known IP address assignments, it may be possible to use such a Web bug to identify computers that are using 128-bit SSL in areas of the world where possession of that technology may be illegal either through local laws or through illegal export from the U.S.

Even major retailers are using Web bugs to secretly track your Web browsing habits. For example, Barnes and Noble (B&N), best known for selling books, is now receiving plenty of notoriety for their efforts to track unsuspecting users--many of whom may never buy a book from the company--on sites all around the Internet. A quick search using yet another URL formatted by Smith reveals that some 109,113 Web pages contain Barnes and Noble sanctioned Web bugs! Everything from ESPN's IronMan Coverage to the Virtual Resume Home page contains B&N Web bugs.

Take time to explore Smith's preformatted search URLs to locate yet other Web bugs in use around the Web. If Web bugs are a privacy concern for you and your environment provides a mechanism for site blocking or URL and content filtering, then consider establishing rules that block the offending Web bugs. Use the URLs on Smith's page of search links as a baseline for developing your rules.
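As an added illustration (not part of the original article), the following Python sketch audits a page's HTML for the pattern described above: an image declared 1x1 or smaller that is fetched from a host other than the page's own. It reports the query parameters each request would carry and lists the hosts to review for a filtering rule. The host names and sample page are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

def _px(value):
    """Pixel size as int, or None when the attribute is absent or not a plain number."""
    value = (value or "").strip()
    return int(value) if value.isdecimal() else None

class WebBugFinder(HTMLParser):
    """Collects <img> tags declared 1x1 (or 0x0) that load from a host other than the page's."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlsplit(page_url).hostname or ""
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is None or h is None or w > 1 or h > 1:
            return  # no declared size, or a visible image
        src = urlsplit(a.get("src") or "")
        # Exact host match is a simplification: sibling subdomains count as third party.
        if not src.hostname or src.hostname == self.page_host:
            return  # relative or same-host URL: treated as a layout spacer
        params = [k for k, _ in parse_qsl(src.query, keep_blank_values=True)]
        self.findings.append({"host": src.hostname, "scheme": src.scheme, "params": params})

def find_web_bugs(page_url, html):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

def block_candidates(findings):
    """Distinct hosts to review for a site-blocking or URL-filtering rule."""
    return sorted({f["host"] for f in findings})

# Constructed sample page (hypothetical hosts, not taken from any real site).
SAMPLE_URL = "http://shop.example/index.html"
SAMPLE_HTML = """<html><body bgcolor="#FFFFFF">
<IMG SRC="/images/spacer.gif" WIDTH=1 HEIGHT=1>
<img src="https://ads.tracker.example/pixel.gif?site=shop&amp;sid=20000713" width="1" height="1">
<img src="http://stats.example.net/b.gif" width=1 height=1>
<img src="http://cdn.example.org/banner.gif" width="468" height="60">
</body></html>"""

if __name__ == "__main__":
    for f in find_web_bugs(SAMPLE_URL, SAMPLE_HTML):
        print(f["scheme"], f["host"], f["params"])
```

The check relies on the `width` and `height` attributes, so an image that is sized some other way or carries no size attributes is not reported.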
