Arawak Net Analysis: Invasion of internet privacy by means of web bugs combined with cookies

WEB BUGS, SMALL GRAPHIC OBJECTS THAT CREATE A HIGHWAY FOR INTERNET PRIVACY INVASION

"On July 20, Microsoft announced that it was introducing a beta security patch for the next version of Internet Explorer that would allow for better management of web cookies. The test version of the patch should be available to the public by the end of August", writes Electronic Privacy Information Center (EPIC) in its EPIC Alert newsletter of July 27th.

If you are tired of hearing or reading about cookies, welcome to the club!

But please try to tarry a while here; because there are two 'angles' to the Microsoft announcement that are worthy of thought. First, put it up against some other late-breaking news and you may begin to see a picture which says that Little People have far more power in their hands, in this privacy war, than we may have thought. Second, and more on your doorstep, it is time for you to learn something about a 'new' development that makes the presence of cookies on your computer much more ominous than you might have thought at first. Ånd that development causes the Microsoft announcement to take on a great deal of significance for all of us.

That development is called the "Web Bug". The Web Bug comes into your computer with absolutely no warning from your browser, and none is to be expected in the foreseeable future.

The Web Bug does not cause harm to your system; because it is a harmless graphic object. But it becomes the highway for dossiers to be built about you. The equally harmless cookies are an essential ingredient in the process. Therefore, since you should not reasonably expect to purge all your cookies, you need to pay some attention to cookie management, and to programs that help you with the management functions.

WHY THE MICROSOFT ANNOUNCEMENT IS IMPORTANT

But first, let's get back to the news. Since version 4.5, Internet Explorer (I.E.) has had decent cookie management functionality (choose Preferences and then Cookies, and you will see various options open to you for handling various groups of cookies or individual ones; but keep in mind that just disabling a cookie is not enough to prevent its use -- you must delete it). ( It appears that you need special programs to achieve similar control over cookies with Netscape.)

So if recent versions of I.E. already give you decent control over cookies, why has Microsoft moved to make its July 20th announcement? It wasn't even announcing the prompt availability of the new program! Could it be that the leaders of The Great Corporation have come to the conclusion that it's a good idea to help lower the level of public concern about privacy invasion on the internet?

Consider these next two items that point in the same direction.

First, Disney quickly announced that it was willing to purchase the Toysmart.com customer files to prevent them from being used by third parties, contrary to what Toysmart promised its clients. This was going to be a straight out-of-pocket expense that would bring Disney no revenue, only some public goodwill. Could it be that the leadership of Disney also came to the conclusion that public concern about privacy invasion on the internet has reached a level that a key foundation for future e-commerce growth is being threatened?

Second, examples of web pages where sneaky Web Bugs had been placed are given in the few articles on the web that deal with this subject. I went to five of the web pages where the examples were supposed to found, and not one had any examples. The owners of those sites, including some Very Big Boys, evidently got the message that that sneaky stuff was in fact dynamite for their own business, and they have got rid of it. (I will explain the sneaky and the non-sneaky Web Bugs below.)

Put those three developments together and a picture emerges -- the Big Boys suddenly sense that their lovely dreams about future e-commerce growth may be about to evaporate due to mishandling of the customer privacy matter by 'their own people'.

Unfortunately, even if I am correct this is no time at all to 'lay up' on our oars and break out the champagne due to having regained reasonable control over our privacy. Millions of people still do not know what's being done to them, and a huge number will not know enough about their computers to be effective in seizing the power to frustrate the sneaky privacy invaders.

Therefore, a massive public education effort remains needed; because in the end it will be millions of people taking individual self-empowerment actions that will be the real protection of a decent level of privacy on the internet. This is not a problem where it will make any sense to "let George do it". Forget delegation here, if you want to be of any help.

WHAT IS A WEB BUG?

The reason this position is correct can be seen clearly from a review of the situation concerning Web Bugs. I am deeply indebted to two web sites, which will be named below, for reasonably clear explanations on all but one crucial point about Web Bugs.

Here are some basics about Web Bugs.

Your Favorite Web Site makes a deal with The World's Greatest e-Marketer whereby at a certain point in the HTML code for a page at that site (often the main page) a graphic image is imported from the computer of The World's Greatest e-Marketer. That importation triggers computer code at the e-Marketer's end to download information stored in certain cookies on your computer.

Exactly which cookies is not clear in the literature; but you need to note that it is now established that it is possible, contrary to what we have been told, for a cookie created by one web server to be read by another server, under certain circumstances. Also, it is certainly easy for the programmers at Your Favorite Web Site to extract cookie information and pass it to their e-marketer associate.

Now here is the kicker.

Your browser imports the graphic object from e-Marketer's computer with no way of 'knowing' what function that object might serve; thus it has no basis for warning you about that particular object. Second, should 'things' be arranged for the importation process to facilitate passing information from your computer to e-Marketer's, with the active or inactive help of Your favorite Web Site, there is nothing in the existing browser software that would cause your browser to warn you that that is happening when it does happen.

WHY YOU NEED TO MANAGE YOUR COOKIES

Therefore, at this point the Web Bugging process is unstoppable.

The only way to render it useless to e-Marketer is for you to arrange to block all cookies on your computer that might be used to provide information an e-Marketer might use.

But it's not too sensible to arrange to block ALL cookies, if you are an active web surfer, so you need to fall back on cookie management. This will, however, need to be supported by a fair degree of openness by the people at Your favorite Web Site concerning the companies that are supporting their operation and what form that support takes.

Now a technical point about the distinction between a sneaky Web Bug and a non-sneaky one. As already noted, the Web Bug is a graphic object served up by a third-party computer, by virtue of a deal between the owner of that computer (usually an e-marketing firm) and the owner of Your favorite Web Site. It could be any graphic object.

If you can see the object on your screen, you often (alas there are exceptions) can tell who sent you that object (by either watching the address box as it loads or just moving your mouse over the object -- it is the latter that some smart guys are now blocking with 'cute' HTML code). This is the non-sneaky kind -- at least the object is out there in the open for you to question what use is being of it by e-Marketer.

THE SNEAKY BUG VIA "CLEAR GIFS"

It is quite feasible for you to be sent an object so small that you cannot see it. This is the so-called "clear GIF" or "transparent GIF", and there is literature that is focused on its legitimate and illegitimate uses.

Clear GIFs are most often used to control the locations of other objects on the screen; but, as noted, smart guys have been using them to facilitate secret privacy invasions.

And it is exactly this kind (the Clear GIF) that has disappeared from the pages where we are told, at other sites, we would find them -- the people who had them in use, when they are in fact not needed, must have realized that they were playing with a fire they should have avoided in the first place; because, as the literature correctly states, the only reason for a third-party computer to send you an invisible object is to set the stage for some information passing 'by stealth'.

Now here is the hard part.

The Big Boys with multi-millions of dollars of e-commerce investments can be relied upon to embark upon aggressive damage control, as we are now seeing. Little Bad Guys who see no other way to buy food and pay rent can be expected to be involved in continued use of the 'stealthy kind' of Web Bug.

This is strongly suggested by an article in the July-August issue of Brill's Content, where Richard Smith, the guru on Web Bugs, is reported to have found some at porn sites. Now if you visit a porn site that is using Web Bugs, you can forget about any privacy you thought you might be protecting by so doing. You would be more effective in protecting your privacy by putting on a trench coat and a broad-rimmed hat and buying your stuff in a plain brown wrapper at your neighborhood XXX-rated store!

And that's true for a very interesting reason. That store is almost certainly a Mom and Pop shop, and the clerk an under-paid soul. Any record they have of you is quickly lost -- no one at that company can afford to compile client records. Not so with tracking your web behaviour and purchases -- there we have people IN BUSINESS FOR THE PURPOSE OF CONDUCTING THAT TRACKING as effectively, and often as stealthily, as feasible. This is what we have bought with The Great Information Highway in the sky.

And do not let anyone talk to you about records being anonymous. Most of the sites engaged in the tracking invite you to submit your email address or some other information with potential to allow your surfing to be linked to other information. Indeed, without that linkage it is extremely difficult to build the demographic and life-style profiles that give the marketers the leads they want on what to sell and to whom to sell it. The moment a firm has your web surfing patterns and your email address, they are off to the races on making meaningful use of that information by gathering other information about 'who you are'.

Probably next week, Arawak Net's Privacy Watch will be enhanced by a review of a few cookie management support programs, including some notes on the uses and limitations of the management functions already available in Internet Explorer. ("Time to play some catch-up, Netscape!") I am using the I.E. cookie management function a lot, and one thing I sorely miss is the ability to tell the computer to simply reject all third-party cookies that expire beyond a certain date (today, for example), and then let me examine the long-lasting ones that are coming from My Favorite Web Site.

On this point, someone should explain why such a high proportion of cookies are set to expire far into the future, and thus to clutter up your disk unless you take steps to delete them.

SITES TO VISIT FOR MORE DETAILS ABOUT WEB BUGS

Now for the sites you should visit, to learn more about Web Bugs. The discussion at these two sites is so clear there is not much point trying to repeat it here. They are deficient mainly in failing to be informative about some key steps in the mechanisms for using Web Bugs to capture information about your web surfing, and your computer. Go the sites of Smart Computing and that of Richard Smith .

A serious effort has been made here to respect peoples' copyrights. Any lingering violation will be corrected promptly, as soon as someone points out where the violation takes place. Contact lestone@arawak.net.

[ Return to Arawak Net's Home and click on the Privacy Watch link to find related analytical articles.]