Web Bugs: Nasty Little Critters?

Web bugs are not the same as software bugs, which cause your programs to perform badly or crash. These are bugs in the sense of surveillance and monitoring tools. Unfortunately, monitoring on the Web does not stop with cookies. Several companies and advertising agencies use Web bugs to track and log the time and page a user has visited. Not only that, but by spreading Web bugs out over various pages and sites, a company can trace your movements across the Web. You can find further details about Web bugs from the man who has raised widespread public awareness about the phenomenon, Richard Smith, at http://www.privacyfoundation.org/resources/Webbug.asp.

Smith has also made a Web bug detector available free of charge. It is called Bugnosis, and you can get it from www.bugnosis.org. However, it is available only as a plug-in for Internet Explorer at the moment and works only with Web surfing. But there are plans to make it available for e-mail Web bug detection, too.

That is right; Web bugs can operate through HTML-enabled e-mail, too. Why would someone do this? If someone is using Web bugs to track your movements across a Web site, isn't that enough for her? No way! If I am a big marketing company, I can save a lot of money by doing e-mail advertisements rather than commercial TV ones. I might find an e-mail harvester or third-party spammer that will send out an e-mail ad to a select group of consumers I have pulled from the database.

After you open or preview your HTML-enabled e-mail message, the Web bug is activated, letting the originator know you have read the e-mail. A Web bug is a small or invisible graphic on a Web page or in an e-mail message, meant to monitor who is visiting the Web page or reading the e-mail message. Indeed, Web bugs have even proven to be usable in applications such as Microsoft Word. This is because Microsoft Word, like many of today's applications, supports HTML. Because HTML provides for the useful functions of hyperlinks and sharable formatting, it is commonly supported.

Web bugs are typically delivered via an HTML hyperlink. Just as every image that pops up in your Web browser is linked to the page, so is a Web bug. Notice how the Web bugs in the following examples are delivered: 1) as an image using the <img src> HTML code, and 2) as a hyperlink using the "http://somesite.com" code. For example, the following is the HTML code of a Web bug we encountered recently on the home page of http://www.us.buy.com:

<img height="1" width="175" src="http://switch.avenuea.com/action/buy_homepage"> 

We know this is a Web bug because we are visiting Buy.com's Web site and an image is being loaded from a popular online marketing site, Avenuea.com. This Web bug is rather unassuming compared to the Web bug that Richard Smith encountered back in 1999 on www.quicken.com:

<img src="http://ad.doubleclick.net/ad/pixel.quicken/NEW" width=1 height=1 border=0>
<IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://media.preferences.com/ping?ML_SD=IntuitTE
Intuit_1x1_RunOfSite_Any&db
afcr=4B31-C2FB-10E2C&event=reghome&group=register&time=1999.10.27.20.56.37">

This is a more obvious Web bug because it includes a reference to HTTP twice in the code and because the image size is 1×1 pixels (width=1 height=1).
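The two signals used above to recognise a Web bug, a tiny image and a source on a different site from the page, can be checked mechanically. The following is an added example, not code from the book or from Bugnosis; the `tracker.example` and `banner.example` tags are constructed, and comparing only the last two host labels is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

def site_of(url):
    """Naive site key: last two host labels (assumption: no public-suffix list)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def to_pixels(value):
    """Return a width/height attribute as an int, or None if absent or not pixels."""
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return None

class WebBugFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        src = urljoin(self.page_url, (a.get("src") or "").strip())
        dims = [to_pixels(a.get("width")), to_pixels(a.get("height"))]
        tiny = any(d is not None and d <= 1 for d in dims)
        if tiny and site_of(src) != site_of(self.page_url):  # tiny AND third-party
            self.findings.append({
                "host": urlsplit(src).hostname,
                "size": (a.get("width"), a.get("height")),
                "params": dict(parse_qsl(urlsplit(src).query))})

def find_web_bugs(html, page_url):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.findings

# Tag 3 is the Buy.com example from the text; the other tags are constructed.
SAMPLE_PAGE = """
<img src="/images/spacer.gif" width="1" height="1">
<img src="http://ads.banner.example/top.gif" width="468" height="60">
<img height="1" width="175" src="http://switch.avenuea.com/action/buy_homepage">
<IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://stats.tracker.example/ping?event=reghome&amp;group=register">
"""

if __name__ == "__main__":
    print(find_web_bugs(SAMPLE_PAGE, "http://www.us.buy.com/"))
```

The first-party spacer and the full-size third-party banner are not reported; only images that are both tiny and off-site are, together with any query parameters their URL carries.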

Web bugs can come in several variations, each serving a different purpose. Sometimes the Web bug is used to extend the privacy invasion to another function. In this way, a Web bug can do the job itself, or it can be the carrier, actually passing control off to some other program that does the job of watching you. Consider some of the following Web bug uses:

  • Simple tracking— A Web bug comes as a transparent GIF that sends information to a third party about a user's travels across the Web.

  • Executable bugs— These might tell your browser to download and run a small program that can be used to scan your hard drive for personal information. The program might scan for files containing the word “financial” and then send that information back to the bugger. This is basically the concept of a Web bug providing a means for spyware to get on your system.

  • Script-based executable bugs— These nasty bugs use scripting features of certain operating systems and browsers to grab files off your hard drive. It has even been reported that these can use PC-attached Webcams and recording devices that are plugged in and running on your computer. This brings new meaning to the word spyware.

That is some scary stuff. The time has come to definitely secure our PCs and be aware of what is going on out there. As was discussed earlier in this chapter, in the section “Precautions for Web Surfing,” if you know your Web browsers, Web sites, and some basic security guidelines, you can have safe, enjoyable Internet experiences. Otherwise, prepare to be exploited.

We mentioned previously that Web bugs can sometimes provide a means for spyware to get on your system. That doesn't mean Web bugs are spyware, but they can be the delivery means for spyware. Spyware is usually a program on your computer that invades your privacy by sending personal information back to the program's inventor. By themselves, Web bugs can provide only the following information:

  • The type of browser you use

  • The time you accessed the Web bug

  • The IP address of your computer

  • The URL of the site from which you got the Web bug

  • The URL of the Web bug image, which could be a third-party site

  • An already saved cookie value

And it just keeps getting better. If the cookie contains valuable information about you, suddenly the third-party site that placed the Web bug has that information too. Imagine a site you have to log in to. You probably provided an e-mail address. Well, if you're hit with a Web bug through this site, that e-mail address can potentially be sent to the site that placed the Web bug. Not only that, but now that e-mail address can follow you around as you visit other sites, which means those other sites also have potential access to your e-mail address!

In February 2001, an Internet tracking and security company named Security Space released a report identifying large Web advertising networks, such as DoubleClick, LinkExchange, and Excite.com, as some of the top sites using Web bugs to track users across third-party Web pages.

Earlier in the same year, Intelytics, a company developing privacy-related software, scanned some 51 million Web pages with its privacy scanning tools. It found that 16 million of the pages had some type of Web bug set up from a third-party advertising agency. This all just proves that the activity is real, and growing.

Most people aren't concerned that their online activities are being tracked, but there is a larger picture to ponder. With all the useful profiling and tracking information the top organizations are capturing, you have to wonder just what potential that information gives them. They can, of course, correlate users' actions over time, distinguishing things ranging from what a user typically searches for to what types of sites a user frequents. They can also collect e-mail addresses and provide those addresses to third parties that might be interested. But you have to ask, what is the legal role of someone placing Web bugs across the Internet? What if he is able to determine that a household is frequently visiting sites about murder and bomb-making? Does he have a responsibility or right to turn that information over to law enforcement?

The next section describes various programs, such as Bugnosis and WebWasher, that help you identify and block Web bugs and give you some control over them. Some Web-based solutions include proxies, such as www.Junkbusters.com, which let you surf the Internet behind a shield of protection.
