WEB BUGS

Web Bugs or Clear Graphical Interchange Format (Clear GIFs) files are a threat to the privacy of Web users, but they aren’t a new phenomenon. People have known about them for some time, but only recently have they received media attention as privacy experts hasten to educate Web users of the threats they pose.

Why would people want to use Web Bugs

Web bugs are used by large organisations that make financial gains by tracking user behaviour on the Web. They are used as a tool for tracking where individual users go on the Web and what they view. This way a profile of an anonymous user can be created over time, eventually providing rich detail about that user’s preferences and interests. Advertisers can use this data to target advertising banners and information specifically to that user.

Web bugs can also be used in conjunction with e-mail. When used with e-mail, they allow these same organisations to link or synchronise e-mail addresses with information the company has in its anonymous profiles about individual users. In this way your Web surfing history can be linked to your e-mail address. This poses a significant threat to your personal privacy.

What exactly is a Web Bug?

Any image can be used as a Web bug, but a Web bug is most often implemented as 1 x 1 pixel GIF format graphic or image files which has its colour set to transparent so it is effectively invisible on a Web page or in a Hypertext Markup Language (HTML) enabled e-mail program. The image file’s transparency is what gives it the name Clear GIF and Transparent GIF.

How does a Web Bug work?

These transparent images (or Web bugs) are embedded in a Web page or an e-mail message in the same way as any other image, inside what is called an HTML tag. The difference with these images is that they don’t reside on the same server as the Web page you are viewing.

Instead, they usually reside on the server of an Internet advertising company, such as DoubleClick or MatchLogic. When viewing, a call is made to the advertising company’s site for the GIF image to be downloaded. This tells the advertising company that someone is visiting the site and provides some detail about that visitor.

Are clear GIF’s and Web Bugs the same thing?

Clear GIFs aren’t new; they’ve been used for some time in Web pages. These small invisible images were originally used to accurately position images on a Web page, a page-formatting tool, and the images themselves reside on the same server as the Web page. In contrast, Web bugs are used to collect information about visitors’ Web browsing habits, and the image file generally resides on a different server than the one on which the Web page resides.

How can I see if a Web Bug is present?

You can check for bugs on a Web page by waiting until the page has loaded and then viewing the page’s source code -- choose View, Source in Internet Explorer. Search the page for an IMG tag that contains the attributes WIDTH=1 HEIGHT=1 BORDER=0 which indicate the presence of a small, transparent image. If the image that this tag points to is not on the current server (for example, the IMG tag contains the text SRC="http://"), you’ve most likely found a Web bug.

How much information can a Web Bug collect about me?

Quite a bit of information about you is collected by the server, which hosts the transparent GIF file. This information is similar to that which is routinely collected by most servers and stored in the visitor log files on a server.

The information includes the Internet Protocol (IP) address of the computer you are using, the Web address of the page you’re viewing, the time you are viewing it, and the type of browser and operating system you are using. Additionally, the value of a cookie, which is already stored on your computer, can be sent to the server. It is this last piece of information that is most threatening to your privacy.

Is there a relationship between Cookies & Web Bugs?

To understand why cookies and Web bugs are so potentially threatening, you need to understand one special fact about cookies. When a cookie is placed on your computer, the server that originally placed the cookie is the only one that can read it. In theory, if two separate sites each place a cookie on your computer, they can’t read the data stored in each other’s cookies. That means, for example, that one site can’t tell that you have recently visited the other site.

However, the situation is very different if the cookie placed on your computer contains information that is sent by that site to an advertising agency’s server, and that agency is used by both Web sites. If each of these sites places a Web bug on their page to report information back to the advertising agency’s computer, every time you visit either site, details about you will be sent back to the advertising agency utilising information stored on your computer in the agency’s cookie. This allows your computer to be identified as the computer that visited each of the sites.

Over time, an advertising agency can build up a detailed profile of your browsing habits. The result will be that you are likely to see that advertising served up on the Web sites you visit is closely aligned to your personal preferences because the advertising agency knows a lot about the sites you visit and what you view based on the information it has stored on you. At this point the agency knows a lot about you, but you are still anonymous because it doesn’t know who you are.

What is the relationship between Web Bugs & E-mail?

HTML e-mail is becoming more popular on the Web. One little known fact about HTML e-mail it is actually your Web browser and not you E-mail program that is used to read HTML e-mail, thus providing access to the cookies stored on your computer whenever you read HTML E-mail. Whenever e-mail that includes a Web bug is opened, the transparent image is retrieved from the e-mail sender’s server.

The sender then knows that the e-mail message has been read and knows the time that it was read, as well as your IP address. From this, the e-mail company can build a detailed record of the number of people who received and viewed its message.

In addition, the Web bug can include your e-mail address (regardless of whether it’s encoded) to allow the company to track whether you in particular have read your message. When the e-mail is read, the browser sends for the image to download and in the process sends your e-mail address to the server.

Now the sender knows that you have read your message, and this indicates that your e-mail address is still current. Web bugs provide a highly reliable alternative to read receipts. Read receipts aren’t supported by all e-mail software and can be easily disabled. In contrast, Web bugs are automatic and invisible to the user and cannot be disabled. Web bugs allow an e-mail sender to learn a lot about you even though they may have begun by only acquiring an e-mail address.

At this point, they not only know the sites you visit and what you view on those sites, but it also knows your e-mail address.

To see if the e-mail you’re receiving contains Web bugs, you can check the HTML code in the same manner as you would in a Web browser.

Web bugs in e-mail messages look much the same as a Web bug on a Web page.

How do I protect my privacy?

Web bugs are simply images downloaded from other servers, and you can’t do anything to stop the image from being downloaded, short of turning off image display for all the images on your Web page. For most users this will be too high a price to pay for maintaining anonymity.

However, you can be more selective about which companies you allow to place cookies on your computer, and it is recommended that you set the cookie controls on your browser at the very least to always ask you before a cookie is written to your computer. When you do this, you should also remove any existing cookies from your computer as they can be accessed even when you have cookies disabled.

Another way of preventing Web bugs from doing their work is not to read any HTML mail you receive from an unknown source. Deleting junk e-mail without having opened or read it will prevent the Web bug from signalling to the sender that you have read the message. Lastly you could use cookie management or ad filtering software.

Arthur Hissey
Computer Research & Technology
www.crt.net.au