Little Known Internet Security Threat: Web Bugs
Web Bugs are not always so small or invisible to a user. Any graphics that are used for monitoring may be considered a web bug. The advertising industry prefers to call web bugs a more sanitized name-“clear GIF.” Web bugs are also called “1 by 1 GIFs,” “beacon GIFs,” and “Invisible GIFs.”
Web bugs are used to gather viewing and usage statistics for a particular page, correlate user statistics between multiple websites, profile users of a website by gender, age zip code, and other demographics, and transfer personally identifiable information from the web site directly to an Internet marketing company. The bugs can also transfer search strings from a search engine to a marketing company, verify the statistics reported by a banner advertising company, to gauge the effectiveness of different banner advertisements; prepare web usage statistics for websites that do not have the technical capability to prepare their own statistics, see if users have enabled JavaScript, Java, ActiveX, and other technologies, detect copyright infringement, and check if e-mail messages are actually read, and see if they are forwarded.
The Colorado-based Privacy Foundation found two web bugs on a well known accounting website. The first bug causes a single 1 X 1 image to be fetched from the Doubleclick advertising server ad.doubleclick.net. The bug allows Doubleclick to be alerted to each individual that uses the home page of the accounting website. This monitoring is thus done without the use of a banner advertisement.
The second bug uses an image from the MatchLogic Mediapreferences.com server. This bug sends unique user identification, similar to that which might be found in a cookie. The web bug could potentially let the website and MatchLogic knit together their two separate databases.
Web bugs allow senders of various e-mail messages to determine if an e-mail has been read. When the e-mail message is viewed, the web bug is retrieved from a remote server. Each web bug is given a unique identifier and causes a cookie to be downloaded, so it can also be determined if an e-mail message is forwarded. E-mail based web bugs are only active if the e-mail message is read with a mail client that can display HTML messages, and even then, only if a computer is connected to the Internet.
The Privacy Foundation presented guidelines on September 13, 2000, at the Global Privacy Summit concerning web bugs. The recommendations included: a requirement that web bugs should be visible; the icon should identify the name of the company that placed the bug on the page; and the icon should state that it is a monitoring device; the icon should state what data is being collected; how the data will be used; what company will receive the data; what other data the web bug is combined with; and if a cookie is associated with the web bug. Users should be able to “opt-out” from any data collection done by web bugs. Finally, the recommendations included requesting web bugs not be used to collect information from web pages dealing with sensitive information, including those intended for children, about medical issues, about financial and job matters, and about sexual matters.
Short of petitioning Congress to create laws that would protect individuals from web bugs, there may be little an Internet user can do to protect himself from them, at least other than disabling cookies on your computer. If web bugs are the ones as small as the ones described in this article, the only way to see them may be to click View on your web browser and then source, to reveal the HTML code. A web bug would have an image tag and height and width parameters set to one. It might be valuable to at least know they exist and what they are used for. They are on the websites of such companies as Quicken, FedEx, Metamucil, Oil of Olay, and StatMarket.