Web Bugs

A little something I blundered into. It had interest to me so I thought I would bring it back for others to look at.


Why worry about Web bugs? Here's the real privacy threat

Two stories in the news this week deal with online privacy, but only one really matters.

Which one doesn't? The blow-up over so-called Web bugs. The flap illustrates what happens during the summer when news organizations are scratching around for something to report on (and I find myself writing essays about why this news doesn't matter but that news does).

WEB BUGS--the simplest form of which is a tiny transparent (i.e., invisible) image hidden on a Web page--have been around for years. They are making waves this week because a company called Cyveillance put out a study noting they've become much more common over the last three years and pointing out potential abuses by advertisers using the technique to gather user information.




(Cyveillance's interest in this, just to be clear, isn't in protecting your privacy but in keeping the good names of their big corporate clients from being tarnished by what other companies are doing.)

This same information can be gathered in other ways, like through visible banner ads. Web bugs also have the ability to interact with cookies that Web sites place on users' hard drives to store or collect bits of data from the user.

THE ISSUE HERE is that Web bugs are invisible, which somehow makes them appear sinister. They are not, however, a new threat to your privacy, just a variation on how user information is gathered by Web sites and their advertisers. There's nothing here that should really add to people's worries, as far as I can tell.

You can prove this to yourself using Bugnosis, an Internet Explorer add-on that will show you Web bugs on the pages you visit and, in some cases, give you links to the site's privacy policy and a place to send a letter of complaint.

Released by the Privacy Foundation, Bugnosis http://www.bugnosis.org/ has excellent descriptions of Web bugs, how they work, and what dangers they pose. After reading all the material and playing with the Bugnosis software, I left more concerned about people's news judgment than about any new attacks on my privacy.

THE TOOL FOUND, for example, a Web bug placed by DoubleClick, the online ad firm, and took me to a specific place in DoubleClick's privacy policy that refers to how they use the technology. I read it and didn't come away particularly frightened.

Running Bugnosis against the AnchorDesk site didn't turn up any Web bugs, nor did a look at our ZDNet News page. Checking out CNET's News.com turned up two bugs and seven "suspicious" cookies. Microsoft's MSN home page had two bugs, while The New York Times home page had one suspicious graphic that manipulated a cookie.

So you know, CNET Networks, the publisher of ZDNet, AnchorDesk, News.com, and other Web properties, talks about its use of Web bugs in its privacy policy and explains that it doesn't "aggregate or track personally identifiable information when using clear GIFs, only usage patterns."

THE PROBLEM WITH NON-ISSUES like Web bugs is that they amount to crying wolf. My concern is people will get tired of being churned by such tiny privacy threats and not pay attention to the big ones.

So what should you be worrying about? The biggest online privacy threats at this moment--and I know people will disagree with me on this--are employer snooping, Microsoft's .Net/Passport (especially its security holes), and the unauthorized combining of information among various companies that have bits and pieces of someone's personal information. This last issue is the most important offline threat as well, especially as it relates to medical data.

The one of these I can possibly do something about is Microsoft's Passport. I am not terribly concerned that Microsoft will use the information I give them against me. For all the evil people claim Microsoft does, Microsoft is not that stupid or arrogant.

BUT THE COMPANY IS--provably--arrogant enough to believe it can actually keep this information secure. Given Microsoft's track record, I feel quite confident that if the evildoers of the world realize that Microsoft is the single best place to get millions of credit card numbers and purchase histories, the company will find it impossible to protect the data.

Even if I am wrong about the real bad guys, there are plenty of others who'd hack the system just to prove it really isn't secure--these "white hat" hackers wouldn't actually use the card numbers, except to prove Microsoft's security claims to be in error.

Either way, I need a lot more than Bill's personal assurance--which he has given already--that Microsoft would be a good steward for this large, and this critical, a collection of data.

I HOPE THE SECURITY PROBLEM can be solved--what Microsoft wants to do with the data with its .Net strategy of Web applications that interact with one another is a real advance-- but I am not hopeful given the assurances so far.

I'd urge the privacy advocates who are taking on Microsoft not to dis the company so directly, and even to give Redmond credit for trying to be a good protector of people's data. Instead, I'd focus on the problems Microsoft (and the industry) have already had and ask what proof can Microsoft give us that the information will really be safe.

That's the real issue, not some silly Web bugs

So if you're curious about what companies want, or if it is there, check out the site. BTW it will only work for Internet Explorer 5.0 or higher. Nothing else.