Many site operators and Net advertising companies place Web bugs on their pages to collect information, such as which pages are being read most often. Too small for readers to see, the bugs also can be used in more invasive ways, capturing a visitor's Internet Protocol address or installing pernicious files, for example.
The bugs can also be matched with "cookies," the electronic files that are stored on a PC and can contain personal information such as name and e-mail address.
Concerned that visitors are often unaware that the bugs are being used to track their surfing habits, security companies are beginning to arm Web surfers with tools to find the pesky bugs.
"People don't understand the potential risks associated with Web bugs. With a Web bug, your computer can be fully exposed to malicious sites that can take any files or information from programs on your hard drive," said Tommy Wang of security start-up Intelytics. "People need to get educated on this stuff."
Internet tracking and security company Security Space issued a report last Thursday that identified Web advertising networks DoubleClick and Linkexchange.com, as well as Excite.com, as some of the top sites that use Web bugs to track consumers on third-party pages.
Meanwhile, Intelytics plans to unveil a free service in two weeks that surfers can use to spy on the spies. Its software, called Personal Sentinel, will alert consumers to the "risk level" of any given Web site by listing the number of Web bugs working behind the scenes.
Illustrating the growing presence of such technology, Intelytics issued a report over the holidays on major e-commerce sites that uncovered nearly 16 million pages (out of 51 million that were scanned) with at least one Web bug that had been attached from a third party, such as an advertising network.
Privacy on the Hill
Such surveillance tactics are beginning to take higher priority with lawmakers as well. Last Thursday, the Congressional Privacy Caucus, a bipartisan group of senators and congressmen charged with studying individuals' privacy, met to discuss the threat posed by online tracking technology.
In one such test, the Privacy Council and Intelytics showed how Web bugs, when used nefariously, can steal a computer user's entire e-mail address book merely by clicking on a bugged Web page.
"Through an insecurity in Windows, they showed how easy it is for people to get stuff off (a consumer's) hard drive," said Richard Smith, chief privacy officer at the Denver-based nonprofit group the Privacy Foundation, who testified at the Thursday hearing.
Meta Group says that privacy is a complex issue, and different individuals have different privacy expectations. Certainly individuals should not be expected to give up privacy without their knowledge.
In his testimony, Smith illustrated how simple it is to peer into other people's e-mail by attaching a Web bug to the message. According to Smith, a person can send an e-mail with a bug that secretly sends copies back to the sender when the e-mail is replied to or forwarded.
"If an e-mail can be wire-tapped in the halls of Congress, where else is e-mail safe? The answer is nowhere," Smith said.
Intelytics, in partnership with the Privacy Council, unveiled a similar Web bug-searching service in late January for companies to run reports on their own sites, assessing privacy risks to consumers. Intelytics plans to launch other corporate Web bug tools for e-mail and intranets.
The Message Sentinel, for example, is set up to check for privacy threats sent through e-mail, including so-called wiretaps. The product, which is already garnering interest from government agencies and financial services firms, is set to launch in early April. The price has not been set.
Personal Sentinel will be available March 15 and will be supported by companies that plan to sell services to "wash" the Web bugs off the page so the consumer can avoid prying eyes, according to Intelytics' Wang.
Varying strengths of venom
Through its research, the company has identified about five different types of Web bugs, Wang said. The simplest, most discussed bug is a small, clear GIF that works with cookies to send information to third parties about a visitor's online travels.
Other more malicious forms of Web bugs are "executable bugs," which can install a file onto people's hard drives to collect information whenever they are online. For example, one such bug can scan a person's machine to send information on every document that contains the word "financial."
Perhaps the most nefarious bugs are "script-based executable bugs that can go out and take any document from your computer" without notice, said Wang, who warned of programs that can track live, private recordings through Webcams or voice recorders hooked up to computers.
Other script-based bugs also execute files, but they're not installed on a person's PC. They can simply try to control the person's computer from its server, as well as track the consumer's travels on the Web from behind the scenes. An example of this can be found on a popular entertainment site, PassThisOn.com, which launches multiple browser windows when a person tries to exit the site.
While the Web Bug Report shines a light on the tags, most consumers "won't care" about it, said Thomas Reinke, director of technology for Security Space, which plans to publish the report monthly. But "it's important to understand how much information one or two organizations can get about Web traffic and user preferences as a whole," he said.
Security Space, a 5-year-old security and Internet tracking company, scans more than 100,000 active Web sites, or nearly 4 percent of total Web sites, to find the bugs. A so-called crawler automatically visits home pages and all links one level down.
It measures a site based on its "authoritativeness on the Web" or by how many sites are linked to it. For example, if Yahoo has 100,000 links to its site, it is weighted heavier than a site with only a hundred links to it.
DoubleClick registers as the top site that uses Web bugs with the highest-trafficked sites. The ad network uses roughly 535 Web bugs on third-party sites, compared with 326 from Weather.com and 306 from Netscape.com, according to another report that tracks the pure number of bugs issued by a company.
DoubleClick representatives could not be reached for comment.
"If you start collecting that information and correlate that information back to users...then you start being able to potentially abuse that information," said Reinke, who added that his company will start to sell such reports in the future.
"What if, as an ad company, you knew that a household was going to Web sites about firearms and bomb-making? What's the responsibility of that advertiser holding that information? Should they have to turn that over to law enforcement?" Reinke pondered.