Nearly undetectable tracking device raises concern

A widely used, yet virtually undetectable, means of tracking Net surfers' habits is joining its better-known cousin, the cookie, as the subject of lawsuits and a privacy initiative by the government.

Stefanie Olsen Staff writer, CNET News
A widely used, yet virtually undetectable, means of tracking people's Internet surfing habits is joining its better-known cousin, the cookie, as the subject of several lawsuits and a privacy initiative by the government.

The technology, often called Web bugs or 1-pixel gifs, is prompting further concern that the once-freewheeling Web is becoming more like an Orwellian Big Browser.

Like cookies, Web bugs are electronic tags that help Web sites and advertisers track visitors' whereabouts in cyberspace. But Web bugs are invisible on the page and are much smaller, about the size of the period at the end of this sentence.

A Web bug "is like a beacon, so that every time you hit a Web page it sends a ping or call-back to the server saying 'Hi, this is who I am and this is where I am,'" said Craig Nathan, chief technology officer for privacy start-up Meconomy.com and former technical liaison for Personify.

Most computers have cookies, which are placed on a person's hard drive when a banner ad is displayed or a person signs up for an online service. Savvy Web surfers know they are being tracked when they see a banner ad. But people can't see Web bugs, and anti-cookie filters won't catch them. So the Web bugs wind up tracking surfers in areas online where banner ads are not present or on sites where people may not expect to be trailed.

That was the case last month when the White House ordered its drug policy office to stop using Web bugs on the government's anti-drug site Freevibe.com. Following the mandate, the Clinton administration issued strict new rules regulating federal use of the technology, which can surreptitiously collect personal information.

Web bugs can "talk" to existing cookies on a computer if they are both from the same Web site or advertising company, such as DoubleClick, which uses bugs and dominates the online advertising market.

That means, for example, that if a person visited Johnson & Johnson's YourBaby Web site, which uses DoubleClick Web bugs, the bug would read the visitor's DoubleClick cookie ID number, which shows the past online behavior for that computer. The information would then go back to DoubleClick.

Ad networks and agencies say cookies and other tracking devices are used to help both consumers and Web sites. Under fire from privacy advocates, ad executives have consistently said the information collected is kept private and is the sole property of the company that is being advertised.

The "evil" of Web bugs
But privacy advocates see an insidious side to the tiny tag.

"The danger of that is that if you were going to a site on yeast infections, the second it loads up, before the screen loads, somewhere in the world the fact that you visited the site is now registered. That's the evil of Web bugs," said Ira Rothken, a lawyer at the technology-oriented Rothken Law Firm, based in San Rafael, Calif.

The problem is magnified, he said, when a company can tie your cookie number to personal identifying information such as a phone number and address.

This became a real concern last November when DoubleClick bought Abacus Direct, a company that holds detailed consumer profiles on more than 90 percent of U.S. households. Syncing DoubleClick's database about Net surfers with personally identifiable data set off a firestorm of criticism, as well as a government inquiry. DoubleClick has since dropped plans to link the databases until there is agreement between government and the industry on appropriate standards.

"Web bugs were developed to not let you know (you're being tracked) and for the simple design aspect of an invisible dot," Nathan said.

Rothken filed a consumer Internet privacy suit against DoubleClick in February, and there are three other similar suits against the ad network.

Also in February, the state attorney general in Michigan began legal proceedings against DoubleClick. The attorney general claimed the company had violated consumer protection laws by not telling Web visitors that DoubleClick regularly put cookies and Web bugs on their hard drives.

The other side of the coin is that Web bugs, like cookies, can be useful. For consumers, cookies can store passwords and other sign-on information. For Web sites, Web bugs can help better manage content by knowing what is effective. They also give online ad agencies a way to track campaigns when a banner isn't present.

Bang for their advertising buck
"Using traffic-log cookies or clear gifs is a way for advertisers to learn whether they're getting the most bang for their advertising dollar," said Jules Polonetsky, chief privacy officer at DoubleClick. "It's a tool that does not provide any personal information but allows the Web site to learn how users are visiting different areas of their site and learn which ads brought them to their site.

"We are contractually obligated to maintain that information solely for the use of the site; it's critically private information," Polonetsky said.

Web bugs have sparked much criticism from Net experts of late.

Richard Smith, a computer security expert, said that a wide variety of medical and pornography sites are using the tags. He said there are Web bugs on such sites as Procrit, which has information about AIDS drugs, and iFriends.net, an online version of an adult peep show.

Smith has set up a Web site that searches for Web bugs. A quick search on that site for such bugs issued by DoubleClick, for example, returned more than 80,000 hits.

Web bugs can also be used in email. For example, companies can send a bulk HTML email newsletter that has Web bugs, which will determine how many people read the letter, how often they read it, and whether they forward it to anyone. The email "would include your email address in the URL or include a coded ID or encrypted email address to track when you opened it," Smith said.
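As an added illustration (not code from the article or from Smith's search site), the following Python sketch shows how a reader or mail filter could flag likely Web bugs in HTML: invisible 1-pixel images that are fetched from another server or carry an email address or coded ID in the URL. The host names, the sample markup and the 16-hex-digit heuristic for a "coded ID" are assumptions made for the example; a static scan like this cannot see cookies, which the browser sends on its own when it requests the image.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

TINY = re.compile(r"[01](px)?", re.I)                    # 0 or 1 pixel
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)  # address in a URL parameter
TOKEN = re.compile(r"[0-9a-f]{16,}", re.I)               # long hex value, possibly a coded ID (assumed heuristic)

class _ImgScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = (page_host or "").lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        host = (url.hostname or "").lower()
        if not host:
            return  # relative URL: fetched from the page's own server
        reasons = []
        if TINY.fullmatch(a.get("width", "")) and TINY.fullmatch(a.get("height", "")):
            reasons.append("1-pixel")
        ph = self.page_host
        if not ph or not (host == ph or host.endswith("." + ph)):
            reasons.append("third-party")
        for _, value in parse_qsl(url.query):  # values are percent-decoded here
            if EMAIL.fullmatch(value):
                reasons.append("email-in-url")
            elif TOKEN.fullmatch(value):
                reasons.append("coded-id")
        # Report only invisible images that also call another server or carry an identifier.
        if "1-pixel" in reasons and len(reasons) > 1:
            self.findings.append((a["src"], reasons))

def find_web_bugs(html, page_host=None):
    """page_host=None treats every remote image as third-party (HTML email)."""
    scanner = _ImgScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples (not taken from any real site or message).
PAGE = """<img src="/img/logo.gif" width="120" height="60">
<img src="http://www.site.example/spacer.gif" width="1" height="1">
<img src="http://ads.adnet.example/banner.gif" width="468" height="60">
<img src="http://ads.adnet.example/clear.gif?id=a1b2c3d4e5f60718" width="1" height="1">"""
MAIL = '<img src="http://mail.adnet.example/o.gif?e=reader%40mailbox.example" width=1 height=1>'
```

The visible banner and the site's own spacer image are deliberately not reported; only the invisible third-party image and the email beacon are.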

"Web bugs are like carbon monoxide for Internet privacy," said Jason Catlett, a privacy advocate with Junkbusters. "You can't see them, but they can damage your privacy anyway."