Cookies have been the nemesis of privacy advocates for quite some time now, but cookies are relatively tame compared to their sneakier siblings, Web bugs, which stealthily track you as you view content from around the Internet. Web bugs are tiny little 1-pixel image files that you never see on the screen. In addition to relying on stored cookie information sent in association with a banner ad or other content, companies such as DoubleClick have added Web bugs to their arsenal of profiling devices.

The way Web bugs work is simple: when a user visits a Web page that contains a Web bug, that page will have an HTML tag designed to request the bug (image file) from a specific server designed to gather information about the user. The image, usually 1 pixel in size, is so small that almost no one will notice it on the screen, particularly if it's matched to the background color of the Web page.

The tracking ability comes from the inherent inner workings of the Web browser itself, and the fact that almost every user allows graphics to be displayed in their Web browser. As you know, when a Web browser sends a request for content to a Web server, it usually sends that request along with some amount of detail about the user's machine. For example, when asking for a Web page, Internet Explorer and Netscape both send the user's IP address, operating system type and version, browser type and version, the last Web page you visited, and more. In addition, the URL request itself can be encoded to include information that you had previously entered during a given Web site session. For example, Quicken's Web site had a Web bug that sent date-stamp session parameters back to DoubleClick and MatchLogic.

All of the information sent during a request is recorded by Web servers. In addition, while delivering a Web bug the server could read existing cookies to learn past surfing habits. Keep in mind that Web bugs work in any application capable of displaying HTML graphics, including email clients, newsgroup readers, chat clients, word processors, and more. Cookies can be disabled, or the browser can be configured so that it prompts the user before automatically accepting them. But since almost everyone allows their browser to retrieve images embedded in Web pages, it's incredibly difficult to stop the companies from spying through the use of Web bugs that take the form of 1-pixel images.

Cookies and Web bugs bother many people badly enough, but add to that the fact that in November of 1999 DoubleClick purchased Abacus Direct, holder of detailed consumer profiles on more than 90 percent of the households in the U.S., and there is plenty of room for heated conflict. DoubleClick's acquisition prompted one law firm to file suit against the company, which makes for a current total of four privacy-related suits against the advertising firm.

Security professional Richard M. Smith maintains a Web Bug FAQ to answer numerous common questions on the subject. But more interesting than the FAQ is the page of links Smith provides for locating Web bugs using the AltaVista search engine (JavaScript required). Smith's search links locate Web bugs belonging to almost two dozen companies that track your Web surfing habits without your direct knowledge. For example, a search using a URL formatted by Smith to locate DoubleClick Web bugs returns some 178 bugged pages, including bugs which were located on the Web pages of several major pharmaceutical vendors, a major hotel chain, and money lenders.

Even Microsoft's own Windows 2000 Web site has a Web bug tracked by DoubleClick, as seen in the HTML tag in Figure 1 below. The tag was extracted from Microsoft's Windows 2000 default Web page on July 13th. Notice that this particular Web bug also tests your browser's SSL capabilities by requesting the Web bug via the HTTPS protocol instead of the usual HTTP protocol. By cross-referencing known IP address assignments, it may be possible to use such a Web bug to identify computers that are using 128-bit SSL in areas of the world where possession of that technology may be illegal either through local laws or through illegal export from the U.S.

Figure 1: Web bug code embedded on Microsoft's Windows 2000 Product Home Page
boom=1;ord=0.2741205?" width=1 height=1>

Even major retailers are using Web bugs to secretly track your Web browsing habits. For example, Barnes and Noble (B&N), best known for selling books, is now receiving plenty of notoriety for its efforts to track unsuspecting users--many of whom may never buy a book from the company--on sites all around the Internet. A quick search using yet another URL formatted by Smith reveals that some 109,113 Web pages contain Barnes and Noble-sanctioned Web bugs! Everything from ESPN's IronMan Coverage to the Virtual Resume Home page contains B&N Web bugs.

Take time to explore Smith's preformatted search URLs to locate still other Web bugs in use around the Web. If Web bugs are a privacy concern for you and your environment provides a mechanism for site blocking or URL and content filtering, then consider establishing rules that block the offending Web bugs. Use the URLs on Smith's page of search links as a baseline for developing your rules.
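
A small scanner for the pattern described above, as an added example that is not part of the original article: it flags image tags of 1x1 pixel or smaller that are served from a host other than the page's own, and lists those hosts as candidates for blocking rules. The hostnames and the sample page are constructed, and the size-plus-host heuristic is an assumption that will miss bugs written without width and height attributes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page and hostnames, for illustration only.
PAGE_URL = "http://www.shop.example/index.html"
SAMPLE = """<html><body bgcolor="#ffffff">
<img src="/images/logo.gif" width="120" height="60">
<img src="/images/spacer.gif" width=1 height=1>
<img src="https://ads.tracker.example/activity;src=1234;ord=0.5" width=1 height=1>
<img src="http://stats.metrics.example/b.gif?page=home" WIDTH="1px" HEIGHT="1px" />
<img src="http://cdn.photos.example/banner.jpg" width="468" height="60">
</body></html>"""


class WebBugFinder(HTMLParser):
    """Collect <img> tags no larger than 1x1 that load from another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.hits = []  # list of (host, absolute image URL)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        if not (self._tiny(a.get("width")) and self._tiny(a.get("height"))):
            return
        src = urljoin(self.page_url, a.get("src", ""))  # resolve relative paths
        host = urlsplit(src).hostname
        if host and host != self.page_host:  # first-party spacers are ignored
            self.hits.append((host, src))

    @staticmethod
    def _tiny(value):
        # Accept "1", "0" or "1px"; a missing attribute is not treated as tiny.
        digits = (value or "").lower().replace("px", "")
        return digits.isdigit() and int(digits) <= 1


def find_web_bugs(html, page_url):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.hits


def block_hosts(hits):
    """Deduplicated hosts to feed into a site-blocking or URL filter rule set."""
    return sorted({host for host, _ in hits})


if __name__ == "__main__":
    for host, src in find_web_bugs(SAMPLE, PAGE_URL):
        print(host, src)
```

Because the comparison is an exact hostname match, images served from a site's own secondary hostnames will also be reported and should be reviewed before they go into a block list.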