No easy way to exterminate 'Web bugs'

Personal firewalls and Microsoft's coming "cookie cutter" may help users squash these pests. But privacy regulation may be the ultimate answer
Written by Robert Lemos, Contributor

Consumers worried about privacy won't get a good solution to Internet "Web bugs" any time soon, privacy and security experts said Thursday. Web bugs -- special HTML coding that requests information over the Internet and returns information about the user -- let online marketers track consumers and let corporations protect proprietary data. "The benefits of the feature outweigh the tracking risks," said Richard Smith, chief technology officer for the Privacy Foundation in Denver.

On Wednesday, the foundation released a report that put all Internet-enabled applications -- not just Microsoft's Word, Excel and PowerPoint -- in the spotlight as new staging grounds from which marketers and employers can track users. HTML code embedded in a document mailed to or downloaded by users lets whoever embedded it identify those users by their Internet address.

"Companies might use this to locate any leaks, [and] marketing companies use Web bugs every day of the week," said Smith, who himself used the technique to identify virus writers and hackers several years ago. "As the distinction between Web applications and the desktop blurs, [Internet tracking] will start happening more often."

The Web bugging technique is a creative application of HTML coding that was created so Webmasters could keep components of their pages in different places. For example, all images could be kept on a separate server, and as a user loaded a page, that server would supply the images.

The user is bugged when the server from which the content is being requested records who is requesting that content.

"A lot of junk email puts in an HTML Web bug that identifies you," said Jason Catlett, president of pro-privacy Junkbusters. "Other, hidden tracking numbers can tell them a great deal more."
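The following added example, which is not from the article or the Privacy Foundation report, scans an HTML message body for the automatic remote fetches described above and labels the signals that suggest deliberate tracking. The sample message, host names and signal labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# (tag, attribute) pairs whose URL an HTML renderer fetches without user action.
AUTO_FETCH = {("img", "src"), ("iframe", "src"), ("script", "src"),
              ("link", "href"), ("body", "background")}

# Constructed sample message body; hosts and parameters are made up.
SAMPLE = """<html><body>
<p>Spring sale!</p>
<img src="cid:logo@mail" width="200" height="50">
<img src="http://images.example.net/banner.gif" width="468" height="60">
<img src="http://track.example.com/o.gif?uid=8f3a2c&amp;m=user%40example.org" width="1" height="1">
</body></html>"""

def _invisible(attrs):
    """True for 0/1-pixel or hidden elements, the usual shape of a Web bug."""
    dims = [attrs.get(k, "").strip().lower().replace("px", "") for k in ("width", "height")]
    style = attrs.get("style", "").replace(" ", "").lower()
    return all(d in ("0", "1") for d in dims) or "display:none" in style

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for t, name in AUTO_FETCH:
            if t != tag or name not in a:
                continue
            url = urlsplit(a[name].strip())
            # cid:, data: and relative references name no separate remote host.
            if not url.hostname or url.scheme not in ("http", "https", ""):
                continue
            signals = ["ip-address"]  # any remote fetch shows the server the reader's address
            if _invisible(a):
                signals.append("invisible-element")
            params = sorted(parse_qs(url.query, keep_blank_values=True))
            if params:
                signals.append("query-identifier")
            self.findings.append({"tag": tag, "host": url.hostname,
                                  "signals": signals, "params": params})

def find_web_bugs(html):
    """Return one finding per automatically fetched remote URL in the HTML."""
    finder = _Finder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

On the sample, the embedded `cid:` logo is ignored, the banner is reported only as disclosing the reader's address, and the 1x1 image carries all three signals.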

For example, Microsoft Office applications can access the cookies created by Internet Explorer. "In many cases, the Web bug is an opportunity to get your cookies," said Catlett, who sees little means of defence.

While some banner ad-blocking software can stop Web bugs that try to contact servers owned by well-known data collectors, such as DoubleClick, the software fails to stop surveillance by lesser-known sites.

Several personal firewall products can prevent some of the effects of Web bugs.

Zone Labs's free ZoneAlarm can be used to prevent applications other than a user's browser from connecting to the Internet. And, new technology for Microsoft's Internet Explorer allows users to manage cookies, preventing some information from leaking out.

Neither solution completely solves the problem, however. A Web bug embedded in a Web page or email can still get by ZoneAlarm, while Microsoft's new technology blocks only cookies, not simpler Web bugs.

"We are looking at how to deliver enhanced privacy very quickly," said Fred Felman, vice president of marketing for Zone Labs. "We are not ready to announce new features, but they are on the table."

In the end, there may be no technological solution.

"The WWW is a perfect medium for surveillance," said Junkbusters' Catlett. "What needs to be done is that Americans need privacy rights. I don't see how you can stop the large swarm of Web bugs, otherwise."

Ari Schwartz, policy analyst with the Centre for Democracy and Technology, a Washington, DC-based think tank, also believes that other -- non-technical -- solutions are needed.

"People should pressure companies not to do this surreptitious collection of information," Schwartz said. "If we do need legislation, it could help people be alerted when this is going on and give them some choice."

As things stand, with no knowledge of what information their PCs are distributing over the Internet, Web users have little choice at all.
