Microsoft: The Biggest Web Bugger

An unnamed reader writes: "A recently released web bug report shows that Microsoft (via Link Exchange) is bugging more web sites than any other organization. Less surprisingly, however, the same report shows that by making some rough traffic estimates, DoubleClick is probably bugging more web traffic than anyone else. (Except of course those big ISPs running proxy servers...wonder how long it will be before the ad agencies get into bed with the ISPs?)"

You are _not_ anonymous

Advertisers are very interested in connecting those anonymous statistics to real people. DoubleClick actually did so [usatoday.com], but stopped after a public backlash. But they will try again, it's just a matter of time. In the meantime, whenever you enter contact information for a web site, that site may decide to sell that information to someone like DoubleClick. Advertisers really want this information, and they'll keep trying until they get it.

Re:So um...

Perhaps because they have an effective wall between the editorial staff and the advertising staff, thus ensuring that editorial policy (as much as Slashdot has such a thing) is not tainted by advertisers?

Whodathunkit

Microsoft: The Biggest Web Bugger, eh?

Yeah, I think we can all agree that Microsoft has buggered the web...

Re:Associating e-mail addresses with cookies

You are correct.

Another way would be to put a web bug in the e-mail that the site uses to confirm the order.

--

Re:Who cares?

You may be right. After all It's not like Microsoft is some giant corporation with hundreds of subsidiaries, thousands of programmers, or terrabytes of storage at their disposal.

How could they ever muster enough money, processing power, database space, and brain power to try and corrolate the information they get from web bugs, sales at one of their subsidiaries, registrations at popular web sites like MSN or hotmail or msnbc, and product registrations of office and IE.
Why that would take millions of dollars and I really don't think MS can afford such a large outlay even if it means making tens of millions selling that information to others.

Re:Associating e-mail addresses with cookies

Actually, it doesn't even take a form with a GET request. Rather than use a cookie, many sites now encode a unique user id in the URL, often after a '$', like http://company.com/page.htm$USERID. (Sites do this so that they can track session data on you even if you deny their cookie and even if you move across servers or domains.) Since WebBugsAreEvil.com gets this full URL, they now have your USERID at the site you visited and can connect their data with the data collected by the site.

Re:Who cares?

A 1x1 pixel image slows your surfing? You still on a 9600 baud modem there?

Re:Info v Privacy

Whatever...in a toltalitarian police state crime effectively drops to zero, but who wants that?

By invading the private lives of every american household, and doubling the world's incarceration rate, the US can effectively wipe out marijuana use completely.

By warehousing consumer data large corporations can market more effectively, that is, convince you that you are not happy w/o their product.

Time to wake up the populace: Your well being is not a univariate function depending only on GDP growth. Crime prevention will not help your well being if the means outweigh the ends. Does nobody care about search and seizure rights?

Since I despise spam I find this from the FAQ

Particularly problamatic

from the web bugs FAQ [privacyfoundation.org]
11. Why are Web bugs used in "junk" Email messages?
To measure how many people have viewed the same Email
message in a marketing campaign.
To detect if someone has viewed a junk Email
message or not. People who do not view a
message are removed from the list for future mailings.
To synchronize a Web browser cookie to a
particular Email address. This trick allows a Web
site to know the identity of people who come to
the site at a later date.

Spam sucks

This is old news

They made a movie about it with Sandra Bollock. Industry just got smart after that and made it to where you couldn't see the pi, even if you held down control shift. ;)

God, that was a bad movie. Thankfully, I don't remember the title.

Google, too

Yeah, I noticed Google was on the list, too. A lot of people put the canned HTML code that Google provides on their pages to provide search capability. That includes an image, but it doesn't mean Google is tracking users. I think this survey needs more meat. I shouldn't be whether a page includes images from another domain, but only if cookies from other domains are going to the user from a page.

I could probably whip up a Perl script to do this with libwww pretty easily. I can't believe whoever did this survey didn't!

Confessions of a spammer

This is mostly work related so I am posting anonymously and am leaving out names. I've been with this company for a couple of years and I am working for one of thier clients who wants us to send email to customers as an advertisement. We are supposed to ask the customer first, but heres where problems come in. First of all we have to meet like a quota on this. This is often hard to do because of many reasons including but not limited to people not wanting the email sent to them or not having an email address. You get written up for not making quota, which may get you fired, so it goes without saying that people send the email without asking the customer's permission, or to send multiple emails to a customer so thier count increases and other craziness. When I learned of this policy I asked a friend what they do about this and they said I should do what everybody else does. Send them out to everyone because you'd get in more trouble for not sending them. I am very against the idea of sending people junkmail and I had already started getting in trouble for only sending to those who can get it and want it and missing my quota so I'm emberassed to say I've been doing the same thing as the others so that I can keep my job. I have done some things before I didn't agree with, but it bites being myself what I just about hate the most. A spammer. I'm sorry folks.

So, I was thinking about this and that today while I was sending my stupid spam off and something came to me. I know there was a proposal or something not too long ago that had to do with a unique identifier tagging unsolicited email. Now, if ISP's and telco's are supposed to be equivalent (right?), why is it that I hear you can block unknown callers/telemarketers and stuff on your telephone, but I can't block unsolicited email without trying to filter them individually with a spam filter which seems the equivalent of using your call blocking (which by the way has a limit of a few numbers at least in my area). Even if these aren't the same things I still believe it would be best if there was a unique ID on junk email because it is just as much of a problem to me when a phone rings and its junk or when my mail notify goes off and it's junk. How in the hell these two are different is beyond me but looks like that idea just didn't float anyway.

As far as web bugging goes, I could care less whatever doesn't steal from me or interfere with my time. Wading through junk does and it's just not fair. I may sound like a hypocrite for saying all this because of what I do at work, but I'm just following orders so I can make enough to feed myself and have something descent on my resume. I may have a fancy job with email, but i don't make much money and I'm a veteran employee. I'm not a moron, just stuck growing up in kind of a redneck area (with scarce IT jobs) and being taken advantage of by the hi tech that came to town. Cheap labor we are for them. I fully intend to get the fsck out out of dodge.

So um...

... why have I seen Doubleclick banner ads on Slashdot, if Web Bugs Are Bad?

- A.P.

--
* CmdrTaco is an idiot.

Bugger

My goodness. This headline truly made my day.

It's worth noting that Bugger [dictionary.com] has a few other meanings than "One who plants bugs."

Associating e-mail addresses with cookies

Suppose I have my own advertising web site, "WebBugsAreEvil.com", and your e-mail address is YOUR_EMAIL_ADDRESS@yourhost.com.

I place my bugs all over the internet. You visit a site with one of my bugs on it. This sends a new cookie to you. You now have a cookie from "WebBugsAreEvil.com" on your hard drive. Every time you visit another site with one of my web bugs in it, your cookie is sent to my host "WebBugsAreEvil.com" including the URL of the page that you are viewing. Thus, I build up a detailed profile of your web surfing habits.

Now suppose you place an order on one of these sites and leave your e-mail address and other personal information. The site sells your e-mail address and other personal info to "WebBugsAreEvil.com". I now have your personal information and your cookie, but the cookie ID is not yet associated with your personal information because these were collected by two different servers. I need to do one more thing to put them together.

I do a mass mail out with all the new e-mail addresses. The e-mails are HTML-enabled e-mails. Embedded at the bottom of the e-mail is this web bug:

<IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://track.WebBugsAreEvil.com/cgi.bin/ping? email_ID=YOUR_EMAIL_ADDRESS@yourhost.com & sequence=1928d4ae1228">

It's a 1x1-pixel GIF that has a single clear pixel in it; this is where the euphemism "clear GIFs" comes from. You cannot see this GIF.

When you open the mail, this new web bug is sent to WebBugsAreEvil.com. Because the URL has your e-mail address in it, and it also sends your "WebBugsAreEvil.com" cookie with the HTTP GET request, I can now associate your personal details with your surfing habits.

In short, it is very easy to remove anonymity.

I don't know about you, but I find the idea of anyone having this amount of knowledge about me and my browsing habits to be uncomfortably close to Big Brother's surveillance from George Orwell's novel "1984". Is your telescreen on, Winston?

--

Defeating web bugs

Web bugs are usually used in conjunction with cookies to profile your surfing habits. I find this to be a gross invasion of privacy, so I have chosen to fight back.

It's not hard to stop a site from using cookies as a tracking tool. If they cannot store a cookie on your hard drive, that cookie cannot be used to profile you.

The way to defeat this is to prohibit the web sites that use web bugs from storing cookies on your computer. A good browser will have security settings that can be customised. I place all web sites that I trust in my collection of trusted sites. These sites can store cookies on my machine. Sites that are not in my collection of trusted sites must go through the default setting where I must approve each cookie with a click before it can be stored on my hard drive. Persistently annoying sites get placed in my collection of restricted sites, which are prohibited from storing cookies. Sometimes, a trusted site that I have omitted gets added to the trusted list.

If you want to start a database of restricted domains, a good place to start is your cookie collection. You will find a lot of sites that you never visited in that list. Add anything suspicious to the restricted list before deleting the cookie.

I have only been doing this for a few weeks, so I haven't got any good results to report so far. I'm sure I'll get good results doing this, and I invite others to try it. It does involve a little work, but eventually I hope to have reasonable web-bug-free privacy online.

--

Re:And a web bug is...?

See the web bug FAQ:

http://www.privacyfoundation.org/education/webbug. html [privacyfoundation.org]

Re:Associating e-mail addresses with cookies

Now suppose you place an order on one of these sites and leave your e-mail address and other personal information. The site sells your e-mail address and other personal info to "WebBugsAreEvil.com". I now have your personal information and your cookie, but the cookie ID is not yet associated with your personal information because these were collected by two different servers. I need to do one more thing to put them together.

I do a mass mail out with all the new e-mail addresses. The e-mails are HTML-enabled e-mails. Embedded at the bottom of the e-mail is this web bug:

Actually this extra step of sending a web-bug infested spam is not even needed in most cases. It's enough if the surfer enters his e-mail address into any form on the web which uses the GET method, and which leads to a page having a web bug/banner ad from WebBugsAreEvil.com. The site serving the form does not actually need to be in cahoots with WebBugsAreEvil, apart from the obvious contract for serving its banners. Indeed, with the GET method, form data (containing your E-mail address) will be part of the URL, and thus will be sent to WebBugsAreEvil in the Referer header field. Much more discreet and reliable than sending a webbugged spam, and much more far-reaching too: using the same method, WebBugsAreEvil can collect all kinds of interesting info: First name, last name, home address, all kinds of demographic info such as age, yearly income, hobbies (if user ever participated in a survey having such a form), credit card number (if merchant was foolish enough to have his order form submitted via GET rather than POST). N.B. Even https doesn't protect against this, as this is data that is "intentionnally" sent to WebBugsAreEvil, rather than intercepted...

Why does Microsoft do this?

I mean, they have better means.

Like forcing you to use cookies in Internet Explorer, or rather, transmitting cookies to *.msn.com sites no matter what you configured, containing personal information about your windows installation.

See also here (http://slashdot.org/yro/00/11/02/1639247.shtml) [slashdot.org]:

Think that's bad? How 'bout msid.msn.com cookies set as part of your install, and re-created even after deletion?

Grab a hex editor or other file viewing tool (e.g. LIST.COM) and examine MSIE's cookie files, you'll see that msid.msn.com has a cookie set even if you don't use IE. (Reproduce: Delete - from within DOS, not Windoze, all MSIE cookie files. Reboot. Do not connect to the 'net.

Observe that IE has re-created cookies pointing to msid.msn.com with your information in 'em, even though you never connected to the 'net. They're there on a clean install from CD-ROM, and they come back every time you delete 'em.

For the sake of the privacy of those who must use Internet Explorer: Firewall msid.msn.com. Forever.

Bad statistics

Looks to me like they are classifying any inline link to a different server as a "web bug".

This is quite bogus, as evidenced by the #2 ranking of akamai; the fact that many high-traffic sites have their images served from akamai's network does not mean that akamai is tracking where people go.

Who cares?

So, they collect some *anonymous* usage statistics. So what? They can track your web surfing. Who cares? These stats are *anonymous*, people. They can't be mapped to your physical address, phone number, etc. without a call to your ISP and a good reason. These stats help advertisers market products to you more efficently. It saves them money, and you get the see ads that might encourage you to buy something that is really useful to you. So my question is, why do you care?