Fearing a Plague of 'Web Bugs'
Invisible Fact-Gathering Code Raises Privacy Concerns
By Robert O'Harrow Jr.
Washington Post Staff Writer
In a scramble to monitor the behavior of consumers online, marketing companies on the World Wide Web are increasingly using a tool to surreptitiously track what computer users do on the network and automatically report the details to centralized advertising services.
The tool, known as a "Web bug," lets advertising services companies fetch data from multiple Web sites without computer users' knowledge and send it to databases for analysis and storage.
Online marketers have for several years gathered information through the use of "cookies"--a simple sort of computer code that serves as a unique identifier for each computer user at a Web site. Banner advertisements on Web sites routinely use cookies to record the number of people who view an ad or click on the ad itself.
But Web bugs, named by a computer privacy specialist suspicious of them, can gather information without a sophisticated computer user's knowledge, since they set cookies and gather information even on pages displaying no ads.
"If there's an ad on the page, there's a suggestion this page has an affiliation with some other site. You might expect that there was someone watching," said Jason Catlett, president of Junkbusters Corp., a privacy advocacy and consulting company. "But the Web bug has no purpose but surveillance."
Until recently, almost no one but computer specialists had heard about Web bugs, often known in the trade as "clear GIFs." But with exploding interest in target marketing on the Internet--and several companies poised to begin identifying computer users by name--Web bugs have suddenly drawn the attention of advertisers, government officials and privacy advocates.
Officials at the Federal Trade Commission, who said they learned details about Web bugs at a workshop this week about online profiling, will examine the bug's impact on consumer privacy, according to David Medine, the FTC's associate director for financial practices.
Medine said the concern is that consumers--even those familiar with cookies--may never know that the information they agree to give a particular, trusted Web site may now be shared with a centralized advertising server that is gathering information about their activities. That's because few sites disclose they are deploying a Web bug even if a user has set his Web browser to alert him if a site is trying to place a cookie.
Computer users can configure their browsers to block the setting of a cookie. But if a user allows just one site in an advertising network to set a cookie, it enables all of the Web bugs in that network to perform.
Among the sites deploying the tool is <www.mentalwellness.com>, an "online resource for schizophrenia and other mental health information" operated by Janssen Pharmaceutica Products, L.P. The code, on a page with stories about famous people who suffered from mental illness, sends information to an online advertising service called DoubleClick Inc., which gathers and analyzes information about computer users at some 1,400 Web sites.
A spokesman for Janssen said its Web bug is used only to help the company identify the most popular material at the site.
With the help of a cookie, the Web bug typically identifies a machine, the page it opened, the time it arrived and other details. That information, sent to a company that provides advertising services such as DoubleClick, can then be used to determine if someone subsequently visits another company page in the same ad network to buy something or read other material.
"It's a way of collecting consumer activity at their online store," said David Rosenblatt, senior vice president for global technology at DoubleClick.
But for consumer watchdogs, Web bugs and other tracking tools represent a growing, sophisticated threat to the privacy and autonomy of online computer users. Although much of the information collected by ad servers now is not personally identified, it soon will be in many cases.
DoubleClick, the industry leader, has begun creating an "information alliance" of businesses that will share customer information in a vast digital pool. Once a computer user shares a name online with any alliance member, DoubleClick will be able to associate that name with cookies at all other participating members' sites. But DoubleClick and eight other leading advertising servers pledged this week to allow consumers to opt out of such practices.
Richard M. Smith is a computer security specialist who named the Web bugs because he believes they perform somewhat like hidden microphones. He said the same kind of code as Web bugs is used in certain types of Web-related e-mail to bounce information from thousands of people--such as whether a note was opened--back to a marketer who wants to know the effectiveness of the pitch. Next week he intends to post a paper about them on his own Web site, <www.tiac.net/users/smiths>, which now carries a frequently asked questions paper on Web bugs.
"I don't think this stuff is properly disclosed by any stretch of the imagination," said Smith of Brookline, Mass., who has been asked by the FTC to write an analysis of the mechanism.