Spying and Tracking you on the Internet
© Zoes Network Consulting, 2004
Web advertisers are increasingly using surreptitious methods ("spyware", "web banners", "web bugs", and "cookies") to identify and track individuals on the Internet without the knowledge and consent of the individuals involved. The purpose is to build a database (a dossier) on web surfers and to use that information for their commercial purposes, including marketing both online and using direct mail. This white paper will discuss some of the ways they do this and will identify some tools and techniques to determine if you are a victim of this practice and how to block it. While many of the techniques used are operating system independent, this paper focuses on Windows systems.
This revised document has been updated to contain additional techniques that advertisers and others use to spy on and track you on the Internet.
How they spy on you
What do we do about it?
The Internet has become, for some, a gold mine to be exploited: in this era where information is power, your personal information is the coin of trade for the profit of others. In pursuit of that profit, some vendors have taken the position that not only are your browser viewing habits fair game for their demographic databases, but so are the contents of your hard drive.
Some vendors are open and out front about their belief that they have the right to track you and your use of your computer for their commercial purposes. Some take the position they have the right to put software on your machine that will transmit to them data about your personal habits, including information about your computer and the contents of your hard drive. These companies at least include a provision (which is unintelligible to most non-lawyers) in their End User License Agreement (EULA) that says that this is what they will do if you agree to the EULA. Of course, if you don't agree to their spying on you, you cannot use their software. They make it a condition of your use of software that you may have paid for, that they can spy on you.
Many, on the other hand, do not tell you that they have inserted "spyware" on your system or are tracking your web surfing habits, preferring instead to obtain the information they want about you, secretly and without your consent.
This information "mining" is justified by the industry as simply a means to "enhance your browsing experience" through the creation of such "online profiling." However, it is clear that such fine words are a rather lame attempt to justify being peeping Toms. They are really saying that by being peeping Toms, they can "target" you with "better" advertisements; ads that might make you more likely to purchase what they are selling.
Yes, ladies and gentlemen, it's all about making money off of you.
A number of the companies involved in this attempt at data collection have created an organization named the Network Advertising Initiative (NAI) in an attempt to head off legislation restricting their practices by creating "industry standards."
On 7/27/2000, the Federal Trade Commission released a statement of the status and direction of this group's efforts, which can be read at http://www.ftc.gov/opa/2000/07/onlineprofiling.htm. The companies that comprise the NAI promise to do the following:
So, can you trust these companies to abide by a voluntary code of conduct? And what about those who do not join NAI?
There are several ways that advertising companies (and they are the ones driving this phenomenon) invade your privacy and get information about you. In combination or separately, they use techniques involving "cookies", "web banners", "web bugs", "pop ups" and plain out and out spyware that you have (perhaps unknowingly) installed on your computer that sends information to them behind your back.
Cookies were originally an invention of Netscape to provide a method of retaining "state" information in a connection that was originally designed to be "stateless." The ability to retain the current state of a web browser connection makes it possible for the server to customize the returned web page or provide content control. Cookies have since evolved into a way to retain information on the visitor's computer to identify the visitor and provide services such as "login" recollection of user preferences. They can even return "bookmarks" such as the "last page accessed" by the visitor in order for the user to continue where he left off later.
In addition, cookies can also be read to retrieve any data previously stored, such as logonid and password for the site, making it easier for the visitor to enter protected web sites. The New York Times web site is an example of this.
In fact, the "bookmark" feature was one of the early uses of cookies used by web advertisers. A web page designer would imbed a graphic with a link to an advertiser, which would select an advertisement to display when the web page was viewed by the customer's browser. The advertiser's link would request the browser to store a cookie on the web user's hard drive indicating the date and time as well as the information as to which advertisement was displayed. The next time the web surfer would encounter a banner advertisement from the same advertiser, the cookie would be read and the next advertisement in the sequence would be displayed. Note it would not be a requirement for the web surfer to display the same page at the original web site in order to get the next advertisement. Any web site that used the same advertiser would result in the next ad being shown because the cookie kept track of the last advertisement. Another name for this process is "clickstream data."
It is this feature that has evolved into the tracking of individuals across the Internet using cookies.
It works like this: A surfer visits site "A" and a cookie from the advertiser is placed on the surfer's computer and a record of the cookie is retained in the advertiser's database. This cookie has a unique identifier that is specific to that computer, as well as to the specifics of which web site and page was visited. The surfer then visits site "B" and another entry is made in the database. As time goes on, the advertiser builds a profile of web sites that the surfer visits. The figure below illustrates this flow of data.
So why is this a problem?
Because sooner or later, the surfer WILL leave identifiable data, such as name, address, email address, and so on, at a web site, because the surfer will "Register" to obtain information, product, and/or services. The minute this happens, either through an agreement with the owner of the web site where you "registered," via a direct reading of browser internal parameter values, or even by using other technical means, the advertiser will merge your identity with their profile and you are now captured on their database at the individually identifiable level. Once they merge this data with the other existing demographic databases out there, they have a powerful marketing database that they will sell to direct marketers or any other organization with the money to pay for it. This includes employers, insurance companies, and the IRS.
Sounds far fetched?
The company DoubleClick.com has been recording this information for years. In the fall of 1999, they merged with one of the largest commercial database marketing companies in the United States. In the spring of 2000, they announced that they would merge their online profiles with their newly acquired demographic database. This erupted into lawsuits, state investigations, and a Federal Trade Commission investigation as people rightly began to fear that their "anonymous" web surfing habits would not only be used to send junk mail (both snail and email), but by telemarketers and direct mail companies as well. At the gut level, the fear was that this information would be used to create a dossier on individuals. On you!
Akamai's website contains a detailed description on how it all works in a white paper available at http://www.akamai.com/en/resources/pdf/sw_infra_wp.pdf. Please note that what Akamai does is not unique anymore. Further, we have only their word that they are NOT collecting personally identifiable information about you when you visit a subscriber's web site.
Knowledge is power, and these online advertisers want to have the knowledge about you, about your preferences, and intend to share this information with others once they have it. It is not a fanciful exercise of paranoia any more. It is real and it is already happening. In their minds, nobody has the right to privacy anymore.
More information on cookies and other web privacy issues can be found at: http://www.junkbusters.com/ht/en/cookies.html
A "web banner" is the advertisement that the advertiser displays on your screen. It's the pitch for products and services that you see at the top, the sides, and the bottom of commercial web pages. If you click on them, you will be sent to the web site offering the goods or services being advertised.
So what is the problem with this? Whether or not you click on the banner, a cookie is read and written on your hard drive telling the advertiser that you viewed a particular banner ad on a particular web site. How this works is that the web banner is not part of the page you are downloading. It is an off-page link to another website (the advertiser's) that records the fact that your web browser saw the web banner ad and which website you linked from. An example of information that can be recorded follows:
[The above is output from Steve Gibson's "Shields Up!" security analysis web site. You can test your system and web browser's security (or discover the lack of it) at https://grc.com/x/ne.dll?bh0bkyd2]
All web servers receive the above information. Basically, it tells the servers what features the web browser supports, what kind of web browser was used, and the format of the information sent.
Specifically, this example tells the web server:
The browser used in this example was Internet Explorer 6 on a Windows XP system. The other information about the web browser is that it supports shockwave, gif, xbitmap, jpeg, pjpeg, MS Excel and MS Word data natively. The "Referer:" information tells the server the source of the link to it. Advertisers using web banners use the "Referer:" data to tell EXACTLY where you were reading the web banner from.
For example, if you are reading a senior citizen web site, the "Referer:" data sent to a web banner company could contain a value [fictional in this case] of "Referer: http://www.seniorcity.com/incontinence" guaranteeing that every future visit to a web site containing a banner ad from the same company would include an advertisement (either a web banner or a "pop up") for "Depends" or similar product.
In addition, the fact that you view the web page containing a web banner ad causes the stored cookie (that the web banner company put on your machine the last time, also known as a "third party cookie") to be transmitted to the advertiser.
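The combination described above (the same third-party cookie arriving with a different "Referer:" each time) can be spotted in your own traffic. The following is an added example, not part of the original paper: it scans a constructed request log, such as a local proxy might record, and reports any outside host that received the same cookie from pages on two or more different sites. All host names and cookie values are placeholders, and the "last two labels" site rule is a simplifying assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (requested URL, Referer header, Cookie header).
# Every host name and cookie value here is a placeholder.
SAMPLE_REQUESTS = [
    ("http://news.example.com/index.html", "", "session=abc"),
    ("http://ads.adnet.example/banner?slot=top",
     "http://news.example.com/index.html", "uid=7f3a91"),
    ("http://shop.example.org/cart", "", "basket=42"),
    ("http://ads.adnet.example/banner?slot=side",
     "http://shop.example.org/cart", "uid=7f3a91"),
    ("http://health.example.net/article", "", ""),
    ("http://ads.adnet.example/pixel.gif",
     "http://health.example.net/article", "uid=7f3a91"),
    ("http://static.example.com/logo.gif",
     "http://news.example.com/index.html", ""),
]


def site_of(url):
    """Naive 'site': the last two labels of the host name.

    Assumption for this example; a real tool would use a public-suffix list.
    """
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def parse_cookies(header):
    """Split a Cookie request header into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def find_cross_site_trackers(requests, min_sites=2):
    """Find third-party cookies that were sent from several different sites.

    Returns {(host, cookie name, cookie value): sorted Referer URLs}, i.e.
    exactly the browsing trail that host can tie to one identifier.
    """
    sightings = defaultdict(dict)  # key -> {first-party site: Referer URL}
    for url, referer, cookie_header in requests:
        host = (urlsplit(url).hostname or "").lower()
        if not referer or not host:
            continue  # typed or bookmarked address: no embedding page
        if site_of(url) == site_of(referer):
            continue  # first-party request, not an off-page link
        for name, value in parse_cookies(cookie_header).items():
            sightings[(host, name, value)].setdefault(site_of(referer), referer)
    return {
        key: sorted(by_site.values())
        for key, by_site in sightings.items()
        if len(by_site) >= min_sites
    }


if __name__ == "__main__":
    for (host, name, value), pages in find_cross_site_trackers(SAMPLE_REQUESTS).items():
        print(f"{host} received {name}={value} from:")
        for page in pages:
            print("   ", page)
```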
What most people do not know is that, in addition to the browser information shown above, the web server can get access to any and all information that you entered in a form for that particular browser session.
Read about one user's discovery of the data in a banner advertisement that was owned by DoubleClick.com at: http://www.computerbytesman.com/privacy/banads.htm.
This is why many banks and financial services recommend that you specifically close the web browser session when you have finished doing business with them over the web. The author STRONGLY URGES you to heed their advice: When you finish your transaction, CLOSE THE BROWSER!
Remember, we have ONLY their word that they are not collecting personally identifiable information.
A "web bug" is a variation of the web banner described above. However, instead of a visible banner ad, a web bug is a graphic that is usually only 1 pixel in size, and hence essentially invisible. In other words, its only purpose is to track your visit to the page, not to pitch a product or service to you. Other than this, they operate exactly like the web banner advertisement and a visit to a web page with a web bug results in a cookie being placed or read on your machine and an update to the advertiser's database.
Advertisers and others use web bugs in HTML enabled mail and newsreaders to track people and verify email addresses. In this case, when you open a message that is HTML formatted, the 1x1 pixel graphic is loaded from the sender's tracking website, which confirms that YOUR email address is "good" and that you read their ad.
A FAQ on web bugs can be found at http://www.privacyfoundation.org/resources/webbug.asp. Read this FAQ carefully, because it identifies some companies that use web bugs on their web pages and in email advertising, as well as on USENET newsgroups.
The authors of this web page provide a method to use the Alta Vista search engine to identify web sites that use web bugs. See: http://www.computerbytesman.com/privacy/wbfind.htm. Unfortunately, not all web bug sites will be identified as not all such web pages are indexed.
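A web bug can also be found by inspecting the HTML itself. The following is an added example, not part of the original paper: it parses an HTML message or page and lists every remotely loaded image that is 1x1 pixel or smaller, or hidden by its style, together with whether the image address carries a query string that could identify the reader. The sample message and all host names are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an HTML-formatted email; hosts are placeholders.
SAMPLE_EMAIL = """
<html><body>
<p>Spring sale!</p>
<img src="http://images.shop.example/banner.gif" width="468" height="60">
<img src="http://track.mailer.example/open.gif?r=recipient-1234" width="1" height="1">
<img src="http://stats.mailer.example/p.gif?id=9" style="display:none">
<img src="cid:logo123" width="1" height="1">
</body></html>
"""


def _pixels(value):
    """Return an integer pixel count from '1' or '1px', else None."""
    match = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(match.group(1)) if match else None


def _style_props(style):
    """Parse an inline style attribute into a {property: value} dict."""
    props = {}
    for declaration in style.split(";"):
        name, sep, value = declaration.partition(":")
        if sep:
            props[name.strip().lower()] = value.strip().lower()
    return props


class WebBugFinder(HTMLParser):
    def __init__(self, first_party=None):
        super().__init__()
        self.first_party = (first_party or "").lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = {name: (value or "") for name, value in attrs}
        parts = urlsplit(attr.get("src", "").strip())
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return  # cid:, data: and relative addresses contact no other server
        host = parts.hostname.lower()
        fp = self.first_party
        if fp and (host == fp or host.endswith("." + fp)):
            return  # image comes from the site being viewed
        style = _style_props(attr.get("style", ""))
        width = _pixels(attr.get("width"))
        height = _pixels(attr.get("height"))
        if width is None:
            width = _pixels(style.get("width"))
        if height is None:
            height = _pixels(style.get("height"))
        reasons = []
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 or smaller")
        if style.get("display") == "none" or style.get("visibility") == "hidden":
            reasons.append("hidden by style")
        if reasons:
            self.findings.append({
                "host": host,
                "url": parts.geturl(),
                "reasons": reasons,
                "carries_identifier": bool(parts.query),
            })


def find_web_bugs(html, first_party=None):
    """Return likely web bugs in html. For email, leave first_party unset so
    that every remote host counts as a third party."""
    finder = WebBugFinder(first_party)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_EMAIL):
        print(bug["host"], bug["reasons"], bug["url"])
```

The visible banner in the sample is not reported as a web bug, but it is still fetched from a remote server, so it reveals the same information when the message is opened.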
Pop up or "Pop under" ads are very popular today. There are hardly any commercial news or entertainment web sites that do not use them. They either appear on top of what you are reading, or underneath it to be visible when you close the web page you were reading.
Pop up ads do EVERYTHING that the web banners do. They plant cookies, they transmit your IP address and goodness knows what else to the advertiser, and they carry one more annoying feature: You must deliberately, manually close them. Advertisers love them because they are "in your face." This is why they are almost universally despised by the rest of us.
Pop up ads are nothing more than a program on the web page telling your web browser to launch a new page either when you load a web site page or close it.
While most web sites only use one pop up ad at a time, some are now linking them together to make you look at several in a row.
Which leads to…
But the other thing they can do is prevent you from escaping their clutches by turning off the "back" button, or reprogramming it into a "launch more junk" button. This is called "mouse trapping." It is an attempt to prevent you from leaving their web page. It is unethical and in some cases illegal. The Federal Trade Commission sued John Zuccarini (FTC v. John Zuccarini) for this practice.
"Spyware" refers to programs that you have installed on your computer that send information about your computer to Internet servers in an invisible background session. The authors of these programs refer to them as "adware," and claim that they are only used to control the display of advertisements on your monitor. Almost always, spyware is installed as part of the installation of a program or software package. Sometimes, the End User License Agreement (EULA) has a sentence buried deep inside somewhere telling you that data may be sent in the background to an outside Internet server. But most of the time, there is not a notice in the EULA, and the user has no knowledge that he is running a program that is sending information to a server somewhere, to be used for purposes unknown to him.
Many times, this spyware is installed such that it is started when you start your computer. And often, this software has conflicts with the operating system, causing system crashes. Clearly, running a hidden program that transmits data to others without your knowledge is unethical, at the least. It may be actionable in a civil suit as an invasion of privacy. It may even be criminal trespass or a violation of the Computer Security Act in some circumstances.
Finally, some spyware programs make changes to the operation of your computer. Some imbed themselves very deeply in the operating system by replacing operating system programs with their own versions. Some reset the defaults of Internet Explorer and override your home page setting to point to their web site or change the search engine to ensure that their customers get preference when you search the web.
Some imbed themselves deeply in the registry and automatically reinstall themselves if you uninstall the software or reset your default home page back to where they want it, after you manually set it. Some disable security controls to make future manipulation of your browser easier for their customer's web sites.
Who uses spyware?
You would be surprised. A number of major companies, such as Verizon, Motorola, Sprint, Bank of America, ORBITZ, and British Airways (among others) use it to advertise via pop-up ads and directed searches.
Some companies (like AOL and Earthlink) provide search engine tools that come complete with embedded spyware. For example, AOL Instant Messenger bundles two spyware applications: Weatherbug and Wild Tangent. AOL automatically installs these two when you install the latest Instant Messenger software. Wild Tangent is very difficult to remove from your system. It takes 24 separate steps, including registry modifications, before it can be removed.
Some companies, such as YAHOO, offer spyware removal tools that neither catch nor remove spyware that issues from their marketing partners.
Mattel Corporation owns the Broderbund software line. Certain children's games and utility programs included a program file "dssagent.exe" that surreptitiously sent data back to a Mattel server. The good news is that you are given a chance to turn this program off. The bad news is that they ignored your preference and ran the program in "stealth mode," anyway.
Mattel acknowledges that some customers of its products might be concerned at this invasion of privacy (though they claim that no individual identifiable data was transmitted to them), and provides a clean up program at: http://support.learningco.com/brodcastpatch.asp.
On the other hand, how can you trust a company to provide a de-installer when they (1) installed spyware software even though the customer explicitly said that they did not want to run it, and (2) will not tell exactly what they were sending to their servers beyond some glowing platitudes?
Other major companies that use spyware include AOL/Netscape and RealPlayer by Real Networks. Both use a Real Networks product called "Netzip" which provides enhanced or "smart" file downloading from web sites. What it also does, is send a record, containing individual identifiable data AND the name of the file downloaded to a Netscape.com or Real.com file server on the Internet. A class action invasion of privacy lawsuit against AOL/Netscape was filed because of this "smart" download feature.
A report describing how Netscape 4.7 uses this spyware can be found at http://www.tecchannel.de/internet/469/
Information about the lawsuit can be found at http://www.wired.com/news/politics/0,1283,37435,00.html
RealPlayer uses the exact same software to spy on their customer's download habits. Steve Gibson, of Gibson Research, provides his commentary on "The Anatomy of File Download Spyware" at http://grc.com/downloaders.htm
You can read MSNBC's report on Real Networks spyware at http://www.msnbc.com/news/436070.asp?cp1=1
The reader should note that this is the second time that Real Networks has been caught using imbedded spyware in their products to record the activities of users of their software. See: http://www.wired.com/news/politics/0,1283,32459,00.html
Other companies that create spyware are:
[Note that this list is incomplete.]
A number of companies have distributed spyware, imbedded into freeware, shareware, or purchased/licensed products. A listing of known software programs containing imbedded spyware is at http://www.infoforce.qc.ca/spyware/enknownlistfrm.html. Be advised that this list is incomplete and is growing as this practice spreads.
Links to other sites, discussion, and information about spyware can be found at http://grc.com/oo/news.htm, http://www.netrn.net/spywareblog/, and http://www.broadbandreports.com/?cat=spyware
Viral marketing is a technique to infect your machine into becoming an ad server. The functional effect is very much like that of spyware installed on your machine. The way it is installed, however, differs from spyware that you install that is piggy-backed as part of another program.
Windows Update, the technique that Microsoft uses to automatically install patches on your operating system and other Microsoft products, uses ActiveX to install new versions of the update program on your computer. While this is a good thing (and I strongly recommend that everybody run Windows Update and install all security patches), it is being misused by characters that believe that YOUR computer is also THEIR computer, and THEIR advertising server.
ActiveX is only one such way that programs (called "malware") can be installed without your knowledge. It is sufficient to know and understand that people ARE trying to use YOUR computer to consume YOUR time to pitch THEIR products.
First of all, do not allow them to be recorded on your system. Most browsers have controls that can be used to stop the recording of cookies. If you are using a browser that does not allow you to stop cookies, dump it and get one that does. Warning: the Neoplanet browser is a spyware product.
Second, delete your cookie files. Netscape and Internet Explorer will allow the web server to READ existing cookies. Therefore, to prevent information contained in the cookies from being transmitted to the server asking for the information, do not leave them on disk in the first place.
Third, some web sites will not allow you to enter or navigate the site unless you allow cookies. These sites will give you some kind of error message telling you to turn cookies back on. If you neither need nor desire the information contained at that web site, move on. On the other hand, if you need to use the web site, then certain browsers allow you to create cookies in memory that are valid for the duration of the life of the web browser task. The remote server thinks that a cookie is being saved, but it will be thrown away the moment you end the browser task.
Alternatively, some web browsers like Internet Explorer allow you to categorize web sites in terms of trust or danger. In other words, if you are a user of certain stockbrokers and banks, you can consider those sites as "trusted" (after all they have got your money!) and allow cookies to be kept and read. That way, you can shut off cookies for all but the trusted sites, and retain the cookie functionality for a select few.
Both Microsoft's Internet Explorer 5.5 and current Netscape browsers have the capability to prevent advertiser cookies (also known as "third party cookies") from being stored on your system, while allowing the web site's cookies to be processed separately.
Further information on turning off cookies can be found at the following:
Fourth, obtain "cookie management" software. This is software that blocks cookies, allows you to edit them, and/or allows you to delete them. Information on cookie management software can be found at:
Disabling cookies is the first line of defense.
There are several ways to stop web banners and bugs and pop ups from spying on you (and to prevent online profiling). You can obtain banner blocking software, such as AdSubtract™ at http://www.adsubtract.com/ and Norton Internet Security at http://www.symantec.com; you can misdirect the attempt to connect to the web advertiser's server; or you can upgrade to a mail client (such as Outlook 2003) that strips such embedded graphics out and shows them as separate images.
Banner blocking software works by intercepting the web browser's attempt to display the banner ad or the web bug, and discarding it. Hence, the banner is never displayed because the advertiser web site is never reached. In addition, the advertiser web site never gets to write a cookie on your hard drive and never updates its database to reflect your visit to the web page where the banner ad was. Hence, the attempt at online profiling gets defeated.
Pop up ads are similarly intercepted, though advertisers work hard to prevent their ads from being intercepted by using Macromedia's Shockwave and Flash products.
Another way to put a monkey wrench into the advertiser's plans is to redirect the request to connect to the web advertiser's server (and record your visit to the web page). What this does is to trick the browser to go to an invalid server IP address, instead of the address of the web advertiser's server. Use of this technique requires that you have a certain level of understanding on how TCP/IP (the communications protocol of the Internet) works and how to edit system files. If you do not have this knowledge, skip to the next section and purchase a good banner blocker or internet security package instead.
Advertisers like DoubleClick include the IP address in the "dot-com" or long format, relying upon the domain name translation mechanism to convert the address into the proper "dotted-decimal" format of "xxx.xxx.xxx.xxx" for navigation on the Internet. Usually a special "DNS" server performs this translation automatically. However, it is possible to manually specify specific addresses to be translated to the "local host" address of 127.0.0.1. This address is a special address. It always points to YOUR computer. In other words, if you can convince your system that the address of the web advertiser's server is your local host address, there will never be a connection to the web advertiser and profiling will be prevented.
You can fool the web browser, when it tries to connect to the advertiser, into looking at your local host address instead by manually editing a file called the "hosts" file. This file tells the system to use the local host address instead of the real IP address. Before your computer requests a DNS server to translate the long form, it will search this "hosts" file first. All you have to do is include an entry for each of the machine names commonly used by the banner advertising site and point it to the local loop address, and you achieve the same result as using an ad blocker.
For example, the following two entries will cause any web page containing a banner page from DoubleClick to scotch the presentation of the advertisement as well as preventing a cookie read/write and profiling database update:
For instructions in modifying your "hosts" file, please go to the following web site:
http://www.accs-net.com/hosts/ and select "how to use hosts." Note that the hosts files for Windows 9x and NT 4.0 are in different locations. A sample hosts file containing entries to block over 4000 known ad servers can be downloaded in text or zip format.
Both of the above techniques, banner ad blockers or using the hosts file, will put a major crimp in the ability of the web advertisers to collect profiling data. However, unless you are proficient with TCP/IP, I recommend you acquire a web banner blocker rather than manually update the hosts file.
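To check what a given hosts file actually blocks, the following added example (not part of the original paper) parses hosts-file text and reports, for each address a page would load, whether the name is redirected to the local machine or still goes out to DNS. The sample file and all host names are constructed placeholders; treating 0.0.0.0 like 127.0.0.1 and letting the first matching entry win are assumptions of this example. It also shows a limitation of the technique: entries match exact machine names only, so a name that is not listed is not blocked.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample hosts file; the ad server names are placeholders.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1   localhost
127.0.0.1   ads.adnet.example  ad.adnet.example   # two names on one line
0.0.0.0     TRACK.mailer.example
192.0.2.10  intranet.example.com
not-an-ip   broken.example
"""

# Constructed list of addresses a web page or email might try to load.
SAMPLE_URLS = [
    "http://ads.adnet.example/banner.gif",
    "http://AD.adnet.example/pop.html",
    "http://track.mailer.example/open.gif?r=1",
    "http://ads2.adnet.example/banner.gif",
    "http://intranet.example.com/",
    "http://broken.example/",
]


def parse_hosts(text):
    """Parse hosts-file text into {lower-case host name: ip address object}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: the resolver would ignore it too
        for name in fields[1:]:
            # Assumption: the first entry for a name wins.
            table.setdefault(name.lower().rstrip("."), address)
    return table


def is_sinkhole(address):
    """True for the local host address the paper describes (127.0.0.1) and
    for 0.0.0.0, which blocking lists also commonly use."""
    return address.is_loopback or address.is_unspecified


def audit_urls(urls, table):
    """Map each URL to 'blocked', 'dns' (not in the hosts file, so the
    request still goes out) or 'pinned:<ip>' (listed with a real address)."""
    report = {}
    for url in urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        address = table.get(host)
        if address is None:
            report[url] = "dns"
        elif is_sinkhole(address):
            report[url] = "blocked"
        else:
            report[url] = f"pinned:{address}"
    return report


if __name__ == "__main__":
    for url, verdict in audit_urls(SAMPLE_URLS, parse_hosts(SAMPLE_HOSTS)).items():
        print(f"{verdict:18} {url}")
```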
At the present time (as of the date that this is written), the only ways to certainly defeat web bugs put in to determine if you have read a message are to use the hosts file to block the communication between your machine and the tracking server, or to upgrade to an email client that can suppress the automatic execution of the web bug in HTML formatted email messages.
An example of such a hosts file entry is:
Preprocessing email (used to check for spam, mostly) is another way to determine if email in your inbox might be an HTML formatted message that might have a web bug embedded. An example of a useful email preprocessor is mailwasher, a free trial program available from http://www.mailwasher.net/ for standard POP email users. A "professional" version of mailwasher, which also includes technical support, can be purchased by users of Hotmail, MSN, IMAP, and AOL. This author uses mailwasher to prescreen all incoming email.
The best way to avoid being "mouse trapped" and/or cascading page launches is to avoid the sites most likely to use them. These sites are typically "copycat" web sites that have a URL that is just slightly different from that of a real web site, so that a common spelling error or incorrect use of a domain identifier will send you to a bogus web site that launches the mouse trapped/cascading pages. A famous example of such is mistakenly typing www.whitehouse.com [DON'T GO THERE] instead of http://www.whitehouse.gov. The FTC case against Zuccarini contains specifics on how he did it. See: http://www.ftc.gov/opa/2001/10/cupcake.htm.
The author generally recommends that users consider configuring their browsers to either prompt when an ActiveX program is about to be run or to block them all entirely.
There is only one thing to do here. Track down the spyware programs and delete them. There are a number of free programs you can acquire that will scan your system, identify program modules and registry entries that correspond to known spyware, and then automatically delete them.
Ad-Aware is one such free program from Lavasoft (http://www.lavasoft.de) that will track down and eliminate a number of the commonly found spyware programs. Lavasoft offers a more comprehensive version (Ad-Aware Pro) for purchase as well.
But equally important is preventing the spyware from contacting their Internet servers in the first place. In many aspects, spyware acts like a "Trojan horse" virus. Like a Trojan horse, the spyware program attempts to connect with its Internet server. Usually they are used to control the display of advertisements, but they also upload information about you, your computer, and maybe even what files you have on your system. A credible claim can be made that the only difference between a Trojan horse virus and a spyware program is how the collector intends to use the information.
However, if the spyware is deleted, the specific software you have that is infected with the spyware may no longer work properly. This may not be what you want to do. Therefore, an alternate goal to complete removal may be to prevent the spyware program from "phoning home" instead. In that case, it may be necessary to install a firewall that will block it from doing that.
A firewall, such as ZoneAlarm from ZoneLabs.com, Norton Internet Security, or McAfee Personal Firewall, is the front line in preventing unauthorized communication to a web advertiser's server from a spyware program. These firewalls will present a pop-up message whenever an unauthorized application (i.e., the spyware program) tries to make contact with a server on the Internet. The firewall user can prevent the application from ever contacting "home" with its load of data from your hard drive, and prevent it from being an "ad-server" and profiler. ZoneAlarm is currently free for personal use and available from: http://www.zonelabs.com/. Norton Internet Security is available from http://www.symantec.com and McAfee Personal Firewall is available from http://www.mcafee.com.
The author VERY STRONGLY recommends that every internet user installs either a hardware firewall (cable/DSL modem router) or a software one on every computer that accesses the Internet. In fact, the author uses both to provide a "defense in depth" against unauthorized attempts to enter his network. Not only does it keep out hackers and internet worms, but it prevents spyware from "phoning home."
In addition, the author also VERY STRONGLY recommends that ALL computer users install and keep current a robust anti-virus program. Virus infected computers are causing billions of dollars damage each year in lost time and productivity, and clean up costs. If your ISP provides an antivirus-screen function for your email, this author VERY STRONGLY recommends that you use it!
Finally, the author VERY STRONGLY recommends that each Windows computer user enables and runs Windows Update and configures it to AUTOMATICALLY download fixes and patches. The MS Blaster and Sasser internet viruses are examples of two viruses that attacked machines that did not have the requisite Microsoft patches installed, but that were connected to the Internet. The same advice applies to Macintosh and Unix users: STAY CURRENT on your security patches.
While there are no guarantees that the web advertisers and other online profiling companies will be permanently stopped, the diligent web surfer can take steps to prevent these companies from maintaining a profile on him. It will undoubtedly require federal legislation, with criminal penalties, to prevent these abuses of secret online profiling. For more information on the continuing struggle concerning online privacy, go to the following site: http://www.voiceofthepublic.com/vopwebfeeds/privacynews.html.
In the meantime…
We are not helpless. We can prevent these privacy invaders and spies from succeeding in tracking our movements and maintaining online profiles. We can do something about it. Remember:
Copyright © 2011 ZoeS Network Consulting, Solar graphic image copyright © 2000 Christiana V.