December 12, 2000, 8:52 AM — Last week's announcement from the Privacy
Foundation raised new concerns about Web browsers and privacy.
You may already be aware of Web bugging, a technique used to determine who has read
a particular HTML document at a site other than the one from which the document was
downloaded. A developer inserts a reference to an image on the original site into the
HTML document. The browser that opens the HTML page sends a request to retrieve the
image, leaving a record in that Web server's logs. The image itself may be one pixel in
size, effectively invisible to the browser user.
Richard Smith, CTO of the Privacy Foundation,
reported a variation of Web bugging in Word, Excel, and PowerPoint
documents. The author of a document can embed an image in one of these documents as a
URL. This is a useful technique that makes a lot of sense when a document is
distributed internally within an organization; only one copy of the image is stored on
the network, and the copy gets fetched as needed.
You can also include a reference within a document to a tiny image using a unique
URL (for example, by sending the image reference to a script with an identifier
appended as an argument). Using this trick, a document's creator can log which people
(or, more accurately, which IP addresses) opened the document with Word, Excel, or
PowerPoint. This technique enables a kind of security monitoring; if the document was
not supposed to be distributed, the log would provide valuable information about where
the document had wandered. And if different identifiers were embedded in each version
of the document, the log would also disclose the person who shared his copy.
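
The monitoring use described above, as an added example that is not part of the original article: a Python pass over Web server access logs that reports requests for the embedded image from outside the intended network and maps each identifier back to the recipient of that copy. The script path, identifiers, internal address range, and log lines are all constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: hypothetical script path, identifiers, and addresses.
BEACON_PATH = "/img/logo.cgi"
ISSUED = {"a17": "alice", "b42": "bob"}   # identifier -> recipient of that copy
INTERNAL = ip_network("10.0.0.0/8")       # where the document was meant to stay
SAMPLE_LOG = """\
10.1.4.22 - - [11/Dec/2000:09:14:02 -0500] "GET /img/logo.cgi?id=a17 HTTP/1.0" 200 43
10.1.7.90 - - [11/Dec/2000:09:30:41 -0500] "GET /img/logo.cgi?id=b42 HTTP/1.0" 200 43
198.51.100.7 - - [11/Dec/2000:16:02:13 -0500] "GET /img/logo.cgi?id=b42 HTTP/1.0" 200 43
10.1.4.22 - - [11/Dec/2000:16:05:00 -0500] "GET /index.html HTTP/1.0" 200 5120
203.0.113.9 - - [12/Dec/2000:08:01:55 -0500] "GET /img/logo.cgi?id=zz9 HTTP/1.0" 200 43
"""

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def find_leaks(log_text, issued=ISSUED, internal=INTERNAL):
    """Return (time, ip, identifier, recipient) for each open from outside `internal`."""
    leaks = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue                      # skip malformed lines
        host, when, _method, target, _status = m.groups()
        url = urlsplit(target)
        if url.path != BEACON_PATH:
            continue                      # ordinary page hit, not the embedded image
        ids = parse_qs(url.query).get("id")
        if not ids:
            continue
        try:
            addr = ip_address(host)
        except ValueError:
            continue                      # log recorded a hostname, not an address
        if addr not in internal:
            # Unknown identifiers are still reported; recipient is None.
            leaks.append((when, host, ids[0], issued.get(ids[0])))
    return leaks

if __name__ == "__main__":
    for when, ip, ident, who in find_leaks(SAMPLE_LOG):
        print(f"{when}  {ip}  id={ident}  copy issued to: {who or 'unknown'}")
```

As the article notes, the log identifies IP addresses rather than people, so a hit from an external address shows where a copy was opened and which copy it was, not who opened it.
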
Microsoft, in its response to the Privacy Foundation announcement
(http://www.microsoft.com/technet/security/cookie.asp), raised the associated
issue of cookies. Brad Griffin of pc-help.org
(http://www.pc-help.org/privacy/ms_guid.htm) then
noted that if you visit different Websites run by Microsoft, you wind up with the
same GUID value in the cookies deposited by different servers. GUIDs, or globally
unique identifiers, allow the operators of Websites to monitor your activities,
something which most people consider a privacy violation. For example, your browsing
habits at one Website could lead to directed advertising for a Website that is
apparently unrelated, if the two share GUID information.