Web bugs and cookies

ITworld.com –

Last week's announcement from the Privacy Foundation raised new concerns about Web browsers and privacy.

You may already be aware of Web bugging, a technique used to determine who has read a particular HTML document at a site other than the one from which the document was downloaded. A developer inserts a reference to an image on the original site into the HTML document. The browser that opens the HTML page sends a request to retrieve the image, leaving a record in that Web server's logs. The image itself may be one pixel in size, effectively invisible to the browser user.

Richard Smith, CTO of the Privacy Foundation, reported a variation of Web bugging in Word, Excel, and PowerPoint documents. The author of a document can embed an image in one of these documents as a URL. This is a useful technique that makes a lot of sense when a document is distributed internally within an organization; only one copy of the image is stored on the network, and the copy gets fetched as needed.

You can also include a reference within a document to a tiny image using a unique URL (for example, by sending the image reference to a script with an identifier appended as an argument). Using this trick, a document's creator can log which people (or, more accurately, which IP addresses) opened the document with Word, Excel, or PowerPoint. This technique enables a kind of security monitoring; if the document was not supposed to be distributed, the log would provide valuable information about where the document had wandered. And if different identifiers were embedded in each version of the document, the log would also disclose the person who shared his copy.
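The two paragraphs above describe the mechanism from the tracker's side. As an added illustration from the reviewer's side, not part of the original column, the script below scans an HTML page for image references that match that description: images fetched from a host other than the one the page came from, flagged further when they carry an identifier in the query string or are declared as a single pixel. The sample page and hostnames are constructed for the example.

```python
"""Flag <img> references in an HTML page that look like Web bugs.

A Web bug is an image hosted on a third-party server; the request the
browser makes to fetch it leaves a log entry there. A per-recipient
identifier in the query string or a 1x1 size makes the intent clearer.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ImgCollector(HTMLParser):
    """Collect the attribute dictionary of every <img> tag in the page."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def find_web_bugs(html, document_url):
    """Return (absolute_src, reasons) for each off-origin image found."""
    origin_host = urlparse(document_url).hostname
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src")
        if not src:
            continue
        absolute = urljoin(document_url, src)
        parsed = urlparse(absolute)
        # Same-origin images are ordinary page content, not Web bugs
        if parsed.scheme not in ("http", "https") or parsed.hostname == origin_host:
            continue
        reasons = ["third-party host"]
        if parsed.query:
            reasons.append("identifier in query string")
        if attrs.get("width") == "1" and attrs.get("height") == "1":
            reasons.append("1x1 pixel")
        findings.append((absolute, reasons))
    return findings


# Constructed sample page: one local logo, one tracking pixel, one off-site banner
SAMPLE_HTML = """<html><body>
<img src="/images/logo.gif" width="120" height="40">
<img src="http://tracker.example.net/log.cgi?id=recipient-42" width="1" height="1">
<img src="http://cdn.example.org/banner.jpg">
</body></html>"""
SAMPLE_URL = "http://www.example.com/newsletter.html"

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_HTML, SAMPLE_URL):
        print(src, "->", ", ".join(reasons))
```

An off-origin image with no extra flags is reported too, since the log entry it creates is the basic form of Web bugging the column describes; the extra reasons indicate how much the reference resembles the per-recipient variant.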

Microsoft, in its response to the Privacy Foundation announcement, raised the associated issue of cookies. Brad Griffin of pc-help.org then noted that if you visit different Websites run by Microsoft, you wind up with the same GUID value in the cookies deposited by different servers. GUIDs, or globally unique identifiers, allow the operators of Websites to monitor your activities, something which most people consider a privacy violation. For example, your browsing habits at one Website could lead to directed advertising for a Website that is apparently unrelated, if the two share GUID information.

The collusion Griffin found across Microsoft sites should be impossible, because a browser returns a cookie only to the domain that set it, but Microsoft manages it by using URL redirection. Griffin even provides an example of how you can send a request to an ASP file at Microsoft to deliver your Microsoft GUID to your own server.

Microsoft has created a working mechanism for using cookies to maintain user information across sites. Cookies are not dangerous in themselves, but do provide information that helps track users. Users concerned about the privacy of their browsing activity should take note of this development. It could let organizations track your shopping habits or file downloads.

Smith notes that the Web bug problem is not limited to Microsoft applications. He's prepared a FAQ on the topic.

How do you track or manage cookies? Netscape browser users can edit their cookies file by exiting Netscape, finding their cookies file (in the Netscape folder on Windows or the .netscape directory in the user's home on Unix), and deleting any lines they wish. Deleting cookies that were left under Internet Explorer is much more difficult, as the information is stored in structured binary files instead of text.

You can disable cookies, but if you do, you lose valuable functionality when visiting sites such as Amazon.com that use cookies to identify you. Internet Explorer lets you accept cookies only from trusted sites, but such sites very likely would include Microsoft, which leaves you just where the current problem started.

There are many third-party utilities for managing cookies, though I have not tested any of them. But the latest issues with Web bugs and cookies point out the more general need for better control of the security functions of our Web browsers. For example, browser vendors should offer a toolbar button that temporarily enables Java or JavaScript for a single site and disables them by default as soon as you visit a different site. Those developing the next generation of browsers need to make user security a primary goal.
