Ch 158: Cookies and Web Bugs What They Are and How They Work Together

Ch 158: Cookies and Web BugsWhat They Are and How They Work Together

http://www.abine.com/tracking.php

Online Tracking

• !privacy• easy it• Tracker– ISPs, Websites, advertising networks

• To– Provide: targeted advertising– Classify: you into a demographic group– Resell: information about you to other companies

Tracking Techniques• Cookies, IP Addresses, Web Bugs, browsing history, others.

Cookie–Small unique text file –Created by: a Web site

–Sent to: computer’s hard drive.

–Record: client mouse-clicking choices each time you get on the Internet.

Cookie

–Browser •contacts a server and requests the specific Web site.•searches your hard drive to see if it already have a cookie file from the site.

every time you visit that site they know its you

Cookie• If NO– an ID is assigned to you – this initial cookie file is saved on your hard drive.

• If YES– the unique identifier code, previously recorded in your cookie

file, is identified and your browser will transfer the cookie file contents back to that site.

– Now the server has a history file of actually what you selected when you previously visited that site.

– You can readily see this because your previous selections are highlighted on your screen.

• if somebody has access to your computer– they can often use cookies to see what sites you

have visited in the past

Cookie

Types of Cookie • HTTP Cookies - persistent • "Session" Cookies• Third Party Cookies• Flash cookieshttp://en.wikipedia.org/wiki/HTTP_cookie• A visitor cookie• A preference cookie • A shopping basket cookie • A tracking cookie.

HTTP Cookie• come from the Web site – that you are visiting

• usually intended to stay around permanently and each time you are online.

• Recommendation– To be deleted at the end of each browser session.

Session Cookies

• Expire when you close your browser.• Some sites, such as Gmail, require the use of

cookies during a session in order to function properly, but they don't need to have cookies stored permanently on your computer.

• Recommendation – allow session cookies – to avoid breaking functionality on certain Web

sites.

Third Party Cookies

• Web pages often have pieces of content from more than one source – such as ads posted along the sidebar of a Web page you are

viewing. • set the cookies – Domains other than the main page you are viewing – third parties.

• used by advertisers to track users across multiple Web sites.

• Recommendation – block third part cookies.

Flash cookies• Unlike the other cookies with are controlled through the cookie

& privacy controls in your Web browser• activated through a feature in Adobe's Flash plug-in called

"Local Shared Objects" (LSOs). • This means that

– even if a user has cleared his or her cookie settings (by directing your browser to “block” or “delete” cookies),

– sites can still use a feature of Flash to track your online behavior.

• Among other things, Flash cookies are used to ensure smooth playback on sites that stream music and video.

• Recommendation – delete all Flash LSOs at the end of each browser session. – Note that this is not done the way other cookies are deleted; instead, a

user must visit Adobe’s site for the deletion controls or use other software.

A visitor cookie. • The most common type .• keeps track of how many times you

return to a site. • alerts the Webmaster of which pages

are receiving multiple visits.

A preference cookie• stores a user’s chosen values on how to

load the page.• it is the basis of customized home pages

and site personalization. • It can remember which color schemes

you prefer on the page or how many results you like from a search.

• is a popular one with online ordering. • It assigns an ID value to you through a

cookie. • As you select items, it includes that

item in the ID file on the server.

A shopping basket cookie

A tracking cookie. • The most notorious and controversial .• It resembles – the shopping basket cookie, but instead of adding

items to your ID file, it adds sites you have visited. • Your buying habits – are collected for targeted marketing.

• companies can save e-mail addresses supplied by the user and spam you on products based on information they gathered about you.

Cookie Usage• After you type a URL in your browser,– it contacts that server – requests that Web site. – The browser looks on your machine • to see if you already have a cookie file from the site. • If a cookie file is found

– your browser sends all the information in the cookie to that site with the URL.

– When the server receives the information, it can now use the cookie to discover your shopping or browsing behavior.

• If no cookie is received– an ID is assigned to you and sent to your machine in the form of a

cookie file to be used the next time you visit.

Cookie Usage

• Cookies: left on your computer generally store

–a unique serial number –used to identify you –to keep track of all your visits to a certain

Web site and any "network" of sister sites.

• If third party cookies be stored– Network = several advertising company sites– each time you visit a Web site in the cookies

"network“ can track you as you travel among these different sites. –Advertisers can • create a profile of you • based on your browsing behavior – as well as store your browsing history as long as they

like.

Cookie Usage

IP Address• Websites – receive your computer's current IP address – can • figure out where you are geographically• keep track of all connections from the same IP address.

– if your IP address doesn't change then they have a good idea it's you -- every time you visit.

– If you use a cable modem you may have a dynamically assigned IP-address, but these tend not to change very often.

– Most other forms of Internet access use static IP addresses.

• To prevent – proxy : Proxy does see all of your traffic.

Web Bug

• Web bug = beacons• a graphic: on a Web page or in an HTML-based e-mail message

• to: track who is viewing the page (or email).

• can provide – IP address– Time– recipient wishes that information disclosed or not. – how often a message is being forwarded and read. – More

can track you as you move among Web sites within their network

Web Bug

Web Bugs Usage• Web Bugs: notify their server each time their page is accessed.

• The site: knows that the page with the bug on it has been accessed, and by what IP address

• Advertisers: can correlate your visits to their sites

–by • looking at the timestamps of the requests from the Web

bugs you triggered

• use – your IP addresses – browsing sessions on their sites to build up their

profile.

Web Bugs Usage

–HTML-based emails: • they can tell if you've opened their email and where you were

when you opened it.

Tracking Methods

• JavaScript trackers. – pieces of JavaScript –usually come from other sites. –When the Web page loads in your

browser • it makes a request to include a piece

of code from the tracking server.

• One-pixel images and other SRC tags. – Images tags

• in HTML pages • actually directions that tell your browser where to find the

image it is supposed to display to you.

– This means that when your browser displays a Web page to you it makes a request to the tracking server for the image.

– the image is a transparent 1-pixel image• it is not really mean to be viewed• it's really just a tracking method.

Tracking Methods

• Browser Fingerprinting. – It is also possible to identify a specific browser by

looking at details about the browser software and components directly.

– Currently • not aware whether this is being done by Web sites in

the field• it does represent the next frontier in online privacy.

– Visit to get your browser fingerprinted and see how unique your browser fingerprint may be.

Tracking Methods

Browser History• Websites can – look at your browsing history

• through : JavaScript , CSS technique

– to see: portions of your browsing history. – To do this the Web site has a list of all of the sites it is

interested in• if you are keeping a browsing history• they can learn whether that you have visited those target sites in

the past.

– used by advertising groups – to put you into a demographic bucket

• did you visit sites about guns, cars and girls or Disney, toys, and motherhood.

Web bugs and cookies• Can be merged and even synchronized with a

person’s e-mail address. • Issues may • Positive • Negative • Illegal • Unethical

Cookie Contents• rumors – cookies could • scan information off your hard drive • collect details about you

– passwords, credit card numbers, a list of SW on your computer.

–Rejected: • a cookie is not an executable program • can do nothing directly to your computer. • small, unique text files created by a Web site and sent to a

computer’s hard drive.

Cookie Contents

• Contain: – a name, a value, an expiration date, and the

originating site. – The header • contains this information • removed from the document before the browser displays it.

• Cant be viewed : even if you execute the view or document source commands in your browser.

• is part of the cookie when it is created: When it is put on your hard drive, the header is left off.

• The only information left of the cookie is relevant to the server and no one else.

Cookie Contents• Header: example

Set-Cookie: NAME=VALUE;

expires=DATE;

path=PATH;

domain=DOMAIN_NAME;

secure

Cookie Contents• The NAME=VALUE:

– is required. NAME is the name of the cookie. VALUE has no relevance to the user; it is anything the origin server chooses to send.

• DATE – determines how long the cookie will be on your hard drive. – No expiration date indicates that the cookie will expire when you quit the Web

browser.

• DOMAIN_NAME – contains the address of the server that sent the cookie and that will receive a copy of

this cookie when the browser requests a file from that server. It specifies the domain for which the cookie is valid.

• PATH – used to further define when a cookie is sent back to a server.

• Secure – specifies that the cookie only be sent if a secure channel is being used.

Where it is store• Netscape Navigator users– C:/Program Files/ Netscape/Users/default or user

name/cookie.txt)• Explorer users – C:\Documents and Settings\<user-name\Cookies

Delete, disallowed & block

• Web browsers have options that alert users before accepting cookies.

• there is software that allows users to block cookies, – Get one and report

Reading ASS

??Cookie Poisoning

Cookies creation• Cookies are stored as a text string– a cookie can be manipulated like any other string literal

• scripting to – set the cookie – allow the trouble-free flow of information back and forth

between the server and client.

• languages– Perl CGI script ( common). – JavaScript, Livewire, ASP, or VBScript

Cookies creation• Here is an example of a JavaScript cookie:

<SCRIPT language=JavaScript>function setCookie (name, value, expires, path, domain, secure) {document.cookie = name + “=“ + escape(value) +((expires) ? “; expires=“ + expires : ““) +((path) ? “; path=“ + path : ““) +((domain) ? “; domain=“ + domain : ““) +((secure) ? “; secure” : ““);}</SCRIPT>.

Cookie Creation

• cookie is written in a different languages– the content includes the same name-value pairs. – Each is used to set and retrieve only their unique

cookie and they are very similar in content. – The choice of which one to use is up to the

creators’ personal preference and knowledge

View the cookie

– to see from the file is very limited and not easily readable.

– is only readable in its entirety by the server that set the cookie. • what you see looks mostly like indecipherable numbers or

computer noise.

– cookie viewer program - Winmag.com • free program • locate and display all of the cookies on “Windows “

computer.

Reading Ass

Do you think there are positive things about

Cookies?

Negative Issues Regarding Cookies• security and privacy issues– Are cookies a security risk? Are cookies ethical? • is based on –how the information about users is collected,

–what information is collected,

–how this information is used.

• information such as – service provider, OS , browser type, monitor specifications,

CPU type, IP address, and what server last logged on.– shared Computer

• at an Internet café• people can snoop into the last user’s cookie file

Negative Issues Regarding Cookies

• things that cookies cannot do:– Steal or damage information from a user’s hard drive– Plant viruses that would destroy the hard drive– Track movements from one site to another site– Take credit card numbers without permission– Travel with the user to another computer– Track down names, addresses, and other information unless

consumers have provided such information voluntarily

Negative Issues Regarding Cookies• personalization – On January 27, 2000

• a California woman filed suit against DoubleClick• accusing the Web advertising firm of unlawfully obtaining and selling

consumers’ private information.

– The lawsuit alleges that • DoubleClick employs sophisticated computer tracking technology,

known as cookies, to identify Internet users and collect personal information without their consent as they travel around the Web.

– In June 2000• DoubleClick purchased Abacus Direct Corporation• a direct marketing service that maintains a database of names,

addresses, and the retail purchasing habits of 90 percent of American households.

• DoubleClick’s –new privacy policy states that • the company plans to use the information collected

by cookies to build a database profiling consumers.–defends the practice of profiling, insisting that • it allows better targeting of online ads which in turn

makes the customer’s online experiences more relevant and advertising more profitable. • The company calls it “personalization.”


• GOOD policy: – “Companies must tell consumers they’re collecting

personal information, let them know what will be done with it and give them an opportunity to opt out, or block collection of their data.”


What Is a Web Bug?• A Web bug is– a graphic (1X1)• on a Web page or in an e-mail message

– To monitor• who is reading the Web page or an e-mail msg.

What Is a Web Bug?• Like cookie – electronic tags –help Web sites and advertisers track

visitors’ whereabouts in cyberspace.

• call-back to the server

What Is a Web Bug?• check for bugs–Search the page source code• for an IMG tag • attributes WIDTH=1 HEIGHT=1 BORDER=0• it is quite likely a Web bug.

http:www.investorplace.com.

<IMG SRC=“http:ad.doubleclick.net/activity;src=328142; type=mmti; cat=invstr;ord=<Time>?”WIDTH=1 HEIGHT=1 BORDER=0>

Privacy and Other Web Bug Issues• Directed Advertising - Advertising networks– DoubleClick or Match Point – Use Web bugs = “Internet tags” • to develop an “independent accounting” of the number of

people in various regions of the world, as well as various regions of the Internet, who have accessed a particular Web site.

Privacy and Other Web Bug Issues• Account for – the statistical page views within the Web sites. – helpful in planning and managing the effectiveness of

the content because it provides a survey of target market information (i.e., the number of visits by users to the site).

– use Web bugs to build a personal profile of sites a person has visited. • This information can be warehoused on a database server

and mined to determine what types of ads are to be shown to that user.

Privacy and Other Web Bug Issues

Web bugs used in e-mail messages

more invasive

Privacy and Other Web Bug Issues• In Web-based e-mail Web bugs can be used to

• Determine– if and when an e-mail message has been read.

• provide –the IP address of the recipient

• whether or not –the recipient wishes that information disclosed.


• Within an organization a Web bug can – give an idea: of how often a message is being forwarded

and read. • helpful in direct marketing to return statistics on the

effectiveness of an ad campaign.

–be used to detect • if someone has viewed a junk e-mail message or not. • People who do not view a message can be removed

from the list for future mailings

Privacy and Other Web Bug Issues• With the help of a cookie the Web bug can – Identify• a machine, the Web page it opened, the time the

visit began, and other details. –sent to : a company that provides advertising services.

–used to: determine if someone subsequently visits another company page in the same ad network to buy something or to read other material.


• for consumer –Web bugs and other tracking tools –represent a growing threat to the

privacy and autonomy of online computer users.

Privacy and Other Web Bug Issues• Web bugs and Microsoft Word documents – It is also possible to add Web bugs to Microsoft Word

documents. – A Web bug could allow an author to • to track where a document is being read. • watch how a document is passed from one person to

another or from one organization to another.


• Some possible uses of Web bugs in Word documents include:– Detecting and tracking leaks of confidential

documents from a company– Tracking possible copyright infringement of

newsletters and reports– Monitoring the distribution of a press release– Tracking the quoting of text when it is copied from

one Word document to a new document


• Web bugs are made possible by the ability in Microsoft Word for a document to – link to an image file that is located on a remote Web

server.


• URL of the Web bug is stored in a document and not the actual image– Microsoft Word must fetch the image from a Web server each and

every time the document is opened. – This image-linking feature then puts a remote server in the position

to monitor when and where a document file is being opened. – The server knows the IP address and host name of the computer

that is opening the document. – host name

• will typically include the company name of a business. • has the name of a user’s ISP


• Web bugs can be used in • Word documents• Excel 2000 • PowerPoint 2000

ASS

how to removing the feature of including the bug’s linking to

in Microsoft Documents?

Synchronization of Web Bugs and Cookies

synchronized to a particular e-mail

address

• This trick allows a Web site to know – the identity of people • plus other personal information about them

–who come to the site at a later date


• if two separate sites place a separate unique cookie on your computer– they cannot read the data stored in each

other’s cookies. – if the cookie placed on your computer • contains information that is sent by that site to an

advertising agency’s server and that agency is used by both Web sites.


• If each of these sites • Places a Web bug on its page: to report

information back to the advertising agency’s computer

• every time you visit either site– details about you

» will be sent back to the advertising agency » utilizing information stored on your computer» relative to both sets of cookie files.

– This allows your computer » to be identified as a computer that visited each of the sites.


• When Bob (the Web surfer) loads – a page or opens an e-mail that contains a Web bug, • information is sent to the server housing the

“transparent GIF.” • Common information being sent includes – the IP address of Bob’s computer, his type of browser,

the URL of the Web page being viewed, the URL of the image, and the time the file was accessed.

• Also potentially being sent to the server– the thing that could be most threatening to Bob’s

privacy, is a previously set cookie value, found on his computer.

example

•Depending on the nature of the preexisting cookie– it could contain a whole host of

information from usernames and passwords to e-mail addresses and credit card information.

example

• Bob may receive – a cookie • upon visiting Web Site #1 that contains a transparent GIF

– is hosted on a specific advertising agency’s server.

– another cookie • when he goes to Web Site #2 that contains a transparent GIF

– is hosted on the same advertising agency’s server.

• Then the two Web sites– would be able to cross-reference Bob’s activity – through the cookies that are reporting to the

advertiser.

example

• As this activity continues–the advertiser is able to • stockpile what is considered to be non-

personal information on Bob’s preferences and habits• there is the potential for the

aggregation of Bob’s personal information

example

• Technically possible– different servers • could synchronize their cookies and Web bugs

– enabling this information to be shared across the World Wide Web.

– If this were to happen• just the fact that a person visited a certain Web site

could be spread throughout many Internet servers, and the invasion of one’s privacy could be endless.


Reading and reporting

• Page 3016: 224.3 Tracking Web Sites Visited

LAB

• Create two sites with cookie and bugs technologies to cross a reference to the visitors of both through a third party server.– Creating a profile for each visitor