Ch 158: Cookies and Web Bugs What They Are and How They Work Together

Ch 158: Cookies and Web Bugs What They Are and How They Work Together http://www.abine.com/tracking.php

Online Tracking: Trackers: ISPs, Websites, advertising networks. To provide targeted advertising; to classify you into a demographic group; to resell information about you to other companies.

Tracking Techniques Cookies, IP Addresses, Web Bugs, browsing history, others.

Cookie: A small, unique text file. Created by: a Web site. Sent to: the computer's hard drive. Records: client mouse-clicking choices each time you get on the Internet.

Cookie: Every time you visit that site, they know it's you. The browser contacts a server and requests the specific Web site, then searches your hard drive to see if it already has a cookie file from the site.

Cookie: If NO, an ID is assigned to you and this initial cookie file is saved on your hard drive. If YES, the unique identifier code, previously recorded in your cookie file, is identified and your browser will transfer the cookie file contents back to that site. Now the server has a history file of what you actually selected when you previously visited that site. You can readily see this because your previous selections are highlighted on your screen.

Cookie: If somebody has access to your computer, they can often use cookies to see what sites you have visited in the past.

Types of Cookie: HTTP Cookies (persistent); "Session" Cookies; Third Party Cookies; Flash cookies. http://en.wikipedia.org/wiki/HTTP_cookie A visitor cookie; a preference cookie; a shopping basket cookie; a tracking cookie.

HTTP Cookie: Comes from the Web site that you are visiting. Usually intended to stay around permanently and each time you are online. Recommendation: delete at the end of each browser session.

Session Cookies: Expire when you close your browser. Some sites, such as Gmail, require the use of cookies during a session in order to function properly, but they don't need to have cookies stored permanently on your computer. Recommendation: allow session cookies to avoid breaking functionality on certain Web sites.

Third Party Cookies: Web pages often have pieces of content from more than one source, such as ads posted along the sidebar of a Web page you are viewing. Domains other than the main page you are viewing (third parties) set the cookies. They are used by advertisers to track users across multiple Web sites. Recommendation: block third-party cookies.

Flash cookies: Unlike the other cookies, which are controlled through the cookie and privacy controls in your Web browser, these are activated through a feature in Adobe's Flash plug-in called "Local Shared Objects" (LSOs). This means that even if a user has cleared his or her cookie settings (by directing the browser to "block" or "delete" cookies), sites can still use a feature of Flash to track the user's online behavior. Among other things, Flash cookies are used to ensure smooth playback on sites that stream music and video. Recommendation: delete all Flash LSOs at the end of each browser session. Note that this is not done the way other cookies are deleted; instead, a user must visit Adobe's site for the deletion controls or use other software.

A visitor cookie: The most common type. It keeps track of how many times you return to a site and alerts the Webmaster of which pages are receiving multiple visits.

A preference cookie: Stores a user's chosen values on how to load the page. It is the basis of customized home pages and site personalization. It can remember which color schemes you prefer on the page or how many results you like from a search.

A shopping basket cookie is a popular one with online ordering. It assigns an ID value to you through a cookie. As you select items, it includes that item in the ID file on the server.

A tracking cookie: The most notorious and controversial. It resembles the shopping basket cookie, but instead of adding items to your ID file, it adds sites you have visited. Your buying habits are collected for targeted marketing. Companies can save e-mail addresses supplied by the user and spam you on products based on information they gathered about you.

Cookie Usage: After you type a URL in your browser, it contacts that server and requests that Web site. The browser looks on your machine to see if you already have a cookie file from the site. If a cookie file is found, your browser sends all the information in the cookie to that site with the URL. When the server receives the information, it can now use the cookie to discover your shopping or browsing behavior. If no cookie is received, an ID is assigned to you and sent to your machine in the form of a cookie file to be used the next time you visit.

Cookie Usage: Cookies left on your computer generally store a unique serial number used to identify you, to keep track of all your visits to a certain Web site and any "network" of sister sites.

Cookie Usage: Network = several advertising company sites. If third-party cookies are stored, then each time you visit a Web site in the cookie's "network", advertisers can track you as you travel among these different sites. Advertisers can create a profile of you based on your browsing behavior as well as store your browsing history as long as they like.

IP Address: Websites receive your computer's current IP address, can figure out where you are geographically, and keep track of all connections from the same IP address. If your IP address doesn't change, then they have a good idea it's you, every time you visit. If you use a cable modem you may have a dynamically assigned IP address, but these tend not to change very often. Most other forms of Internet access use static IP addresses. To prevent: proxy. The proxy does see all of your traffic.

Web Bug: Can track you as you move among Web sites within their network. Web bug = beacon: a graphic on a Web page or in an HTML-based e-mail message, used to track who is viewing the page (or e-mail). Can provide: the IP address and time, whether the recipient wishes that information disclosed or not; how often a message is being forwarded and read.

Web Bug

Web Bugs Usage: Web bugs notify their server each time their page is accessed. The site knows that the page with the bug on it has been accessed, and by what IP address. Advertisers can correlate your visits to their sites by looking at the timestamps of the requests from the Web bugs you triggered, and use your IP addresses and browsing sessions on their sites to build up their profile.

Web Bugs Usage: In HTML-based e-mails, they can tell if you've opened their e-mail and where you were when you opened it.

Tracking Methods: JavaScript trackers. Pieces of JavaScript usually come from other sites. When the Web page loads in your browser, it makes a request to include a piece of code from the tracking server.

Tracking Methods: One-pixel images and other SRC tags. Image tags in HTML pages are actually directions that tell your browser where to find the image it is supposed to display to you. This means that when your browser displays a Web page to you, it makes a request to the tracking server for the image. If the image is a transparent 1-pixel image, it is not really meant to be viewed; it's really just a tracking method.

Tracking Methods: Browser Fingerprinting. It is also possible to identify a specific browser by looking at details about the browser software and components directly. Currently we are not aware whether this is being done by Web sites in the field, but it does represent the next frontier in online privacy. Visit to get your browser fingerprinted and see how unique your browser fingerprint may be.

Browser History: Websites can look at your browsing history through a JavaScript or CSS technique to see portions of your browsing history. To do this, the Web site has a list of all of the sites it is interested in; if you are keeping a browsing history, they can learn whether you have visited those target sites in the past. Used by advertising groups to put you into a demographic bucket: did you visit sites about guns, cars and girls, or Disney, toys, and motherhood?

Web bugs and cookies: Can be merged and even synchronized with a person's e-mail address. Issues may be: positive, negative, illegal, unethical.

Cookie Contents: Rumors: cookies could scan information off your hard drive and collect details about you: passwords, credit card numbers, a list of software on your computer. Rejected: a cookie is not an executable program and can do nothing directly to your computer. Cookies are small, unique text files created by a Web site and sent to a computer's hard drive.

Cookie Contents: Contain a name, a value, an expiration date, and the originating site. The header contains this information and is removed from the document before the browser displays it. It can't be viewed, even if you execute the view or document source commands in your browser. The header is part of the cookie when it is created; when it is put on your hard drive, the header is left off. The only information left of the cookie is relevant to the server and no one else.

Cookie Contents Header: example Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

Cookie Contents: NAME=VALUE is required. NAME is the name of the cookie. VALUE has no relevance to the user; it is anything the origin server chooses to send. DATE determines how long the cookie will be on your hard drive. No expiration date indicates that the cookie will expire when you quit the Web browser. DOMAIN_NAME contains the address of the server that sent the cookie and that will receive a copy of this cookie when the browser requests a file from that server. It specifies the domain for which the cookie is valid. PATH is used to further define when a cookie is sent back to a server. Secure specifies that the cookie only be sent if a secure channel is being used.
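The field rules above can be exercised in code. The following JavaScript is an added example, not part of the original slides: it parses a Set-Cookie header using only the fields the slide names and decides when a browser would send the cookie back. The function names and the example.test hosts are constructed, and the matching rules are simplified compared with a real browser.

```javascript
// Added example (not from the slides). Parses NAME=VALUE, expires, path,
// domain and secure, then applies simplified send-back rules.

// True when `host` is `domain` itself or a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function parseSetCookie(header, originHost) {
  const body = header.replace(/^Set-Cookie:\s*/i, "");
  const parts = body.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  if (eq < 1) return null; // NAME=VALUE is the one required part
  const origin = originHost.toLowerCase();
  const cookie = {
    name: first.slice(0, eq),
    value: first.slice(eq + 1),
    expires: null,   // null means a session cookie
    path: "/",
    domain: origin,
    hostOnly: true,  // no domain attribute: only the setting host gets it back
    secure: false,
  };
  for (const part of parts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : part.slice(i + 1).trim();
    if (key === "expires") {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.expires = new Date(t);
    } else if (key === "path" && val.startsWith("/")) {
      cookie.path = val;
    } else if (key === "domain" && val) {
      cookie.domain = val.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "secure") {
      cookie.secure = true;
    }
  }
  // A server may only set cookies for a domain that covers its own host.
  if (!domainMatches(origin, cookie.domain)) return null;
  return cookie;
}

// "session" (no expiration date), "persistent", or "expired".
function cookieKind(cookie, now) {
  if (cookie.expires === null) return "session";
  return cookie.expires > now ? "persistent" : "expired";
}

// Would the browser attach this cookie to a request for `url` at time `now`?
function shouldSend(cookie, url, now) {
  const u = new URL(url);
  if (cookieKind(cookie, now) === "expired") return false;
  if (cookie.secure && u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  const hostOk = cookie.hostOnly
    ? host === cookie.domain
    : domainMatches(host, cookie.domain);
  if (!hostOk) return false;
  const prefix = cookie.path.endsWith("/") ? cookie.path : cookie.path + "/";
  return u.pathname === cookie.path || u.pathname.startsWith(prefix);
}

// Constructed sample header and request time.
const SAMPLE_HEADER =
  "Set-Cookie: ID=abc123; expires=Wed, 01 Jan 2031 00:00:00 GMT; " +
  "path=/shop; domain=example.test; secure";
const SAMPLE_NOW = new Date("2025-01-01T00:00:00Z");
const sampleCookie = parseSetCookie(SAMPLE_HEADER, "www.example.test");
console.log(cookieKind(sampleCookie, SAMPLE_NOW),
  shouldSend(sampleCookie, "https://www.example.test/shop/cart", SAMPLE_NOW));
```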

Where it is stored: Netscape Navigator users: C:/Program Files/Netscape/Users/default or user name/cookie.txt. Explorer users: C:\Documents and Settings\<user-name>\Cookies

Delete, disallow and block: Web browsers have options that alert users before accepting cookies. There is software that allows users to block cookies. Get one and report.

Reading Assignment: Cookie Poisoning

Cookies creation: Cookies are stored as a text string, and a cookie can be manipulated like any other string literal. Scripting to set the cookie allows the trouble-free flow of information back and forth between the server and client. Languages: Perl CGI script (common), JavaScript, Livewire, ASP, or VBScript.

Cookies creation: Here is an example of a JavaScript cookie:

<SCRIPT language="JavaScript">
// Build the cookie string from its parts and hand it to the browser.
// Optional parts are appended only when a value is supplied.
function setCookie(name, value, expires, path, domain, secure) {
  document.cookie = name + "=" + encodeURIComponent(value) +
    (expires ? "; expires=" + expires : "") +
    (path ? "; path=" + path : "") +
    (domain ? "; domain=" + domain : "") +
    (secure ? "; secure" : "");
}
</SCRIPT>

Cookie Creation: Whichever language a cookie is written in, the content includes the same name-value pairs. Each is used to set and retrieve only their unique cookie, and they are very similar in content. The choice of which one to use is up to the creators' personal preference and knowledge.

View the cookie: What you can see from the file is very limited and not easily readable. A cookie is only readable in its entirety by the server that set the cookie. What you see looks mostly like indecipherable numbers or computer noise. Cookie viewer program: Winmag.com free program to locate and display all of the cookies on a "Windows" computer.

Reading Assignment: Do you think there are positive things about Cookies?

Negative Issues Regarding Cookies: Security and privacy issues. Are cookies a security risk? Are cookies ethical? The answer is based on how the information about users is collected, what information is collected, and how this information is used. Information such as service provider, OS, browser type, monitor specifications, CPU type, IP address, and what server last logged on. Shared computer at an Internet café: people can snoop into the last user's cookie file.

Negative Issues Regarding Cookies: Things that cookies cannot do: steal or damage information from a user's hard drive; plant viruses that would destroy the hard drive; track movements from one site to another site; take credit card numbers without permission; travel with the user to another computer; track down names, addresses, and other information unless consumers have provided such information voluntarily.

Negative Issues Regarding Cookies: Personalization. On January 27, 2000, a California woman filed suit against DoubleClick, accusing the Web advertising firm of unlawfully obtaining and selling consumers' private information. The lawsuit alleges that DoubleClick employs sophisticated computer tracking technology, known as cookies, to identify Internet users and collect personal information without their consent as they travel around the Web. In June 2000 DoubleClick purchased Abacus Direct Corporation, a direct marketing service that maintains a database of names, addresses, and the retail purchasing habits of 90 percent of American households.

Negative Issues Regarding Cookies: DoubleClick's new privacy policy states that the company plans to use the information collected by cookies to build a database profiling consumers. The company defends the practice of profiling, insisting that it allows better targeting of online ads, which in turn makes the customer's online experiences more relevant and advertising more profitable. The company calls it "personalization."

Negative Issues Regarding Cookies GOOD policy: “Companies must tell consumers they’re collecting personal information, let them know what will be done with it and give them an opportunity to opt out, or block collection of their data.”

What Is a Web Bug? A Web bug is a graphic (1x1) on a Web page or in an e-mail message, used to monitor who is reading the Web page or e-mail message.

What Is a Web Bug? Like cookies, these electronic tags help Web sites and advertisers track visitors' whereabouts in cyberspace. Call-back to the server.

What Is a Web Bug? Check for bugs: search the page source code for an IMG tag. If it has the attributes WIDTH=1 HEIGHT=1 BORDER=0, it is quite likely a Web bug. Example from http://www.investorplace.com: <IMG SRC="http://ad.doubleclick.net/activity;src=328142;type=mmti;cat=invstr;ord=<Time>?" WIDTH=1 HEIGHT=1 BORDER=0>
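The manual check above can be automated. The following JavaScript is an added example, not part of the original slides: it scans page source for IMG tags whose WIDTH and HEIGHT are 1 or less and reports whether the image is fetched from a host other than the page's own. The sample page and the tracker.test and example.test hosts are constructed, and images sized or hidden through CSS are not covered.

```javascript
// Added example (not from the slides): heuristic Web bug finder based on the
// WIDTH=1 HEIGHT=1 check described above.

// One IMG tag; quoted attribute values may themselves contain ">".
const IMG_TAG = /<img\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
// name=value with a double-quoted, single-quoted or unquoted value.
const ATTR = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

function parseAttrs(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// True for width/height values of 0 or 1.
function isTiny(value) {
  if (value === undefined) return false;
  const n = parseInt(value, 10);
  return !Number.isNaN(n) && n <= 1;
}

// Returns one finding per 1x1 image: its SRC, the host that receives the
// request, and whether that host differs from the page's host.
function findWebBugs(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const m of html.matchAll(IMG_TAG)) {
    const a = parseAttrs(m[1]);
    if (!a.src || !isTiny(a.width) || !isTiny(a.height)) continue;
    let host;
    try {
      host = new URL(a.src, pageUrl).hostname; // resolves relative SRC values
    } catch {
      continue; // unparseable SRC
    }
    findings.push({ src: a.src, host, thirdParty: host !== pageHost });
  }
  return findings;
}

// Constructed sample page: a logo, a third-party 1x1 image, a first-party
// 1x1 spacer, and an ordinary photo.
const SAMPLE_PAGE = `
<html><body>
<img src="/img/logo.png" width="200" height="60" alt="logo">
<IMG SRC="http://ads.tracker.test/activity;src=1;ord=<Time>?" WIDTH=1 HEIGHT=1 BORDER=0>
<img src="/img/spacer.gif" width=1 height=1>
<img src='https://cdn.example.test/photo.jpg' width="640" height="480">
</body></html>`;

for (const f of findWebBugs(SAMPLE_PAGE, "http://www.example.test/news.html")) {
  console.log(f.thirdParty ? "third-party 1x1:" : "first-party 1x1:", f.src);
}
```

A first-party 1x1 image is often just a layout spacer; the third-party ones are the findings worth reviewing.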

Privacy and Other Web Bug Issues: Directed advertising. Advertising networks such as DoubleClick or Match Point use Web bugs ("Internet tags") to develop an "independent accounting" of the number of people in various regions of the world, as well as various regions of the Internet, who have accessed a particular Web site.

Privacy and Other Web Bug Issues: Web bugs account for the statistical page views within the Web sites. This is helpful in planning and managing the effectiveness of the content because it provides a survey of target market information (i.e., the number of visits by users to the site). Web bugs are also used to build a personal profile of sites a person has visited. This information can be warehoused on a database server and mined to determine what types of ads are to be shown to that user.

Privacy and Other Web Bug Issues: Web bugs used in e-mail messages are more invasive.

Privacy and Other Web Bug Issues: In Web-based e-mail, Web bugs can be used to determine if and when an e-mail message has been read, and to provide the IP address of the recipient whether or not the recipient wishes that information disclosed.

Privacy and Other Web Bug Issues: Within an organization, a Web bug can give an idea of how often a message is being forwarded and read. It is helpful in direct marketing to return statistics on the effectiveness of an ad campaign. It can be used to detect if someone has viewed a junk e-mail message or not. People who do not view a message can be removed from the list for future mailings.

Privacy and Other Web Bug Issues: With the help of a cookie, the Web bug can identify a machine, the Web page it opened, the time the visit began, and other details. Sent to: a company that provides advertising services. Used to: determine if someone subsequently visits another company page in the same ad network to buy something or to read other material.

Privacy and Other Web Bug Issues: For consumers, Web bugs and other tracking tools represent a growing threat to the privacy and autonomy of online computer users.

Privacy and Other Web Bug Issues: Web bugs and Microsoft Word documents. It is also possible to add Web bugs to Microsoft Word documents. A Web bug could allow an author to track where a document is being read, and to watch how a document is passed from one person to another or from one organization to another.

Privacy and Other Web Bug Issues: Some possible uses of Web bugs in Word documents include: detecting and tracking leaks of confidential documents from a company; tracking possible copyright infringement of newsletters and reports; monitoring the distribution of a press release; tracking the quoting of text when it is copied from one Word document to a new document.

Privacy and Other Web Bug Issues Web bugs are made possible by the ability in Microsoft Word for a document to link to an image file that is located on a remote Web server.

Privacy and Other Web Bug Issues: Because the URL of the Web bug is stored in a document and not the actual image, Microsoft Word must fetch the image from a Web server each and every time the document is opened. This image-linking feature then puts a remote server in the position to monitor when and where a document file is being opened. The server knows the IP address and host name of the computer that is opening the document. The host name will typically include the company name of a business, or has the name of a user's ISP.

Privacy and Other Web Bug Issues: Web bugs can be used in Word documents, Excel 2000, and PowerPoint 2000.

Assignment: How can the feature that allows a bug to be linked into Microsoft documents be removed?

Synchronization of Web Bugs and Cookies: They can be synchronized to a particular e-mail address.

Synchronization of Web Bugs and Cookies: This trick allows a Web site to know the identity of people who come to the site at a later date, plus other personal information about them.

Synchronization of Web Bugs and Cookies: If two separate sites place a separate unique cookie on your computer, they cannot read the data stored in each other's cookies. The exception is when the cookie placed on your computer contains information that is sent by that site to an advertising agency's server, and that agency is used by both Web sites.

Synchronization of Web Bugs and Cookies: If each of these sites places a Web bug on its page to report information back to the advertising agency's computer, then every time you visit either site, details about you will be sent back to the advertising agency, utilizing information stored on your computer relative to both sets of cookie files. This allows your computer to be identified as a computer that visited each of the sites.

Example: When Bob (the Web surfer) loads a page or opens an e-mail that contains a Web bug, information is sent to the server housing the "transparent GIF." Common information being sent includes the IP address of Bob's computer, his type of browser, the URL of the Web page being viewed, the URL of the image, and the time the file was accessed. Also potentially being sent to the server, and the thing that could be most threatening to Bob's privacy, is a previously set cookie value found on his computer.

Example: Depending on the nature of the preexisting cookie, it could contain a whole host of information, from usernames and passwords to e-mail addresses and credit card information.

Example: Bob may receive a cookie upon visiting Web Site #1, which contains a transparent GIF hosted on a specific advertising agency's server, and another cookie when he goes to Web Site #2, which contains a transparent GIF hosted on the same advertising agency's server. Then the two Web sites would be able to cross-reference Bob's activity through the cookies that are reporting to the advertiser.

Example: As this activity continues, the advertiser is able to stockpile what is considered to be non-personal information on Bob's preferences and habits; there is the potential for the aggregation of Bob's personal information.

Synchronization of Web Bugs and Cookies: It is technically possible that different servers could synchronize their cookies and Web bugs, enabling this information to be shared across the World Wide Web. If this were to happen, just the fact that a person visited a certain Web site could be spread throughout many Internet servers, and the invasion of one's privacy could be endless.

Reading and reporting Page 3016: 224.3 Tracking Web Sites Visited

LAB: Create two sites with cookie and Web bug technologies to cross-reference the visitors of both through a third-party server, creating a profile for each visitor.