You’re probably familiar with the ongoing debate about your Web browser using cookies. At their best, they enable customized Web pages. At their worst, they can be used to track a limited amount of your online activities. However, at least you can easily control how your browser reacts when a Web site tries to offer it a cookie.

It will come as a surprise to many to learn that there is a similar, yet even more dangerous, mechanism on the Internet for tracking your online activities. Web bugs, as these little demons have been labeled, are far less known to the system administrators and the general public, but they pose a very real threat to the privacy of Internet activity and the security of the data on information systems.

What is a Web bug?
Web Bugs are images, frames, and other objects embedded on a Web site that cause part of the Web page to be retrieved from a completely different Web site. Since the piece retrieved may be as small as a single pixel, you won’t normally realize this is happening, but the bug lets the second Web site know that you visited the original Web site. Banner ads are often tagged with Web bugs just to count the number page views they receive. But there can also be invisible GIF files that work with cookies to track your ongoing surfing habits, not just report that you visited a page where a particular ad was displayed.

What makes Web bugs far worse than cookies isn’t just the fact that you don’t know they are there and your browser can’t be set to block them the way it can block or restrict cookies. Web bugs can also carry an executable that can search for files on your hard drive and forward the contents to someone else on the Web. This capability even extends to Webcam and voice traffic. In a nutshell, it’s possible to visit a Web page containing a hidden Web bug that will begin tracking your online activity or even search your files and send them to unknown individuals on the Web. Since the bugs can exist in banner ads, their presence and their activities may be completely unknown to the owner of the Web page.

As mentioned above, the most benign Web bugs simply exist to track the page views on a Web site. If this activity doesn’t attempt to identify the visitor in some unique way, no one should object to it, since it helps Web designers improve site performance. However, since visitors aren’t notified that there is any bug at all, the average person has no way to learn if a bug exists, much less to determine it’s innocuous, malicious, or invading their privacy.

Various species of Web bugs
One type of invasive Web bug is an empty (1 pixel-by-1 pixel) GIF. It’s invisible to you but it can work in conjunction with cookies to monitor your surfing. Consider that if a site carries banner advertising, a surf monitor bug can be contained in any or all advertisements without the Web site owner even being aware of it. Merely visiting some sites could mean that you will be trailed around the Web the rest of the day by multiple advertisers or others.

A malicious Web bug called an executable bug can actually install a program on your system to track your online activities or search your files for interesting documents, perhaps ones containing the word account as in bank account, credit card account, etc. Some versions of these bugs can track voice mail, Webcam views, and other traffic, then transmit these documents or recordings to another machine across the Internet.

Script-based bugs (these and several similar critters were identified by Pittsburgh-based Intelytics Inc.) are found on Perl, Java, ActiveX, or JavaScript coded pages. Such script-based applications can be configured to run on your system and do everything a cookie can do—and they will work even if you have tuned your browser’s security to reject cookies.

Another type of Web bug is an executable file that can run remotely on a Web site and try to keep you viewing the site by automatically launching multiple browser windows when you attempt to exit the site. And they can do much worse than merely annoy you; they can also use some of the nefarious tactics mentioned above.

Still other varieties of Web bugs can infiltrate your system through programs that include a handy automatic update feature that goes out on the Web to see if there are any changes to the software (such as a virus scanner) and then downloads the changes. The really scary thing about this is that accounting programs often include this feature.

Of course, there’s also the good old HTML e-mail that can easily host Web bugs. Someone can send you spam in HTML format, and you can get hit by the Web bug simply by opening the spam message to delete it.

What can you do?
If you run Internet Explorer, you can install Bugnosis, a Web bug tracker published by The Privacy Foundation. It’s currently available only for IE 5, but other versions are reportedly in the works. The Bugnosis program, as described on New Scientist’s Web page, spots each Web bug and places an icon onscreen when you surf the page.

If you don’t run IE, there isn’t much you can do about Web bugs at the moment except keep informed and keep an eye out for new Web bug blocker programs. You can find out more about these programs by reading CNET’s “New tools hatch for sniffing out Web bugs.”

What’s being done about Web bugs?
Several companies are working to keep you informed. A good place to start is Intelytics Inc.’s Web site, which has scanned 50 million-plus Web pages for hidden bugs and found third-party Web bugs on an astounding (and frightening) 16 million pages. Of course, the company has an ulterior motive; it wants to sell you various security packages that will protect individuals and/or companies against information theft. However, that doesn’t mean it isn’t right about Web bugs being dangerous, and it offer some interesting observations on what it found.

Security Space Inc. also tracks Web bugs on the Internet and has published two reports on what it has found. The Web Site Bug Count Report lists the top 100 Web Bug count sites. The Web Bug Traffic Count Report offers a rough estimate of just how much traffic the particular bugged site gets. Both reports list the kinds of bugs located.

Congress has also expressed interest in the danger of Web bugs, especially after a recent meeting with The Privacy Foundation and Intelytics, who explained just how easy it is to use Web bugs to capture a visitor’s e-mail address book and other data.

Did you know about Web bugs?

Are you going to install Bugnosis on the machines on your network? We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.