[LINK] Web bug swarm grows 500 percent

Craig Sanders cas@taz.net.au
Wed, 15 Aug 2001 18:43:10 +1000


On Wed, Aug 15, 2001 at 04:20:01PM +1000, Jack Gilding wrote:
> Is it possible that just accessing a graphic on a different server as
> part of a page would pass on cookie information to a different server
> than the one serving the HTML for the page?

not directly. but that's no real obstacle to web spies. it's easy enough
to encode the information that needs to be passed from site to site in
the URL of the web bug. (i.e. analogous to passing a pointer which can
be dereferenced at need)

for example:

say you subscribe to a web site because it's useful, and you've given them
your name and address and other personal details.  say your userid on this
site is fbloggs.

now whenever you login to that site their system can generate web pages
for you which contain a web bug that looks like:

<IMG SRC = "http://www.web-bugs.com/fbloggs.gif" HEIGHT=1 WIDTH=1>

now that's pretty obvious and easy to spot for anyone who looks at the
HTML, so they won't make it that easy to spot. what they'll probably do is
encode the userid so it's not immediately obvious that it's passing your
userid to the web bug site...so maybe it'll look like:

<IMG SRC = "http://www.web-bugs.com/X738x8HHJXL1723H" HEIGHT=1 WIDTH=1>

web-bugs.com sets a cookie when you fetch that web bug.

now say you subscribe to another site. and your member id on that site
is fredb. when you login, they can do the same thing as the first site
and generate web bugs with your userid encoded. e.g. maybe it would look
like:

<IMG SRC = "http://www.web-bugs.com/dhd7632891kzyq1" HEIGHT=1 WIDTH=1>

when your browser fetches that web-bug, your existing cookie is what
lets web-bugs.com know that user fbloggs at site1 is the same person as
fredb at site2.

but wait, it gets worse!

part of the contract between site1 and web-bugs.com and between site2
and web-bugs.com is that they give all collected personal data to
web-bugs.com. this may be done via some shady "outsourcing" deal so that
they can still pretend they're not giving personal private data to a
third party.

now web-bugs.com not only has your username on various sites, they also
have whatever personal information you gave to any of those sites (e.g.
phone number, address, email address, marital status, number of kids,
sexual orientation, hobbies, interests, income, expenses, whatever).
they also know how often and when you visit particular sites.

another part of the deal is that not only do web-bugs.com collect
information from all participating sites, they also share it
with them. what this means is that, e.g., even though you only
told some-bondage-magazine.com about your sexual preferences,
your-professional-association.com or your-employer.com ends up with the
information.

remember, this isn't just for two example sites. it could be any number
of sites, each collecting some of the same information and some unique
information about you. all of that is collated and consolidated into one
central database at web-bugs.com.  

now imagine an internet where almost every site makes a deal with
doublecl^H^H^H^H^H oops, i mean web-bugs.com and think about what level
of privacy or anonymity you have.

then realise that this isn't science fiction, this is not describing a
possible *future*. this is describing the past and the present.

craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
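As an added example (not part of the original post), the following Python script does from the defender's side what the post describes a tracking company doing: it scans HTML for 1x1 `IMG` tags whose `SRC` points at a host other than the page's own, and then reports which third-party hosts show up across more than one site, which is exactly the cross-site consolidation point the post makes. The sample pages, the host names `www.site1.example`, `www.site2.example` and `www.site3.example`, and the opaque path tokens are constructed for the example; only `www.web-bugs.com` and the two bug URLs are taken from the post.

```python
"""Find web bugs (third-party 1x1 tracking images) in HTML and show which
tracker hosts appear across several sites. Standard library only."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in a page."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            # HTMLParser already lowercases attribute names
            self.imgs.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """True if a WIDTH/HEIGHT attribute is an explicit 0 or 1 pixel value."""
    if value is None:
        return False  # beacons without dimensions need another heuristic
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def find_web_bugs(page_url, html):
    """Return one record per third-party 1x1 image found in the page."""
    page_host = urlparse(page_url).hostname
    collector = _ImgCollector()
    collector.feed(html)
    bugs = []
    for img in collector.imgs:
        src = urlparse(img.get("src", ""))
        # Same-origin images are ordinary page content; a stricter check
        # would compare registrable domains rather than full host names.
        if not src.hostname or src.hostname == page_host:
            continue
        if _is_tiny(img.get("width")) and _is_tiny(img.get("height")):
            bugs.append({"page": page_host, "tracker": src.hostname,
                         "path": src.path})
    return bugs


def trackers_across_sites(pages):
    """Map each tracker host to the sorted list of sites that embed it,
    keeping only trackers seen on more than one site."""
    seen = defaultdict(set)
    for url, html in pages:
        for bug in find_web_bugs(url, html):
            seen[bug["tracker"]].add(bug["page"])
    return {host: sorted(sites) for host, sites in seen.items()
            if len(sites) > 1}


# Constructed sample pages. The two web-bug URLs are the ones from the post.
SITE1_URL = "http://www.site1.example/home"
SITE1_HTML = """<html><body>
<IMG SRC="http://www.site1.example/logo.gif" HEIGHT=40 WIDTH=120>
<IMG SRC = "http://www.web-bugs.com/X738x8HHJXL1723H" HEIGHT=1 WIDTH=1>
</body></html>"""

SITE2_URL = "http://www.site2.example/members"
SITE2_HTML = """<html><body>
<IMG SRC = "http://www.web-bugs.com/dhd7632891kzyq1" HEIGHT=1 WIDTH=1>
</body></html>"""

# A third-party image that is a real picture, not a beacon: must not be flagged.
SITE3_URL = "http://www.site3.example/"
SITE3_HTML = """<html><body>
<IMG SRC="http://cdn.site3.example/banner.jpg" WIDTH=468 HEIGHT=60>
</body></html>"""

SAMPLE_PAGES = [(SITE1_URL, SITE1_HTML), (SITE2_URL, SITE2_HTML),
                (SITE3_URL, SITE3_HTML)]

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES:
        for bug in find_web_bugs(url, html):
            print(f"{bug['page']} embeds beacon {bug['tracker']}{bug['path']}")
    print("trackers seen on several sites:", trackers_across_sites(SAMPLE_PAGES))
```

Run against saved copies of pages from several sites, the last line of output is the list of hosts that are in a position to link your identities across those sites. Blocking those hosts (or third-party cookies for them) in the browser is the mitigation; the detector only tells you where to look.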