Who is tracking what you do online?

Who is tracking what you do online?

I frequently hear about Internet users who always clean all of their cookies, citing fears of privacy issues or identity theft. If I ask some of those users what an Internet cookie is, I receive a variety of replies indicating a multiplicity of definitions varying from somewhat accurate to wildly inaccurate. There is equal misunderstanding about the functions of cookies and the degree of risk they pose to the user. I sometimes ask if they also delete their LSO or “Local Shared Object” cookies as well, which is typically responded to with a blank stare.

Cookies have been around since the early days of the World Wide Web, first used in beta version of Netscape in 1994, and are by default saved by most browsers. According to Wikipedia, “A cookie, also known as an HTTP cookie, Web cookie, or browser cookie, is usually a small piece of data sent from a website and stored in a user’s Web browser while a user is browsing a website.” These are small text files, not to exceed 4kb in size. By themselves, cookies are inert pieces of data that cannot transmit viruses and cannot infect the computer with malware. Some cookies are beneficial for the user while other cookies may be used to track the users’ Web surfing habits, a major privacy concern.

Some of the good or beneficial cookies are used as shopping carts, which temporarily store a list of items being purchased online from a particular website; other beneficial cookies are referred to in the trade as “authentication cookies,” which indicate to a website the authenticity of a user, often including an encrypted username and password when a user clicks “Remember Me” on a website, allowing the user future access without the need to login. In some cases, if an authentication cookie is not properly encrypted, it can be read by a hacker, which will then give the hacker access to the user’s Web account on that particular site; while this has indeed occurred, it is not considered to be a common threat at present due to the security enhancements built into all modern browsers.

The most controversial type of cookie, one that has attracted the ire of regulators in the U.S. and Europe, is the tracking cookie, called by some a “persistent cookie.” Wikipedia describes them as “third-party tracking cookies commonly used as ways to compile long-term records of individuals’ browsing histories. ... Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or Web bugs. Knowledge of the pages visited by a user allows the advertising company to target advertisements to the user’s presumed preferences.” Many users actually benefit to some degree by having some tracking cookies on their computers, as the advertisers who financially support the websites that we visit (and keep them free for us) can better and more efficiently target advertising to the user. A recent study by McCann Truth Central covering Internet tracking found that 69 percent of respondents surveyed indicated that they believe that they get better discounts and promotions; 42 percent appreciate the targeted advertising that displays items of interest to them; 32 percent appreciate the convenience and ease of checkout because sellers already have information on them; and 24 percent like the fact that these targeted advertisements display items of interest that the users were unaware of. According to McCann, “Folks around the globe are more than willing to share their personal information as long as there’s something in it for them. The more the benefits, the more information they’ll share.” Seven out of 10 people asked said they were willing to share their personal information when it meant they had access to promotions and discounts.

There are also inherent risks with tracking cookies, in that they might be used to violate the Web surfer’s privacy, in that third parties often compensate Web sites for planting their cookies on users’ computers. It is the compilation of the websites visited and unknowingly disclosed to third parties that invokes privacy fears, in that your personal profile is being developed and read by others for a variety of legitimate and illicit purposes. With tracking cookies, it is easy to determine many of an individual’s demographic characteristics including race, gender, income, marital status, political affiliation, sexual orientation, hobbies and interests, religion and other facets of life that we prefer to keep private.

Some tracking cookies are sneaky in the way that they are placed on the computer by websites that have been visited. These “web bugs” are also called Web beacons, tracking bugs, tags and other somewhat descriptive names. In order to slip through some forms of browser security, a Web bug is actually a tiny GIF file, consisting of a single pixel (the tiny dots that make up the image on your monitor are pixels or “picture elements”). The miniscule images are sometimes called a tracking pixel, pixel tag, or a 1×1 gif. Since browsers are designed to display GIF and other common image formats, a Web bug or GIF image of a single pixel will be virtually invisible to the user when displayed on a Web page. Most users are oblivious to the fact that most browsers, again by default, respond to images displayed by transmitting back to the sender of the Web bug information culled from the user’s browser, including operating system, IP address, and other information that in some cases could also include the user’s name. Since almost all e-mail programs support HTML based e-mail, Web bugs are frequently used by spammers to report back to them when the recipient of the spam e-mail opens the spam before deleting it. Now the spammer has a confirmation of the target’s e-mail address, as well as the ability to gather additional information from the recipient’s computer.

Another type of tracking cookie, the one that most Internet users are totally unaware of, is the LSO or “Local Shared Objects,” which are not the typical text based cookie, or the common variety of Web bug, but instead are cookies written in Adobe Flash, undetectable by most users and cookie cleaning utilities. According to Wikipedia, “Local shared objects contain data stored by individual Web sites. With the default settings, the Flash Player does not seek the user’s permission to store local shared objects on the hard disk.” While the traditional text based cookie is generally limited to 4kb in size, these LSO or flash cookies can be up to 100kb in size, thus capable of storing much more information about the user and the websites visited. Unlike common cookies, which are all connected to a specific browser, the one which wrote them to the hard drive, LSO cookies are independent of the browser, thus can be shared (read) by any browser on the computer. For example, if I receive an LSO cookie while browsing with Firefox, and later open Internet Explorer, the LSO cookies written by Firefox will also be accessible to Internet Explorer. With Internet Explorer open, Web sites can read the LSO cookies received earlier by Firefox, allowing targeted advertising, dynamic content, or other forms of targeting just as if I still had Firefox open.

Almost all contemporary browsers offer a “Do Not Track” function (also listed as “DNT”) in their privacy settings. In theory, this tells Web sites not to track this particular user; while some websites honor this request, many do not, making this function somewhat dubious but still appropriate to select. 

Since I value my privacy, and primarily use the latest version of Firefox on all of my PC’s, I use a variety of utilities to control the placement of tracking cookies, Web bugs, and LSO cookies on my computer. A cute little free program called Ghostery (www.ghostery.com) can detect the different varieties of Web bugs and Web beacons as well as the tracking cookies on any Web site visited, displaying all of them to the user immediately after opening a Web page, thus allowing the user to take control over what is placed on a computer. Ghostery is available (free) for Firefox, Safari, Chrome, Opera, Internet Explorer and iOS devices (iPhone and iPad versions). I also use a Firefox add-on BetterPrivacy (addons.mozilla.org/en-US/firefox/addon/betterprivacy) which deletes any LSO or Flash cookies that may have been loaded during a session, automatically deleting them when closing Firefox.

Being aware of the types of privacy issues that may arise from online tracking and how tracking devices may be used or abused by others, users can better control who has access to their Internet website history and what they can do with it.