Your personal information is worth money to companies. Some of them are prepared to spy on you to get it.
Let me introduce myself. I'm 800000022a0c2aa. Or at least, that's how marketing firm DoubleClick manages to pick me out from among all other Internet users. RealPlayer has its own number for me, as do several other companies. You, too, are almost certain to have your own tracking numbers, whether you know it or not.
Despite the fall of the Berlin Wall and the distant death of the cold war, the spy business is alive, well and thriving on the Internet. And you are its target.
The list of companies keen to know more about you than you may realise includes marketing firms, advertisers, search engines, software companies and Web site owners. Such companies as DoubleClick, Real, Radiate (formerly Aureate), Conducent, Netscape, Microsoft, 24/7 Media, Digital Impact, Responsys, InfoBeat, Web3000, and others.
Many other companies, while not directly spying on you, provide a conduit for the digital spooks. Shareware authors have become major players in the spyware business, bundling their products with invasive adware that does quite a bit more than simply display advertisements.
The reason for all this behind-the-scenes activity is simple: Companies want to know what you like, what you dislike, what you buy. The more data they can collect on your reactions, responses, browsing and buying patterns, the more closely they can target advertising and marketing campaigns. The aim is to get to know as much about you as possible so they can sell you more, or so they can sell what they know about you to someone else.
This is not a new activity for business. Companies have been gathering 'marketing intelligence' about consumers for many years. What is new is the technology being employed to obtain data and the ways in which that data can be cross-referenced.
Two technological trends have played a major part in bringing such common business practices under scrutiny – and complaint. The first is the ubiquity of the Internet, which has fostered the development of Web-enabled applications. Such applications provide a direct link between a company and each copy of its software installed on users' machines.
This first trend has led to the second trend, the emergence of adware. Adware is 'free' software subsidised by in-built advertising updated via the Internet. In the past two years there has been an explosion of adware, with hundreds of shareware authors signing on for the system.
If displaying ads were all that adware did, it would be a reasonable deal. But that's not the end of it. Adware targets ads, and in order to do that, it collects information on how often you view an ad and which ads you click. In order to track your usage, it assigns you a unique ID. This ID, your ad usage data and often additional data is sent to the adware company's servers each time you connect to the Internet.
Adware isn't the only way companies track your whereabouts and habits. Commercial software sometimes includes components that do a little more than their stated purpose. Mattel Interactive, for example, came under scrutiny for including Brodcast – an advertising and marketing tool – in hundreds of titles. Brodcast is supposed to provide a way for consumers to obtain additional content and automatically update their software, but as Mattel failed to inform users fully about its purpose and as it was used in children's software, it quite understandably caused concern. While Mattel claims Brodcast was intended for purely innocent uses, the fact that it was automatically installed on hard drives even when the consumer removed the check from the Use Brodcast option when installing the program did little to allay suspicions.
Web sites, too, have long used cookies – little pieces of identifying information dropped onto your hard disk – to help track and identify users. A more recent trend is the use of Web bugs on Web sites and in e-mail. A Web bug is a graphic embedded in a Web page or an HTML e-mail message. Web bugs are frequently invisible because they are designed to be a single pixel square in size. They're used to:
| Geekgirl.technote: Web bugs in the wild |
| Here are some real-world examples of Web bugs. The first comes from eTrade's US site:
<IMG SRC="https://ad.doubleclick.net/activity;src=232445;type=ethp;cat=hpv; Note the width='1' height='1' tags, which render the graphic virtually invisible. Single pixel graphics are frequently used as spacers on Web sites, but that's not the purpose of this one. It's collecting information about your visit for DoubleClick. Web bugs also lurk in e-mail, such as this one documented by Richard Smith on his Internet Privacy Issues site: <IMG WIDTH='1' HEIGHT='1' SRC="http://www.m0.net/m/logopen02.asp? vid=3&catid=370153037&email=SMITHS%40tiac.net" alt=" "> Note how this Web bug includes Smith's e-mail address. Here's another, with the e-mail address encrypted: <IMG SRC="http://email.bn.com/cgi-bin/flosensing?x=ABYoAEhouX"> |
Companies who use such technologies to gather data are quick to assure users that the only information gathered is "non personally identifiable information" and that data is aggregated to provide mass marketing statistics. If you read the privacy policies included in adware and on Web sites – and you really should – you'll see these terms used repeatedly.
But that's not the whole story. Read further in those privacy policies and you'll find that many of the companies do, in fact, store and use personally identifiable information if you provide them with it.
Netscape got itself into hot water recently for just this type of activity: transmitting usage and personally identifying data with all files downloaded using its SmartDownload program. Not only did SmartDownload transmit a unique identifier, but for those users who had also registered with NetCenter it included the e-mail address and NetCenter login. After several people filed a lawsuit against the company, it removed the capability while denying, all along, that the feature was intended for anything other than "technical support purposes".
Perhaps the biggest online threat is DoubleClick. DoubleClick ads pepper the Internet. The first time you view a DoubleClick ad it installs a cookie on your system. DoubleClick also uses Web bugs to monitor your visits to certain sites and it also receives all the search strings you enter at search sites such as Altavista. DoubleClick uses this information to create profiles of consumers.
DoubleClick's privacy policy is worth reading as it has the flavour of so many online privacy policies, which seem to tell you more about how you will lose your privacy rather than how it will be protected.
The policy starts off fairly innocuously: "In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about
you."
One might quibble about "In the course of delivering an ad to you". What, then, about data collection via non-ads such as Web bugs?
It gets worse when you read further: "non-personally identifiable information collected by DoubleClick in the course of ad delivery
can be associated with a user's personally identifiable information if that user has agreed to receive personally-tailored
ads." (The italics are mine.)
It gets worse still: "If you have chosen on any of the Web sites with which Abacus [a division of DoubleClick] does business to receive ads tailored to you personally as part of Abacus Online's services, the cookie will allow DoubleClick and Abacus Online to recognize you online in order to deliver you a relevant message."
That last, it appears, means that if on any single occasion you accept a cookie, click an ad or fill in an ad-related form or survey, DoubleClick will from then on recognise you at any and all of the thousands of sites infiltrated by its tentacles.
The kicker is that most consumers have no clue that they're viewing a DoubleClick ad or that the sweepstakes entry they submitted is a DoubleClick entry point.
Type a search word into Excite Australia and the search string is handed over to DoubleClick, which serves up a relevant advertisement. (Click screenshot for a full-size image.)
This leads us to the real problem with spyware, whether online or offline. It's not that the information being gathered is a problem, nor that it's being used in an abusive way – although both those points may be argued. The real problem is the underhanded way this information is obtained. Until pressured by privacy advocates, few companies own up to the full extent of their information gathering practices. Even when forced to come clean, ad and marketing companies continue to hide behind the shareware and Web site companies who act as the information conduits.
Advertisers frequently do not ask users' permission to gather information; nor are most advertisers entirely forthcoming when saying how they will use information they do gather. Web bugs are a clear example of stealth monitoring, and any site that doesn't state up front that it's using cookies is also guilty of sneakiness.
Caught out! After uninstalling all shareware supplied with Conducent/Timesink's TSADBOT adware, the TSADBOT remained on the system running continuously. (Click screenshot for a full-size image.)
When it comes to companies claiming that they'll never use personally identifiable data with other tracking data, those companies are asking consumers to take a very great deal on faith. Especially given the track record. Real Networks, Netscape, Amazon, Microsoft, Conducent, Radiate, Broderbund, Mattel – all these companies and many more have been forced to improve their accountability after they were found with their hand in the biscuit tin. Some of the infractions have been minor; others have been gross.
Apart from issues of trust and consent, there are other worrisome aspects to all this data gathering:
Data persists even after a company goes belly up, which means privacy policies have a limited lifespan. Take the example of Toysmart.com. This US-based toy company had a privacy policy which stated it would never sell customer information to a third party. It was also a TRUSTe member, having signed an agreement to protect the privacy and security of customers. When Toysmart filed for bankruptcy, it tried to sell its assets including its database of customer names. TRUSTe and several US state district attorneys filed suit to stop the sale. Regardless of the outcome in this specific case, the bankruptcy court certainly has the power to overturn any agreements, making any privacy policies flimsy and ephemeral.
Companies frequently collect much more information than they use. While their privacy policies may state that information will be put to limited uses, they have the potential to do much more. Such policies rarely address what is done with the 'excess' data or what protections are in place to prevent personally identifying information from being cross matched with other data.
Laws lag behind technology. That's especially the case when legal issues cross international boundaries, as happens frequently when dealing with Internet privacy.
Companies often are not aware of the extent of their own information gathering procedures and capabilities. As privacy advocate Richard Smith puts it, "The people responsible for writing privacy policies do not really understand the technical and business processes that are in place. They write policies where everything is black and white such as 'we never give out email addresses' while businesses, like real life, are usually different shades of gray."
Not all this prying is necessarily a bad thing, of course. If you feel happy about allowing ads to be run on your system and data gathered about your ad watching habits in return for free software, then adware is a real boon. It makes available hundreds of programs that you would otherwise have to pay for. And, after all, once you have Conducent, Radiate or some other adware program installed via a single shareware application, it doesn't make much difference if you go ahead and install several dozen adware-enabled programs.
Similarly, cookies and Web bugs can improve your surfing experience. After all, you're going to face a diet of banner ads on Web sites no matter what, so why not let DoubleClick and similar companies feed you ads that may interest you, rather than an irrelevant hotchpotch? In addition, many cookies are quite handy, such as those which remember your site logins and save you from having to enter this information each time you visit a site.
If you don't feel quite so blasé about all this snooping and want to keep prying eyes out of your digital existence, what can you do? Here are some starting points:
Read licence agreements. They may be boring and almost impenetrable, but they're important. By blithely clicking I Agree to software licence agreements you hand companies permission to do all sorts of nasty things to you. In particular, read licence agreements for any adware you install and for any programs which you know to have Internet updating capabilities, such as multimedia and MP3 players, system updaters, and so on.
Turn off tracking features in programs. For example, when you install a program such as RealPlayer, say no to every option that increases traffic between your computer and the Real Networks. There are some options you may want to keep – such as the automatic lookup of CD names and tracks – but junk all the others. Do the same with other software that asks permission to communicate with you.
Be careful what you agree to. Internet-enabled programs such as RealPlayer will gossip about you constantly with their mother servers if you let them. Make sure you say No to such options when installing, or use the Preferences to turn them off. (Click screenshot for a full-size image.)
Pay for shareware. Many shareware authors are very sensitive to users' concerns about adware. You'll find an increasing number of authors make two versions available – a free adware version and an ad-free, paid-for version. Opt for the latter to keep adware out of your system. It's also the smart thing to do; after all, it's largely because consumers have ripped off shareware developers in the past that we're now deluged with adware.
Look for freeware or commercial alternatives to adware. Try searching a site such as Completely Free Software, Tucows, ZDNet's Software Library or CNet's Download.com for alternatives. These sites usually, although not always, report when a program contains adware.
Set your browser to refuse cookies. In Internet Explorer 4:
From the View Menu select Internet Options.
Click the Advanced tab and scroll down to Security.
In the Cookies section, select Disable All Cookie Use. Alternatively, you may select Prompt Before Accepting Cookies if you'd like to allow some cookies but disable all the rest. If you use the first, brute force option, you may find you can't gain access to some of your favourite sites. In that case, change the setting to Prompt Before Accepting Cookies.
Click OK.
In Internet Explorer 5:
Click the Security tab.
You can create settings for four different categories of sites. Select the Internet icon and click Custom Level.
Scroll down the list of security settings to the Cookies section.
Disable the Allow Cookies That Are Stored On Your Computer and the Allow Per-Session Cookies options.
Click OK twice to exit.
Preventing your Web browser from accepting cookies is a good first step in stopping online spying. (Click screenshot for a full-size image.)
In Netscape Navigator/Communicator:
Select Preferences from the Edit Menu.
Click the Advanced category.
Select Disable Cookies to completely disable cookies or select Warn Me Before Accepting A Cookie to selectively disable cookies.
Click OK.
Delete existing cookies. Disabling cookies doesn't work for those cookies already on your system. Once you've disabled cookies, you should then delete any existing cookies. If you're using Netscape, close your browser then open your personal folder in Program Files\Netscape\Communicator\Users and delete the file cookies.txt. If you're using Internet Explorer:
Close IE then open the Windows\Temporary Internet Files folder.
Select View Menu, Details.
Click the Internet Address column header to sort the files and place all the cookies at the top.
Click the first cookie, scroll down the list until you find the last cookie and press the Shift key while selecting it.
Press Delete to delete the cookies.
Just for good measure, check to make sure the Windows\Cookies folder is entirely empty. If it isn't, delete anything in it.
Use a cookie manager. Because some cookies are useful, you may want to use a cookie manager instead of disabling cookies completely in your browser. Check out Burnt Cookies, Cookie Pal or the freeware CookieWall.
Provide the minimum amount of information at all times. Adware usually comes with a 'survey' which you're asked to fill in before using the software. Provide the least amount of information you can. The same goes for Web sites and software registrations. There's no need for these companies to know your income or even your gender, so don't provide such information or other unnecessary details.
Surf anonymously. Your computer can be uniquely identified by its IP (Internet Protocol) address when you surf. Although this address is often assigned dynamically (that is, you get a different IP address each time you surf), in many cases it's static, providing a pointer to your computer. If you'd like to visit sites without being tagged by an IP address, use an anonymous surfing service such as Anonymizer or Rewebber. These services cover your traces and deliver you to a site anonymously. They can be a bit of a pain to use, as you need to go through the service first to get to your destination, but if you're really hankering to surf incognito, they're the way to go.
To make such services easier to use, each time you use one to visit a favourite site, bookmark the site or add it to your Favourites. Then, when you use the bookmark in the future, it will automatically direct you to the site via the service.
Another trick with Rewebber is to simply prefix a Web address with:
http://www.rewebber.de/surf_encoded/
For example, if you want to visit Excite Australia's site anonymously use:
http://www.rewebber.de/surf_encoded/http://www.excite.com.au
Use Web-based e-mail. Get yourself a free Web-based e-mail account and use that address as your general contact point. If possible, set up the e-mail account using a public library or Internet café computer, to ensure your IP address is not stored with the account.
Install a firewall. Firewalls let you monitor and block unwanted communication between your PC and other computers. You're particularly at risk if you have an always-on connection to the Internet via cable modem of DSL. You'll need to spend some time when you initially install the Firewall training it to recognise which contacts are welcome and which are unwanted. After that initial period, your firewall will do the job pretty much on its own. There are some excellent firewalls available, including ZoneAlarm and Sygate Personal Firewall, both free for personal and non-profit use and designed for cable and DSL connections. Other worthwhile products are ZoneAlarm Pro, McAfee Personal Firewall and Norton Personal Firewall.
An Internet firewall, such as ZoneAlarm, can help you monitor who's monitoring you and stop them in their tracks. (Click screenshot to see a full-size image.)
To rid yourself of persistent adware you can use one of the third-party utilities available or try techniques recommended by the adware companies themselves. Here are some eradication solutions:
Third-party adware uninstallers. OptOut eliminates Radiate/Aureate adware. Ad Aware can eliminate most adware, including Radiate, Timesink, Cydoor, Comet Cursor, and others.
The Ad-Aware utility lets you selectively delete adware and suspicious cookies. (Click screenshot to see a full-size image.)
Radiate/Aureate. The most recent versions of Radiate adware include an uninstallation routine. The routine should run automatically when you uninstall all programs which contain the adware; otherwise you should find an uninstall line in Control Panel, Add/Remove Programs. If that doesn't work, or if you have an early version of Radiate's adware on your system, here's what to do:
If you're not sure which shareware contains Radiate adware, you'll find out once you run the Remove program, as these shareware programs will stop functioning.
Conducent/Timesink. To eliminate Conducent's Timesink Tsadbot adware you must delete a folder and some Registry keys. If you're not familiar with editing the Registry, get someone with experience to do it for you. Make sure you backup your Registry before making any changes:
HKEY_CURRENT_USER\Software\TimeSink
HKEY_LOCAL_MACHINE\Software\TimeSink
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run\TimeSink
DoubleClick. To opt out of DoubleClick's online tracking, visit the company's opt-out page and click the Opt-Out Click Here button. This will replace your DoubleClick cookie, which contains your unique ID, with an OPTOUT ID.
Guidescope (advertising and cookie blocker)
The Spyware Infested Software List
Gibson Research Corporation (excellent resource on spyware and security, author of OptOut)
Richard Smith's Tipsheets (good info on Web bugs and many other privacy issues)
© 2000 Rose Vines, www.geekgirls.com