Spyware
Cookies are tracking objects,
little notes that show where a person has been or what a person has done. The
only information they can gather is what you give them by entering data or
selecting an object on a web page. As we see in the next section, spyware is
far more powerful and potentially dangerous.
Cookies are passive files
and, as we have seen, the data they can capture is limited. They cannot, for
example, read a computer's registry, peruse an e-mail outbox, or capture the
file directory structure. Spyware is active code that can do all these things
that cookies cannot, and generally anything a program can do, because that is
what spyware is: a program.
Obviously for sensitive
information, such as credit card number or even name and address, the site
should encrypt or otherwise protect the data in the cookie. It is up to the
site what kind of protection it wants to apply to its cookies. The user never
knows if or how data are protected.
The path and domain fields
protect against one site's being able to access another's cookies. Almost. As
we show in the next section, one company can cooperate with another to share
the data in its cookies.
Third-Party Cookies
When you visit a site, its
server asks your browser to save a cookie. When you visit that site again your
browser passes that cookie back. The general flow is from a server to your
browser and later back to the place from which the cookie came. A web page can
also contain cookies for another organization. Because these cookies are for
organizations other than the web page's owner, they are called third-party cookies.
DoubleClick has built a
network of over 1,500 web sites delivering content: news, sports, food,
finance, travel, and so forth. These companies agree to share data with
DoubleClick. Web servers contain pages with invisible ads from DoubleClick, so
whenever that page is loaded, DoubleClick is invoked, receives the full
invoking URL (which may also indicate other ads to be loaded), and is allowed
to read and set cookies for itself. So, in essence, DoubleClick knows where you
have been, where you are going, and what other ads are placed. But because it
gets to read and write its cookies, it can record all this information for
future use.
Here are some examples of
things a third-party cookie can do.
Count the number of times
this browser has viewed a particular web page.
Track the pages a visitor
views, within a site or across different sites.
Count the number of times a
particular ad has appeared.
Match visits to a site with
displays of an ad for that site.
Match a purchase to an ad a
person viewed before making the purchase.
Record and report search
strings from a search engine.
Of course, all these counting
and matching activities produce statistics that the cookie's site can also send
back to the central site any time the bug is activated. And these collected
data are also available to send to any other partners of the cookie.
Let us assume you are going
to a personal investing page which, being financed by ads, contains spaces for
ads from four stockbrokers. Let us also assume eight possible brokers could
fill these four ad slots. When the page is loaded, DoubleClick retrieves its
cookie, sees that you have been to that page before, and also sees that you
clicked on broker B5 sometime in the past; then DoubleClick will probably
engineer it so that B5 is one of the four brokers displayed to you this time.
Also assume DoubleClick sees that you have previously looked at ads for very
expensive cars and jewelry. Then full-priced brokers, not discount brokerages,
are likely to be chosen for the other three slots. DoubleClick says that part
of its service is to present ads that are the most likely to be of interest to
the customer, which is in everybody's best interest.
But this strategy also lets
DoubleClick build a rich dossier of your web surfing habits. If you visit
online gambling sites and then visit a money-lending site, DoubleClick knows.
If you purchase herbal remedies for high blood pressure and then visit a health
insurance site, DoubleClick knows. DoubleClick knows what personal information
you have previously supplied on web forms, such as political affiliation,
sexual matters, religion, financial or medical status, or identity information.
Even without your supplying private data, merely opening a web page for one
political party could put you on that party's solicitation list and the other
parties' enemies lists. All this activity goes under the general name of online profiling. Each of these pieces
of data is available to the individual firm presenting the web page; DoubleClick
collects and redistributes these separate data items as a package.
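The cross-site linkage behind such a dossier can be checked from the browser's side. The following is an added example, not part of the original text: it scans a constructed request log and reports third-party sites that received the same cookie from pages on several different sites. The host names, the log layout, and the two-label `site()` shortcut are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def site(host):
    # Simplification: treat the last two DNS labels as the "site".
    # Real tooling should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

# Constructed request log: (page the user was on, URL the browser fetched,
# Cookie header sent with that fetch). All hosts are hypothetical.
REQUESTS = [
    ("https://news.example/world", "https://news.example/style.css", "sid=n1"),
    ("https://news.example/world", "https://ads.tracker.test/ad?slot=1", "uid=abc123"),
    ("https://invest.example/brokers", "https://ads.tracker.test/ad?slot=4", "uid=abc123"),
    ("https://invest.example/brokers", "https://cdn.invest.example/logo.png", ""),
    ("https://health.example/bp-remedies", "https://ads.tracker.test/ad?slot=2", "uid=abc123"),
    ("https://health.example/bp-remedies", "https://stats.other.test/hit", ""),
]

def cross_site_trackers(requests, min_sites=2):
    """Return {third_party_site: {cookie: [pages]}} for third parties that got
    the same cookie from pages on at least min_sites distinct sites."""
    seen = defaultdict(lambda: defaultdict(list))
    for page_url, req_url, cookie in requests:
        page_site = site(urlsplit(page_url).hostname)
        req_site = site(urlsplit(req_url).hostname)
        if req_site == page_site or not cookie:
            continue  # first-party fetch, or no identifier was sent
        seen[req_site][cookie].append(page_url)  # tracker learns the invoking page
    report = {}
    for third_party, by_cookie in seen.items():
        linked = {c: pages for c, pages in by_cookie.items()
                  if len({site(urlsplit(p).hostname) for p in pages}) >= min_sites}
        if linked:
            report[third_party] = linked
    return report

if __name__ == "__main__":
    for third_party, by_cookie in cross_site_trackers(REQUESTS).items():
        for cookie, pages in by_cookie.items():
            print(f"{third_party} can link {cookie!r} to: {', '.join(pages)}")
```

A third party that appears in this report holds one identifier tied to pages on unrelated sites, which is the raw material of the profile described above.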
Presumably all browsing is
anonymous. But as we have shown previously, login IDs, e-mail addresses, and
retained shipping or billing details can all lead to matching a person with this
dossier, so it is no longer an unnamed string of cookies. In 1999, DoubleClick
bought Abacus, another company maintaining a marketing database. Abacus
collects personal shopping data from catalog merchants, so with that
acquisition, DoubleClick gained a way to link personal names and addresses that
had previously been only patterns of a machine, not a person.
Cookies associate with a
machine, not a user. (For older versions of Windows this is true; for Unix and
Windows NT, 2000, and XP, cookies are separated by login ID.) If all members of
a family share one machine or if a guest borrows the machine, the apparent
connections will be specious. The second problem of the logic concerns the
correctness of conclusions drawn: Because the cookies associate actions on a
browser, their results are incomplete if a person uses two or more browsers or
accounts or machines. As in many other aspects of privacy, when the user does
not know what data have been collected, the user cannot know the data's
validity.
Web Bugs: Is There an Exterminator?
The preceding discussion of
DoubleClick had a passing reference to an invisible image. Such an image is
called a clear GIF, 1 x 1 GIF, or web bug. It is an image file 1 pixel by 1 pixel, so it is far too
small to detect by normal sight. To the web browser, an image is an image, regardless of size; the browser will
ask for a file from the given address.
The distinction between a
cookie and a bug is enormous. A cookie is a tracking device, transferred
between the user's machine and the server. A web bug is an invisible image that
invites or invokes a process. That process can come from any location. A
typical advertising web page might have 20 web bugs, inviting 20 other sites to
drop images, code, or other bugs onto the user's machine. All this occurs
without the user's direct knowledge or certainly control.
Unfortunately, extermination
is not so simple as prohibiting images smaller than the eye can see, because
many web pages use such images innocently to help align content. Or some
specialized visual applications may actually use collections of minute images
for a valid purpose. The answer is not to restrict the image but to restrict
the collection and dissemination of data.
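The difficulty described above, that tiny images are not all web bugs, shows up in a simple page audit. This added example (not from the original text) lists every image declared as at most 1 x 1 pixel in a constructed page and separates first-party spacers from images fetched from another site. The page, the host names, and the two-label `site()` shortcut are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page for a hypothetical site; all hosts are placeholders.
PAGE_URL = "https://invest.example/brokers"
PAGE_HTML = """
<img src="/img/spacer.gif" width="1" height="1" alt="">
<img src="https://ads.tracker.test/pixel.gif?page=brokers" width="1" height="1">
<img src="https://cdn.invest.example/chart.png" width="640" height="480">
<img src="//stats.other.test/b.gif" width="1px" height="1px" style="display:none">
"""

def site(host):
    # Simplification: last two DNS labels; real tools use the Public Suffix List.
    return ".".join((host or "").lower().split(".")[-2:])

def px(value):
    # Parse a width/height attribute such as "1" or "1px"; None if absent or odd.
    v = (value or "").strip().lower()
    v = v[:-2] if v.endswith("px") else v
    return int(v) if v.isdigit() else None

class TinyImageAudit(HTMLParser):
    """Record every <img> declared at most 1x1 and whether a third party serves it."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (absolute image URL, "first-party" | "third-party")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        w, h = px(a.get("width")), px(a.get("height"))
        if tag != "img" or w is None or h is None or w > 1 or h > 1:
            return  # images sized only through CSS are not caught by this check
        src = urljoin(self.page_url, a.get("src") or "")
        same = site(urlsplit(src).hostname) == site(urlsplit(self.page_url).hostname)
        self.findings.append((src, "first-party" if same else "third-party"))

def audit(page_url, html):
    parser = TinyImageAudit(page_url)
    parser.feed(html)
    return parser.findings

def web_bug_candidates(page_url, html):
    # Size alone is not enough (spacers are innocent); report third-party ones.
    return [url for url, party in audit(page_url, html) if party == "third-party"]

if __name__ == "__main__":
    print("\n".join(web_bug_candidates(PAGE_URL, PAGE_HTML)))
```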
Spyware
Spyware is code designed to
spy on a user, collecting data (including anything the user types). In this
section we describe different types of spyware.
Keystroke Loggers and Spyware
We have previously referred
to keystroke loggers, programs that reside in a computer and record every key
pressed. Sophisticated loggers discriminate, recording only web sites visited
or, even more serious, only the keystrokes entered at a particular web site
(for example, the login ID and password to a banking site).
A keystroke logger is the computer equivalent of a telephone wiretap.
It is a program that records every key typed. As you can well imagine,
keystroke loggers can seriously compromise privacy by obtaining passwords, bank
account numbers, contact names, and web search arguments.
Spyware is the more general term that includes keystroke loggers and also
programs that surreptitiously record user activity and system data, although not necessarily at the
level of each individual keystroke. A form of spyware, known as adware (to be
described shortly), records these data and transmits them to an analysis center
to present ads that will be interesting to the user. The objectives of general
spyware can extend to identity theft and other criminal activity.
In addition to the privacy
impact, keystroke loggers and spyware sometimes adversely affect a computing
system. Not always written or tested carefully, spyware can interfere with
other legitimate programs. Also, machines infected with spyware often have
several different pieces of spyware, which can conflict with each other,
causing a serious impact on performance.
Another common characteristic
of many kinds of spyware is the difficulty of removing it. For one spyware
product, Altnet, removal involves at least twelve steps, including locating
files in numerous system folders [CDT03].
Hijackers
Another category of spyware
is software that hijacks a program installed for a different purpose. For
example, file-sharing software is typically used to share copies of music or
movie files. Services such as KaZaa and Morpheus allow users to offer part of
their stored files to other users. According to the Center for Democracy in
Technology [CDT03], when a user
installed KaZaa, a second program, Altnet, was also installed. The
documentation for Altnet said it would make available unused computing power on
the user's machine to unspecified business partners. The license for Altnet
grants Altnet the right to access and use unused computing power and storage.
An ABC News program in 2006 [ABC06]
reports on taxpayers whose tax returns were found on the Internet after the
taxpayers used a file-sharing program.
The privacy issue for a service
such as Altnet is that even if a user authorizes use of spare computing power
or sharing of files or other resources, there may be no control over access to
other sensitive data on the user's computer.
Adware
Adware displays selected ads
in pop-up windows or in the main browser window. The ads are selected according
to the user's characteristics, which the browser or an added program gathers by
monitoring the user's computing use and reporting the information to a home
base.
Adware is usually installed
as part of another piece of software without notice. Buried in the lengthy
user's license of the other software is a reference to "software x and its
extension," so the user arguably gives permission for the installation of
the adware. File-sharing software is a common target of adware, but so too are
download managers that retrieve large files in several streams at once for
faster downloads. And products purporting to be security tools, such as
antivirus agents, have been known to harbor adware.
Writers of adware software
are paid to get their clients' ads in front of users, which they do with pop-up
windows, ads that cover a legitimate ad, or ads that occupy the entire screen
surface. More subtly, adware can reorder search engine results so that clients'
products get higher placement or replace others' products entirely.
180Solutions is a company
that generates pop-up ads in response to sites visited. It distributes software
to be installed on a user's computer to generate the pop-ups and collect data
to inform 180Solutions of which ads to display. The user may inadvertently
install the software as part of another package; in fact, 180Solutions pays a
network of 1,000 third parties for each installation of its software on a
user's computer. Some of those third parties may have acted aggressively and
installed the software by exploiting a vulnerability on the user's computer [SAN05]. A similar product is Gator or Claria or
GAIN from the Gator Corporation. Gator claims its software is installed on some
35 million computers. The software is designed to pop up advertising at times
when the user might be receptive, for example, popping up a car rental ad right
after the user closed an online travel web site page.
There is little analysis of
what these applications collect. Rumors have it that they search for name,
address, and other personal identification information. The software privacy
notice from Gain's web site lists many kinds of information it may collect:
Gain Privacy Statement
WHAT INFORMATION DOES GAIN COLLECT?
GAIN Is
Designed to Collect and Use Only Anonymous Information. GAIN collects and
stores on its servers anonymous information about your web surfing and computer
use. This includes information on how you use the web (including the URL addresses
of the web pages you view and how long you view them), non-personally
identifiable information you provide on web pages and forms (including the
Internet searches you conduct), your response to online ads, what software is
on the computer (but no information about the usage or data files associated
with the software), system settings, and information about how you use
GAIN-Supported Software. For more information about the data we collect, click:
www.gainpublishing.com/rdr/73/datause.html.
"What software is on the
computer" and "system settings" seem to cover a wide range of
possibilities.
Drive-By Installation
Few users will voluntarily
install malicious code on their machines. Authors of spyware have overcome
suspicions to get the user to install their software. We have already discussed
dual-purpose software and software installed as part of another installation.
A drive-by installation is a means of tricking a user into
installing software. We are familiar with the pop-up installation box for a new
piece of software, saying "your browser is about to install x from y. Do
you accept this installation? Yes / No." In the drive-by installation, a
front piece of the software has already been downloaded as part of the web
page. The front piece may paste a different image over the installation box, it
may intercept the results from the yes / no boxes and convert them to yes, or
it may paste a small image over the installation box obliterating "x from
y" and replace it with "an important security update from your
browser manufacturer." The point is to perform the installation by
concealing from the user the real code being installed.
38 percent correctly thought
it was legal for an online merchant to charge different people different prices
at the same time of day.
36 percent correctly thought
it was legal for a supermarket to sell buying habit data.
32 percent correctly thought
a price-shopping travel service such as Orbitz or Expedia did not have to
present the lowest price found as one of the choices for a trip.
29 percent correctly thought
a video store was not forbidden to sell information on what videos a customer
has rented.
A fair market occurs when
seller and buyer have complete knowledge: If both can see and agree with the
basis for a decision, each knows the other party is playing fairly. The
Internet has few rules, however. Loss of Internet privacy causes the balance of
knowledge power to shift strongly to the merchant's side.