DEFENDING YOURSELF
AGAINST "TRACKING FILES"
by Dave Bilgray,
This is a
follow-up to Paul Scott's item at the Friday Computer Professionals SIG
breakfast, regarding tracking information which is placed on people's computers
when they visit a website. This information is then used to customize ads when
they visit other websites.
I did a
little digging on the web to get more details. Based on what I found, with
help from TCS members Francis Chao and Ken Sandock, it looks like this is how it's done:
A downloaded web page contains a beacon, which is a
one-pixel gif image, not noticed by the user. As with any image, its presence
on the page causes a request to a server. That server saves info from Flash
cookies, which are like traditional cookies, except that they are not typically
deleted by browser privacy controls.
Data about
the computer user, from multiple sessions and webpages,
is correlated, using a unique id assigned to each computer, even if the
person's name is not known. It then is sent to a clearing house, which operates
like a stock exchange. Data is auctioned within seconds of the person's website
visit.
This happens even if the user deletes traditional cookies at
the end of a session, because Flash cookies can be used in the next session to
restore traditional cookies.
The beacon file is specified as non-cacheable, so the server
is always notified, whenever any page containing the beacon is displayed.
As a
result, any product you show an interest in is likely to re-appear in ads on
many websites. In a radio interview, a Wall Street Journal reporter said she
looked online at a pair of shoes, when then "followed me around" for
a month, until she finally bought them.
The same applies to keywords. Her WSJ article mentioned words
associated with depression or other health issues.
More than
100 companies are involved in this business. A WSJ survey of 50 large websites
resulted in 3000 of these files being placed on a test computer. Some companies include "personally
identifying information" in their data, some don't. There's
good money in it. Targeted ads sell for twice the price of untargeted ads.
"Flash
cookies" are also known as Local Shared Objects,
which "Wired" mag
says are a "little
known capability of Adobe’s Flash plug-in". Beacons and Flash cookies
get onto computers via free software, ads, or other methods. Sometimes the
website isn't aware that it's distributing the files.
Beacons have been used for many years to monitor how often
ads get displayed. Also by vendors who want to associate a specific ad with a
sale. What's different now is that info is being gathered and correlated re the
user's activity on multiple websites.
This looks
like a major extension of what we knew that cookies were being used for. Not
new, obviously, but a WSJ article calls it "One of the fastest-growing
businesses on the Internet". This paragraph sums it up:
"The
new technologies are transforming the Internet economy. Advertisers once
primarily bought ads on specific Web pages—a car ad on a car site. Now,
advertisers are paying a premium to follow people around the Internet, wherever
they go, with highly-specific marketing messages."
Side note: Beacons are also used in email, to tell a sender
whether the email was read. Some email programs, including gmail,
prevent this from being used by spammers, by not automatically displaying
images in email.
Here are links with more info.
This WSJ article, "The
Web's New Gold Mine: Your Secrets", describes what's being done.
This WSJ
article, "How
to Avoid the Prying Eyes" tells you defensive techniques that can be
used to prevent the spying of "Flash cookies".
This WSJ
article, "What
They Know About You", provides links to
Web-based forms where you can unlist
yourself from the databases of audience data gathers.
This "Infoworld" article, "Block
'Flash cookies' to thwart zombies" describes legal and privacy issues
re Local Shared Objects.