Transcript Cookie

Ch 158: Cookies and Web Bugs
What They Are and How They Work Together
http://www.abine.com/tracking.php
Online Tracking
• !privacy
• easy it
• Tracker
– ISPs, Websites, advertising networks
• To
– Provide: targeted advertising
– Classify: you into a demographic group
– Resell: information about you to other companies
Tracking Techniques
• Cookies, IP Addresses, Web Bugs, browsing history, others.
Cookie
–Small unique text file
–Created by: a Web site
–Sent to: computer’s hard drive.
–Record: client mouse-clicking choices
each time you get on the Internet.
Cookie
every time you visit that site they know its you
–Browser
•contacts a server and requests
the specific Web site.
•searches your hard drive to see
if it already have a cookie file
from the site.
Cookie
• If NO
– an ID is assigned to you
– this initial cookie file is saved on your hard drive.
• If YES
– the unique identifier code, previously recorded in your
cookie file, is identified and your browser will transfer the
cookie file contents back to that site.
– Now the server has a history file of actually what you
selected when you previously visited that site.
– You can readily see this because your previous selections
are highlighted on your screen.
Cookie
• if somebody has access to your computer
– they can often use cookies to see what sites you
have visited in the past
Types of Cookie
• HTTP Cookies - persistent
• "Session" Cookies
• Third Party Cookies
• Flash cookies
http://en.wikipedia.org/wiki/HTTP_cookie
• A visitor cookie
• A preference cookie
• A shopping basket cookie
• A tracking cookie.
HTTP Cookie
• come from the Web site
– that you are visiting
• usually intended to stay around permanently
and each time you are online.
• Recommendation
– To be deleted at the end of each browser session.
Session Cookies
• Expire when you close your browser.
• Some sites, such as Gmail, require the use of
cookies during a session in order to function
properly, but they don't need to have cookies
stored permanently on your computer.
• Recommendation
– allow session cookies
– to avoid breaking functionality on certain Web
sites.
Third Party Cookies
• Web pages often have pieces of content from
more than one source
– such as ads posted along the sidebar of a Web page
you are viewing.
• set the cookies
– Domains other than the main page you are viewing
– third parties.
• used by advertisers to track users across multiple
Web sites.
• Recommendation
– block third part cookies.
Flash cookies
• Unlike the other cookies with are controlled through the cookie
& privacy controls in your Web browser
• activated through a feature in Adobe's Flash plug-in called
"Local Shared Objects" (LSOs).
• This means that
– even if a user has cleared his or her cookie settings (by directing your
browser to “block” or “delete” cookies),
– sites can still use a feature of Flash to track your online behavior.
• Among other things, Flash cookies are used to ensure smooth
playback on sites that stream music and video.
• Recommendation
– delete all Flash LSOs at the end of each browser session.
– Note that this is not done the way other cookies are deleted; instead, a
user must visit Adobe’s site for the deletion controls or use other
software.
A visitor cookie.
• The most common type .
• keeps track of how many times you
return to a site.
• alerts the Webmaster of which pages
are receiving multiple visits.
A preference cookie
• stores a user’s chosen values on how to
load the page.
• it is the basis of customized home pages
and site personalization.
• It can remember which color schemes
you prefer on the page or how many
results you like from a search.
A shopping basket cookie
• is a popular one with online ordering.
• It assigns an ID value to you through a
cookie.
• As you select items, it includes that
item in the ID file on the server.
A tracking cookie.
• The most notorious and controversial .
• It resembles
– the shopping basket cookie, but instead of
adding items to your ID file, it adds sites you
have visited.
• Your buying habits
– are collected for targeted marketing.
• companies can save e-mail addresses supplied
by the user and spam you on products based
on information they gathered about you.
Cookie Usage
• After you type a URL in your browser,
– it contacts that server
– requests that Web site.
– The browser looks on your machine
• to see if you already have a cookie file from the site.
• If a cookie file is found
– your browser sends all the information in the cookie to that site
with the URL.
– When the server receives the information, it can now use the
cookie to discover your shopping or browsing behavior.
• If no cookie is received
– an ID is assigned to you and sent to your machine in the form of a
cookie file to be used the next time you visit.
Cookie Usage
• Cookies: left on your computer generally store
–a unique serial number
–used to identify you
–to keep track of all your visits to a certain
Web site and any "network" of sister sites.
Cookie Usage
• If third party cookies be stored
– Network = several advertising company sites
– each time you visit a Web site in the cookies
"network“ can track you as you travel among these
different sites.
– Advertisers can
• create a profile of you
• based on your browsing behavior
– as well as store your browsing history as long as they
like.
• Websites
IP Address
– receive your computer's current IP address
– can
• figure out where you are geographically
• keep track of all connections from the same IP address.
– if your IP address doesn't change then they have a good idea it's
you -- every time you visit.
– If you use a cable modem you may have a dynamically assigned IPaddress, but these tend not to change very often.
– Most other forms of Internet access use static IP addresses.
• To prevent
– proxy : Proxy does see all of your traffic.
Web Bug
can track you as you move among Web sites within their network
•
•
•
•
Web bug = beacons
a graphic: on a Web page or in an HTML-based e-mail message
to: track who is viewing the page (or email).
can provide
– IP address
– Time
– recipient wishes that information disclosed or not.
– how often a message is being forwarded and read.
– More
Web Bug
Web Bugs Usage
• Web Bugs: notify their server each time their page is accessed.
• The site: knows that the page with the bug on it has been accessed,
and by what IP address
• Advertisers:
can correlate your visits to their sites
– by
• looking at the timestamps of the requests from the Web
bugs you triggered
• use
– your IP addresses
– browsing sessions on their sites to build up their
profile.
Web Bugs Usage
–HTML-based emails:
• they can tell if you've opened their email and where you were
when you opened it.
Tracking Methods
• JavaScript trackers.
– pieces of JavaScript
–usually come from other sites.
–When the Web page loads in your
browser
• it makes a request to include a piece
of code from the tracking server.
Tracking Methods
• One-pixel images and other SRC tags.
– Images tags
• in HTML pages
• actually directions that tell your browser where to find the
image it is supposed to display to you.
– This means that when your browser displays a Web
page to you it makes a request to the tracking server
for the image.
– the image is a transparent 1-pixel image
• it is not really mean to be viewed
• it's really just a tracking method.
Tracking Methods
• Browser Fingerprinting.
– It is also possible to identify a specific browser by
looking at details about the browser software and
components directly.
– Currently
• not aware whether this is being done by Web sites in
the field
• it does represent the next frontier in online privacy.
– Visit to get your browser fingerprinted and see
how unique your browser fingerprint may be.
Browser History
• Websites can
– look at your browsing history
• through : JavaScript , CSS technique
– to see: portions of your browsing history.
– To do this the Web site has a list of all of the sites it is
interested in
• if you are keeping a browsing history
• they can learn whether that you have visited those target sites in
the past.
– used by advertising groups
– to put you into a demographic bucket
• did you visit sites about guns, cars and girls or Disney, toys, and
motherhood.
Web bugs and cookies
• Can be merged and even synchronized with a
person’s e-mail address.
• Issues may
•
•
•
•
Positive
Negative
Illegal
Unethical
Cookie Contents
• rumors
– cookies could
• scan information off your hard drive
• collect details about you
– passwords, credit card numbers, a list of SW on your computer.
– Rejected:
• a cookie is not an executable program
• can do nothing directly to your computer.
• small, unique text files created by a Web site and sent to a
computer’s hard drive.
Cookie Contents
• Contain:
– a name, a value, an expiration date, and the
originating site.
– The header
• contains this information
• removed from the document before the browser displays it.
• Cant be viewed : even if you execute the view or document
source commands in your browser.
• is part of the cookie when it is created:
When it is put
on your hard drive, the header is left off.
• The only information left of the cookie is relevant to the
server and no one else.
Cookie Contents
• Header: example
Set-Cookie: NAME=VALUE;
expires=DATE;
path=PATH;
domain=DOMAIN_NAME;
secure
Cookie Contents
• The NAME=VALUE:
– is required. NAME is the name of the cookie. VALUE has no relevance to the
user; it is anything the origin server chooses to send.
• DATE
– determines how long the cookie will be on your hard drive.
– No expiration date indicates that the cookie will expire when you quit the
Web browser.
• DOMAIN_NAME
– contains the address of the server that sent the cookie and that will receive
a copy of this cookie when the browser requests a file from that server. It
specifies the domain for which the cookie is valid.
• PATH
– used to further define when a cookie is sent back to a server.
• Secure
– specifies that the cookie only be sent if a secure channel is being used.
Where it is store
• Netscape Navigator users
– C:/Program Files/ Netscape/Users/default or user
name/cookie.txt)
• Explorer users
– C:\Documents and Settings\<user-name\Cookies
Delete, disallowed & block
• Web browsers have options that alert users
before accepting cookies.
• there is software that allows users to block
cookies,
– Get one and report
Reading ASS
??Cookie Poisoning
Cookies creation
• Cookies are stored as a text string
– a cookie can be manipulated like any other string literal
• scripting to
– set the cookie
– allow the trouble-free flow of information back and forth
between the server and client.
• languages
– Perl CGI script ( common).
– JavaScript, Livewire, ASP, or VBScript
Cookies creation
• Here is an example of a JavaScript cookie:
<SCRIPT language=JavaScript>
function setCookie (name, value, expires, path, domain, secure) {
document.cookie = name + “=“ + escape(value) +
((expires) ? “; expires=“ + expires : ““) +
((path) ? “; path=“ + path : ““) +
((domain) ? “; domain=“ + domain : ““) +
((secure) ? “; secure” : ““);
}
</SCRIPT>.
Cookie Creation
• cookie is written in a different languages
– the content includes the same name-value pairs.
– Each is used to set and retrieve only their unique
cookie and they are very similar in content.
– The choice of which one to use is up to the
creators’ personal preference and knowledge
View the cookie
– to see from the file is very limited and not easily
readable.
– is only readable in its entirety by the server that set
the cookie.
• what you see looks mostly like indecipherable numbers or
computer noise.
– cookie viewer program - Winmag.com
• free program
• locate and display all of the cookies on “Windows “
computer.
Reading Ass
Do you think there
are positive
things about
Cookies?
Negative Issues Regarding Cookies
• security and privacy issues
– Are cookies a security risk? Are cookies ethical?
• is based on
–how the information about users is collected,
–what information is collected,
–how this information is used.
• information such as
– service provider, OS , browser type, monitor
specifications, CPU type, IP address, and what server
last logged on.
– shared Computer
• at an Internet café
• people can snoop into the last user’s cookie file
Negative Issues Regarding Cookies
• things that cookies cannot do:
–
–
–
–
–
–
Steal or damage information from a user’s hard drive
Plant viruses that would destroy the hard drive
Track movements from one site to another site
Take credit card numbers without permission
Travel with the user to another computer
Track down names, addresses, and other information unless
consumers have provided such information voluntarily
Negative Issues Regarding Cookies
• personalization
– On January 27, 2000
• a California woman filed suit against DoubleClick
• accusing the Web advertising firm of unlawfully obtaining and
selling consumers’ private information.
– The lawsuit alleges that
• DoubleClick employs sophisticated computer tracking
technology, known as cookies, to identify Internet users and
collect personal information without their consent as they travel
around the Web.
– In June 2000
• DoubleClick purchased Abacus Direct Corporation
• a direct marketing service that maintains a database of names,
addresses, and the retail purchasing habits of 90 percent of
American households.
Negative Issues Regarding Cookies
• DoubleClick’s
– new privacy policy states that
• the company plans to use the information collected
by cookies to build a database profiling consumers.
– defends the practice of profiling, insisting that
• it allows better targeting of online ads which in
turn makes the customer’s online experiences
more relevant and advertising more profitable.
• The company calls it “personalization.”
Negative Issues Regarding Cookies
• GOOD policy:
– “Companies must tell consumers they’re collecting
personal information, let them know what will be
done with it and give them an opportunity to opt
out, or block collection of their data.”
What Is a Web Bug?
• A Web bug is
– a graphic (1X1)
• on a Web page or in an e-mail message
– To monitor
• who is reading the Web page or an e-mail msg.
What Is a Web Bug?
• Like cookie
– electronic tags
–help Web sites and advertisers track
visitors’ whereabouts in cyberspace.
• call-back to the server
What Is a Web Bug?
• check for bugs
–Search the page source code
• for an IMG tag
• attributes WIDTH=1 HEIGHT=1 BORDER=0
• it is quite likely a Web bug.
http:www.investorplace.com.
<IMG SRC=“http:ad.doubleclick.net/activity;src=328142; type=mmti;
cat=invstr;ord=<Time>?”WIDTH=1 HEIGHT=1 BORDER=0>
Privacy and Other Web Bug Issues
• Directed Advertising - Advertising networks
– DoubleClick or Match Point
– Use Web bugs = “Internet tags”
• to develop an “independent accounting” of the number of
people in various regions of the world, as well as various
regions of the Internet, who have accessed a particular Web
site.
Privacy and Other Web Bug Issues
• Account for
– the statistical page views within the Web sites.
– helpful in planning and managing the effectiveness of
the content because it provides a survey of target
market information (i.e., the number of visits by users
to the site).
– use Web bugs to build a personal profile of sites a
person has visited.
• This information can be warehoused on a database server
and mined to determine what types of ads are to be shown
to that user.
Privacy and Other Web Bug Issues
Web bugs used in
e-mail messages
more invasive
Privacy and Other Web Bug Issues
• In Web-based e-mail Web bugs can be used to
• Determine
– if and when an e-mail message has been read.
• provide
–the IP address of the recipient
• whether or not
–the recipient wishes that information disclosed.
Privacy and Other Web Bug Issues
• Within an organization a Web bug can
– give an idea: of how often a message is being forwarded
and read.
• helpful in direct marketing to return statistics on the
effectiveness of an ad campaign.
– be used to detect
• if someone has viewed a junk e-mail message or not.
• People who do not view a message can be removed
from the list for future mailings
Privacy and Other Web Bug Issues
• With the help of a cookie the Web bug can
– Identify
• a machine, the Web page it opened, the time the
visit began, and other details.
–sent to : a company that provides advertising services.
–used to: determine if someone subsequently visits another
company page in the same ad network to buy something or to read
other material.
Privacy and Other Web Bug Issues
• for consumer
–Web bugs and other tracking tools
–represent a growing threat to the
privacy and autonomy of online
computer users.
Privacy and Other Web Bug Issues
• Web bugs and Microsoft Word documents
– It is also possible to add Web bugs to Microsoft Word
documents.
– A Web bug could allow an author to
• to track where a document is being read.
• watch how a document is passed from one person to
another or from one organization to another.
Privacy and Other Web Bug Issues
• Some possible uses of Web bugs in Word
documents include:
– Detecting and tracking leaks of confidential
documents from a company
– Tracking possible copyright infringement of
newsletters and reports
– Monitoring the distribution of a press release
– Tracking the quoting of text when it is copied from
one Word document to a new document
Privacy and Other Web Bug Issues
• Web bugs are made possible by the ability in
Microsoft Word for a document to
– link to an image file that is located on a remote Web
server.
Privacy and Other Web Bug Issues
• URL of the Web bug is stored in a document and not
the actual image
– Microsoft Word must fetch the image from a Web server each and
every time the document is opened.
– This image-linking feature then puts a remote server in the position
to monitor when and where a document file is being opened.
– The server knows the IP address and host name of the computer that
is opening the document.
– host name
• will typically include the company name of a business.
• has the name of a user’s ISP
Privacy and Other Web Bug Issues
• Web bugs can be used in
• Word documents
• Excel 2000
• PowerPoint 2000
ASS
how to removing the feature of
including the bug’s linking to
in Microsoft Documents?
Synchronization of Web Bugs and Cookies
synchronized to a
particular e-mail
address
Synchronization of Web Bugs and Cookies
• This trick allows a Web site to know
– the identity of people
• plus other personal information about them
– who come to the site at a later date
Synchronization of Web Bugs and Cookies
• if two separate sites place a separate
unique cookie on your computer
– they cannot read the data stored in each
other’s cookies.
– if the cookie placed on your computer
• contains information that is sent by that site to an
advertising agency’s server and that agency is used by both
Web sites.
Synchronization of Web Bugs and Cookies
• If each of these sites
• Places a Web bug on its page:
to report
information back to the advertising agency’s computer
• every time you visit either site
– details about you
» will be sent back to the advertising agency
» utilizing information stored on your computer
» relative to both sets of cookie files.
– This allows your computer
» to be identified as a computer that visited each of the sites.
example
• When Bob (the Web surfer) loads
– a page or opens an e-mail that contains a Web bug,
• information is sent to the server housing the
“transparent GIF.”
• Common information being sent includes
– the IP address of Bob’s computer, his type of browser,
the URL of the Web page being viewed, the URL of the
image, and the time the file was accessed.
• Also potentially being sent to the server
– the thing that could be most threatening to Bob’s
privacy, is a previously set cookie value, found on his
computer.
example
• Depending on the nature of
the preexisting cookie
– it could contain a whole host of
information from usernames and
passwords to e-mail addresses
and credit card information.
example
• Bob may receive
– a cookie
• upon visiting Web Site #1 that contains a transparent GIF
– is hosted on a specific advertising agency’s server.
– another cookie
• when he goes to Web Site #2 that contains a transparent GIF
– is hosted on the same advertising agency’s server.
• Then the two Web sites
– would be able to cross-reference Bob’s activity
– through the cookies that are reporting to the
advertiser.
example
• As this activity continues
–the advertiser is able to
• stockpile what is considered to be nonpersonal information on Bob’s
preferences and habits
• there is the potential for the
aggregation of Bob’s personal
information
Synchronization of Web Bugs and Cookies
• Technically possible
– different servers
• could synchronize their cookies and Web bugs
– enabling this information to be shared across the
World Wide Web.
– If this were to happen
• just the fact that a person visited a certain Web site
could be spread throughout many Internet servers,
and the invasion of one’s privacy could be endless.
Reading and reporting
• Page 3016: 224.3 Tracking Web Sites Visited
LAB
• Create two sites with cookie and bugs
technologies to cross a reference to the
visitors of both through a third party server.
– Creating a profile for each visitor