Web ‘Bug’s’ Impact on Privacy Draws Scrutiny

In a scramble to monitor the behavior of consumers online, marketing companies on the World Wide Web have begun deploying a virtually invisible tool that records activity at a site and reports the details to advertisers and others.

The tool, sometimes called a Web “bug,” is a modest code that can identify a particular computer and help advertising services far removed from the site determine whether electronic promotions are well-read and effective in prompting someone to buy a product.

Many computer users are already familiar with “cookies”--another simple sort of code that serves as a unique identifier at a Web site. Web bugs work in tandem with cookies to greatly enhance the ability of outside observers to track and analyze activity, most often without a computer user’s knowledge.

Until recently, almost no one but Web page creators and computer scientists had heard about Web bugs, known in the trade as “clear GIFs.” But with exploding interest in target marketing on the Internet--and several companies poised to begin identifying computer users by name--Web bugs have suddenly drawn the attention of advertisers, government officials and privacy advocates.

The Federal Trade Commission, which learned about Web bugs at a workshop about online profiling last week, intends to examine their impact on consumer privacy, according to David Medine, the FTC’s associate director for financial practices.

Medine said the concern is that consumers may never know that both a Web site and a centralized advertising server are gathering information about their activities--in part because few sites disclose that they are deploying a Web bug.

Computer users can configure their Web browsers to block the setting of a cookie. But if just one site in an advertising network sets a cookie, it enables all of the Web bugs in that network to perform.

“This is another tracking technology that, while it may have considerable benefits, also raises significant privacy concerns,” Medine said. “Is this essentially a back door? . . . It is literally buried in the Web site. It is virtually impossible for the average consumer to detect it is happening.”

Among the sites deploying the tool are https://www.mentalwellness.com, an “online resource for schizophrenia and other mental health information” operated by Janssen Pharmaceutica Products. The code, on a page with stories about famous people who suffered from mental illness, sends information to an online advertising service called DoubleClick.

A spokesman for Janssen said the mechanism is used only to help the company identify the most popular material at the site.

A company called MatchLogic monitors traffic on a Web page at https://www.tlounge.com, an interactive advertising site maintained by Procter & Gamble that provides information to girls about Tampax. Other sites sporting Web bugs focus on new parents, investing, news and other matters.

For a new breed of online marketers, the Web bug is just one of a growing number of ways to track computer users and, on behalf of clients, analyze the effectiveness of promotional campaigns in a still-fledgling medium. Advertisers believe that many consumers welcome the personalized products and services that come with this kind of technology.

With the help of a cookie, the Web bug typically identifies a machine, the page it opened, the time the visit began and other details. That information, sent to a company that provides advertising services, can then be used to determine if someone subsequently visits another company page in the same ad network to buy something or read other material.

“We want to figure out what they do so we can optimize those actions,” said Mike Griffiths, MatchLogic’s chief technology officer.

“It’s a way of collecting consumer activity at their online store,” said David Rosenblatt, senior vice president for global technology at DoubleClick.

But for consumer watchdogs, Web bugs and other tracking tools represent a growing, sophisticated threat to the privacy and autonomy of online computer users. Although much of the information collected by ad servers is not personally identified, it soon will be in many cases.

DoubleClick, the industry leader, has begun creating an “information alliance” of businesses that will share customer information in a vast digital pool. Once a computer user shares a name online with any alliance member, DoubleClick will be able to associate that name with cookies at all other participating members’ sites. But DoubleClick and eight other leading advertising servers pledged last week to allow consumers to opt out of such practices.

DoubleClick is near to closing a $1-billion deal to buy Abacus Direct Corp., which maintains a giant database of information about off-line consumer purchases. The company plans to merge this information with its online data.

Richard Smith, a computer security specialist, said the same kind of code as Web bugs is used in certain types of Web-related e-mail to bounce information from thousands of people--such as if a note was opened--back to a marketer who wants to know the effectiveness of the pitch. This week he intends to post a paper about them on his own Web site, https://www.tiac.net/users/smiths.

“I don’t think this stuff is properly disclosed by any stretch of the imagination,” said Smith, of Brookline, Mass., who has been asked by the FTC to write an analysis of the mechanism.

Jason Catlett, another computer specialist, warned computer users might share sensitive information without realizing it. “Once you give your name and address to any Web site, the technology is there so that when you visit another Web site it could know who you are and call up a huge dossier,” said Catlett, president of Junkbusters Corp., a privacy advocacy and consulting company.