In a series of three previous questions, “What can a website I visit tell
about me?”, “What are browser cookies and how are they used?” and
“What are tracking cookies and should they concern me?”, I discussed
some of the information that websites get automatically, or through
legitimate means by virtue of using cookies, and then how cookies can
be used “behind the scenes” by networks of websites to track your
visits to sites in the network.
In this article, I’m going to cover three loose ends that, while
unrelated to each other, are other ways that websites can get
information you probably didn’t realize you were giving them.
The biggest risk by far for getting information from your computer into
the hands of others is malware.
Forget all the IP address information, cookies and cookie tracking
I’ve discussed in the previous articles. While perhaps annoying,
they’re typically legitimate and have access to only a limited subset
of your information.
Malware can get it all.
I know it seems a little out of place to be discussing malware, and
particularly spyware, when discussing what information you might be
giving to websites, but I need to make clear that spyware is
by far the bigger risk. To focus on the perceived dangers of surfing
otherwise legitimate sites while ignoring the very real risks of
spyware and viruses is a huge mistake and can result in much, much
bigger issues of information theft.
With that important reminder out of the way, we return to the
“mostly legitimate”.
Toolbars
Toolbars frustrate me no end. It seems like every time I download
some new utility or update, the setup also wants to install an
additional toolbar in my browser. I don’t want them.
Fortunately, most well-behaved sites and utilities will let you turn off
a new toolbar install. I have to say, though, that having it install by
default unless you tell it not to is, in my opinion, at best rude and
at worst downright malicious.
Why is everyone so interested in getting additional toolbars
installed in your browser? Because many toolbars collect information
about your surfing habits.
Think about it – toolbars sit in your browser and have easy access
to everything you might be doing – even the very keystrokes you might
be typing. Most are not truly malicious (i.e. they’re not
capturing your passwords), but many can report to some third party the
sites you visit for more data collection, without relying on cookies to
do it.
I have exactly two toolbars installed in Firefox: Roboform
and Delicious. On some machines I also have the Google toolbar
installed. In each case, those are choices I made for specific
functionality I want, and they’re toolbars from folks I trust.
Cloaked Links
This gets back to cookies, and the difference between “first party”
and “third party cookies”.
It’s possible to place a link on a web site that goes “through” a
third party and by doing so, give that third party the ability to place
a cookie as if it were a first party. Redirection services like
tinyurl or snipurl let you replace a long URL with a short one. You go
to the tinyurl.com address and it immediately and transparently
redirects you to the actual destination. This redirection technology is
very simple, very common, and fairly powerful.
Let’s look at an example, and exactly how it affects cookies.
That’s a link, here on ask-leo.com, that takes you to microsoft.com,
but through my redirector on mttips.com (mttips.com is another of my
sites, by the way, so it’s safe in this example).
Let’s look at what happens:
- You’re on ask-leo.com, and by virtue of that ask-leo.com can place
  first party cookies.
- You click on that link, http://mttips.com/d-ms, which takes you
  first to mttips.com.
- Because you visited it directly, mttips.com now has “first party”
  status. That means that mttips.com can place cookies on your machine
  even if you have your browser set to disable third party cookies.
- mttips.com uses a tinyurl-like redirector to send you off to
  microsoft.com without ever displaying a page.
The upshot? mttips.com had the opportunity to place a first party
cookie, even though you never saw a page on mttips.com.
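To see this from the visitor's side, the sketch below walks a captured redirect chain and reports any intermediate site that set a cookie while only passing the click along. It is an added example, not code from the original article; the cookie name and value, the response headers and the helper names `site` and `audit_redirect_chain` are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample of the chain above: (URL requested, status, response headers).
# Only the hostnames and the /d-ms link come from the article; the cookie is made up.
SAMPLE_CHAIN = [
    ("http://mttips.com/d-ms", 302, [
        ("Location", "http://www.microsoft.com/"),
        ("Set-Cookie", "visitor=constructed-id-123; Max-Age=31536000; Path=/"),
    ]),
    ("http://www.microsoft.com/", 200, [("Content-Type", "text/html")]),
]


def site(url):
    """Last two host labels; a simplification (real code needs the Public Suffix List)."""
    return ".".join(urlsplit(url).hostname.lower().split(".")[-2:])


def audit_redirect_chain(page_url, chain):
    """List the sites that set a cookie while only passing the click along."""
    final_site = site(chain[-1][0])
    findings = []
    for i, (url, status, headers) in enumerate(chain):
        location = next((v for k, v in headers if k.lower() == "location"), None)
        is_redirect = 300 <= status < 400 and location is not None
        if is_redirect and i + 1 < len(chain):
            if urljoin(url, location) != chain[i + 1][0]:  # capture must be contiguous
                raise ValueError(f"hop {i} does not lead to hop {i + 1}")
        cookies = []
        for k, v in headers:
            if k.lower() == "set-cookie":
                jar = SimpleCookie()
                jar.load(v)
                for name, morsel in jar.items():
                    persistent = bool(morsel["max-age"] or morsel["expires"])
                    cookies.append((name, "persistent" if persistent else "session"))
        # An intermediary: not the page you clicked on, not where you ended up,
        # and it answered with a redirect instead of a page.
        if is_redirect and cookies and site(url) not in (site(page_url), final_site):
            findings.append({"site": site(url), "cookies": cookies})
    return findings


if __name__ == "__main__":
    for f in audit_redirect_chain("http://ask-leo.com/", SAMPLE_CHAIN):
        print(f"{f['site']} set {f['cookies']} without displaying a page")
```
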
This looks like a number of hoops to jump through, just to place a
cookie, and it is.
But it’s a hoop that advertisers are willing to jump through.
When you’re shopping, or even when you’re responding to offers on
other websites, you’ll often see that a link you click on for a product
or offer doesn’t look like it goes to that product’s page at all. If
you look at the link before you click on it, you’ll see that it goes to
an advertising provider or other third party.
I have to stress that there are many valid reasons for this
to be the case – I do it myself. And I’m not even saying that placing a
tracking cookie isn’t a valid reason – though it’s not
something I do.
What I am saying is that this is a subtle, yet common, approach to
additional data collection – be it through cookie placement for
subsequent use, or simply counting the clicks (for example, that link to
Microsoft.com used elsewhere on ask-leo.com has been clicked on 155
times this month).
So what’s the real bottom line of what started with a simple
question: “What can a website I visit tell about me?”
- All websites get very basic information that identifies some of your
  characteristics, but nothing truly or easily personally
  identifiable.
- Websites have many ways to remember what you tell them.
- Advertising networks can track you, but only your visits to sites in
  their network, or links taken through their services or network.
- Advertising networks use this data in aggregate – meaning they
  likely don’t even bother to identify you as an individual.
- Toolbars and other installed software can provide information to
  third parties.
- Malware in the form of spyware and viruses trumps everything: they
  can see and report anything they want to whomever they want.
Naturally, the paranoid will see this as a big brother situation. And
in fact, it’s hard to argue otherwise since with all this potential
tracking going on, it’s impossible to prove that it’s not
happening.
However, I don’t let it get to me. I know I’m just not that
interesting.
I leave third party cookies enabled, I watch what toolbars I
install, and I make sure to keep myself clean of malware.
And I surf and shop quite securely.
BrowserSpy – http://browserspy.dk/ is great. It shows you just how much information can be retrieved from your browser just by visiting a page.
Isn’t it strange? AOL, which purports to be an anti spyware and anti spam ISP, uses cookies that track your computer and then sends you advertising you didn’t ask for. (They also ignore your continued complaints about this.)
To compound spam, they sign your name to any comment you make on one of their pages. It’s pretty easy for a spammer to add “@AOL.com” I should think.
No wonder they are losing subscribers.
Leo: One thing I’ve noticed looking at cookie files is that they feature your Windows login name in the file name itself. Do websites see your Windows login name by virtue of their cookies? If so, do they record it or correlate it with other data, such as IP addresses?
I believe the username is an artifact of an old approach to identification used by websites that required a particular type of login. If a website required a particular type of login you used to be able to go to http://username@somerandomservice.com/ and be logged in as username (or be prompted for a password). Cookies would then be tracked separately for that username. For sites not requiring authentication I believe this is ignored. This approach is no longer supported in Internet Explorer, as it was being exploited by phishers.
03-Oct-2008
And that’s why I convert all my email to clear text in Outlook :)
Amazing what information can be gathered by putting HTML into email spam…