Langa Letter: The Web-Bug BoondoggleLanga Letter: The Web-Bug Boondoggle

Overall Privacy Is The Issue; Web Bugs Are Not
I said the fear fantasy "mostly evaporates" when you look closely at it. But it is true that a Web company that gets the right personal information from you, either directly or via collusion with another company, could learn a lot about you, if it wanted to invest the time and money.

So, isn't this a major new security problem? To analyze the risk, let's first establish a context by looking at non-Web, paper-based transactions.

If you order something via a paper catalog, the catalog company will know your name, address, and payment method. They'll know what you bought, and from that they can infer something about your other interests or needs. If the company wants to go to the expense and bother, it can determine your income, either by running a credit check or by using census data to see what the average income is for your zip code. It can (via a credit check) also see your banks and credit cards, your payment history, and what other companies you deal with. It can learn about your mortgage and car loans, and from that, how much you paid for your house and cars. It can get additional info from the Department of Motor Vehicles--or from any other public source of information. And, of course, the paper-catalog company can sell your name to other companies, who can perform the same kind of research. Again: if a paper-catalog company is willing to spend the time and money, it can find out a lot about you.

Now let's look at Web bugs. What's the very worst that can happen if you get involved with E-companies that gather and share your personal data? The very worst case is that you'll be no more exposed than you already are in your paper-based dealings.

Web bugs afford no additional risk beyond what has existed for many years in the paper-based world--and to me, that's where the problem really lies. The true solution to privacy invasion is in limiting the amount of personal information that any company--not just Web-based companies--can access and share.

Long-time readers know I take online security and privacy very, very seriously. But I don't regard Web bugs as a very serious matter at all. To sum it all up:

First, there's nothing inherently special about Web bugs, because exactly the same information can be obtained from any graphic or link.

Second, any kind of "tracking" or information sharing is fairly difficult to pull off, and requires your voluntary input of information. If you're careful with the information you give out, most of the Web-bug risk vanishes.

Third, even in the worst-case scenarios, your Web-bug privacy risk is about the same as what it already is with (for example) paper-catalog companies. Again, Web bugs pose no additional privacy risk.

Bottom line: Even if you use Bugnosis (or a similar tool) and you eliminate every Web bug you run into, you gain essentially nothing in terms of meaningful privacy. That's why I don't use Bugnosis or similar software; that's why I surf with cookies fully enabled. But I do check the privacy policies of all sites where I enter personal data, and I never enter more data that really is needed to complete the transaction. I'm similarly careful about the paper-based companies I deal with.

So, I rank Web bugs (and cookies) near the bottom of the pile of "things to worry about." You can use bug trackers and cookie trackers if you want to, but doing so is almost always a waste of effort.

What's your take? Does Fred have his head in the sand about Web bugs and cookies, or do you agree that the security risks are mostly overblown? Are Web bugs a central issue in online privacy, or--as Fred suggests--just a minor sideshow? Does your company's E-commerce site use Web bugs? If you use bug filters and "cookie crushers," have you encountered problems with them? Join in the discussion!