Pixel-high privacy spy

Big Brother is getting smaller all the time

By BBC News Online internet reporter Mark Ward

Spies too small to see are keeping an eye on you while you browse the world wide web.

If the bugs are put in an e-mail there is no real defence against them

David Banisar, Epic

The "web bugs" hide computer codes behind images only a pixel in size to gather information about surfing habits.

The bugs are almost impossible to defend against. Privacy experts say the hidden images are the first of a new generation of "spyware" designed to watch what people do on the web without them knowing.

Many websites use invisible images to ensure the graphics they want people to see sit in the right position.

Bugged browsers

But now some companies are putting invisible images only a pixel square on web pages that have a more sinister use.

"They are a secret way of gathering information about someone," said David Banisar, a civil liberties expert from the Electronic Privacy Information Centre (Epic).

The image usually matches the background colour of the page it sits on to ensure they are completely invisible. Every image or letter on a computer screen is drawn by filling in, leaving blank or colouring pixels or picture elements.

Common resolutions for computer screens are 1024 by 768, 800 by 600 or 640 by 480 pixels. The bugs may be invisible to surfers but as far as a computer is concerned they are just another image.

Packed pixels

Because of this, HTML code can be hidden behind them, and that HTML code can be used to gather information about your surfing habits.

Data web bugs can gather

IP address of your computer

web location of bug

web page bug is attached to

Time the bug was viewed

Which browser you are using

Any cookies already on your computer

When you visit a webpage, your browser requests all the images, text, boxes and adverts that make up the page from several different computers.

Typically the request for the invisible "web bug" image goes to a server that has the job of collating information on lots of web users.

When a browser such as Netscape communicator or Internet Explorer requests data it usually sends information about the machine and person using it.

The HTML code hidden in the image can request additional information from that computer or the past visits to that site.

The web bugs can mine information about who owns the site you are surfing from as well as details about your computer such as what data is held in the Windows registry.

The bugs work best in conjunction with cookies - files that log what you do on a website - and can interrogate them to find out more about you.

No defence

While many people turn off cookies, few are aware that there are other ways for them to be watched.

The only way to stop them completely is to turn off the graphics on all the websites you browse.

But Mr Banisar says that this does not mean that people avoid the attention of web bugs. Anything that can read HTML, such as e-mail programs, Usenet readers, instant chat programs and word processors, can be bugged.

"If the bugs are put in an e-mail, there is no real defence against them," said Mr Banisar.

Some companies are now peppering all the web pages that they advertise on with web bugs. Visiting one bugged page will mean that all the pages in that network will gather information about you.

Consumer consent

Some websites such as Privacy.net allow users to check how leaky their computer is and what information it is giving out.

A lot of pages are bugged. Using search engines to ferret out the tell-tale HTML code returns thousands of hits.

If you are browsing behind a firewall you can make sure that tiny images are stripped out before the pages are served up.

The data being collected is usually sent to online advertising services such as Doubleclick, Engage Technologies and MatchLogic.

The US Federal Trade Commission is known to be investigating the use of web bugs and is worried that people are being watched without their consent.

"In the absence of any legal protection, it is up to the consumer to figure it out for themselves," said Mr Banisar. "Unfortunately it is too complex for anyone short of a PhD programmer to work out."