washingtonpost.com

Leslie Walker's .com Live
Discussion with The Privacy Council's Steven Lucas.

Thursday, March 8, 2001; 1 p.m. to 2 p.m. EST

We’re putting “Web bugs” under the microscope to gauge how serious a threat these software tricks pose to consumer privacy. Our guest on Thursday, March 8 will be Steven Lucas, chief privacy officer for The Privacy Council.

Lucas holds a law degree as well as a PhD in computer science. He was among the team of software experts who gave a startling demonstration of Web bugs last week to the Congressional Privacy Council. (Read Newsbytes.com coverage of the hearing).

At the hearing, software engineers at a remote Web site showed how easy it was to invade a laptop computer being used in the hearing room by a colleague of Lucas’s. When the laptop owner visited the Web site via a phone line, the engineers were able to instantly and surreptitiously copy a list of every file on his hard drive and snatch a copy of his e-mail address book, including all 1,800 personal entries in it. The laptop was running the latest versions of virus protection and personal-firewall security software, which failed to block the data snatching.

Sen. Richard Shelby (R-Ala.), co-chairman of the Congressional Privacy Caucus, called the display “frightening.” Others testified that use of Web bugs is growing rapidly. The Privacy Council is among the companies developing software and services companies can use to monitor and guard against such data snooping.

Join us from 1 p.m. to 2 p.m. Thursday for an in-depth look at “Web bugs” -- also known as “spyware” -- and a discussion of their possible legitimate as well as illegitimate uses.

Submit your questions and comments before or during Thursday's discussion.

Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.



Leslie Walker: Hello everyone and welcome to Dr. Steven Lucas from The Privacy Council. We’re glad he could be with us today.

Dr. Lucas was on the team that showed Congress what “Web bugs” can do. Now he’s going to answer your questions about this rapidly developing technology. We’ll start in a few minutes, so start sending your questions by clicking on one of the links above.


Leslie Walker: Web “bug” has many meanings these days. Please start by explaining the nature of Web “bugs” used for monitoring people online (as opposed to software “bugs” that are errors in programming.) What are Web “bugs” and how do they work?

Steven Lucas: Web bugs are pieces of software that are downloaded to a computer usually without the knowledge or consent of the computer user. They can be used for several purposes. They can be used to track access to web sites and documents. They can also be used to execute programs remotely. For example, a web bug could be placed on a computer and could be programmed to start the microphone and begin recording conversations. The web bug could also take the contents of your hard drive, including email contacts, and send them to a website. The types of web bugs include clear gifs (used for tracking purposes on web pages/banner ads), scripts downloaded with permission (usually via a javascript warning if enabled in the browser), scripts downloaded without permission (no warning given), document tracking bugs (placed in MS Word documents for tracking purposes), email web bugs (bugs attached to email messages - the trojan horse approach), and chat room web bugs (bugs that copy content of chat sessions).


Leslie Walker: Tell us more about the ways companies and Web sites are using Web bugs. Also, how prevalent are Web bugs?

Steven Lucas: The predominant use of Web bugs is by network advertisers who use them to track where and when a consumer accesses a Web page or banner. They are used to track what is called reach and frequency in the advertising world. They are also used in MS Word documents to track who receives documents, where they are forwarded to, and if any content is changed. In this role, they are used to track a company's intellectual property. We did a scan of 51 million web pages recently and found over 15 million Web bugs. On one site alone, we found over 30 Web bugs on a single page. DoubleClick has placed the majority of the Web bugs on the Internet today.


Leslie Walker: What do you recommend that people do to guard against Web bugs?

Steven Lucas: There is very little that can be done with current technology. Web bugs can penetrate most corporate firewalls. Even if disclosure were to be required in privacy policies, by the time you would open a privacy policy, you would be infected. The only real defense is to have the browser notify you if someone is trying to download Java or to simply turn Java off. This may be impractical for some users. Technology is being released soon that will scan for bugs and block them. However, as with any intrusion detection mechanism, as soon as it is released, someone will probably figure out a way to work around it.


Washington DC: Hello. I want to know the best way to block cookies on my computer without blocking key functions at sites I like to use--Amazon.com, Yahoo and ebay are examples.
Is there a way to prevent these sites from monitoring me excessively, without losing my ability to see my book recommendations at Amazon, and also the "myebay" and "myyahoo" pages I have set up to monitor my auctions and stock portfolio?

Steven Lucas: There are some cookies that are useful as there are Web bugs that are useful. Cookies that are non-persistent or not stored on your computer are usually ok. However, web bugs are different and a browser cannot block them today.


Silver Spring MD: Are Web bugs the same thing as spyware? If not, what are the differences?

Steven Lucas: Web bugs are a form of spyware. They can be used to conduct surveillance on a computer and are placed without the knowledge or consent of the owner of the system.


Alexandria, Va.: I just got a cable modem and have it hooked up to my Mac G4. The computer stays on all the time. Should I be worried that people are going to try to access my computer? What are the dangers I face in leaving the system on and plugged into the Web all the time? What steps should I take to protect myself?

Steven Lucas: A web bug can be placed on your system anytime you access any content on the Internet. You can also get them from infected email messages and Word documents. I have seen Web bugs placed on startup pages and they will work in the background while your computer is turned on. There is very little you can do to protect yourself. That is why this is such a serious issue.


Arlington, Va.: In what areas would the Internet be growing if users were assured of their privacy?

Steven Lucas: There are statistics that indicate the losses in the area of ecommerce due to the lack of consumer control over the collection and use of their data and concerns over privacy are in the hundreds of millions of dollars. It is difficult to measure the lost productivity and personal growth that is impacted by the privacy concerns of people who are reluctant to use the Web. Over 80% of people surveyed list privacy as the reason they do not use the Web.


Mt. Vernon, Virginia: How do I find out if I'm being bugged, like on my computer at home?

Steven Lucas: There is very little you can do right now. Several companies are developing technology to assist in this area and I expect it out shortly. I would continue to read publications (especially the Washington Post!) and search the Internet for information on new developments in this area. Also check out Richard Smith's web site at http://www.privacyinstitute.org for more information.


Ballston, Virginia: How do you, Dr. Lucas, see any difference as to using Web bugs depending on where that computer is based. For example, is it okay to bug a computer at a public library versus (I assume) not okay for someone's home PC? Or a company's bugging of its computers versus someone's home PC?

Steven Lucas: I see no difference at all. Anytime I am tracked without my knowledge or consent, it carries the same level of potential harm and constitutes the same violation of my Constitutional rights.


Arlington, Va.: Has the Bush administration made any explicit statements on the privacy issue? Do they favor strong steps to protect privacy, or are they reluctant to take on big business on this?

Steven Lucas: I believe the administration is looking for business to work with government to adopt responsible practices. I think the Bush administration may be more pro-business than the previous administration where Gore commented on this issue quite often. I do not believe any administration will be able to withstand the public pressure around privacy and do nothing. Also this is a very hot topic in the legislatures at the Federal and State level. Last year there were over 1000 privacy related bills debated at the State level and over 100 at the Federal level. This means that over 51 days of the legislative agenda was spent in the discussion of privacy.


Leslie Walker: We are halfway through today’s talk, folks. Keep those questions rolling in!


Leslie Walker: What laws, if any, currently govern use of Web bugs? What kind of regulations/laws do you think we need in the future?

Steven Lucas: I believe that legislation needs to start at the level of requiring sites to adhere to basic Fair Information Practices. By this I mean that sites should have to disclose what information they are collecting, what they intend to do with it, who they will share it with, and how I can opt out of any future collection. I would also like to see an access provision but I think that since there are no common standards for authentication and non-repudiation, there are some risks associated with access today. I would like to see severe restrictions on the collection and sharing of any sensitive data without consumer consent before data is collected (opt-in). Sensitive data includes medical, financial, political, religious, and sexual preference related data. Unless we see legislation at a Federal level that preempts state legislation, we will have a very difficult regulatory environment to work in. Having 50 different statutes around the same issue to deal with would be problematic.


Alexandria VA: What e-mail program--if any--do you recommend as the most secure? Any tips to offer on how to safeguard our email?

Steven Lucas: No email program is safe. There are patches that may come out to correct some of the security loopholes but for now, you can do very little to protect yourself other than watch the media for reports on sites that are tracking consumers and search the Web for more information. I anticipate technology being released very soon to address this issue.


Alexandria VA: Have you tried that "freedom" program that lets you surf anonymously? Do you recommend it? Will it help guard against web bugs?

Steven Lucas: I am very familiar with Freedom and it will not prevent a Web bug from infecting your system. It will, however, limit the amount of identifiable information that can be collected about you because you are anonymous using it. However, if the Web bugs access programs or files on your system that identify you, then your identity will be compromised.


Washington, D.C.: Is the threat that Web bugs pose overblown? Is this just the latest thing the media can seize on needlessly to scare people about the Web?

Steven Lucas: Absolutely not. This is a serious issue that could erode the confidence of consumers who might want to use the Web. It could also have national security implications. While I do agree that most Web bugs that we have found today are not dangerous, the potential is certainly there for them to be used as Trojan Horse type transport mechanisms that could be used to infect millions of computers on the Web. The media has been very responsible and measured in their reporting of this issue. As a matter of fact, I think the problem has been understated. Anytime technology is used to violate our rights I am concerned, even if the technology is not widely deployed. Even the potential use of this type of technology concerns me.


Leslie Walker: Please elaborate on your previous answer. What did you mean you “would like to see an access provision?” A regulation governing the kind of access companies can have to your computer?

Steven Lucas: I believe that when companies collect data about an individual for the purposes of developing a "profile" about them, consumers should have the ability to ask the company what type of data they have collected and be able to restrict the use of it if they feel it is not in their best interests. This is especially true when companies merge data that has been collected from multiple sources or when data in a profile has been imputed or derived. Derived and imputed information is only at best about 60% accurate. I think that it is most important for access to be required when data is sensitive or used to make a decision about you that affects what goods and services you have access to. Like credit reports.


Leslie Walker: Let’s make sure no one is confused about your own employer. The Privacy Council is not an advocacy group or nonprofit foundation, but a for-profit consultancy that sells advice and counseling on privacy issues, right? What, exactly, is your job?

Steven Lucas: I am the Chief Privacy Officer here at Privacy Council. My responsibilities are to lead our public policy and legislative efforts. Since I have a technical background, in addition to being a lawyer, I am also involved in the technology direction for the products we are building. I also do consulting work around privacy and security for our clients.


Leslie Walker: Thanks for the clarification.


Baltimore, MD: As an expert in this field, what do you practice, personally on the web? Do you buy things online with a credit card, for instance? Or send emails with any specific type of information in them? I hate to think these web bugs will put a limit on the wonderful benefits of the internet.

Steven Lucas: Yes I have purchased on the Web. I am very selective about the Web sites I do business with. They must have a secure connection and I must agree with the privacy practices they post in their privacy policies. I am very careful about any information I send over the Web, including emails. Data on the Web lives forever! I share your concern about the Web bugs. With the current state of the economy on the Internet with respect to companies leaving the on-line market, I am concerned about anything that sheds a negative light on this critical national resource.


ny: are you watching me?!!!

Steven Lucas: No. However, if a Web bug was placed on this page, I could be reading all of your email by now, have every one of your contacts in any contact manager, listening to anything the microphone on your computer could pick up, and I could do the same to anyone in the contact list I stole from you.


Washington DC: Does adoption of a security architecture like PKI do anything to control Web bugs?

Steven Lucas: No because Web bugs simply take advantage of the basic architecture of the Web i.e. the send/request nature of the two way communication of the web. Encryption will not help.


Leslie Walker: We are almost out of time for today. Just a few more questions.


Washington, DC: You mention the need for laws and regulations to govern these practices. However, aren't there currently laws on the books that prohibit companies from using "webbugs" in a nefarious manner?

Steven Lucas: There are Federal Wiretap laws that could be applied in some cases. Some states have laws that restrict anyone from placing or removing (altering the state in any way) anything from a computer system without permission. In addition, states like Texas have anti-stalking laws which in my opinion may be applicable. If data is taken without permission, certainly laws would apply in that area also.


District of Columbia: Are web bugs being used by identity thieves? Does anyone know this for sure or have documented examples/proof?

Steven Lucas: I know of no known cases but you raise a very important point. Identity theft is one of the fastest growing crimes in our nation. The percentages of increase are enormous. It now takes an average of 18 months before an individual even knows they are a victim and 3 years to resolve it. Web bugs could easily be used to gain access to data that would facilitate identity theft. This is especially true where an individual keeps financial records on their computer like bank account, credit card, Social Security number, and demographic information on their computers.


Falls Church: Is the growing wireless Web an area where privacy is at risk for users?

Leslie Walker: What I wonder is, can a "bug" be sent to your cellphone to monitor your calls!?!!

Steven Lucas: Yes. Richard Smith demonstrated the ability of a Web bug to dial a telephone number.


Tysons Corner, Va.: As a systems administrator, I would like to know if there is a published list of these redirectors or "Web bugs" as you call them.

Steven Lucas: There is no comprehensive list that I know of today. Several sites devoted to Web bugs list the companies/sites that they know contain Web bugs today. However, the only way to avoid your domain from being attacked is to completely restrict outside access (not very practical!). Until technology is released that can scan the source code of a Web page for the code associated with Web bugs (BEFORE the access by the computer) will you be safe.


D,C.: I heard there was a movement at the Internet Engineering Task Force to change some of the basic Web protocols to tighten security. Is that true? Would anything afoot there help guard against web bugs?

Steven Lucas: Both the IETF and IEEE are looking into the issue of stronger security standards. I participate in both, being Co-Chair of the IEEE Internet Security Best Practices Working Group. None of the work I have seen would address this issue. It needs to be addressed by the companies that are using them and we need reasonable codes of conduct by these companies or I believe regulation with strong sanction will be necessary.


Leslie Walker: That’s all we have time for today. Thanks to everyone who sent in such good questions. And a special thanks to Dr. Steven Lucas for his in-depth answers. Hope to see you again next week.



© Copyright 2001 The Washington Post Company

 

 