Spoutin' Off: It's time to revisit Web beacon scenarios
By Michael E. Rau
May 30 2005
Since I wrote the column a couple of months ago about Yahoo's Web beacons, I've learned more about them and received input from readers which I believe you'd like to consider.
A note I received from Scott D. said:
"I read your piece in the Fort Walton Beach, Florida Daily News and immediately shared with my friends and co-workers (I use Yahoo as my desktop news home page at work!)
"We use Bluelight as our ISP at home. They're affiliated with K-Mart. After your Yahoo piece I checked the privacy agreement of their user agreement and discovered they too are collecting and reporting all kinds of web data. The trick with them is you can only opt out of the promotional e-mails they offer you at registration. You cannot opt out of them collecting your web page data and sharing it with their 'affiliates' and others with whom they have a business relationship. Guess I'll be reevaluating my ISP provider!"
As it turns out, this is nothing unique. Usage of Web beacons has been stealthily permeating the Internet for many years. If you enter the term "Web beacons" into Google, it yields over 40,000 results. Many of these link to the privacy policies of Web sites and subscription e-mail lists.
Any Web page or e-mail that contains graphics can contain a Web beacon. It generally manifests as a transparent GIF image, as small as one pixel by one pixel (or about the size of the period at the end of this sentence). The beacon's executable code is contained within the code of the GIF itself.
By the time you've gone through all this, you've already visited the Web page or opened the e-mail containing the beacon, which means whatever data the beacon is programmed to gather has already been relayed to the receiving entity.
Even Microsoft appears to have concerns. I found this definition of Web beacons on their Web site: "Just as a lighthouse beacon beams a message with light, pictures in e-mail messages - also called Web beacons - can be adapted to secretly send a message back to the sender. Spammers rely on information returned by these images to locate active e-mail addresses. Images can also contain harmful code embedded inside them and be used to deliver a spammer's message in spite of the filters."
Unlike cookies, which you can set your browser or e-mail client to reject, you have only one basic method to protect yourself from Web beacons. You can set the security level on your applications to download no images without your explicit permission - thus giving you the opportunity to search the page for beacons before you load the images.
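One way to search a page or message for beacons before any image is loaded, as an added example that is not part of the original column: it parses the markup only and flags remote images that are declared 2 pixels or smaller, or hidden by style. The size threshold, the function and class names, and the `.example` hosts are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_PX = 2  # assumed threshold: images this small are invisible to the reader
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample message; hosts are placeholders under .example.
SAMPLE_EMAIL = """<html><body><p>Spring sale!</p>
<img src="http://shop.example/banner.jpg" width="600" height="120">
<img src="http://track.example/open.gif?uid=12345" width="1" height="1">
<img src="https://stats.example/p.gif" style="display:none">
<img src="cid:logo@local" width="1" height="1">
</body></html>"""


def _px(value):
    """Parse a width/height attribute ("1" or "1px"); None if not declared."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return int(m.group(1)) if m else None


class BeaconScanner(HTMLParser):
    """Collects remote <img> tags that look like tracking pixels."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (host, url, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        host = urlsplit(attrs.get("src") or "").hostname
        if not host:
            return  # cid:/data: images are embedded; relative paths stay on-site
        reasons = []
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if w is not None and h is not None and max(w, h) <= MAX_PX:
            reasons.append(f"{w}x{h} pixels")
        if HIDDEN.search(attrs.get("style") or ""):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((host, attrs["src"], reasons))


def find_beacons(html):
    """Parse markup only (nothing is fetched) and return suspected beacons."""
    scanner = BeaconScanner()
    scanner.feed(html)
    return scanner.findings
```

An image whose size is not declared in the markup cannot be judged this way, so a clean result does not replace keeping images blocked.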
Now in all fairness, the vast majority of information collected is probably benign enough, and most of the originating organizations probably have no malicious intent. Perhaps it's programmed to only collect data such as the number of times you visit a specific site, but how would you know?
If collection of this data is so harmless and, as claimed by some, actually enhances the consumer's Web browsing experience, why are the utilizers of Web beacons so disingenuous about upfront disclosure? Why not give the consumer the choice of whether or not to share this data? The very idea that anyone would have such a cavalier attitude about invading my privacy and collecting my personal data really ticks me off.
It's time for two things:
The first is to advocate for the creation of a realtime database of known employers of Web beacons, similar to the databases of known spammers and exploiters maintained by Spamhaus. Such a database would allow consumers to set up block lists in their browser's security settings, as well as filters in their e-mail clients to block formatted e-mails from those on the list.
Perhaps the applications could be programmed to display a warning such as: "You are about to visit a Web site or open an e-mail from a known user of Web beacons."
The second is to advocate for an industry-wide redefinition of Web beacons as spyware. After all, if you're not given the opportunity to opt out of having your data collected BEFORE it's too late, how can this not be considered invasive and malicious?
In the meantime, the only way you can be sure Web beacons aren't collecting any data from your system is to block all incoming images on your browser and in your e-mails.
Just what we were all hoping for - an Internet where no Web page or e-mail containing graphics can be completely trusted.
Mike Rau is a mass-communications consultant in Virginia Beach. To send feedback or view past columns, visit http://dailypress.asoundidea.com.
Copyright © 2005, Daily Press