Problems with Web Bugs

Pervasive Yet Invisible

Our analysis of user expectations found that users are concerned about data collection and want greater control over the process, but they only voice their concerns when they perceive an invasion of privacy. Users have little control over the data collection by web bugs, but web bugs are essentially invisible to users, and therefore have not garnered much attention among average users.

Self-regulation is based on the premise that if users do not like a website’s practices, they can simply avoid the website. However, third-party trackers are not governed by a website’s privacy policy. Therefore, they have no incentive to allow users to view or delete information collected about them.

In addition to this lack of participation, users have no ability to avoid third-party tracking. There is no opt-out, let alone opt-in. The Network Advertising Initiative (NAI), a “cooperative of online marketing and analytics companies” [NAI, 2009], currently has an opt-out mechanism that requires users to download a cookie, which will let direct advertisers know not to install any third-party tracking cookies on the user’s computer. This method of opt-out is unacceptable. First, it only governs members of the NAI; tracking companies that are not members will still be able to use cookies and web bugs to collect data about users. Second, users who decide to delete cookies on their machine may delete the NAI cookie inadvertently and open up their machine to third-party tracking again.

Users cannot avoid trackers by avoiding websites that use them; our data shows that trackers are ubiquitous on the web. Many browsers give the user the option to block third-party cookies, but this does not block JavaScript web bugs. Browser technology could create a system by which users could block content coming from a server other than the one serving the web page. However, that would also block a lot of desired content, such as embedded videos, or framed websites that result from a Google image search, and would totally disrupt web advertising norms. This is a case of market failure, as users have no options to protect their privacy.

Recommendations

Transparency

We recommend that the practice of third-party tracking be made more transparent. It currently operates in a policy loophole, by which neither the website nor the tracker is clearly accountable for the data collected. We recommend that websites define the policies of the third-party trackers they allow on their sites, or at a minimum, link to the appropriate policies on the tracking companies’ websites and specify which practices fall under each policy.

Access

We recommend regulation by which third-party trackers must allow users to see all the data that has been collected about them.

Salience

The presence and purpose of third-party tracking should also be made more salient in the minds of users. We recommend that all browser developers provide a Ghostery-like function in their browsers that alerts users to the presence of third-party trackers.
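
As an added illustration (not code from this report or from Ghostery), the sketch below shows the core check such an alerting function performs: it lists every script, image and frame a page loads from a server other than the one serving the page. It also shows why the blanket blocking discussed under "Pervasive Yet Invisible" catches desired embeds along with web bugs. The page URL, the hosts and the 0/1-pixel size heuristic are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Elements whose src attribute makes the browser fetch from a server.
SRC_TAGS = {"script", "img", "iframe"}


class ThirdPartyFinder(HTMLParser):
    """Collect (kind, host) for resources served from a host other than the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag not in SRC_TAGS or not src:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(self.page_url, src)).hostname
        if host is None or host == self.page_host:
            return  # same server (or a data: URI): first-party
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        if tag == "script":
            kind = "script"  # candidate JavaScript web bug
        elif tag == "img" and tiny:
            kind = "pixel"   # candidate invisible image web bug
        else:
            kind = "embed"   # visible third-party content, e.g. an embedded video
        self.findings.append((kind, host))


def find_third_party(page_url, html):
    finder = ThirdPartyFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; every host is a placeholder.
PAGE_URL = "https://news.example/story"
SAMPLE_HTML = """
<img src="/logo.png" width="200" height="80">
<script src="https://stats.tracker.example/t.js"></script>
<img src="//pixel.adnet.example/b.gif?id=1" width="1" height="1">
<iframe src="https://video.example/embed/42"></iframe>
<script src="/static/app.js"></script>
"""
```

On the sample page the embedded video frame is reported next to the two trackers, so a rule that only compares hosts cannot tell desired third-party content from a web bug.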