homewho are hackers?the riskswho's responsibleprotecting yourselfinterviews

hacked  by  a corporation?

Kevin Callahan began working with mainframes as a freshman at Dartmouth College in 1976. He began his professional computing career as an Assembler and LISP programmer with a startup building artificial intelligence systems. Concurrently, he developed his skills as a classical and jazz guitarist, performing and recording with the Seattle Symphony, Dave Koz, Arnold McCuller and others. The advent of the web marked a shift in emphasis and Kevin began to work almost exclusively in online technologies including e-commerce, privacy and security. He left Intel Corp. in May of 1999 to found Quavera.
While the term "cookie" in programmer parlance has been with us since pre-world wide web days, today, the term commonly refers to a text file containing a unique identifier that is sent to your computer by web servers as they serve up pages of text, graphics, and advertising banners. Cookies allow web sites, ad agencies and other organizations to track your online behavior, to ascertain your interests, and ultimately to create a detailed personal profile on you as a consumer. The expressed purpose is to provide a better browsing experience, better personalization, and better targeted marketing.

Your profile information, however, is routinely bought and sold many times over by companies and organizations seeking to know the more intimate details of your life.

Imagine having a barcode stamped across your forehead. It's 11:14:36am and you are downtown window-shopping (ping!). At 11:29:54 you stop in at your favorite bookstore to browse the new releases (ping!). It's now 11:31:13 and you notice a book on cancer that might be important to a friend who's fighting the disease (ping!). You read three pages (ping! ping! ping!) At 11:39:46 you decide to buy the book (ping!). While standing in line, an old college date notices you and asks you to lunch at your favorite caf (ping!). At 2:01:33, you are sitting in a movie theatre taking in "Mission Impossible" (ping!). And at 3:48:12, you hop a bus for home (ping!). You arrive at 4:19:32 (ping!). You're thirsty, so you pop open the refrigerator and grab a cold beer (ping!).

In the above scenario, the barcode across your forehead enables you to be monitored minute by minute, movement by movement and in essence, thought by thought. Similarly, cookies can help generate detailed profiles on you, without your knowledge, as you freely surf the web.

Cookies are not inherently sinister surveillance tools, however. In fact, they were created by Netscape (and supported by Internet Explorer and other browsers) as a way to overcome some of the functional limitations of the web protocols. In order to make it more convenient for you to log onto a site, to shop online, or to provide a more personalized experience, cookies can store your login and password, your credit card information and your personal preferences. Or, cookies can be used simply to send information back to a web site and allow the server to dynamically generate text and images more specific to your interests and surfing habits.

Now, however, there is a preponderance of cookies from third parties (mostly ad agencies) being sent to your computer. For example, you may be visiting a health care site and viewing a section on parenting and pregnancy. If cookies are turned on in your browser, the site may write several cookies to your hard drive and assign a unique identifier to you. These cookies will track you as you move throughout the site, track you when you leave, and track you when you return. Using cookies, the site can build a profile on you and permanently store it in its database. But while you might accept this particular site's cookies, you may also be sent cookies from ad agencies and other tracking firms. So, while you're viewing private and sensitive information about health care, third party advertising agencies may be following your every move.

If you've been sent a cookie from an ad agency at a health care site and next visit a different site where you encounter an ad banner from the same ad agency, your browser will communicate back to the agency saying: "Here I am! Remember me? I was just at so-and-so.com viewing information about prostate cancer, and now I am here." The ad agency knows your surfing itinerary. Because cookies from ad agencies and others are sent to your computer as you visit thousands of sites, a comprehensive and detailed profile of you can be generated.

Many ad agencies and web sites claim they do not collect personally identifiable information. However, you need only provide your identifiable information once, in one web form, for example, and your online personal information may be cross-related and matched up with perhaps even more detailed information about you from other data sources.

In the offline world, companies and organizations have been gathering information about you for years. There's always been a hue and cry about this sort of invasion of our privacy. However, the online world poses new and perhaps more serious concerns. Never before have so many companies and organizations been able to set up such powerful surveillance networks that monitor not only your purchasing habits, but exactly where you've been, when you've been there, and what you are doing at any given moment.

web bugs

Before we understand what a web bug is, we need to review the fundamentals of how information is presented to you on a web page.

In simple terms, when you click on a hyperlink, you are making a request to a web server identified by the address in the URL for a particular web page. Typically, a web page consists of text, graphics and advertising banners or images. The contents of the requested page, however, often don't come from one source. That is, the text may come from one server, the graphics from another and the advertising banners from yet another. In other words, when you make a request to view a web page, the content returned to you may come from multiple servers--not solely from the server identified in the original hyperlink you clicked. Ad banners, for example, generally are pulled from third party ad servers. Oftentimes, web bugs lurk hidden on the page sending information off to third-party servers without your knowledge.

A web bug is just like any graphic image or ad on a page, but it's called a web bug because it's invisible. Web bugs, sometimes referred to euphemistically as clear gifs, generally are only 1x1 pixel in size, about the size of the period at the end of this sentence. They're clear in color, so you can't see them. They function as a hidden tracking device.

As your computer is making a connection with each of the servers providing the various components of the page (including web bugs), certain information is being transmitted back to the servers: your IP address, what browser you use, your operating system, the date and time the text or image is being viewed, cookies and other information. This information may be cross-referenced and matched up with personal information that has previously been collected and analyzed by the main site you are visiting, by third parties that are serving content on the page or by tracking firms, ad consortia and perhaps even your internet service provider (ISP).

Web bugs are not only used in web pages, but in email and other documents. Trackers embed web bugs in email in order to know exactly when you've read your mail. If you forward an email to someone, the web bug can send information about those recipients back to the server and a time-stamped trail of communication can be recorded. In fact, the actual content of the email can be sent back to the server where those tracking you can read your conversation. Web bugs aren't limited to web pages or email. They can be embedded in documents, for example, in order to track who has opened the document, and when. Essentially, anything that is capable of HTML can contain an embedded web bug that pings a server to let the server know when a document has been opened or read.


Common scripting languages such as JavaScript and Microsoft's JScript and VBScript make it very easy to steal even more information about you. With a couple of simple lines of code embedded in a web page or in an email, virtually any document or file on your hard drive can be grabbed and sent back to a server. Your complete browser history that may contain your online behavior for the past several years can be uploaded to a server without your knowledge. The history will contain a time-stamped record of every link you've ever clicked, every image you've viewed and can include such information as search criteria that you've entered in numerous search engines. These simple scripts can steal your address book, your business and financial documents and other sensitive and private information--virtually any file on your system. Further, the scripts can write files to your hard drive including viruses.

what you can do

Unfortunately, the internet was not designed with privacy and security in mind. Further, businesses and organizations thrive on information about you and have engineered numerous ways to profile you without your permission. The solution is not entirely a technological one. There are societal issues at play here, too. However, there are some technical steps that can be taken to help minimize the invasion of your privacy and reduce the amount of tracking and profiling being done.

Browsers offer limited control over cookies. By default, most browsers set cookie preferences to "Never ask." With this setting, your browser accepts all cookies sent to you. You can set your cookie preferences to "Reject all cookies," in which case, you may not be able to use various features of a site, shop online, and in some cases, you may be unable to access the site at all. You can also set your browser to "Ask for each cookie," in which case you'll be notified when a new cookie will be written or an existing cookie will be updated.

Web bugs are more difficult and, in fact, are nearly impossible to manage. Yet, with image filtering tools, you can attempt to keep your browser from receiving some of the more obvious web bugs. However, these filtering tools tend to interfere with advertising that you may wish to receive. So, they are not the perfect solution.

To protect yourself further, turn all scripting OFF in your web and email browsers. However, with scripting OFF you'll find many sites don't work properly.

home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online

some photos copyright ©2001 photodisc
web site copyright 1995-2014 WGBH educational foundation