
We look at three additional ways that web sites, and others, might gain access to information you might not realize you're providing.

In a series of three previous questions, "What can a website I visit tell about me?", "What are browser cookies and how are they used?" and "What are tracking cookies and should they concern me?", I discussed some of the information that websites get automatically, or through legitimate means by virtue of using cookies, and then how cookies can be used "behind the scenes" by networks of websites to track your visits to sites in the network.

In this article, I'm going to cover three loose ends that, while unrelated to each other, are other ways that websites can get information you probably didn't realize you were giving them.

Malware

The biggest risk by far for getting information from your computer into the hands of others is malware.

Forget all the IP address information, cookies and cookie tracking I've discussed in the previous articles. While perhaps annoying, they're typically legitimate and have access to only a limited subset of your information.

Malware can get it all.

I know it seems a little out of place to be discussing malware, and particularly spyware, when discussing what information you might be giving to websites, but I need to make clear that spyware is by far the bigger risk. To focus on the perceived dangers of surfing otherwise legitimate sites while ignoring the very real risks of spyware and viruses is a huge mistake and can result in much, much bigger issues of information theft.

With that important reminder out of the way, we return to the "mostly legitimate".

Toolbars

Toolbars frustrate me no end. It seems like every time I download some new utility or update, the setup also wants to install an additional toolbar in my browser. I don't want them. Fortunately, most well-behaved sites and utilities will let you turn off a new toolbar install. I have to say, though, that having it install by default unless you tell it not to is, in my opinion, at best rude and at worst downright malicious.

Why is everyone so interested in getting additional toolbars installed in your browser? Because many toolbars collect information about your surfing habits.

Think about it - toolbars sit in your browser and have easy access to everything you might be doing - even the very keystrokes you might be typing. Most are not truly malicious (i.e. they're not capturing your passwords), but many can report to some third party the sites you visit for more data collection, without relying on cookies to do it.

I have exactly two toolbars installed in Firefox: Roboform and Delicious. On some machines I also have the Google toolbar installed. In each case, those are choices I made for specific functionality I want, and they're toolbars from folks I trust.

Cloaked Links

This gets back to cookies, and the difference between "first party" and "third party" cookies.

It's possible to place a link on a web site that goes "through" a third party and, by doing so, gives that third party the ability to place a cookie as if it were a first party. Redirection services like tinyurl or snipurl let you replace a long URL with a short one. You go to the tinyurl.com address and it immediately and transparently redirects you to the actual destination. This redirection technology is very simple, very common, and fairly powerful.

Let's look at an example, and exactly how it affects cookies.

http://mttips.com/d-ms

That's a link, here on ask-leo.com, that takes you to microsoft.com, but through my redirector on mttips.com (mttips.com is another of my sites, by the way, so it's safe in this example).

Let's look at what happens:

  • You're on ask-leo.com, and by virtue of that ask-leo.com can place first party cookies.

  • You click on that link, http://mttips.com/d-ms, which takes you first to mttips.com.

  • Because you visited it directly, mttips.com now has "first party" status. That means that mttips.com can place cookies on your machine even if you have your browser set to disable third party cookies.

  • mttips.com uses a tinyurl-like redirector to send you off to microsoft.com without ever displaying a page.

The upshot? mttips.com had the opportunity to place a first party cookie, even though you never saw a page on mttips.com.
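The exchange above, modeled as an added example (not code from the original article): a simplified browser cookie policy run over constructed responses, showing that blocking third party cookies stops a cookie from an embedded mttips.com resource but not one set during a clicked redirect. The cookie value, the pixel.gif path and the exact-host comparison are assumptions.

```python
from urllib.parse import urlsplit

# Constructed responses standing in for the network. The cookie value and the
# pixel.gif path are made up; only http://mttips.com/d-ms comes from the article.
RESPONSES = {
    "http://mttips.com/d-ms": (302, {"Location": "http://microsoft.com/",
                                     "Set-Cookie": "visitor=abc123; Path=/"}),
    "http://microsoft.com/": (200, {}),
    "http://mttips.com/pixel.gif": (200, {"Set-Cookie": "visitor=abc123; Path=/"}),
}

def fetch(url, address_bar_host, jar, block_third_party):
    """Store this response's cookie if policy allows; return the redirect target, if any."""
    status, headers = RESPONSES[url]
    host = urlsplit(url).hostname
    # Simplification: real browsers compare registrable domains, not exact hosts.
    third_party = host != address_bar_host
    cookie = headers.get("Set-Cookie")
    if cookie and not (third_party and block_third_party):
        jar.setdefault(host, []).append(cookie.split(";")[0])
    return headers.get("Location") if status in (301, 302, 303, 307, 308) else None

def click(url, block_third_party=True, max_hops=10):
    """Clicked link: every hop is a top-level navigation, so each host is first party."""
    hops, jar = [], {}
    while url and len(hops) < max_hops:
        host = urlsplit(url).hostname
        hops.append(host)
        url = fetch(url, host, jar, block_third_party)
    return hops, jar

def embed(page_url, resource_url, block_third_party=True):
    """Embedded resource: the address bar stays on page_url, so other hosts are third party."""
    jar = {}
    fetch(resource_url, urlsplit(page_url).hostname, jar, block_third_party)
    return jar

if __name__ == "__main__":
    hops, jar = click("http://mttips.com/d-ms")
    print("hops:", hops)
    print("cookies after click:", jar)
    print("cookies after embed:", embed("http://ask-leo.com/", "http://mttips.com/pixel.gif"))
```

Listing the hops a link passes through, and which of them set a cookie, is the same check you make by eye when you inspect a link before clicking it.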

This looks like a number of hoops to jump through, just to place a cookie, and it is.

But it's a hoop that advertisers are willing to jump through.

When you're shopping, or even when you're responding to offers on other websites, you'll often see that a link you click on for a product or offer doesn't look like it goes to that product's page at all. If you look at the link before you click on it, you'll see that it goes to an advertising provider or other third party.

I have to stress that there are many valid reasons for this to be the case - I do it myself. And I'm not even saying that placing a tracking cookie isn't a valid reason - though it's not something I do.

What I am saying is that this is a subtle, yet common, approach to additional data collection - be it through cookie placement for subsequent use, or simply counting the clicks (for example, that link to Microsoft.com used elsewhere on ask-leo.com has been clicked on 155 times this month).

So what's the real bottom line of what started with a simple question: "What can a website I visit tell about me?"

  • All websites get very basic information that identifies some of your characteristics, but nothing truly or easily personally identifiable.

  • Websites have many ways to remember what you tell them.

  • Advertising networks can track you, but only your visits to sites in their network, or links taken through their services or network.

  • Advertising networks use this data in aggregate - meaning they likely don't even bother to identify you as an individual.

  • Toolbars and other installed software can provide information to third parties.

  • Malware in the form of spyware and viruses trumps everything: they can see and report anything they want to whomever they want.

Naturally, the paranoid will see this as a big brother situation. And in fact, it's hard to argue otherwise since with all this potential tracking going on, it's impossible to prove that it's not happening.

However, I don't let it get to me. I know I'm just not that interesting.

I leave third party cookies enabled, I watch what toolbars I install, and I make sure to keep myself clean of malware.

And I surf and shop quite securely.

Article C3515 - September 29, 2008

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


4 Comments
Rob Dimbleby
September 30, 2008 11:54 AM

BrowserSpy - http://browserspy.dk/ is great. It shows you just how much information can be retrieved from your browser just by visiting a page.

Cat Moves
October 1, 2008 2:13 PM

Isn't it strange? AOL, which purports to be an anti spyware and anti spam ISP, uses cookies that track your computer and then sends you advertising you didn't ask for. (They also ignore your continued complaints about this.)
To compound spam, they sign your name to any comment you make on one of their pages. It's pretty easy for a spammer to add "@AOL.com" I should think.
No wonder they are losing subscribers.

Matthew Mapleton
October 2, 2008 12:11 PM

Leo: One thing I've noticed looking at cookie files is that they feature your Windows login name in the file name itself. Do websites see your Windows login name by virtue of their cookies? If so, do they record it or correlate it with other data, such as IP addresses?

Excellent observation. No, they do not. That's simply the filename used by the browser.

I believe the username is an artifact of an old approach to identification used by websites that required a particular type of login. If a website required a particular type of login you used to be able to go to http://username@somerandomservice.com/ and be logged in as username (or be prompted for a password). Cookies would then be tracked separately for that username. For sites not requiring authentication I believe this is ignored. This approach is no longer supported in Internet Explorer, as it was being exploited by phishers.
- Leo
03-Oct-2008

MrGroove
October 4, 2008 1:24 AM

And that's why I convert all my email to clear text in Outlook :)

Amazing what information can be gathered by putting HTML into email spam...
