Browser Spyware: Watching Where You Linger

An Anonymous Coward writes: "Just when you you'd installed Junkbuster and thought it was safe to go back onto the web, the BBC runs this story which tells you that webshites will soon(?) be able to tell whether you are reading the page, what parts of it are of interest to you, etc. Guess we can expect porn sites to be the first to take advantage of this." Or perhaps someone else is already doing this, and hasn't told you.

Use smart settings to avoid this:

[hardaker]

If you carefully configure your web browser I would think you could avoid being tracked:

• Turn off javascript support. This is likely how their doing their "what part of the page you're looking at" tricks (watching the scrollbar usage).
  
• Don't accept cookies. Don't go to sites that force you to accept them.
  
• Turn off auto-loading of images. This is the one that no-one does, but with the increasing frequency of single pixel tracking images, it might be a wise thing to do. Junkbuster is certainly a good alternative, but it won't catch everything.
  
• Konqueror has the ability to change your user agent. It'd be cool to write a "random" mode to it where it randomly selected from it's list of user agents to send to the remote site ;-)
  

Re:Use smart settings to avoid this:

[Grishnakh]

It seems like it'd be a good idea if Konqueror added an option to ignore single-pixel tracking images... should we submit this to bugs.kde.org?

Re:Use smart settings to avoid this:

[UM_Maverick]

have you actually used the web lately? Your ideas are great in theory, but in practice they take you back about 6 years. E-commerce goes out the window w/out cookies. Many sites become unusable w/out javascript (Not just sites that do "onclick=location.href", but there are many sites that actually use javascript *well*). Turning off images means that you won't see half of most sites...and the list goes on...

Now I know what you're going to say: "If site X won't let me browse my way, then I don't need site X". Well, damn near every site out there is becoming site X. Whether you like it or not, that's the way the world is moving, and you can either accept their way of doing things, or stay in 1995.

Hmm...just re-read that, and it sounds like a flame...I really didn't intend it to be...just meant it to be more of a wake-up call.

Re:Use smart settings to avoid this:

[cyberdonny]

have you actually used the web lately? Your ideas are great in theory, but in practice they take you back about 6 years. E-commerce goes out the window w/out cookies. Many sites become unusable w/out javascript (Not just sites that do "onclick=location.href", ...

Actually, I usually surf with javascript turned off, and the sites where this causes problems can be counted on the fingers of one hand. And for those rare sites I have the choice of

• not there going again
• just allowing those sites in my konqueror browser's javascript ACL.

Of course, if you're in the habit of surfing to porn sites, you might be somewhat more dependant on javascript...

...but there are many sites that actually use javascript *well*).

Actually, using javascript well should mean to not make an obligation out of it, but to use it solely to provide additional and optional functionality. The site should still stay useable even if the user doesn't want or isn't able to use javascript. You know, blind people who are bound to surf using lynx (because their braille lines, or text-to-speech engines only support text browsers) cannot just turn on javascript, even if they wanted!

Re:Use smart settings to avoid this:

[mosch]

No, because single pixel gifs have legitimate purposes too. Not to mention the fact that any image can be a "tracking" image.

Example: Let's say you want to draw a horizontal bar with a rounded edge, ala slashdot. You can make an image that has the rounded edge, then a seperate image that's simply a one pixel gif of the same color, that you then stretch by using height and width attributes on the img tag.

This will prevent the color differences between the two images, as they'll both be using the same graphics library to display. This however also minimizes download time, because all you really need to make a colored bar is one pixel of the exact color you want.

Be less paranoid.

Re:Use smart settings to avoid this:

[Ed+Avis]

We really need a browser that lets you *selectively* disable Javascript. I think the default setting should be to have JS turned on, but with a few particularly obnoxious features (popping up new windows, adding hooks to the scrollbar or mouse movement) turned off. You should be able to adjust these preferences on a site-by-site basis.

Online molesters are targetting OUR KIDS!

[BillyGoatThree]

For crying out loud, /., lighten up. Remember back in '95 when you couldn't turn on the TV or read a news magazine without some lame story about online stalking or pedophiles in chatrooms? And we all mocked them by saying "that's no different than real-life, what's all the hullabaloo"?

"Brick and mortar" stores do exactly this same thing. Many have cameras, the rest use "secret shoppers" (people who look like they are shopping but are really watching YOU) to discourage shoplifting, check competitor prices AND research in-store "migratory patterns". For instance, haven't you ever noticed that ALL grocery stores have the fresh fruits and vegetables right by the door?

This isn't "Your Rights Online". This is "Translating Nothing Cares About In RealLife Into A Scare Story About 'The Net' In Order To Attract Eyeballs To Slashdot."

Eh?

[stripes]

"I can tell because when you read a webpage, you do one of a couple of things. You either shovel the mouse off to the right so that it is out of the way, or you will walk down the page with your mouse," he told the BBC's Go Digital programme.

Yeah....or I'm one of the 5% of the computer market with a Mac and I'm one of the 90% of Mac users that have discovered that when I type the mouse goes away. So I press down arrow and *poof* I don't need to move the mouse out of the way, and my finger is right where I need it to scroll down to read more of the story.

(Or I could turn off JavaScript, which is a good idea because it gets rid of a lot of irritating popup and popunder ads -- which is a pretty good idea, even 'tho it breaks a few sites)

Re:Is it just me or is the web becoming too annoyi

[Greyfox]

Konqueror and Mozilla both allow you to disable popups while allowing JavaScript to run. I believe that at least Konqueror and possibly Mozilla as well will allow you disable or enable features on a site by site basis. The web has become a whole lot less obnoxious since I set Mozilla up to disable popups and animation. I highly recommend running a browser that will let you do this. Mozilla is now fast enough that I can actually tolerate using it and has been since a CVS build about a month and a half ago.

Re:What's so bad about direct marketing?

[UberOogie]

Personally, if companies can direct moderate amounts...

Stop right there, because that's your answer. It will never be moderate. As soon as they can, it is in the marketers best interest to get as much advertising to you as they can in the shortest amount of time, and the more they know, the more they will.

It is sad, but in the future, we'll probably look back fondly on things like PeoplePC which gave only one advertiser the keys to the car...

I don't get this...

[update()]

The story is interesting, and but the description of it here seems so far off that I briefly wondered if I'd hit the wrong link.

Look, since day one of the commercial web, sites have obsessively tracked how many hits they get, where they're coming from, how a user moves through the pages, where they spend time and how often they return. (As if Andover/OSDN isn't doing all of those things -- or is this like with web bugs where we're just supposed to care about them on other sites?) That's one of the great edges the net was going to have over other media. To the degree that people are bothered by that and to the degree that they're technically sophisticated, they turned off cookies and otherwise interfered. And what does Junkbuster have to do with anything?

What this seems to be is an incremental advance in tracking how pages are read -- there's a little added feedback about mouse movements and maybe scrolling. As always, if this takes off it will be trivial to block for those who know and care about such things. And everyone else has far more important privacy invasion being done to them.

Weaknesses in the Theory

[martyb]

Though what they propose probably has some application to the majority of users, I'm just as sure there are others who would not fit their expectations:

• Keyboard-centric:Though most users primarily use a mouse, I've found in many cases it is much faster for me to keep my hands on the keyboard and navigate with page-up/page-down and cursor keys. Menu navigation can be much quicker too as I can make choices with keyboard shortcuts and mnemonics without first having to wait for each menu and submenu to paint.
  
• Large display: Use a 21" monitor running at 1600 x 1200. That means there are many pages where there's no need to scroll; and those that need it, well, just use the page-down or arrow keys.
  
• Touch screens There's no "hovering" or mouse trail; just TAP and you are there, with no record of any "path" across the screen. This will become more prevalent with PDAs.
  

Besides, cheese is often placed in a mousetrap. This kind of technology feels like users are the ones being tempted by the cheese; what kind of trap are we getting into?

Excite may already be doing this

[Compulawyer]

I have noticed that when I log into Excite, some pages I view have been loading a 1 X 1 Applet that is transmitting information (at least time spent on the page) back to servers. As far as I am concerned the only uses for a 1 X 1 ANYTHING on a web page are no good.

I have not yet grabbed the applet and tried to decompile it (mostly for lack of time), so I do not know exactly what it is doing in addition to sending time information, but it struck me as extremely obnoxious.

I am stuck using Win98 and Netscape 4.7 at work, so I cannot use a more enlightened browser that selectively grants/denies JavaScript and Java access by domain name. So...I am stuck being watched to a certain extent.

Is it just me or is anyone else sick and tired of being treated like some company's asset? I am tired of the companies I deal with trying to suck every possible dime out of the relationship they have with me -- ESPECIALLY when it comes to selling my personal information.

Re:Client side cooperation required

[stikves]

No it is not necessary. The site can have two "frames". One of them would be the main frame filling the entire window, the other will be the tracking frame, which is insivible (or 1 pixel high).

Then the javascript code in the main window will fill a string with your mouse movement like:

(100,100)-(110,100)-(110,109)-...

After the buffer is filled enough, it will update the hidden frame with a code like:

TrackerFrame.URL = "http://server/track.cgi?" + str;

That's it. That's all. Your tracking is complete.

Re:Sinister...

[Isofarro]

If a JavaScript or a Java applet can subtly catch your mouse movements, then they can be imbedded in hidden inputs on the web page

No ifs about it. Javascript has quite a number of mouse dependant event-handlers, onMouseOver, onMouseOut, onMove, onClick, onMouseDown, onMouseUp.

Getting the details back to the server is even easier, just condense mousemovements into a bunch of characters (like Logo commands), stick them into a query string.

Now use a hidden image (a transparent 1x1 gif), useing javascript you can change this object on the fly - change the src attribute of that image to a cgi script, with the query string attached, plus a timestamp (making the url unique, thus not cached). The cgi-script then stores/analyses/ignores the data presented, and returns a status 204 - No change.

Its too simple, really.

On the plus side, hopefully it will convince more and more people to disable Javascript - and then boycott any websites that rely/insist on having it enabled. There's enough sites out there as competition to safely avoid intrusive websites - if not, then there's a niche market you can join.

The bread, milk, and fresh fruits are scattered.

[laetus]

Just because a store researches something doesn't mean they're going to make the shopping experience better for the consumer.

Case in point: The grocery store you referenced. Haven't YOU ever noticed that the dairy, bread, and fresh vegetables/fruits are scattered at different corners of the store.

And you know why, to make you wander the other aisles to get you to buy crap you didn't originally walk in to get.

Several answers

[Croaker]

I have a mutli-level armored approach to browsing:

1. I installed Bugnosis which is designed specifically to deal with single pixels images that might be web bugs.
2. I use Proxomitron to do Javascript filtering. It cuts out the worst examples of Javascript annoyances (popups, leaving the page triggers, etc.) The filters are editable, so you can customize them yourself to filter out things like this spy script.
3. I route everything through Junkbuster, which gets rid of the ads that Proxomitron misses.

All of the above besides Junkbuster are Windows-only. The first one is specific to IE, but I end up using that anyhow, since it's the most stable Windows browser.

I can browse most sites that don't do stupid shit like refuse to serve pages to me if they cannot detect my browser (in which case, they are probably crap, anyhow). For shopping sites, I can just add the site to Junkbuster, or bypass the protection through Proxomitron. I am pop-up ad free, and I give out minimal information about myself. The other better way of browsing I could see would be to use an anonymous proxy, which would protect my IP addess.

Of course, this would bet better implemented via the browser. I was using Konqueror a lot at home under Linux, but it began crashing too much for my tastes. There, I've just stuck to using Mozilla with Junkbuster. Javascripts still sometimes get through, though.