A web beacon[note 1] is a technique used on web pages and email to unobtrusively (usually invisibly) allow checking that a user has accessed some content.[1] Web beacons are typically used by third parties to monitor the activity of users at a website for the purpose of web analytics or page tagging.[2] They can also be used for email tracking.[3] When implemented using JavaScript, they may be called JavaScript tags.[4] Web beacons are unseen HTML elements that track a webpage views. Upon the user revisiting the webpage, these beacons are connected to cookies established by the server, facilitating undisclosed user tracking.[5]

Using such beacons, companies and organizations can track the online behavior of web users. At first, the companies doing such tracking were mainly advertisers or web analytics companies; later social media sites also started to use such tracking techniques, for instance through the use of buttons that act as tracking beacons.

In 2017, W3C published a candidate specification for an interface that web developers can use to create web beacons.[6]

Overview

edit
 
An innocuous web beacon embedded in a email

A web beacon is any of several techniques used to track who is visiting a web page. They can also be used to see if an email was read or forwarded or if a web page was copied to another website.[7]

The first web beacons were small digital image files that were embedded in a web page or email. The image could be as small as a single pixel (a "tracking pixel") and could have the same colour as the background, or be completely transparent.[8] When a user opens the page or email where such an image is embedded, they might not see the image, but their web browser or email reader automatically downloads the image, requiring the user's computer to send a request to the host company's server, where the source image is stored. This request provides identifying information about the computer, allowing the host to keep track of the user.

This basic technique has been developed further so that many types of elements can be used as beacons. Currently, these can include visible elements such as graphics, banners, or buttons, but also non-pictorial HTML elements such as the frame, style, script, input link, embed, object, etc., of an email or web page.

The identifying information provided by the user's computer typically includes its IP address, the time the request was made, the type of web browser or email reader that made the request, and the existence of cookies previously sent by the host server. The host server can store all of this information, and associate it with a session identifier or tracking token that uniquely marks the interaction.

Use by companies

edit

Once a company can identify a particular user, the company can then track that user's behavior across multiple interactions with different websites or web servers. As an example, consider a company that owns a network of websites. This company could store all of its images on one particular server, but store the other contents of its web pages on a variety of other servers. For instance, each server could be specific to a given website, and could even be located in a different city. But the company could use web beacons requesting data from its one image server to count and recognize individual users who visit different websites. Rather than gathering statistics and managing cookies for each server independently, the company can analyze all this data together, and track the behavior of individual users across all the different websites, assembling a profile of each user as they navigate through these different environments.

Email tracking

edit

Web beacons embedded in emails have greater privacy implications than beacons embedded in web pages. Through the use of an embedded beacon, the sender of an email – or even a third party – can record the same sort of information as an advertiser on a website, namely the time that the email was read, the IP address of the computer that was used to read the email (or the IP address of the proxy server that the reader went through), the type of software used to read the email, and the existence of any cookies previously sent. In this way, the sender – or a third party – can gather detailed information about when and where each particular recipient reads their email. Every subsequent time the email message is displayed, the same information can be sent again to the sender or third party.

"Return-receipt-to" (RRT) email headers can also trigger sending of information and these may be seen as another form of a web beacon.[9]

Web beacons are used by email marketers, spammers, and phishers to verify that an email is read. Using this system, they can send similar emails to a large number of addresses and then check which ones are valid. Valid in this case means that the address is actually in use, that the email has made it past spam filters, and that the content of the email is actually viewed.

To some extent, this kind of email tracking can be prevented by configuring the email reader software to avoid accessing remote images.

One way to neutralize such email tracking is to disconnect from the Internet after downloading email but before reading the downloaded messages. (Note that this assumes one is using an email reader that resides on one's own computer and downloads the emails from the email server to one's own computer.) In that case, messages containing beacons will not be able to trigger requests to the beacons' host servers, and the tracking will be prevented. But one would then have to delete any messages suspected of containing beacons or risk having the beacons activate again once the computer is reconnected to the Internet.

Web beacons can also be filtered out at the server level so that they never reach the end-user.

Beacon API

edit

The Beacon API (application programming interface) is a candidate recommendation of the World Wide Web Consortium, the standards organization for the web.[10] It is a standardized API that directs the web client to silently send tracking data back to the server, i.e. without alerting the user and thus disturbing their experience.[citation needed]

Use of this Beacon API enables user tracking and profiling without the end-user's awareness, as it is invisible to them, and without delaying or otherwise interfering with navigation within or away from the site.[11] Support for the Beacon API was introduced into Mozilla's Firefox browser in February 2014[12] and in Google's Chrome browser in November 2014.[13]

Notes

edit
  1. ^ Also called web bug, tracking bug, tag, web tag, page tag, tracking pixel, pixel tag, 1×1 GIF, spy pixel, or clear GIF.

References

edit
  1. ^ Stefanie Olsen (January 2, 2002). "Nearly undetectable tracking device raises concern". CNET News. Archived from the original on November 7, 2014. Retrieved May 23, 2019.
  2. ^ Richard M. Smith (November 11, 1999). "The Web Bug FAQ". EFF.org Privacy Archive. Archived from the original on June 29, 2012. Retrieved July 12, 2012.
  3. ^ Richard Lowe Jr And Claudia Arevalo-Lowe. "Email web bug invisible tracker collects info without permission". mailsbroadcast.com. Archived from the original on December 3, 2017. Retrieved August 22, 2016.
  4. ^ "Negrino, Tom; Smith, Dori. JavaScript para World Wide Web. Pearson Education, 2001. accessed 1 October 2015". Archived from the original on May 12, 2016. Retrieved October 1, 2015.
  5. ^ Payton, Anne M. (September 22, 2006). "A review of spyware campaigns and strategies to combat them". Proceedings of the 3rd annual conference on Information security curriculum development. InfoSecCD '06. New York, NY, USA: Association for Computing Machinery. pp. 136–141. doi:10.1145/1231047.1231077. ISBN 978-1-59593-437-6.
  6. ^ Jatinder Mann; Alois Reitbauer (April 13, 2017). "Beacon". W3C Candidate Recommendation. W3C. Archived from the original on October 27, 2019. Retrieved November 7, 2019.{{cite web}}: CS1 maint: multiple names: authors list (link)
  7. ^ Bouguettaya, A. R. A.; Eltoweissy, M. Y. (2003). "Privacy on the Web: facts, challenges, and solutions". IEEE Security Privacy. 1 (6): 40–49. doi:10.1109/MSECP.2003.1253567. ISSN 1558-4046. Archived from the original on August 25, 2021. Retrieved March 29, 2021.
  8. ^ Nielsen, Janne (April 27, 2021). "Using mixed methods to study the historical use of web beacons in web tracking". International Journal of Digital Humanities. 2 (1–3): 65–88. doi:10.1007/s42803-021-00033-4. ISSN 2524-7832. S2CID 233416836.
  9. ^ See Internet Engineering Task Force memorandum RFC 4021.
  10. ^ "Beacon W3C Candidate Recommendation 13 April 2017". Archived from the original on March 3, 2021. Retrieved July 26, 2017.
  11. ^ Squeezing the Most Into the New W3C Beacon API Archived October 3, 2017, at the Wayback Machine - NikCodes, 16 December 2014
  12. ^ Navigator.sendBeacon Archived April 30, 2021, at the Wayback Machine - Mozilla Developer Network
  13. ^ Send beacon data in Chrome 39 Archived April 13, 2021, at the Wayback Machine - developers.google.com, September 2015
edit