Web Bugs Everywhere Raise Concern

Until recently, the term “bug,” when used in computer parlance, meant a glitch or programming error in a software product, such as the “Y2K bug.”

Today, the term is being used in a more traditional manner, such as “to eavesdrop.” Web site operators and e-mail marketers use “Web bugs” to track an individual’s activity on a Web site and when opening, reading and forwarding an e-mail. The use of these bugs, however, raises serious legal concerns.

A Web bug is embedded in a Web page or in an e-mail’s HTML code. Also known in the industry as “invisible GIFs,” “clear GIFs” or “1-by-1 pixels,” Web bugs are efficient because they take up little space and are virtually invisible. Because they are not easily detectable, however, critics refer to them by the less flattering term “spyware.”

Web bugs are primarily used to provide their users with information about how others behave on a Web site or their activity with respect to an e-mail. However, they may also be used for less suspect activities, such as to verify that a PC has the latest patches and fixes issued by a software vendor.

Web bugs typically use scripting languages such as JavaScript, Flash and ActiveX to collect information. Among the types of information typically collected are the IP address of the computer that the Web bug is being sent to, the URL of the page the Web bug comes from and the time it was viewed. Similarly, a Web bug embedded in an HTML e-mail enables the text to be secretly returned to its original sender every time the e-mail (containing the bug) is forwarded to other recipients.
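For readers who want to see what a Web bug looks like in markup, the following added example (not part of the original article) scans HTML for images with 1-by-1 dimensions or CSS hiding that load from an absolute URL, and reports the host that would receive the request. The function names, the sample HTML and the `.example` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    digits = (value or "").strip().lower().replace("px", "")
    return digits.isdigit() and int(digits) <= 1

class _BugFinder(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        host = urlsplit(src).hostname
        if not host:  # relative, cid: and data: sources are out of scope here
            return
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1-by-1 dimensions")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            fp = self.first_party_host  # None means "do not classify"
            third = fp is not None and host != fp and not host.endswith("." + fp)
            self.findings.append({"src": src, "host": host,
                                  "third_party": third, "reasons": reasons})

def find_web_bugs(html, first_party_host=None):
    """Return one finding per suspicious <img> in the given HTML."""
    finder = _BugFinder(first_party_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a banner, a third-party pixel, a hidden image, an inline part.
SAMPLE = """<html><body><p>Spring sale!</p>
<img src="https://shop.example/banner.png" width="600" height="120">
<img src="https://track.metrics.example/o.gif?uid=8812" width="1" height="1">
<img src="https://shop.example/logo.gif" style="display: none">
<img src="cid:logo@shop.example" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE, "shop.example"):
        print(finding)
```

A finding is a reason to look closer, not proof of tracking: spacer images and legitimate layout tricks share the same markup.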

Because Web bugs are placed in HTML coding on a Web page or e-mail, they are often invisible – unlike cookies, which are visible on a user’s hard drive. This invisibility, coupled with the failure to disclose their use, has, not surprisingly, given rise to several legal actions. Class-action suits have been brought against software companies, including RealNetworks and Netscape, for violations of the Electronic Communications Privacy Act (which generally prohibits the interception of electronic communications of others) as well as the Computer Fraud and Abuse Act (which generally prohibits the unauthorized access to and use of a computer).

Though no law specifically addresses the use of Web bugs, legislation in this area (and for Internet privacy in general) may not be far off. In January 2001 alone, the Spyware Control and Privacy Protection Act was introduced in the Senate and the Congressional Privacy Caucus (a bipartisan group of legislators interested in privacy matters) announced that it would conduct hearings to investigate the privacy issues raised by Web bugs. The Federal Trade Commission has also held hearings on the use of Web bugs and is considering whether their undisclosed use may be harmful to consumers and e-commerce in general.

On the public relations front, companies that use Web bugs, or that use the services of a third party that uses the technology, have received an increasing number of complaints from consumers and consumer groups alleging that the practice invades their privacy under a number of legal theories, such as the common law tort of trespass, wiretapping, conversion and breach of contract, as well as violations of the ECPA and CFAA mentioned above.

Some well-known companies have stopped using Web bugs in light of this backlash. In one of the first cases reported on the use of Web bugs, Toysrus.com announced that it would not use them on its site after consumers became aware that Coremetrics, San Francisco, a market research company hired by the toy retailer, was using Web bugs to collect and analyze data from the Toysrus.com site, contrary to a representation in the Toysrus.com privacy policy that consumer information collected on the site would be kept “completely confidential.” Shortly after this information became public, a notice appeared on the site explaining that Toysrus had “a trial relationship” with Coremetrics and that the relationship would cease at the end of the trial test.

More recently, some tech-savvy users of online games became aware that certain Web sites they frequent use Web bugs for similar purposes. Faced with consumer criticism and a decline in business, one online game site host, Verant Interactive, San Diego, a division of Sony Online Entertainment, chose to eliminate its practice of using Web bugs completely.

Similarly, when eGames Inc., Langhorne, PA, an online vendor of family-oriented game software, incorporated technology for advertising-supported software from Conducent Technologies Inc., Sterling, VA, that contained Web bugs, the attorney general of Michigan initiated an investigation into the company’s online data collection and use practices. In a settlement, eGames agreed to revise its software and to provide full disclosure of its data collection and use practices. EGames is also making a software utility available online that will remove the Conducent software (and the Web bugs) from existing installations of the games.

Even the highly publicized FTC investigation of DoubleClick concluded with the giant ad serving network voluntarily promising that it would modify its privacy policy to disclose its use of Web bugs.

What guidance may be gleaned from these cases?

If you are going to use Web bugs on your Web site or in connection with your e-mail tracking activities, consider disclosing such use in your privacy policy or other medium so as to lessen the likelihood of a legal action based on failure to disclose.

You should also consider requiring users of your Web site and recipients of your e-mails to read and agree to your privacy policy as consideration for their use of the site or receipt of the e-mail.
