It was almost shocking when I first installed a browser add-on called Ghostery and began to click on various articles at The Guardian. With each click, I discovered that this news publication, which has been primarily tasked with reporting on Edward Snowden and top secret surveillance operations conducted by the National Security Agency, has been surveilling its own readers.
I’ve intermittentlynoted the existence of “web bugs,” “web beacons” or “corporate trackers” embedded within articles at The Guardian, Salon.com and elsewhere but I’ve never given this phenomenon its own write-up. So here it is. Of course the point of this exercise ought to be clear: these publications, while taking on the pious, sanctimonious role of privacy purists, are using multiple third party resources to collect detailed information about nearly every visitor who reads one of the various posts about how the use of digital technology should be a completely private affair.
Programmers for sites like The Guardian, and even here at The Daily Banter, have embedded tiny, invisible file objects within each page. When you view a page, web bugs are automatically downloaded to your computer along with everything else that appears on the page. From there, the objects send information back to servers owned by various corporate analytics and ad networks tasked with gathering, compiling and analyzing the data. Web bugs differ from “cookies,” small text files containing information about how you browse through a particular site, but can function in conjunction with cookies as a means of more thoroughly collecting your data and creating a profile of how you get to a particular site along with what you do once you’re there.
By gathering details about you and your internet browsing habits, the sales and marketing teams for each publication are not only capable of observing, among other things, who’s reading, but also where each reader lives along with each reader’s trail of clicks through the site. The goal is to know who’s clicking and how to best deliver targeted advertising that will encourage readers to click more often, thus increasing revenue.
Boiled down to an elevator pitch: it’s spying for profit.
On the page containing Glenn Greenwald’s latest post, “NSA encryption story, Latin American fallout and US/UK attacks on press freedoms,” 92 web bugs were embedded in the article as of Sunday evening, including bugs from alleged PRISM collaborators Google and Facebook. From what I’ve observed, 92 bugs is an unusually high number. Most of the time, there are generally 20-30 bugs actively gathering your information at The Guardian — each bug delivered by a different corporation. On the low end, the new Der Spiegel article co-authored by Snowden/Greenwald colleague Laura Poitras, titled “Privacy Scandal: NSA Can Spy on Smart Phone Data,” contained 14 web bugs. Meanwhile, The Guardian‘s iteration of the newest Snowden revelations exposing how NSA breaks encryption codes happened to have downloaded 36 web bugs onto my computer. When the article was freshly posted last week, Ghostery counted 47 web bugs.
But merely counting the web bugs only provides half of the story. What, specifically, are these bugs collecting about us? What does The Guardian and the other self-declared privacy purists want so desperately to know about you?
Let’s take a look at a post on The Guardian written by cryptology expert and pro-Snowden advocate Bruce Schneier. The article is titled, “The US government has betrayed the internet. We need to take it back.” The article begins like so:
Government and industry have betrayed the internet, and us. By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract.
Ironically, The Guardian embedded a massive 95 web bugs on Schneier’s post in which he discusses how the government and industry have “betrayed” the internet.
So what exactly is The Guardian collecting about everyone who reads this article?
According to Ghostery, a fairly typical bug from AudienceScience embedded within Schneier’s article collects the date and time of your visit. It also collects your “Demographic Data,” but neither Ghostery or AudienceScience specifies the extent of the demographic data that’s collected. AudienceScience also collects “Interaction Data,” which includes whether you reloaded the page or stopped the page mid-download and so forth. Additionally, the bug gathers the number of page views you generate while on the site. Notably, AudienceScience grabs your IP address, which can identify your location as narrowly as the building in which you work, and it can retain all of this information for 18-24 months.
There are 21 similar beacons on Schneier’s article at The Guardian, not including advertising and analytics bugs. Most of these corporations can share your information with third parties, none of which are dislosed by name anywhere.
Perhaps the most invasive bug on this article, and which is contained on nearly every page at The Guardian, is provided by an Adobe service called Omniture. This tracker collects your analytics data, your browser information, demographic data, hardware/software type, your interaction data, your page views, your IP address and, interestingly enough, your search history. On the Adobe website, it defines search history as: “The searches you have performed, including searches that led you to that company’s website.”
In addition to all of that, the Omniture bug at The Guardian is potentially capable of collecting your: “Social network profile information, including photos, fan and like status, user IDs, age, and gender.” Neither The Guardian nor Ghostery specifies whether this information is actually being collected. But it can be.
By the way, there’s another tracker on The Guardian provided by Experian Marketing Service, a branch of, yes, that Experian: the credit reporting agency. According to Ghostery, the Experian bug collects the same wide array of information as Omniture.
Unless one of the trackers collects your social media details, which is unclear, nothing that’s collected about you contains your name, address or other specifics about you. Put it this way: there’s nothing collected that’s any more or less intrusive than the email or phone metadata that’s collected, anonymized and eventually destroyed by NSA.
Make no mistake, this isn’t perfectly analogous to NSA surveillance. First and foremost, NSA is considerably more secretive, chiefly because it has to be given the astronomically high stakes of international espionage. However, as I’ve written before, it’s purely hypocritical to single out NSA while ignoring corporate invasiveness, especially given how corporations utterly lack the kind of government accountability provided by the Constitution. It defies intellectual honesty to pick and choose which form of surveillance is acceptable and which form is egregious and outrage-worthy — worse yet, it’s highly questionable to at once condemn Google and Facebook for invading our privacy via NSA’s PRISM database, while ignoring the fact that a civil liberties reporter’s very own publication uses Google and Facebook (and dozens of other bugs) to invisibly collect information about its readers, then pays that reporter handsomely with the fruits of said data collection.
In other words, if your goal is to shame other organizations for violating your privacy rights, you’d better make sure your house is in order because, in the final analysis, privacy is privacy.
(By the way, the Snowden t-shirt featured with this article comes from the Wikileaks store. There are three web bugs on that page, including one from Google and one from Omniture.)