Yahoo’s privacy policy regarding web bugs


Here's Yahoo's privacy policy regarding so-called web bugs (or as they call them "web beacons") - these are the little 1x1 images that web sites use to keep track of where you're going.

Halfway down the page (at least as of the time I wrote this, which is not the same as the time this gets posted since I write stuff in advance...) in the section "Outside the Yahoo! Network" there is a link to opt out of sharing the information with companies outside the Yahoo! Network.

Maybe it's time to start surfing with images off again, or perhaps somebody can write a plug-in that blocks all 1x1 images.

[Raymond is currently on vacation; this message was pre-recorded.]

Comments (10)
  1. Ben Hutchings says:

    Various proxies can do that, such as Privoxy.

  2. David Cumps says:

    Blocking them will also render sites that use 1×1 images for layout useless. They sometimes can be handy to have something in a table cell, but not a  

  3. Daniel says:

    Use Proxomitron. Best thing on earth.

  4. Darrell says:

    Mozilla (or one of its plugins, adaware) will block specified image sizes, images from specified ad servers, block cookies and images from 3rd-party web sites (ie, not the site you’re connecting to), etc.

  5. Alexey Shmelev says:

    AdShield does that

  6. Centaur says:

    You cannot block an image by its dimensions, because at the moment you know the dimensions, the evil HTTP query has already happened.

    You can (with some help from the browser) prevent giving away cookies if the query is from an <img>. This will block some evil image scripts, and some good image scripts.

    You can (again with some help from the browser) strip script query strings (‘?’ and following), if the query is from an <img>. Again, it will block some evil image scripts, and many good image scripts.

    You can block images matching specific blacklist regexps. But at the time you know you should have added it to your blacklist, you may have already stepped on it.

    You can block all images except those that match specific whitelist regexps. But then browsing is a pain.

  7. Raymond Chen says:

    Often these "bugs" specify their height and width in the source HTML so the page layout does not jump as the image loads. So you do know the size of the image before you issue the "evil" request.

  8. Centaur says:

    Okay, you can block <img width="1" height="1" src=…>. This does not solve the problem, as a page can refer to a number of external URIs which are loaded automatically, such as:

    * <body background=…>,

    * <link rel="stylesheet" href=…>,

    * <script src=…>,

    * <img style="display: none" src=…> (which some browsers will still load, despite the fact they are not displayed initially and may never be made displayed via scripting),

    and certain kinds of CSS images like:

    <style type="text/css"><!--

    body { background-image: url(…); }

    ul li { list-style-image: url(…); }

    --></style>

    And, specifying a dynamic page background is not going to be more expensive to the server than a single-pixel gif — in fact, nothing prevents the server from returning the same transparent single pixel for the background. And a stylesheet may be downright empty, saving the server ~35 bytes per hit.

    I cannot say for sure that most browsers will give away their cookie when asked to import a stylesheet, but I suspect so. After all, it’s that server that gave us the cookie, why shouldn’t we give it back?
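
An added example, not part of the original post or comments: a small Python audit that lists every URL a page makes the browser fetch on its own, using the element types named in the comment above, and marks which requests go to a different host. It shows how little a declared-size 1x1 filter covers. The names `AutoLoadAudit` and `audit`, the host `tracker.example` and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")
# Tag -> attribute whose URL the browser fetches without user action.
URL_ATTR = {"img": "src", "script": "src", "body": "background", "link": "href"}

class AutoLoadAudit(HTMLParser):
    """Collect the URLs a browser requests on its own while rendering a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.hits, self.in_style = page_url, [], False

    def add(self, kind, url):
        full = urljoin(self.page_url, url)
        third_party = urlparse(full).hostname != urlparse(self.page_url).hostname
        self.hits.append((kind, full, third_party))

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        url, kind = a.get(URL_ATTR.get(tag, "")), tag
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            url = None  # this audit counts only stylesheet links
        if tag == "img" and (a.get("width"), a.get("height")) == ("1", "1"):
            kind = "img-1x1"  # the only case a declared-size filter sees
        elif tag == "img" and "display:none" in a.get("style", "").replace(" ", "").lower():
            kind = "img-hidden"
        if url:
            self.add(kind, url)
        self.in_style = tag == "style"

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        for css_url in (CSS_URL.findall(data) if self.in_style else []):
            self.add("css-url", css_url)  # url(...) inside <style>...</style>

def audit(html, page_url):
    parser = AutoLoadAudit(page_url)
    parser.feed(html)
    return parser.hits  # list of (kind, absolute_url, is_third_party)

# Constructed sample page; tracker.example is a placeholder host.
SAMPLE = """<head><link rel="stylesheet" href="http://tracker.example/empty.css">
<script src="/local.js"></script><style type="text/css"><!--
body { background-image: url(http://tracker.example/bg.gif); }
--></style></head><body background="http://tracker.example/px.gif">
<img width="1" height="1" src="http://tracker.example/bug.gif?id=42">
<img style="display: none" src="http://tracker.example/hidden.gif"></body>"""
```

Calling `audit(SAMPLE, "http://www.example.com/index.html")` reports five third-party requests, only one of which is a declared 1x1 image.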

  9. Louis Parks says:

    You can take the Spybot Search & Destroy approach and simply block all known evil hosts. That would protect you from the HTTP requests for .js, .jpg, .gif, etc. I’d also block all 3rd party cookies as part of a privacy defense in depth strategy.

  10. Alec Soroudi says:

    To expand on what Louis Parks said, we can also use things like PeerGuardian for that.

    If we have a list of known offenders, whether it be industry networks trying to monitor "piracy", advertisers trying to monitor our surfing patterns, or spammers trying to serve up garbage that nobody wants, we can use it to avoid those systems altogether. While they will no doubt keep moving around to avoid being caught, all we need is to keep the list up to date. What we are left with is a program we regularly update that will block network transactions with unpleasant people. Not really a big deal when you liken it to anti-virus software. ;)

    So what’s the count now? Anti-virus, anti-trojan, firewall, and ip blocker. Good thing CPUs are getting faster.
