Web - hitbox.com

Another exclusive story from The Spy Swat


There has been much talk of net 'spying' lately.  Companies selling on lists of email addresses, cookies, or other software that secretly installs itself on your computer and monitors your online activity.  Here's another one for the list: hitbox.com, run by WebSideStory.

hitbox.com purports to be a web statistics company, based in the United States.   As everybody knows, the internet is truly global, so their activities will affect users everywhere.

hitbox.com operate a service where they collect data about software installed on your computer without your knowledge.  

How do they do this?   Simple... there is a line of embedded Javascript encoded into webpages.  You never know the code is there, it doesn't tell you it's doing anything, but in the background, your browser is sending their server a list of browser plugins installed on your computer.

There is no way of knowing if any standard web page has the hitbox.com code within it unless you look at the HTML source code of the page - I could already have the data about you.  I don't... relax! 

On any affected page you will see a section similar to the following in the HTML source:

The large section is all one line of code.

I have highlighted areas of interest.  This code is compiled on the fly by your browser and reports what plug-ins you have installed.

<!-- Start Hitbox.com Tracking Code -->
<script language="javascript">

var test=0;

</script> <IMG src='http://hg1.hitbox.com/HG?hc=w124&hb=WE591214AHZB62EN3
%3ANetscape%20Default%20Plug-in%3A&cd=1&jf=7' border=0 height=1 width=1>

Essentially, this section is the same as typing 'about:plugins' into your browser (without the quotes).  However it also reports your screen size (ss=800*600), colour depth (sc=16 - 16-bit colour) and language (ln=en  - English).

Effectively, this code loads a single pixel image - one you won't actually see in your browser. 

This single pixel trick was formerly used by web designers to allow more control over page layout than HTML alone would allow.  Now it's being used to cover up snooping.

Hitbox Pro, their commercial offering, does not show any banner or warning on the originating web page.  The information above, along with your IP address, what path you take through a web site and some 500 other items of information are passed on to Hitbox.com without your knowledge.

They advertise the stealth features of the service quite actively on their web pages... "You embed a HitBox Pro sensor in your web page source code (the sensor is not visible to the viewer and does not affect page performance). Each time a visitor accesses that page, the sensor sends a signal to the WebSideStory servers. This method allows us to collect hundreds of statistics in real time, available 24 hours a day."

Regular web servers do have access logs and these do provide some of the same details that WebSideStory are collecting, such as, your IP, your path through the site, the browser and operating system you're using and the time of your visit, but that's about it.   Hitbox.com seems to be offering a lot more information. 

They offer a demonstration view of collected stats at http://get.hitbox.com/content/demo_frame.html.   Check out the subheadings under Site Statistics, particularly the 'visitors' tag.

Unlike cookies, you can't really stop this information being sent out without disabling Javascript support, which could affect the operation of some other, more benign webpages.

If you're serious about your privacy, you might want to consider switching off Javascript support.

Back to main index
This text copyright 2000 The Spy SwatNo reproduction without permission.  All rights reserved.
Vendemen - 2 May 2000