Internet Tracking and Tracing

Internet Tracking and Tracing


Electronic passage through the Internet leaves a trail that can be traced. Tracing is a process that follows the Internet activity backwards, from the recipient to the user. As well, a user's Internet activity on web sites can also be tracked on the recipient site (i.e., what sites are visited and how often). Sometimes this tracking and tracing ability is used to generate email to the user promoting a product that is related to the sites visited. User information, however, can also be gathered covertly.

Techniques of Internet tracking and tracing can also enable authorities to pursue and identify those responsible for malicious Internet activity. For example, on February 8, 2000, a number of key commercial Internet sites such as Yahoo, Ebay, and Amazon were jammed with incoming information and rendered inoperable. Through tracing and tracking techniques, law enforcement authorities established that the attacks had arisen from the computer of a 15-year-old boy in Montreal, Canada. The youth, whose Internet identity was "Mafiaboy," was arrested within months of the incidents.

Law enforcement use of Internet tracking is extensive. For example, the U.S. Federal Bureau of Investigation has a tracking program designated Carnivore. The program is capable of scanning thousands of emails to identify those that meet the search criteria.

Tracking Tools

Cookies. Cookies are computer files that are stored on a user's computer during a visit to a web site. When the user electronically enters the web site, the host computer automatically loads the file(s) to the user's computer.

The cookie is a tracking device, which records the electronic movements made by the user at the site, as well as identifiers such as a username and password. Commercial web sites make use of cookies to allow a user to establish an account on the first visit to the site and so to avoid having to enter account information (i.e., address, credit card number, financial activity) on subsequent visits. User information can also be collected unbeknownst to the user and subsequently used for whatever purpose the host intends.

Cookies are files, and so can be transferred from the host computer to another computer. This can occur legally (i.e., selling of a subscriber mailing list) or illegally (i.e., "hacking in" to a host computer and copying the file). Also, cookies can be acquired as part of a law enforcement investigation.

Stealing a cookie requires knowledge of the file name. Unfortunately, this information is not difficult to obtain. A survey, conducted by a U.S. Internet security company in 2002, on 109, 212 web sites that used cookies found that almost 55 percent of them used the same cookie name. Cookies may be disabled by the user, however, this calls for programming knowledge that many users do not have or do not wish to acquire.

Bugs or Beacons. A bug or a beacon is an image that can be installed on a web page or in an email. Unlike cookies, bugs cannot be disabled. They can be prominent or surreptitious. As examples of the latter, graphics that are transparent to the user can be present, as can graphics that are only 1x1 pixels in size (corresponding to a dot on a computer monitor). When a user clicks onto the graphic in an attempt to view, or even to close the image, information is relayed to the host computer.

Information that can be gathered by bugs or beacons includes:

  • the user's IP address (the Internet address of the computer)
  • the email address of the user
  • the user computer's operating system (which can be used to target viruses to specific operating systems
  • the URL (Uniform Record Locator), or address, of the web page that the user was visiting when the bug or beacon was activated
  • the browser that was used (i.e., Netscape, Explorer)

When used as a marketing tool or means for an entrepreneur to acquire information about the consumer, bugs or beacons can be merely an annoyance. However, the acquisition of IP addresses and other user information can be used maliciously. For example, information on active email addresses can be used to send "spam" email or virus-laden email to the user. And, like cookies, the information provided by the bug or beacon can be useful to law enforcement officers who are tracking down the source of an Internet intrusion.

Active X, Java Script. These computer-scripting languages are automatically activated when a site is visited. The mini-programs can operate within the larger program, so as to create the "pop-up" advertiser windows that appear with increasing frequency on web sites. When the pop-up graphic is visited, user information such as described in the above sections can be gathered.

Tracing email. Email transmissions have several features that make it possible to trace their passage from the sender to the recipient computers. For example, every email contains a section of information that is dubbed the header. Information concerning the origin time, date, and location of the message is present, as is the Internet address (IP) of the sender's computer.

If an alias has been used to send the message, the IP number can be used to trace the true origin of the transmission. When the message source is a personally owned computer, this tracing can often lead directly to the sender. However, if the sending computer serves a large community—such as a university, and through which malicious transmissions are often routed—then identifying the sender can remain daunting.

Depending on the email program in use, even a communal facility can have information concerning the account of the sender.

The information in the header also details the route that the message took from the sending computer to the recipient computer. This can be useful in unearthing the identity of the sender. For example, in the case of Mafiaboy, examination of the transmissions led to a computer at the University of California at Santa Barbara that had been commandeered for the prank. Examination of the log files allowed authorities to trace the transmission path back to the sender's personal computer.

Chat rooms. Chat rooms are electronic forums where users can visit and exchange views and opinions about a variety of issues. By piecing together the electronic transcripts of the chat room conversations, enforcement officers can track down the source of malicious activity.

Returning to the example of Mafiaboy, enforcement officers were able to find transmissions at certain chat rooms where the upcoming malicious activity was described. The source of the transmissions was determined to be the youth's personal computer. Matching the times of the chat room transmissions to the malicious events provided strong evidence of the youth's involvement.

Tracking, tracing, and privacy. While Internet tracking serves a useful purpose in law enforcement, its commercial use is increasingly being examined from the standpoint of personal privacy. The 1984 Cable Act in the United States permits the collection of such information if the information is deemed to aid future commercial developments. User consent is required, however, if the information that is capable of being collected can exceed that needed for commerce.



Bosworth, Seymour, and Michel E. Kabay, eds. Computer Security Handbook. New York: John Wiley & Sons, 2002.

National Research Council, Computer Science and Telecommunications Board. Cyber Security Today and Tommorrow: Pay Now or Pay Later. Washington, DC: The National Academies Press, 2002.

Northcutt, Stephen, Lenny Zeltser, Scott Winters, et al. Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems. Indianapolis: New Riders Publishing, 2002.


Computer Hackers
Computer Keystroke Recorder
Information Security

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

Internet Tracking and Tracing forum