Web Beacons
A web beacon is a resource that is loaded within a web page or an email message. This resource may consist of a tiny transparent image that is invisible to the person viewing the page or message. Since the beacon is normally loaded from a unique web address that is tied to a particular user, it can be used to verify that the person has loaded the page or message in which the beacon is placed.
Beacon Mechanisms
Several mechanisms exist to implement a web beacon, and there is even a reference standard for beacons from the World Wide Web Consortium (W3C)[1] that is implemented in the Mozilla Firefox[2] and Google Chrome[3] browsers. An early and common mechanism uses a nearly invisible image, typically tiny (1x1 pixels) and transparent, that is embedded in a page or email message. Whenever the user loads the page or message, the image is requested from the server, and server software can detect when this occurs to confirm that the message has been loaded. Using the W3C Beacon API eliminates the need to use a transparent image, as it provides a method for JavaScript code to transmit a background confirmation message without any notification to the user.[1]
To illustrate how the first type of beacon might work in an email message or Web page, consider a tiny image that is too small for a person to see on the screen. The URL of this image might contain some sort of unique identifier. If this unique identifier is generated automatically and is different for every user who loads the image, then the server will know when a specific user has loaded this nearly invisible resource, since it will see the unique identifier in the request. One common use of this exact implementation is to track whether or not a specific email has been opened.
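The pattern described above can also be recognized from the receiving side. The following is an added example, not part of the original page: a small Python scanner that a mail filter or privacy tool could use to list remote images a reader would never see, and to note which of them carry what looks like a per-recipient identifier. The sample HTML, the hostnames, and the 16-character token threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumption: a 16+ character URL-safe token is a likely per-recipient identifier.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")
TINY_RE = re.compile(r"[01](px)?")
HIDDEN_RE = re.compile(r"display:none|visibility:hidden|(^|;)(width|height):[01](px)?(;|$)")

# Constructed sample message body; every hostname and token is made up.
SAMPLE_HTML = """
<p>Your statement is ready.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60">
<img src="https://cdn.example.com/spacer.gif" width="1" height="1">
<img src="https://track.example.net/o/9f2c4b7a1e5d4c3ba8f0e6d2c1b7a9f3.gif" width="1" height="1">
<img src="https://mail.example.org/px?uid=Zk3tQ9xLm2Vb8Rw1Hs7Y" style="display: none">
<img src="cid:inline-banner" width="1" height="1">
"""

def has_unique_token(url):
    """True when a path segment or query value looks like a unique identifier."""
    parts = urlsplit(url)
    values = [seg.rsplit(".", 1)[0] for seg in parts.path.split("/") if seg]
    values += [v for _, v in parse_qsl(parts.query)]
    return any(TOKEN_RE.fullmatch(v) for v in values)

class BeaconFinder(HTMLParser):
    """Collects remote images that the reader would not see on screen."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (url, has_unique_token) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag != "img" or not src.lower().startswith(("http://", "https://", "//")):
            return  # cid:/data: images are embedded and trigger no request
        tiny = all(TINY_RE.fullmatch((a.get(k) or "").strip().lower())
                   for k in ("width", "height"))
        hidden = HIDDEN_RE.search((a.get("style") or "").replace(" ", "").lower())
        if tiny or hidden:
            self.findings.append((src, has_unique_token(src)))

def find_beacons(html):
    """Return (url, has_unique_token) for each invisible remote image."""
    finder = BeaconFinder()
    finder.feed(html)
    return finder.findings
```

On the sample, the plain spacer image is reported as invisible but without a token, while the two images with long identifiers are reported as likely per-recipient beacons; the visible logo and the embedded `cid:` image are ignored.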
Uses of Beacons
Beacons do have some legitimate uses that are not necessarily privacy-invasive. On websites, for example, beacons can be used to confirm that pages are loading completely, for benchmarking page load performance, and for analyzing server operation. In emails, beacons can be embedded in HTML messages to confirm that an email message has been received and opened.
While beacons are normally associated with first-party connections, third-party beacons are also possible. In the simplest case, a website that embeds third-party content via ordinary or inline frames will typically load any beacons that are embedded in that third-party content. A website operator can also choose to load beacons directly from a third-party source, and third-party beacons can be embedded in email messages as part of coordinated marketing, spam, scam, and malware campaigns.
User Tracking
Since beacons are typically sent with unique resource URLs, all the user needs to do is load whatever contains the beacon. Upon loading the email or page, the user is tracked immediately, without the need to set a cookie or use another tracking mechanism. If beacons are included on all pages in a website, or are supplied by a third party for inclusion in a large number of websites, a user can be tracked across sites using only server-side technologies. This tracking therefore works even if the user disables cookies.
One frequent use of beacons is to embed them into HTML-formatted email. If a user opens an email containing a beacon, and their email client or service permits the beacon to be loaded, the sender of the email will receive confirmation that the user has opened the message. Companies can use this information to verify that users have received important and legitimate communications, such as bank statements or appointment reminders. However, they can also use these technologies for marketing campaigns by tracking which emails a person reads. This information can be used to target specific individuals, or it can be aggregated to determine which message subjects are most likely to trigger the largest number of customer views.
Beacons also may be used by unlawful actors. Spam email may contain beacons to verify that an email address is both a valid address and has a recipient willing to open the message. Scammers can use the same technique to identify potential victims who are willing to open the deceptive messages. Whenever a user willing to open these kinds of messages can be identified, working addresses of potential victims can be traded in a sort of underground data brokerage, enabling the criminals to identify and target the most vulnerable individuals with additional spam and scams.
References and Further Reading
- Mozilla Developer Network. Navigator.sendBeacon().
- Eva Gasperowicz. Send beacon data in Chrome 39. Google Developers.