'Web Bugs' Make Privacy Advocates Cringe

According to security experts, the next major threat to consumer privacy online could be the use of so-called "Web bugs," tiny nefarious scripts that Web sites can use to surreptitiously access a visitor's computer and install or copy virtually any program.

The conceptual program, demonstrated at this year's first meeting of the Congressional Privacy Caucus, can operate in complete secrecy, evading virus detection software and flying beneath most Internet and e-mail firewalls, said Gary Clayton, CEO of the Privacy Council.

Using a Web site designed with the help of technology developer Intelytics, Clayton showed how the otherwise plain-looking site loaded a program that made a copy of all 1,800 names, phone numbers and e-mail addresses contained in his Microsoft Outlook address book, and sent them to a third party - without any indication of the transaction.

The demo, reminiscent of the technology used in the "Melissa" and "I Love You" viruses that infected millions of computers, clearly had an effect on one of the caucus' founding members.

"This is frightening," said Sen. Richard Shelby, R-Ala., following the demonstration. "This is somewhat like commercial espionage."

Christine Varney, a former commissioner for the Federal Trade Commission (FTC) and now counsel to the industry-led Online Privacy Alliance, said she was flabbergasted by the demonstration.

"I am appalled," Varney said. "There's nothing that will deter this behavior faster than putting some of the CEOs doing this in jail."

Richard Smith, chief technology officer for the Privacy Foundation, noted that while the type of Web bug depicted by Clayton was still extremely rare on the Internet, many companies use a more benign form of the programs to track Web site visitors.

Using a soon-to-be-released technology for detecting Web bugs, Smith showed how sites use them to relay data to third-party marketers. Tower Records' Web site, for example, uses an invisible Web bug to forward transaction data in the form of a customer ID number on to Cogit Inc., a third-party marketer. Shortly thereafter, Smith said, Cogit will ask Tower for name and address information, and proceed to mesh that information with demographic data from another source to create a more complete picture of the Tower customer.

"I have a real question as to whether they're allowed to do that under their privacy policy," Smith said. "But if I go to another site (that uses Cogit's ad services), they'll know it's me and start changing the look of the Web site based on my demographic profile."

Smith said many of these new ad-tracking schemes were invented after click-through rates on banner ads plummeted, and that businesses want these correlation statistics so they can feel better about all the money they spend on Internet advertising.

Clayton urged Congress to consider legislation to prohibit the use of Web bug technology without the explicit consent of a consumer, employee or business.

"As demonstrated in today's hearing, the ability to pull information directly from a computer can penetrate even into the computers used by Congress, staff and governmental and judicial officers," he said.

But Varney noted that such nefarious uses of Web bugs are already prosecutable as a felony under the Electronic Communications Privacy Act.

Varney noted that while there clearly are wrong ways to use technology, "Web beacons," as she called them, can have positive uses for consumers and businesses alike.

"Web beacons are neither good nor bad, the issue is how they are being used," she said. "Like all other matters related to privacy online, it is essential that Web sites tell visitors that Web beacons are being used and give them the option of saying ‘no.’"

From NewsBytes, http://www.newsbytes.com/news/01/162611.html

Posted on 2 Mar, 2001