In most cases, Web bugs are nothing more than a simple counting mechanism that involves no tracking of any personal user information whatsoever. They're used most often in banner ads, placed there by the advertiser. The bug is an HTML or script snippet that calls an invisible graphic from the advertiser's own Web server at the same time as the rest of the ad is displayed. The bug's purpose is to enable the advertiser to verify that the ad was seen/delivered the number of times the Web site owner says it was. If the site owner claims far more hits than were registered by the bug, the advertiser knows something is fishy with the counts.
As such, a Web bug is usually no more evil than the rubber tubes that highway engineers stretch across roadways to count cars, or a turnstile in a public space designed to count how many people enter or leave.
What's more, any graphic--any graphic at all--can be used as a Web bug; almost any link can be used as a Web bug. Any time a text or graphic is called from any Web server, the server can collect all the information mentioned in the Bugnosis quote above, and more. Web bugs have no special powers or abilities. They're just static GIFs, and they're usually invisible for no reason other than to make them unobtrusive.
On the face of it, it's silly to focus on Web bugs as nefarious evil things when they provide no information that can't be given by another graphic or link.
The Cookie Connection
Of course, the great cookie scare turned out to be almost entirely groundless. Cookies are just static text files (you can open any cookie with NotePad or your favorite text editor), and they normally record prosaic information such as "this person already saw ad number X from us today, don't show him the same one again." Or: "Here's a returning visitor who's previously logged in. Instead of asking for her password again, use the password stored in this private cookie."
Most cookies are not only benign; they're helpful. But because they normally use space-saving codes (example: a "1" might mean "returning visitor who's previously registered"), they seem mysterious, and thus cause some people to freak out.
Likewise, Web bugs are unknown, invisible, and mysterious, so they must be evil, right?
A second time: Baloney.
Yes, The Dark Side Is There
Can cookies and Web bugs be used for evil intent? Sure. Almost any technology can be subverted. But it's rather difficult for a site to do harm using a Web bug.
Let's look at the worst-case scenario, where a Web bug could be used to send personal information about you from one site to another. The Bugnosis site describes it this way, and it sounds terrifying:
Companies use Web bugs to ... transfer previously input personally identifiable information (name, address, phone number, E-mail address, etc.) about visitors of a Web site to an Internet marketing company. This information is typically used for online profiling purposes. It also can be combined with other offline demographic data such as household income, number of family members, type(s) of car(s) owned, mortgage balance, etc.
But note the first key phrase: "previously input." There's no way for a Web bug (or a cookie) to scour your system for information you don't intend to reveal, and then secretly send that stolen info to some outside source.
For anything like the above worst-case scenario to happen, you would have to voluntarily provide sensitive personal information to an evil site in the first place. If you don't do so, the site has nothing to share with anyone. The Bugnosis fear fantasy collapses and the Web bug is just like any other Web graphic or link. It carries zero--that's zero, zip, nada, zilch--additional security risk. Your "hit" from a Web bug is just one more anonymous data point in the server logs. Big deal.