IP: DoubleClick tracks porn sites, from Brills Content, by Mark Boal

[Dave Farber <farber@cis.upenn.edu>]

>
>From: "Mark Boal" <mboal@nyc.rr.com>
>To: "Declan McCullagh" <declan@well.com>
>Subject: DoubleClick story from Brills Content
>Date: Wed, 28 Jun 2000 17:57:04 -0400
>
>Declan-
>thought this might be good for politech posting. It's about how 
>DoubleClick has web bugs on some porn sites.
>best,
>mark
>
>
>
>Brills Content, July 2000
>DoubleClick watches Porn/Medical Sites
>By Mark Boal
>
>We all know by now that when we log on to the Internet and surf the World 
>Wide Web from the privacy of our homes, such privacy is largely an 
>illusion. After all, websites keep track of their visitors, bulletin-board 
>postings are archived, and even e-mail is not safe from prying eyes.
>
>But the state of privacy on the Web may be worse than you imagine. A new 
>generation of technology is making it easier for marketers and Web hosts 
>to track us without our knowledge. Moreover, these tracking devices are 
>showing up in places where many people may be most sensitive about 
>guarding their privacy: pornography and medical sites.
>
>I realized how hard it is to keep up with the rapidly changing online 
>privacy terrain when I paid a visit recently to Richard Smith, an expert 
>on computer privacy who prides himself on uncovering Internet practices he 
>considers abusive. Turns out even Smith was surprised by what we would 
>discover.
>
>Smith was tutoring me on what you might call online countersurveillance, 
>giving me a lesson in how to watch the watchers on the Web. We were in his 
>of ce overlooking downtown Boston. Our laptops were on. On screen, we were 
>looking at a popular porn site called iFriends. We looked at the coding 
>that creates the page, when suddenly a line jumped out at Smith:
>
>IMGSRC="http://ad.doubleclick.net/activity;
>src=104085;type=views;cat=ifdpge;ord= 00509100200118?"
>
>WIDTH=1 HEIGHT=1 BORDER=0
>
>"It s a Web bug!" he exclaimed. Web bugs are the latest innovation in the 
>art of monitoring people moving through websites. They are computer code, 
>nearly identical in structure to the code for a picture or a banner ad. 
>Except they are invisible, due to that last line: WIDTH=1 HEIGHT=1 
>BORDER=0. That describes an image one pixel wide and one pixel high, with 
>no border. (The period at the end of this sentence would be represented on 
>a typical screen as a four-pixel square.) A one-by-one pixel square can 
>not be seen by the naked eye.
>
>Smith had found a Web bug, but what really struck him was that rst line of 
>code: IMGSRC="http://ad.doubleclick.net/activity.
>That clued him in to the fact that DoubleClick Inc., the most successful 
>Internet advertising agency, was collecting information about our visit to 
>a porn-related site.
>DoubleClick is an online advertising agency that buys and places banner-ad 
>space for its clients. But it adds another layer of service, too it keeps 
>track of who views and clicks on those banners, and now, with Web bugs, it 
>can track people on pages without banner ads. DoubleClick s pioneering 
>role on the Internet has earned it the adoration of Wall Street, but the 
>enmity of privacy advocates, who are concerned that the company is 
>building a mammoth database that pro les people s lives on the Web in 
>elaborate detail.
>"In general, DoubleClick s whole strategy of tracking Internet users 
>invades the expectation of privacy people have when they re browsing," 
>says Andrew Shen, a policy analyst at the watchdog Electronic Privacy 
>Information Center. "But when you re talking about particularly sensitive 
>areas such as health or pornography sites, which are only accessed under 
>the assumption that the person s visit remains unknown, tracking is 
>especially objectionable. These are places where the preservation of 
>privacy is vital."
>
>Indeed, DoubleClick s reach is so broad that even casual browsing in the 
>most sensitive corners of the Net leaves a data trail the company can 
>follow, as Smith and I discovered.
>
>Head over to the search engine at the Internet portal Lycos, the 
>fth-most-popular destination on the Web in May, and type the word sex into 
>the query box. DoubleClick takes note. Or click on About.com, a site that 
>gathers many pages under one umbrella and is one of the Web s most popular 
>destinations, with about 4.4 million visitors in April. Thousands of sites 
>are listed under About.com s adult section, and DoubleClick has the 
>ability to monitor many of them.
>
>Smith and I also discovered that DoubleClick operates Web bugs at 
>procrit.com, a site for the HIV-related drug Procrit, and that it monitors 
>mentalwellness.com, an online resource for schizophrenia. Both sites are 
>owned by Johnson & Johnson.
>
>The question for privacy advocates is what does DoubleClick do with the 
>data it collects? Company of cials say emphatically that it won t link 
>information about an individual s website visits with his or her name. Yet 
>the sort of Web bug coding Smith found DoubleClick using on various porn 
>and health sites is ideally suited to linking a person s name to his or 
>her computer.
>
>This use of Web bugs, also sometimes called transparent GIFs (for graphics 
>interchange format) seems to violate DoubleClick s own privacy pledge to 
>be "fully committed to offering online consumers notice about the 
>collection and use of personal information about them, and the choice not 
>to participate." (The italics are DoubleClick s.)
>
>Jules Polonetsky, DoubleClick s chief privacy of cer and a former New York 
>City consumer-affairs commissioner, says the company s privacy policy was 
>"in no way" contradicted by DoubleClick s deployment of Web bugs, because 
>names are not linked to sensitive online activities such as health and 
>porn sites.
>
>Polonetsky stresses that the company has "made a commitment that we won t 
>ever use sensitive information to target ads or to build a pro le," 
>although he says that could change with the development of government 
>standards. In the meantime, he adds, it s the clients responsibility to 
>disclose DoubleClick s Web bugs. "All the sites we do business with," he 
>says, "we wish [them] to be as transparent as possible in explaining what 
>happens on their site."
>
>However, none of the sites where we found Web bugs revealed that fact in 
>their privacy policies.
>
>When asked about this, iFriends initially denied that DoubleClick had Web 
>bugs on the sensitive parts of the site. But when presented with a log le 
>showing that DoubleClick recorded a visit to a "girl-girl" fetish room, 
>labeled in the computer code as room "5," Allan Rogers, a company 
>spokesman, replied by e-mail, "While DoubleClick does indeed record, [it] 
>does not know that room 5 is equivalent to girls home alone." This 
>explanation comes down to saying that while DoubleClick collects the 
>information, it does not have the technical skill to understand it an 
>assertion that Smith and others nd hard to believe.
>
>The other sites where Smith and I found Web bugs also downplayed their 
>privacy implications. A Johnson & Johnson spokesman says the information 
>gathered by Web bugs is used in-house to help the company re ne and manage 
>its sites. Consumers have nothing to worry about because DoubleClick is 
>contractually prohibited from using the information for any other purpose, 
>says the spokesman, Josh McKeegan. "The contract that Doubleclick signed 
>with us speci cally stipulates that they won t use it for any of the 
>purposes which have gotten them into trouble which is tying the aggregate 
>data to speci c cookies. That is speci cally banned within our contract," 
>says McKeegan.
>
>Similarly, John Caplan, general manager of About.com, acknowledges that 
>DoubleClick collects data on About.com users, but said "DoubleClick does 
>not have the right to use any data it has on About.com users in any way. 
>They serve our ads that s it."
>
>But critics note that DoubleClick s deal with its clients could change and 
>it could acquire the right to disseminate data it currently collects. 
>Moreover, a subpoena in a divorce proceeding, a warrant from a law 
>enforcement agency, a malicious hacker, a mistake on DoubleClick s part to 
>name just a few scenarios could drag DoubleClick s les into public view.
>
>And regardless of who uses the data under which circumstances, the 
>practice of covert data collection violates standards of online privacy 
>endorsed by the Federal Trade Commission and by the industry-supported 
>watchdog group TRUSTe. These guidelines specify that data-mining ought to 
>occur only when the user is fully informed, and individuals are given some 
>control over the information gathered about them.
>
>One popular medical site, drkoop.com, took these concerns so seriously 
>that in March it severed a long-standing relationship with DoubleClick. 
>"We had a lot of concerns. There was also a perception problem," explains 
>Laura Hicks, a spokeswoman for drkoop.com. "So we made a decision...that 
>for the protection of our consumers, we would not use any third-party ad 
>networks."
>
>For many privacy advocates, the very existence of Web bugs and the data 
>collection they facilitate constitute an invasion of privacy, leaving 
>aside questions about how that information could be disseminated. Think of 
>a Peeping Tom who installs a video camera in a clothing-store dressing 
>room. Even if he never views the footage, the people captured on lm will 
>feel invaded.
>
>"It s unacceptable for DoubleClick to be monitoring people s movements 
>without their consent," says privacy advocate Jason Catlett, of the 
>Junkbusters Corp., a group that opposes the proliferation of commercial 
>messages. "If they tried this in the physical world it would be like 
>having men in white coats standing outside X-rated movie theaters taking 
>down your license plate number."
>
>Catlett is particularly concerned about the lack of disclosure at porn 
>sites, but a lawsuit led against DoubleClick in California alleges that 
>the rm s deployment of Web bugs at a great many sites is a violation of 
>consumer-protection statutes. The class-action suit, led in January by San 
>Rafael, California, lawyer Ira Rothken, seeks an injunction to force 
>DoubleClick to stop data mining via Web bugs and to give people a chance 
>to see their dossiers.
>
>"If DoubleClick doesn t change their strategy of attempting to tie name 
>and address information with private click stream data...it will have a 
>chilling effect on all Web users no one will take risks in viewing 
>sensitive sites, and Web users First Amendment rights will be impaired," 
>Rothken says.
>
>While the suit has garnered little press attention, it is being closely 
>watched by privacy groups. If the case gets to the discovery stage, 
>DoubleClick could be forced to reveal the business deals and strategy 
>behind its data warehousing, and the nature of the les it has gathered on 
>millions of Californians. That, in turn, could open the rm to a host of 
>new questions that the lawsuit raises. What is in the log les? How far 
>back do they go? Do they contain every website you or I have ever visited 
>on the DoubleClick network? When asked for a response to these questions, 
>a company spokeswoman repeated DoubleClick s assurances that it is 
>"absolutely committed to protecting the privacy of all Internet users."
>
>Why would a Wall Street darling like DoubleClick get involved in 
>monitoring porn sites and health sites at the risk of alienating privacy 
>advocates even more? To answer that we need to rewind to 1996. That was 
>when Kevin O Connor founded the rm, with the idea of cashing in on the 
>rush to all things e. Back then, companies were curious about advertising 
>online, but few knew how to navigate the Web. It was unpredictable and 
>chaotic, and choosing the right advertising format was like throwing darts 
>blindfolded.
>
>DoubleClick simpli ed the task by gathering hundreds of the most popular 
>sites in a network and then offering the ability to place banner ads 
>across all, or some, of the network. The idea t the times like
>
>a latex glove. The Fortune 500 turned their ad accounts over to 
>DoubleClick, and soon it became the one-stop shop for online ads.
>
>Today, DoubleClick s client roster reads like a who s who of corporate 
>America. The company places ads on websites for AT&T, CBS, Ford Motor 
>Company, Motorola, Inc., and hundreds of others. And its revenue is up 
>sharply; in the rst quarter of this year, it took in $110 million, a 179 
>percent increase over the same period last year, according to the company.
>
>Every month, DoubleClick places 50 billion banner ads across its network, 
>which the company says covers about half of the Internet s total traf c. 
>As the company s annual report boasts, "Move your mouse over any ad on the 
>Web, and there s a good chance you ll see ad.doubleclick.net at the bottom 
>of your browser window. DoubleClick didn t create the ad, but we did place 
>it there."
>
>And all of those ads are automatically monitored; DoubleClick gauges their 
>effectiveness by tracking the number of people who click on them versus 
>the number who view them. This so-called click-through rate is a metric 
>only the Internet can offer, and it is the argument for why online 
>advertising is more precise than TV, print, or radio advertising.
>
>But click-through tracking yields another dividend, too. As DoubleClick 
>quickly discovered after it began marketing the service, click-through 
>technology opens the door to tracking individuals as they move from one 
>site to another. If you can track whether someone clicks on one ad, why 
>not track whether the same person clicks on any ad in a given network? Why 
>not see exactly what an individual does online, where she goes, what she buys?
>
>It s no wonder that from the start, privacy advocates objected to such 
>tracking, but DoubleClick and other rms in the online marketing world 
>pressed ahead. To make the tracking work, DoubleClick used cookie les. 
>Cookies are random number strings like ngerprints that identify one 
>computer to another. As you visit a page with a DoubleClick ad, the 
>company places a cookie on your computer. After that, DoubleClick can 
>track your movements through its network even if you do not click on its 
>banner ads.
>
>And now, with Web bugs, DoubleClick can track you even when there are no 
>banner ads on a page. And if you make a purchase or ll out a questionnaire 
>on a site with a DoubleClick ad, the rm will more than likely collect that 
>information from the Web bug and link it to your cookie.
>
>Last year, DoubleClick tried to take the next step, and link its cookie 
>les with actual names and identities. It merged with the consumer-database 
>rm Abacus Direct, and announced a new division designed to create 
>elaborate pro les of more than 90 percent of American households. The plan 
>attracted an army of critics, including privacy advocates, who said 
>DoubleClick would usher in a new age of surveillance. The Federal Trade 
>Commission began investigating the company; investors, who got skittish, 
>started to dump DoubleClick stock.
>
>When the blows and bad PR had cost DoubleClick half its market value, CEO 
>O Connor backpedaled. "I made a mistake," he said. O Connor pledged to 
>delay the database until there was "agreement between government and 
>industry on privacy standards."
>
>Despite its public disavowals, DoubleClick nevertheless continues to lay 
>the groundwork for the database by collecting vast amounts of information 
>about where people go online. And the news that they are employing their 
>invisible tracking devices on health and porn sites could cause them new 
>political, public relations, and legal woes. The FTC has asked Congress 
>for more authority to sue companies who are in violation of consumer 
>privacy, although Congress is not expected to enact new laws anytime soon.
>
>If DoubleClick ever chooses to merge the data from the Web bugs and cookie 
>les with its existing consumer dossiers, it will create a database of 
>unprecedented depth. The rm will not only have purchasing history and 
>demographic information of some 100 million Americans at its ngertips, but 
>also information about their sexual preferences and health conditions. For 
>now, the records are not merged. But they lie there on servers, waiting. e
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>_________________________________
>Mark Boal > Senior Writer > Brills Content
><mailto:mboal@nyc.rr.com>mboal@nyc.rr.com
>
>
>--------------------------------------------------------------------------
>POLITECH -- the moderated mailing list of politics and technology
>To subscribe, visit http://www.politechbot.com/info/subscribe.html
>This message is archived at http://www.politechbot.com/
>--------------------------------------------------------------------------