IP: DoubleClick tracks porn sites, from Brills Content, by Mark Boal

[Dave Farber <farber () cis upenn edu>]

> From: "Mark Boal" <mboal () nyc rr com>
> To: "Declan McCullagh" <declan () well com>
> Subject: DoubleClick story from Brills Content
> Date: Wed, 28 Jun 2000 17:57:04 -0400
>
> Declan-
> thought this might be good for politech posting. It's about how 
> DoubleClick has web bugs on some porn sites.
> best,
> mark
>
>
>
> Brills Content, July 2000
> DoubleClick watches Porn/Medical Sites
> By Mark Boal
>
> We all know by now that when we log on to the Internet and surf the World 
> Wide Web from the privacy of our homes, such privacy is largely an 
> illusion. After all, websites keep track of their visitors, bulletin-board 
> postings are archived, and even e-mail is not safe from prying eyes.
>
> But the state of privacy on the Web may be worse than you imagine. A new 
> generation of technology is making it easier for marketers and Web hosts 
> to track us without our knowledge. Moreover, these tracking devices are 
> showing up in places where many people may be most sensitive about 
> guarding their privacy: pornography and medical sites.
>
> I realized how hard it is to keep up with the rapidly changing online 
> privacy terrain when I paid a visit recently to Richard Smith, an expert 
> on computer privacy who prides himself on uncovering Internet practices he 
> considers abusive. Turns out even Smith was surprised by what we would 
> discover.
>
> Smith was tutoring me on what you might call online countersurveillance, 
> giving me a lesson in how to watch the watchers on the Web. We were in his 
> of ce overlooking downtown Boston. Our laptops were on. On screen, we were 
> looking at a popular porn site called iFriends. We looked at the coding 
> that creates the page, when suddenly a line jumped out at Smith:
>
> IMGSRC="http://ad.doubleclick.net/activity;
> src=104085;type=views;cat=ifdpge;ord= 00509100200118?"
>
> WIDTH=1 HEIGHT=1 BORDER=0
>
> "It s a Web bug!" he exclaimed. Web bugs are the latest innovation in the 
> art of monitoring people moving through websites. They are computer code, 
> nearly identical in structure to the code for a picture or a banner ad. 
> Except they are invisible, due to that last line: WIDTH=1 HEIGHT=1 
> BORDER=0. That describes an image one pixel wide and one pixel high, with 
> no border. (The period at the end of this sentence would be represented on 
> a typical screen as a four-pixel square.) A one-by-one pixel square can 
> not be seen by the naked eye.
>
> Smith had found a Web bug, but what really struck him was that rst line of 
> code: IMGSRC="http://ad.doubleclick.net/activity.
> That clued him in to the fact that DoubleClick Inc., the most successful 
> Internet advertising agency, was collecting information about our visit to 
> a porn-related site.
> DoubleClick is an online advertising agency that buys and places banner-ad 
> space for its clients. But it adds another layer of service, too it keeps 
> track of who views and clicks on those banners, and now, with Web bugs, it 
> can track people on pages without banner ads. DoubleClick s pioneering 
> role on the Internet has earned it the adoration of Wall Street, but the 
> enmity of privacy advocates, who are concerned that the company is 
> building a mammoth database that pro les people s lives on the Web in 
> elaborate detail.
> "In general, DoubleClick s whole strategy of tracking Internet users 
> invades the expectation of privacy people have when they re browsing," 
> says Andrew Shen, a policy analyst at the watchdog Electronic Privacy 
> Information Center. "But when you re talking about particularly sensitive 
> areas such as health or pornography sites, which are only accessed under 
> the assumption that the person s visit remains unknown, tracking is 
> especially objectionable. These are places where the preservation of 
> privacy is vital."
>
> Indeed, DoubleClick s reach is so broad that even casual browsing in the 
> most sensitive corners of the Net leaves a data trail the company can 
> follow, as Smith and I discovered.
>
> Head over to the search engine at the Internet portal Lycos, the 
> fth-most-popular destination on the Web in May, and type the word sex into 
> the query box. DoubleClick takes note. Or click on About.com, a site that 
> gathers many pages under one umbrella and is one of the Web s most popular 
> destinations, with about 4.4 million visitors in April. Thousands of sites 
> are listed under About.com s adult section, and DoubleClick has the 
> ability to monitor many of them.
>
> Smith and I also discovered that DoubleClick operates Web bugs at 
> procrit.com, a site for the HIV-related drug Procrit, and that it monitors 
> mentalwellness.com, an online resource for schizophrenia. Both sites are 
> owned by Johnson & Johnson.
>
> The question for privacy advocates is what does DoubleClick do with the 
> data it collects? Company of cials say emphatically that it won t link 
> information about an individual s website visits with his or her name. Yet 
> the sort of Web bug coding Smith found DoubleClick using on various porn 
> and health sites is ideally suited to linking a person s name to his or 
> her computer.
>
> This use of Web bugs, also sometimes called transparent GIFs (for graphics 
> interchange format) seems to violate DoubleClick s own privacy pledge to 
> be "fully committed to offering online consumers notice about the 
> collection and use of personal information about them, and the choice not 
> to participate." (The italics are DoubleClick s.)
>
> Jules Polonetsky, DoubleClick s chief privacy of cer and a former New York 
> City consumer-affairs commissioner, says the company s privacy policy was 
> "in no way" contradicted by DoubleClick s deployment of Web bugs, because 
> names are not linked to sensitive online activities such as health and 
> porn sites.
>
> Polonetsky stresses that the company has "made a commitment that we won t 
> ever use sensitive information to target ads or to build a pro le," 
> although he says that could change with the development of government 
> standards. In the meantime, he adds, it s the clients responsibility to 
> disclose DoubleClick s Web bugs. "All the sites we do business with," he 
> says, "we wish [them] to be as transparent as possible in explaining what 
> happens on their site."
>
> However, none of the sites where we found Web bugs revealed that fact in 
> their privacy policies.
>
> When asked about this, iFriends initially denied that DoubleClick had Web 
> bugs on the sensitive parts of the site. But when presented with a log le 
> showing that DoubleClick recorded a visit to a "girl-girl" fetish room, 
> labeled in the computer code as room "5," Allan Rogers, a company 
> spokesman, replied by e-mail, "While DoubleClick does indeed record, [it] 
> does not know that room 5 is equivalent to girls home alone." This 
> explanation comes down to saying that while DoubleClick collects the 
> information, it does not have the technical skill to understand it an 
> assertion that Smith and others nd hard to believe.
>
> The other sites where Smith and I found Web bugs also downplayed their 
> privacy implications. A Johnson & Johnson spokesman says the information 
> gathered by Web bugs is used in-house to help the company re ne and manage 
> its sites. Consumers have nothing to worry about because DoubleClick is 
> contractually prohibited from using the information for any other purpose, 
> says the spokesman, Josh McKeegan. "The contract that Doubleclick signed 
> with us speci cally stipulates that they won t use it for any of the 
> purposes which have gotten them into trouble which is tying the aggregate 
> data to speci c cookies. That is speci cally banned within our contract," 
> says McKeegan.
>
> Similarly, John Caplan, general manager of About.com, acknowledges that 
> DoubleClick collects data on About.com users, but said "DoubleClick does 
> not have the right to use any data it has on About.com users in any way. 
> They serve our ads that s it."
>
> But critics note that DoubleClick s deal with its clients could change and 
> it could acquire the right to disseminate data it currently collects. 
> Moreover, a subpoena in a divorce proceeding, a warrant from a law 
> enforcement agency, a malicious hacker, a mistake on DoubleClick s part to 
> name just a few scenarios could drag DoubleClick s les into public view.
>
> And regardless of who uses the data under which circumstances, the 
> practice of covert data collection violates standards of online privacy 
> endorsed by the Federal Trade Commission and by the industry-supported 
> watchdog group TRUSTe. These guidelines specify that data-mining ought to 
> occur only when the user is fully informed, and individuals are given some 
> control over the information gathered about them.
>
> One popular medical site, drkoop.com, took these concerns so seriously 
> that in March it severed a long-standing relationship with DoubleClick. 
> "We had a lot of concerns. There was also a perception problem," explains 
> Laura Hicks, a spokeswoman for drkoop.com. "So we made a decision...that 
> for the protection of our consumers, we would not use any third-party ad 
> networks."
>
> For many privacy advocates, the very existence of Web bugs and the data 
> collection they facilitate constitute an invasion of privacy, leaving 
> aside questions about how that information could be disseminated. Think of 
> a Peeping Tom who installs a video camera in a clothing-store dressing 
> room. Even if he never views the footage, the people captured on lm will 
> feel invaded.
>
> "It s unacceptable for DoubleClick to be monitoring people s movements 
> without their consent," says privacy advocate Jason Catlett, of the 
> Junkbusters Corp., a group that opposes the proliferation of commercial 
> messages. "If they tried this in the physical world it would be like 
> having men in white coats standing outside X-rated movie theaters taking 
> down your license plate number."
>
> Catlett is particularly concerned about the lack of disclosure at porn 
> sites, but a lawsuit led against DoubleClick in California alleges that 
> the rm s deployment of Web bugs at a great many sites is a violation of 
> consumer-protection statutes. The class-action suit, led in January by San 
> Rafael, California, lawyer Ira Rothken, seeks an injunction to force 
> DoubleClick to stop data mining via Web bugs and to give people a chance 
> to see their dossiers.
>
> "If DoubleClick doesn t change their strategy of attempting to tie name 
> and address information with private click stream data...it will have a 
> chilling effect on all Web users no one will take risks in viewing 
> sensitive sites, and Web users First Amendment rights will be impaired," 
> Rothken says.
>
> While the suit has garnered little press attention, it is being closely 
> watched by privacy groups. If the case gets to the discovery stage, 
> DoubleClick could be forced to reveal the business deals and strategy 
> behind its data warehousing, and the nature of the les it has gathered on 
> millions of Californians. That, in turn, could open the rm to a host of 
> new questions that the lawsuit raises. What is in the log les? How far 
> back do they go? Do they contain every website you or I have ever visited 
> on the DoubleClick network? When asked for a response to these questions, 
> a company spokeswoman repeated DoubleClick s assurances that it is 
> "absolutely committed to protecting the privacy of all Internet users."
>
> Why would a Wall Street darling like DoubleClick get involved in 
> monitoring porn sites and health sites at the risk of alienating privacy 
> advocates even more? To answer that we need to rewind to 1996. That was 
> when Kevin O Connor founded the rm, with the idea of cashing in on the 
> rush to all things e. Back then, companies were curious about advertising 
> online, but few knew how to navigate the Web. It was unpredictable and 
> chaotic, and choosing the right advertising format was like throwing darts 
> blindfolded.
>
> DoubleClick simpli ed the task by gathering hundreds of the most popular 
> sites in a network and then offering the ability to place banner ads 
> across all, or some, of the network. The idea t the times like
>
> a latex glove. The Fortune 500 turned their ad accounts over to 
> DoubleClick, and soon it became the one-stop shop for online ads.
>
> Today, DoubleClick s client roster reads like a who s who of corporate 
> America. The company places ads on websites for AT&T, CBS, Ford Motor 
> Company, Motorola, Inc., and hundreds of others. And its revenue is up 
> sharply; in the rst quarter of this year, it took in $110 million, a 179 
> percent increase over the same period last year, according to the company.
>
> Every month, DoubleClick places 50 billion banner ads across its network, 
> which the company says covers about half of the Internet s total traf c. 
> As the company s annual report boasts, "Move your mouse over any ad on the 
> Web, and there s a good chance you ll see ad.doubleclick.net at the bottom 
> of your browser window. DoubleClick didn t create the ad, but we did place 
> it there."
>
> And all of those ads are automatically monitored; DoubleClick gauges their 
> effectiveness by tracking the number of people who click on them versus 
> the number who view them. This so-called click-through rate is a metric 
> only the Internet can offer, and it is the argument for why online 
> advertising is more precise than TV, print, or radio advertising.
>
> But click-through tracking yields another dividend, too. As DoubleClick 
> quickly discovered after it began marketing the service, click-through 
> technology opens the door to tracking individuals as they move from one 
> site to another. If you can track whether someone clicks on one ad, why 
> not track whether the same person clicks on any ad in a given network? Why 
> not see exactly what an individual does online, where she goes, what she buys?
>
> It s no wonder that from the start, privacy advocates objected to such 
> tracking, but DoubleClick and other rms in the online marketing world 
> pressed ahead. To make the tracking work, DoubleClick used cookie les. 
> Cookies are random number strings like ngerprints that identify one 
> computer to another. As you visit a page with a DoubleClick ad, the 
> company places a cookie on your computer. After that, DoubleClick can 
> track your movements through its network even if you do not click on its 
> banner ads.
>
> And now, with Web bugs, DoubleClick can track you even when there are no 
> banner ads on a page. And if you make a purchase or ll out a questionnaire 
> on a site with a DoubleClick ad, the rm will more than likely collect that 
> information from the Web bug and link it to your cookie.
>
> Last year, DoubleClick tried to take the next step, and link its cookie 
> les with actual names and identities. It merged with the consumer-database 
> rm Abacus Direct, and announced a new division designed to create 
> elaborate pro les of more than 90 percent of American households. The plan 
> attracted an army of critics, including privacy advocates, who said 
> DoubleClick would usher in a new age of surveillance. The Federal Trade 
> Commission began investigating the company; investors, who got skittish, 
> started to dump DoubleClick stock.
>
> When the blows and bad PR had cost DoubleClick half its market value, CEO 
> O Connor backpedaled. "I made a mistake," he said. O Connor pledged to 
> delay the database until there was "agreement between government and 
> industry on privacy standards."
>
> Despite its public disavowals, DoubleClick nevertheless continues to lay 
> the groundwork for the database by collecting vast amounts of information 
> about where people go online. And the news that they are employing their 
> invisible tracking devices on health and porn sites could cause them new 
> political, public relations, and legal woes. The FTC has asked Congress 
> for more authority to sue companies who are in violation of consumer 
> privacy, although Congress is not expected to enact new laws anytime soon.
>
> If DoubleClick ever chooses to merge the data from the Web bugs and cookie 
> les with its existing consumer dossiers, it will create a database of 
> unprecedented depth. The rm will not only have purchasing history and 
> demographic information of some 100 million Americans at its ngertips, but 
> also information about their sexual preferences and health conditions. For 
> now, the records are not merged. But they lie there on servers, waiting. e
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> _________________________________
> Mark Boal > Senior Writer > Brills Content
> <mailto:mboal () nyc rr com>mboal () nyc rr com
>
>
> --------------------------------------------------------------------------
> POLITECH -- the moderated mailing list of politics and technology
> To subscribe, visit http://www.politechbot.com/info/subscribe.html
> This message is archived at http://www.politechbot.com/
> --------------------------------------------------------------------------