FC: iFriends replies to Brill's Content article on privacy, web bugs

[Declan McCullagh <declan () well com>]

In this unusually long politech message, I'm including three parts:

1. A brief statement from Doubleclick, forwarded to me by apfn () apfn org, 
who had sent the politech message to the company.
2. A lengthy response to the Brill's Content piece by Allan Rogers of iFriends
3. A response to Rogers from Mark Boal, author of the Brill's Content 
article I forwarded to politch last week.

-Declan

***********

-------- Original Message --------
Subject: FW: [Fwd: FC: DoubleClick tracks porn sites, from Brills 
Content,by  MarkBoal]
Date: Wed, 5 Jul 2000 16:21:44 -0400
From: "Blum, Jennifer" <jblum () doubleclick net>
To: "'apfn () apfn org'" <apfn () apfn org>

About 99% of this article is completely inaccurate.  We will be responding
to Brills.

Jennifer Blum
Corporate Communications
DoubleClick Inc. (NASDAQ: DCLK)
450 W.33rd St. 16th Floor
New York, NY 10001
http://www.doubleclick.net
direct # 212-381-5705; fax 212-287-9755
jblum () doubleclick net

DoubleClick is the leading provider of comprehensive Internet advertising
solutions for web advertisers and publishers.

**********

Date: Sat, 01 Jul 2000 19:17:37 -0400
To: declan () well com
From: Allan Rogers <arogers () ifriends net>
Subject: Brill's Content Privacy Article on Politech list

To: Declan McCullagh, Wired

Declan, Allan Rogers at iFriends here.  We noticed that
you forwarded Mark Boal's privacy article for Brill's
Content to the Politech list.
(http://www.politechbot.com/p-01250.html )

You may be interested in the *entirety* of the
email correspondence exchange between iFriends
and Mark Boal (reproduced at bottom), which ...
tells a quite different story than the final Brill
article.  In short, Mr. Boal mischaracterized in
the extreme.  (The email interview/exchange took place
a few months ago and was limited to email; there
were no phone calls, so Boal had no additional opportunity
to distort beyond what the email record below reflects)

In his article, it's noteworthy that Mr. Boal found it
necessary to use a "porn site"  -- Boal's characterization
(obviously not our own) -- to paint his research with the dark
and devious hues that his *facts* failed to portray.
(When the evidence isn't on your side, demogogue and spin)

At the end of the day, Mr. Boal's thesis rests upon
two crucial assumptions, the first of which *may* be valid
(the world awaits DoubleClick's answer), and the second
of which is simply impossible on this planet, and with this
internet:

Brills Content and the author Boal are *right* if the following
two  conditions are true:

1.) IF DoubleClick logs the referrer, i.e.,
"http://www.ford.com/default.asp?pageid=471";
when a 1x1 doubleclick-served gif link exists
within such a page.

<and>

2.) *IF* DoubleClick is retaining the logged referral URL,
then the only way to *harness* *useful* information from the
referral URL is to employ thousands of employees that do nothing
more than translate the referral gibberish into meaningful
information, without any assistance from the third-party websites
themselves.  Since there are 5,000 corporate website clients
in the doubleclick umbrella, each with their own
URL gibberish and tracking codes specific to each site's
internal purposes (see example URL list below) and which
none of the sites will bother to actually *decipher* for
DoubleClick's sake, DoubleClick's referralURL-analyst
department must consist of thousands.  (And what happens
when one of the 5,000 websites changes internal codes that
they use?  What happens when Amazon makes an internal change
from "store=1" (books) to "store=b" (books)?  How is
DoubleClick informed of the change?  Answer:
They're *NOT*.)

In a world where even search engines can't get relevancy
engines to produce useful results pages, does anyone other than
the clueless actually believe that DoubleClick drones (computers or
humans) are actually capable of *understanding* the gibberish
presented in the following  referral URLs and translating it
to database information that reflects the surfer's tastes, likes,
dislikes, etc?   (domain names themselves notwithstanding)

http://www.ford.com/default.asp?pageid=471
http://www.amazon.com/exec/obidos/subst/home/home.html/103-8217645-7053444
http://www-1.ibm.com/servlet/support/manager?rt=1&rs=0&v=9&m=k&lang=en&cc=us&realm=Support&q=mainframe
http://nbc.snap.com/search/directory/results/1,61,nbc-0,00.html?keyword=friends&category=60975%3Ad-et%3ANBC&rfr=60975%3Ad-et%3ANBC&tag=nbc.com
http://apps7.ifriends.net/~wsapi/ifBrowse.dll?filter=a&style=norm&room=7

(Again, reminder, none of the above sites disclose to DoubleClick
what anything in the above URLs actually means.  No rosetta stones
are furnished!)

As the iFriends/Brills transcript reveals, we made several other
points with Mr. Boal, *disproving* his hypothesis that "Doubleclick
knows you like Fetish chatrooms on iFriends, etc",  but Mr. Boal
apparently felt that such *facts* did not support his pre-formed
conclusion, so these aspects of the interview were discarded.

We'd love to see DoubleClick speak to these issues, but until
their lawyers permit them to do so, we're stuck in a world where
many people *think* "webbugs" are being used to collect "personal
information" but they're *not*.  All iFriends is trying to accomplish
is to have DoubleClick tell us which banners produce more customer
signups, and that's all that DoubleClick is *capable* of telling
us.

Hopefully, someone with a clue will speak up someday and
explain the technical nuances to the masses.  Boal concludes that
iFriends exposes to DoubleClick "information about [its users] sexual
preferences".  All we expose to DoubleClick is a gibberish
referral URL, and our contract with DoubleClick forbids them
from doing anything with this or other information (see PS below).

There may very well be *serious* privacy issues underlying
DoubleClick's plans for the integration of Abacus Direct
data, and these need to be explored by regulators.  iFriends
will certainly abide by any regulations that evolve.  But this
"web bug" issue is being *dreadfully* misunderstood, misreported
and miscommunicated.   I'm at your service if ever you should
be in the mood for clues about *why* advertisers like iFriends
use this stuff, *what* information gets collected,
and *how* it is actually *used*.   Call me, email me, etc,
I'm all yours.

Regards,

Allan Rogers (with a little help from the executive & tech staff)
iFriends Spokesperson
800-243-9726 x140

PS:  iFriends' contract with DoubleClick gives ownership of
all data to iFriends and forbids DoubleClick to mine it for
any purposes other than for reporting aggregate information
to us.  (i.e., which ads get clicked more often & which
ads produce more customers).  Is that a crime?


> >From mboal () nyc rr com Mon May 22 14:26:40 2000
> Reply-To: "Mark Boal" <mboal () nyc rr com>
> From: "Mark Boal" <mboal () nyc rr com>
> To: "Allan Rogers" <arogers () ifriends net>
> Subject: Re: press interview
> Date: Mon, 22 May 2000 14:24:47 -0400
> X-Mailer: Microsoft Outlook Express 5.00.2314.1300
> X-SLUIDL: 424FF142-2FDF11D4-82EB0060-083E0560
>
> allan,
> hi there -- my story is closing today. i've incorporated your responses in 
> these emails.
> thanks for the help.
>
>
>
>
>
>
>
>
>
> _________________________________
> Mark Boal > Senior Writer > Brills Content
> p1: 212-366-4348
> cell: 646-325-7230
> fax: 212-366-1939
> <mailto:mboal () nyc rr com>mboal () nyc rr com
> > ----- Original Message -----
> > From: <mailto:arogers () ifriends net>Allan Rogers
> > To: <mailto:mboal () nyc rr com>Mark Boal
> > Sent: Friday, May 12, 2000 6:06 PM
> > Subject: Re: press interview
> >
> > Hi Mark,
> >
> > Sorry for the super-late reply.  I have been out of the
> > office for most of the day.  (recovering from spending
> > too much time with programmers learning the mind-numbing
> > intricacies of "referral urls", "parameter strings" and
> > cookies, I suppose ;-).  I'm at 1-800-243-9726 x140.
> > I'll also be in and out of the office over the weekend
> > for voice mails and emails.
> >
> > - Allan
> >
> > At 04:47 PM 5/11/00 , you wrote:
> > > allan,
> > > yes, sorry for the delay. can we talk tomorrow just to get closure on 
> > > the doubleclick issue. i'll also have some softball questions about the 
> > > site and-
> > > -its backers
> > > -number of hits
> > > -vistors
> > > -strategic partners
> > >
> > > stuff like that.
> > >
> > > pls. tell me when and how to call you.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > _________________________________
> > > Mark Boal > Senior Writer > Brills Content
> > > p1: 212-366-4348
> > > cell: 646-325-7230
> > > fax: 212-366-1939
> > > <mailto:mboal () nyc rr com>mboal () nyc rr com
> > > > ----- Original Message -----
> > > > From: <mailto:arogers () ifriends net>Allan Rogers
> > > > To: <mailto:Mark Boal (by way of Tim )>Mark Boal (by way of Tim 
> > > > <Tim () webpower com>)
> > > > Cc: <mailto:apleven () brillscontent com>apleven () brillscontent com
> > > > Sent: Thursday, May 11, 2000 3:05 PM
> > > > Subject: Re: press interview
> > > >
> > > > Mark, are we still communicating?  Let me know if you
> > > > want to move it to phone.
> > > >
> > > > - Al
> > > >
> > > > cc: to Anick Pleven
> > > >
> > > > ================================================
> > > >
> > > > Mark, I did not get a response to my email at 6pm last
> > > > night.  Please confirm your receipt, and let me know if
> > > > there is more than I can help with.
> > > >
> > > > I believe we have demonstrated the flaw in your thesis
> > > > that DoubleClick is privy to the various rooms
> > > > and categories of rooms that iFriends users visit.
> > > > (Doubleclick has no mechanism for deciphering the
> > > > referral gibberish, and iFriends does not furnish
> > > > DoubleClick with a rosetta stone).
> > > >
> > > > Please let me know if this issue is resolved to your
> > > > satisfaction, and please advise if my 6pm response
> > > > to you last night missed deadline (in which case
> > > > I need to have someone in corporate contact your
> > > > editor)
> > > >
> > > > Thanks again,
> > > >
> > > > Al
> > > >
> > > > =================================================
> > > >
> > > > (Mark .. how's the deadline picture?)
> > > >
> > > > Thanks for the technical walkthrough.  Now
> > > > we see where you're coming from.
> > > >
> > > > Two items:
> > > >
> > > > First, it was just brought to my attention that
> > > > our contract with DoubleClick provides iFriends with a password-protected
> > > > area where WebPower can examine data, and that no other party --
> > > > not even DoubleClick -- can examine this data.  (Obviously,
> > > > if you need more on this topic, I will need to involve legal
> > > > as there are no doubt non-disclosure issues).
> > > >
> > > > Second, we think #1 is academic, for the following reasons:
> > > > While DoubleClick does indeed record, as a part of the *referer*
> > > > line exposed by 1x1 IMG SRC syntax you observed,
> > > > certain elements that iFriends recognizes as "Girls Home Alone"
> > > > (room=5), DOUBLECLICK DOES NOT KNOW THAT ROOM=5 IS EQUIVALENT
> > > > TO GIRLS HOME ALONE.  IFriends has not furnished DoubleClick
> > > > with an index of what the room numbers correlate to, which based
> > > > on what you have shared so far, can be your only rationale to justify
> > > > your thesis (which presumably is that "DoubleClick knows you like
> > > > Fetish, and God knows with whom they will share this information")
> > > >
> > > > As noted before, the purpose of this mechanism is not to
> > > > alert Doubleclick about the surfing interests of visitors
> > > > to iFriends, but to give iFriends a very sophisticated,
> > > > sliced-and-diced picture of the general non-personally-identifiable
> > > > characteristics of the same audience (i.e., what browsers they
> > > > are running, what resolutions their monitors are set at, etc).
> > > >
> > > > When you ran your packet sniffer, DoubleClick noted what
> > > > browser you were running and other basic information.
> > > > Doubleclick also (probably) recorded the referral URL,
> > > > which contains the "room=5" notation.   But iFriends
> > > > has never provided anyone at DoubleClick with an index
> > > > of what the room numbers relate to, so DoubleClick has
> > > > no way of knowing where you were surfing iFriends.
> > > >
> > > > ...Unless you're suggesting that DoubleClick employs
> > > > a dedicated staff of thousands to study the internal
> > > > linking nomenclature used by the tens of thousands of sites
> > > > that use DoubleClick -- a nomenclature system that
> > > > will be extremely diverse from site to site ---
> > > > *changes* their internal nomenclature "mirror" every
> > > > time the site changes its own mechanisms (iFriends
> > > > has undergone dozens of such changes over the years),
> > > > and, last but not least, actually *does* anything with the
> > > > data produced by such a Herculean and Sisyphean effort.
> > > >
> > > > Mark, let me know if we need to do more to get
> > > > the correct facts to you -- I can make programmers
> > > > and technicians available to you (or your team
> > > > of programmers and technicians) -- to better
> > > > elucidate if I am failing in my effort to
> > > > correct your misinformation.
> > > >
> > > > Regards,
> > > >
> > > > Al
> > > >
> > > > - Al
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > At 05:05 PM 5/9/00 , you wrote:
> > > > > Allan, I still don't understand how your response  about the type of 
> > > > > pages can be that the information does get sent to  DoubleClick. 
> > > > > Below, you can see the output from a packet sniffer running  while 
> > > > > visting your site. You can see it in the referring URL.  DoubleClick 
> > > > > tracks the click-thru on  the banner ad:
> > > > > > >
> > > > > > > GET
> > > > > > 
> > > > > /jump/altavista.digital.com/result_front;kw=sex;cat=totext;ord=9461269?
> > > > > >  > HTTP/1.0
> > > > > > > Referer:
> > > > > > >
> > > > > > 
> > > > > &hl=on&kl=XX&pg=q&text">http://www.altavista.com/cgi-bin/query?sc=on&hl=on&kl=XX&pg=q&text 
> > > > >
> > > > > >  =yes&q=sex
> > > > > > > &search=Search
> > > > > > > Host:  ad.doubleclick.net
> > > > > > > Cookie: id=852de2b1
> > > > > > >
> > > > > > >  DoubleClick redirects the click-thru to ifriends.net:
> > > > > > >
> > > > > > >  HTTP/1.0 302 Moved Temporarily
> > > > > > > Content-Type: text/html
> > > > > > >  Location: http://www.ifriends.net/warning/altavista/test1.htm
> > > > > >  >
> > > > > > > Ifriends.net passes the AltaVista search string off
> > > > > >  > to Webpower.com (the parent company of ifriends.net)
> > > > > > > using a  Web Bug:
> > > > > > >
> > > > > > > GET
> > > > > > >
> > > > > >  /cgi/iftrack.exe?ref=http://www.altavista.com/cgi-bin/query?sc=on&;
> > > > > hl=on&kl=X
> > > > > >  >
> > > > > >  X&pg=q&text=yes&q=sex&search=Search[qry&IFSE=AltaVista&IFSEArea=Ke
> > > > > >  ywords&IFS
> > > > > > > kip=Standard&IFSESpecial=General&IFaff=None  HTTP/1.0
> > > > > > > apps.webpower.com
> > > > > > >
> > > > > > > Webpower  records this information in their cookie:
> > > > > > >
> > > > > > >
> > > > > >  IFTRACKFIRST=dt=20000116&tm=19:09:01&ip=199.3.129.167&ref=http://a
> > > > > >  d.doublecl
> > > > > > >
> > > > > >  ick.net/adi/altavista.digital.com/result_front:kw=xxx:cat=stext:or
> > > > > >  d=50342703
> > > > > > >
> > > > > >  2[qry&IFSE=AltaVista&IFSEArea=Keywords&IFSkip=Standard&IFSESpecial
> > > > > >  =General&I
> > > > > > > Faff=None;
> > > > > > >
> > > > > >  IFTRACKRECENT=dt=20000502&tm=12:22:52&ip=141.154.81.154&ref=http:/
> > > > > >  /www.altav
> > > > > > >
> > > > > >  ista.com/cgi-bin/query?sc=on&hl=on&kl=XX&pg=q&text=yes&q=%2Bimage%
> > > > > >  3Ahitbox.c
> > > > > > >
> > > > > >  om+%2Bsex&search=Search[qry&IFSE=AltaVista&IFSEArea=Keywords&IFSki
> > > > > >  p=Standard
> > > > > > > &IFSESpecial=General&IFaff=None
> > > > > >  >
> > > > > > > A DoubleClick Web page tracks at the ifriends.net
> > > > > > >  home page:
> > > > > > >
> > > > > > > GET
> > > > > >  /activity;src=104085;type=views;cat=ifapge;ord=957371490140? HTTP/1.0
> > > > > >  > Referer: http://www.ifriends.net/homeSE.htm
> > > > > >  > Host: ad.doubleclick.net
> > > > > > > Cookie: id=852de2b1
> > > > > >  >
> > > > > > > Now DoubleClick sees us at the Web Cam directory
> > > > > > >  page:
> > > > > > >
> > > > > > > 
> > > > > GET  /activity;src=104085;type=views;cat=ifdpge;ord=%2000503123326924?
> > > > > > >  HTTP/1.0
> > > > > > > Referer: http://apps6.ifriends.net/~wsapi/ifbrowse.dll
> > > > > >  > Host: ad.doubleclick.net
> > > > > > > Cookie: id=852de2b1
> > > > > >  >
> > > > > > > Now DoubleClick tracks us to room #5 (Girls home  alone):
> > > > > > >
> > > > > > > 
> > > > > GET  /activity;src=104085;type=views;cat=ifdpge;ord=%2000503123511464?
> > > > > > >  HTTP/1.0
> > > > > > > Referer:
> > > > > > > 
> > > > > &type=L&filter=e">http://apps6.ifriends.net/~wsapi/ifbrowse.dll?room=5&type=L&filter=e 
> > > > >
> > > > > >  > Host: ad.doubleclick.net
> > > > > > > Cookie: id=852de2b1
> > > > > >  >
> > > > > > > Room #7 (Girl-Girl):
> > > > > > >
> > > > > > > 
> > > > > GET  /activity;src=104085;type=views;cat=ifdpge;ord=%2000503123704587?
> > > > > > >  HTTP/1.0
> > > > > > > Referer:
> > > > > > > 
> > > > > &type=L&filter=e">http://apps6.ifriends.net/~wsapi/ifbrowse.dll?room=7&type=L&filter=e 
> > > > >
> > > > > >  > Host: ad.doubleclick.net
> > > > > > > Cookie: id=852de2b1
> > > > > >  >
> > > > > > > Room #9 (Couples):
> > > > > > >
> > > > > > > 
> > > > > GET  /activity;src=104085;type=views;cat=ifdpge;ord=%2000503123745726?
> > > > > > >  HTTP/1.0
> > > > > > > Referer:
> > > > > > > 
> > > > > &type=L&filter=e">http://apps6.ifriends.net/~wsapi/ifbrowse.dll?room=9&type=L&filter=e 
> > > > >
> > > > > >  > Host: ad.doubleclick.net
> > > > > > > Cookie: id=852de2b1
> > > > > >  >
> > > > > > > Room #10 (Groups):
> > > > > > >
> > > > > > > 
> > > > > GET  /activity;src=104085;type=views;cat=ifdpge;ord=%2000503123902817?
> > > > > > >  HTTP/1.0
> > > > > > > Referer:
> > > > > > > 
> > > > > &type=L&filter=e">http://apps6.ifriends.net/~wsapi/ifbrowse.dll?room=10&type=L&filter=e 
> > > > >
> > > > > >  > Host: ad.doubleclick.net
> > > > > > > Cookie: id=852de2b1
> > > > > >  >
> > > > > > > Room #13 (Interracial):
> > > > > > >
> > > > > > > 
> > > > > GET  /activity;src=104085;type=views;cat=ifdpge;ord=%2000503123944327?
> > > > > > >  HTTP/1.0
> > > > > > > Referer:
> > > > > > > 
> > > > > &type=L&filter=e">http://apps6.ifriends.net/~wsapi/ifbrowse.dll?room=13&type=L&filter=e 
> > > > >
> > > > > >  > Host: ad.doubleclick.net
> > > > > > > Cookie: id=852de2b1
> > > > > >  >
> > > > > > > Room #16 (Fetish):
> > > > > > >
> > > > > > > 
> > > > > GET  /activity;src=104085;type=views;cat=ifdpge;ord=%2000503124018235?
> > > > > > >  HTTP/1.0
> > > > > > > Referer:
> > > > > > > 
> > > > > &type=L&filter=e">http://apps6.ifriends.net/~wsapi/ifbrowse.dll?room=16&type=L&filter=e 
> > > > >
> > > > > >  > ad.doubleclick.net
> > > > > > > Proxy-Connection: Keep-Alive  crunch!
> > > > > > > Cookie: id=852de2b1
> > > > > > >
> > > > > >  >
> > > > >
> > > > > _________________________________
> > > > > Mark Boal > Senior Writer >  Brills Content
> > > > > p1: 212-366-4348
> > > > > cell: 646-325-7230
> > > > > fax:  212-366-1939
> > > > > <mailto:mboal () nyc rr com>mboal () nyc rr com
> > > > >
> > > > > > ----- Original Message 
> > > > > > -----    From:    <mailto:arogers () ifriends net>Allan    Rogers    To: 
>>>>>>   title=mboal () nyc rr com>Mark Boal    Sent: Tuesday, May 09, 2000 
> > > > > > 3:17 PM   Subject: Re: press interview
> > > > > >   RE:  "Also, the cookie was tracking the      *type* of page I went 
> > > > > > to, whether it was girl-girl or fetish or whatever. I      don't see 
> > > > > > how that fits under the list mentioned above. Can you      explain?"
> > > > > > Mark,
> > > > > >
> > > > > > I am not sure which cookie you    observed, but
> > > > > > there are two kinds of cookies in use on iFriends, as
> > > > > > illustrated below (view your email in text-only mode,
> > > > > > if    possible):
> > > > > >
> > > > > >
> > > > > > <PRE>
> > > > > >
> > > > > > A.) DoubleClick    Cookie:
> > > > > >
> > > > > > <IMG 
> > > > > > SRC="http://ad.doubleclick.net/activity;src=104085;type=views;cat=ifdpge;ord= 
> > > > > > 00509151332318?" WIDTH=1 HEIGHT=1 BORDER=0>
> > > > > >
> > > > > > B.) iFriends    Cookie:
> > > > > > <IMG 
> > > > > > src="http://apps.webpower.com/cgi/iftrack.exe?ref=http://search.yahoo.com/bin/search?p=bbw[qry&IFSE=YahooKeywords&IFSEArea=BBW&IFSkip=BBW&IFSESpecial=BBWKyWds&IFaff=None"; 
> > > > > > width=1 height=1 border=0 align=right>
> > > > > >
> > > > > > As you can see, it's the    iFriends cookie (B) -- and not the 
> > > > > > Doubleclick
> > > > > > cookie (A) - makes note    of  the *area* of iFriends that you may be
> > > > > > surfing.  This    information is used by IFriends management to compare
> > > > > > with iFriends signup    and iFriends sale information to determine which
> > > > > > areas of iFriends produce    greater revenue.  None of this data
> > > > > > is available or otherwise exposed    to DoubleClick.  Every top-1000
> > > > > > e-commerce site in the world uses    similar techniques as in
> > > > > > example A.  (iFriends is one of the most    popular 1000 sites in the
> > > > > > world, according to PCDataOnline.com)
> > > > > >
> > > > > > The    DoubleClick cookie, as I observed earlier, is of greater utility
> > > > > > in the    areas of determining broad-sweep, non-personally-identifiable
> > > > > > demographic    information.
> > > > > >
> > > > > > </PRE>
> > > > > >
> > > > > > I hope this has shed greater    light on the subject for you.
> > > > > > If you have an interest in pursuing the    technical nuances
> > > > > > further, I will be happy to help you, but I would    recommend
> > > > > > pushing the deadline off until at least    tomorrow.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Al
> > > > > >
> > > > > >
> > > > > > ============================================
> > > > > >
> > > > > > Mark,
> > > > > >
> > > > > > I    just now realized I didn't address the *type*-of-page
> > > > > > concern you    raise.  I am getting with management and
> > > > > > programmers and will respond    within 10    minutes.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Al
> > > > > >
> > > > > > At    02:12 PM 5/9/00 , you wrote:
> > > > > >
> > > > > > > size=2>   Allan,
> > > > > > > Thanks.
> > > > > > >
> > > > > > > You wrote:
> > > > > > >
> > > > > > > ""broad-sweep"      non-personally-identifiable esoterica as
> > > > > > > browser type, computer OS, etc,      and the information is
> > > > > > > shared with no other entity other than      iFriends.  "
> > > > > >
> > > > > > > This part I don't understand since it was      a DoubleClick cookie 
> > > > > > > in play on iFriends pages which means that DoubleClick      gets the 
> > > > > > > info and iFriends gets it as well. Or by  "no other entity"      did 
> > > > > > > you mean to include DoubleClick?
> > > > > > >
> > > > > > > Also, the cookie was tracking the *type*      of page I went to, 
> > > > > > > whether it was girl-girl or fetish or whatever. I don't      see how 
> > > > > > > that fits under the list mentioned above. Can you      explain?
> > > > > > >
> > > > > > >
> > > > > > > Your prompt reply is      appreciated.
> > > > > > >
> > > > > > > thanks again,
> > > > > > > mark      boal
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > _________________________________
> > > > > > > Mark      Boal > Senior Writer > Brills Content
> > > > > > > p1: 212-366-4348
> > > > > > > cell:      646-325-7230
> > > > > > > fax: 212-366-1939
> > > > > > > mboal () nyc rr com
> > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: 
> > > > > > > > <<mailto:arogers () ifriends net>mailto:arogers () ifriends net>Allan Rogers
> > > > > > > > To: Mark Boal
> > > > > > > > Sent: Tuesday, May        09, 2000 1:38 PM
> > > > > > > > Subject: Re: press interview
> > > > > > > >
> > > > > > > > Hi        Mark,
> > > > > > > >
> > > > > > > > To reiterate clause three of our privacy policy posted
> > > > > > > > at 
> > > > > > > > eudora="autourl">http://www.ifriends.net/legal/privacy.htm,
> > > > > > > >
> > > > > > > > "Non-Personally-Identifiable        Information Collected
> > > > > > > > Automatically: In some cases, we may collect        information
> > > > > > > > about you that is not personally-identifiable. Examples of
> > > > > > > > this type of information include the type of Internet Browser
> > > > > > > > you        are using, the type of computer operating system you are
> > > > > > > > using, and        the domain name of the website from which you
> > > > > > > > linked to our        site."
> > > > > > > >
> > > > > > > > To iFriends knowledge, any DoubleClick link        mechanisms
> > > > > > > > embedded within iFriends pages meet this criteria,        because
> > > > > > > > the information collected is limited to such general
> > > > > > > > "broad-sweep" non-personally-identifiable esoterica as
> > > > > > > > browser        type, computer OS, etc, and the information is
> > > > > > > > shared with no other        entity other than iFriends.
> > > > > > > >
> > > > > > > > As to DoubleClick's privacy        controversy, I'm sure you recognize
> > > > > > > > that there are many, many        thousands of sites that 
> > > > > > > > participate in
> > > > > > > > the DoubleClick network, and I        assume that each of these 
> > > > > > > > thousands
> > > > > > > > of sites anxiously awaits        DoubleClick's ultimate response to
> > > > > > > > concerns expressed by Privacy        advocates.  To our knowledge, any
> > > > > > > > limitations in the DoubleClick        ad-serving methodology also 
> > > > > > > > exist
> > > > > > > > in other marketing networks.
> > > > > > > >
> > > > > > > > The foregoing is on the record.  If you quote me, 
> > > > > > > > the        appropriate
> > > > > > > > designation is iFriends' spokesperson.
> > > > > > > >
> > > > > > > > Good luck        with the story, and I hope I got this to 
> > > > > > > > you        before
> > > > > > > > deadline.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Allan Rogers
> > > > > > > >
> > > > > > > > At 08:23 AM        5/9/00 , you wrote:
> > > > > > > > >       A,
> > > > > > > > > I'm writing about ifriends and          privacy on the site. I was 
> > > > > > > > > recently running some privacy tests on          various pages on 
> > > > > > > > > ifriends and found that information was being sent 
> > > > > > > > > to          Doubleclick. This is not mentioned in the site privacy 
> > > > > > > > > policy. So I'd          like to know what the company's policy is 
> > > > > > > > > regarding this sort of          disclosure.
> > > > > > > > >
> > > > > > > > > My          deadline is today.
> > > > > > > > >
> > > > > > > > > Thanks.
> > > > > > > > > mark
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > _________________________________
> > > > > > > > > Mark          Boal > Senior Writer > Brills Content
> > > > > > > > > p1: 212-366-4348
> > > > > > > > > cell:          646-325-7230
> > > > > > > > > fax: 212-366-1939
> > > > > > > > > mboal () nyc rr com
> > > > > > > > >
> > > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: 
> > > > > > > > > > <<mailto:arogers () ifriends net>mailto:arogers () ifriends net>Allan 
>>>>>>>>>>         Rogers
> > > > > > > > > > To: 
> > > > > > > > > > <<mailto:mboal () nyc rr com>mailto:mboal () nyc rr com>Mark            Boal
> > > > > > > > > > Sent: Monday, May 08, 2000 3:58            PM
> > > > > > > > > > Subject: Re: press interview
> > > > > > > > > >
> > > > > > > > > > Hi Mark,
> > > > > > > > > >
> > > > > > > > > > How            goes it?  I am on the run today, but drop me a note
> > > > > > > > > > with the            nature of the story (thesis) and the site that
> > > > > > > > > > interests you (we            have several), and I can get back in 
> > > > > > > > > > touch
> > > > > > > > > > with you ASAP, armed            with the facts you may need.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > - Al
> > > > > > > > > >
> > > > > > > > > > At            01:53 PM 5/8/00 , you wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi,
> > > > > > > > > > > I'm writing a reporter with Brills              Content, the 
> > > > > > > > > > > media magazine, and I'm writing a story that deals 
> > > > > > > > > > > with              your site, among other things.
> > > > > > > > > > >
> > > > > > > > > > > Can we talk              telephonically?
> > > > > > > > > > >
> > > > > > > > > > > My number              below.
> > > > > > > > > > >
> > > > > > > > > > > thanks,
> > > > > > > > > > > mark
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >             size=2>_________________________________
> > > > > > > > > > > Mark Boal > Senior              Writer > Brills Content
> > > > > > > > > > > p1: 212-366-4348
> > > > > > > > > > > cell:              646-325-7230
> > > > > > > > > > > fax: 212-366-1939
> > > > > > mboal () nyc rr com

***********

From: "Mark Boal" <mboal () nyc rr com>
To: "Declan McCullagh" <declan () well com>
Subject: Brill's Story
Date: Tue, 4 Jul 2000 00:55:44 -0400

Declan,

I'm glad Mr. Rogers forwarded our entire email exchange, for it reveals his 
past strategies of obfuscation in vivid detail. Mr. Rogers initially denied 
DoubleClick had ANY presence on his site. But when I presented him with log 
files proving the contrary, his story changed. Unfortunately, his latest 
letter follows the same pattern. What I reported--that iFriends sends 
information to DoubleClick, and that the information can be used to 
interpret the sexually identity of a person browsing its site--still stands.

Let's begin with the obvious misstatements. Mr. Rogers says I never called 
him, but I did. My message was not returned.  He complains about my 
characterization of iFriends as a porn site, but it *is* a porn site. On 
iFriends, one sees naked men and women in sexually suggestive poses. If 
that's not porn, what is?

He says that only the "clueless" believe DoubleClick is capable of 
translating referring URL coding. I, for one, translated the relevant 
portions of iFriend's coding in about the time it takes to read this 
sentence. So clearly, DoubleClick can do it, too. Remember that DoubleClick 
was contractually obligated not to glean mortgage data from Intuit's 
Quicken site, but was discovered to be doing precisely that.

The uncontested conclusion here is that according to commonly accepted 
privacy practices sensitive information should never be routed to 
DoubleClick in the first place, or at least not without disclosure to the 
public.  But I fear Mr. Roger's position as the spokesperson for a company 
that uses web bugs without disclosure makes his agreement with this 
conclusion unlikely.


--Mark Boal

p.s. For those who asked, below and attached, is the original article, 
hopefully without the ligatures problem.


 ==============================================================
Brills Content, July 2000
Click, Click, Trick
DoubleClick Web Bugs on Porn/Medical Sites

By Mark Boal

We all know by now that when we log on to the Internet and surf the World 
Wide Web from the privacy of our homes, such privacy is largely an 
illusion. After all, websites keep track of their visitors, bulletin-board 
postings are archived, and even e-mail is not safe from prying eyes.

But the state of privacy on the Web may be worse than you imagine. A new 
generation of technology is making it easier for marketers and Web hosts to 
track us without our knowledge. Moreover, these tracking devices are 
showing up in places where many people may be most sensitive about guarding 
their privacy: pornography and medical sites.

I realized how hard it is to keep up with the rapidly changing online 
privacy terrain when I paid a visit recently to Richard Smith, an expert on 
computer privacy who prides himself on uncovering Internet practices he 
considers abusive. Turns out even Smith was surprised by what we would 
discover.

Smith was tutoring me on what you might call online countersurveillance, 
giving me a lesson in how to watch the watchers on the Web. We were in his 
of ce overlooking downtown Boston. Our laptops were on. On screen, we were 
looking at a popular porn site called iFriends. We looked at the coding 
that creates the page, when suddenly a line jumped out at Smith:

IMGSRC="http://ad.doubleclick.net/activity;

src=104085;type=views;cat=ifdpge;ord= 00509100200118?"

WIDTH=1 HEIGHT=1 BORDER=0

"It s a Web bug!" he exclaimed. Web bugs are the latest innovation in the 
art of monitoring people moving through websites. They are computer code, 
nearly identical in structure to the code for a picture or a banner ad. 
Except they are invisible, due to that last line: WIDTH=1 HEIGHT=1 
BORDER=0. That describes an image one pixel wide and one pixel high, with 
no border. (The period at the end of this sentence would be represented on 
a typical screen as a four-pixel square.) A one-by-one pixel square can not 
be seen by the naked eye.

Smith had found a Web bug, but what really struck him was that rst line of 
code: IMGSRC="http://ad.doubleclick.net/activity.

That clued him in to the fact that DoubleClick Inc., the most successful 
Internet advertising agency, was collecting information about our visit to 
a porn-related site.

DoubleClick is an online advertising agency that buys and places banner-ad 
space for its clients. But it adds another layer of service, too it keeps 
track of who views and clicks on those banners, and now, with Web bugs, it 
can track people on pages without banner ads. DoubleClick s pioneering role 
on the Internet has earned it the adoration of Wall Street, but the enmity 
of privacy advocates, who are concerned that the company is building a 
mammoth database that pro les people s lives on the Web in elaborate detail.

"In general, DoubleClick s whole strategy of tracking Internet users 
invades the expectation of privacy people have when they re browsing," says 
Andrew Shen, a policy analyst at the watchdog Electronic Privacy 
Information Center. "But when you re talking about particularly sensitive 
areas such as health or pornography sites, which are only accessed under 
the assumption that the person s visit remains unknown, tracking is 
especially objectionable. These are places where the preservation of 
privacy is vital."

Indeed, DoubleClick s reach is so broad that even casual browsing in the 
most sensitive corners of the Net leaves a data trail the company can 
follow, as Smith and I discovered.

Head over to the search engine at the Internet portal Lycos, the 
fth-most-popular destination on the Web in May, and type the word sex into 
the query box. DoubleClick takes note. Or click on About.com, a site that 
gathers many pages under one umbrella and is one of the Web s most popular 
destinations, with about 4.4 million visitors in April. Thousands of sites 
are listed under About.com s adult section, and DoubleClick has the ability 
to monitor many of them.

Smith and I also discovered that DoubleClick operates Web bugs at 
procrit.com, a site for the HIV-related drug Procrit, and that it monitors 
mentalwellness.com, an online resource for schizophrenia. Both sites are 
owned by Johnson & Johnson.

The question for privacy advocates is what does DoubleClick do with the 
data it collects? Company of cials say emphatically that it won t link 
information about an individual s website visits with his or her name. Yet 
the sort of Web bug coding Smith found DoubleClick using on various porn 
and health sites is ideally suited to linking a person s name to his or her 
computer.

This use of Web bugs, also sometimes called transparent GIFs (for graphics 
interchange format) seems to violate DoubleClick s own privacy pledge to be 
"fully committed to offering online consumers notice about the collection 
and use of personal information about them, and the choice not to 
participate." (The italics are DoubleClick s.)

Jules Polonetsky, DoubleClick s chief privacy of cer and a former New York 
City consumer-affairs commissioner, says the company s privacy policy was 
"in no way" contradicted by DoubleClick s deployment of Web bugs, because 
names are not linked to sensitive online activities such as health and porn 
sites.

Polonetsky stresses that the company has "made a commitment that we won t 
ever use sensitive information to target ads or to build a pro le," 
although he says that could change with the development of government 
standards. In the meantime, he adds, it s the clients responsibility to 
disclose DoubleClick s Web bugs. "All the sites we do business with," he 
says, "we wish [them] to be as transparent as possible in explaining what 
happens on their site."

However, none of the sites where we found Web bugs revealed that fact in 
their privacy policies.

When asked about this, iFriends initially denied that DoubleClick had Web 
bugs on the sensitive parts of the site. But when presented with a log le 
showing that DoubleClick recorded a visit to a "girl-girl" fetish room, 
labeled in the computer code as room "5," Allan Rogers, a company 
spokesman, replied by e-mail, "While DoubleClick does indeed record, [it] 
does not know that room 5 is equivalent to girls home alone." This 
explanation comes down to saying that while DoubleClick collects the 
information, it does not have the technical skill to understand it an 
assertion that Smith and others nd hard to believe.

The other sites where Smith and I found Web bugs also downplayed their 
privacy implications. A Johnson & Johnson spokesman says the information 
gathered by Web bugs is used in-house to help the company re ne and manage 
its sites. Consumers have nothing to worry about because DoubleClick is 
contractually prohibited from using the information for any other purpose, 
says the spokesman, Josh McKeegan. "The contract that Doubleclick signed 
with us speci cally stipulates that they won t use it for any of the 
purposes which have gotten them into trouble which is tying the aggregate 
data to speci c cookies. That is speci cally banned within our contract," 
says McKeegan.

Similarly, John Caplan, general manager of About.com, acknowledges that 
DoubleClick collects data on About.com users, but said "DoubleClick does 
not have the right to use any data it has on About.com users in any way. 
They serve our ads that s it."

But critics note that DoubleClick s deal with its clients could change and 
it could acquire the right to disseminate data it currently collects. 
Moreover, a subpoena in a divorce proceeding, a warrant from a law 
enforcement agency, a malicious hacker, a mistake on DoubleClick s part to 
name just a few scenarios could drag DoubleClick s les into public view.

And regardless of who uses the data under which circumstances, the practice 
of covert data collection violates standards of online privacy endorsed by 
the Federal Trade Commission and by the industry-supported watchdog group 
TRUSTe. These guidelines specify that data-mining ought to occur only when 
the user is fully informed, and individuals are given some control over the 
information gathered about them.

One popular medical site, drkoop.com, took these concerns so seriously that 
in March it severed a long-standing relationship with DoubleClick. "We had 
a lot of concerns. There was also a perception problem," explains Laura 
Hicks, a spokeswoman for drkoop.com. "So we made a decision...that for the 
protection of our consumers, we would not use any third-party ad networks."

For many privacy advocates, the very existence of Web bugs and the data 
collection they facilitate constitute an invasion of privacy, leaving aside 
questions about how that information could be disseminated. Think of a 
Peeping Tom who installs a video camera in a clothing-store dressing room. 
Even if he never views the footage, the people captured on lm will feel 
invaded.

"It s unacceptable for DoubleClick to be monitoring people s movements 
without their consent," says privacy advocate Jason Catlett, of the 
Junkbusters Corp., a group that opposes the proliferation of commercial 
messages. "If they tried this in the physical world it would be like having 
men in white coats standing outside X-rated movie theaters taking down your 
license plate number."

Catlett is particularly concerned about the lack of disclosure at porn 
sites, but a lawsuit led against DoubleClick in California alleges that the 
rm s deployment of Web bugs at a great many sites is a violation of 
consumer-protection statutes. The class-action suit, led in January by San 
Rafael, California, lawyer Ira Rothken, seeks an injunction to force 
DoubleClick to stop data mining via Web bugs and to give people a chance to 
see their dossiers.

"If DoubleClick doesn t change their strategy of attempting to tie name and 
address information with private click stream data...it will have a 
chilling effect on all Web users no one will take risks in viewing 
sensitive sites, and Web users First Amendment rights will be impaired," 
Rothken says.

While the suit has garnered little press attention, it is being closely 
watched by privacy groups. If the case gets to the discovery stage, 
DoubleClick could be forced to reveal the business deals and strategy 
behind its data warehousing, and the nature of the les it has gathered on 
millions of Californians. That, in turn, could open the rm to a host of new 
questions that the lawsuit raises. What is in the log les? How far back do 
they go? Do they contain every website you or I have ever visited on the 
DoubleClick network? When asked for a response to these questions, a 
company spokeswoman repeated DoubleClick s assurances that it is 
"absolutely committed to protecting the privacy of all Internet users."

Why would a Wall Street darling like DoubleClick get involved in monitoring 
porn sites and health sites at the risk of alienating privacy advocates 
even more? To answer that we need to rewind to 1996. That was when Kevin O 
Connor founded the rm, with the idea of cashing in on the rush to all 
things e. Back then, companies were curious about advertising online, but 
few knew how to navigate the Web. It was unpredictable and chaotic, and 
choosing the right advertising format was like throwing darts blindfolded.

DoubleClick simpli ed the task by gathering hundreds of the most popular 
sites in a network and then offering the ability to place banner ads across 
all, or some, of the network. The idea t the times like a latex glove. The 
Fortune 500 turned their ad accounts over to DoubleClick, and soon it 
became the one-stop shop for online ads.

Today, DoubleClick s client roster reads like a who s who of corporate 
America. The company places ads on websites for AT&T, CBS, Ford Motor 
Company, Motorola, Inc., and hundreds of others. And its revenue is up 
sharply; in the rst quarter of this year, it took in $110 million, a 179 
percent increase over the same period last year, according to the company.

Every month, DoubleClick places 50 billion banner ads across its network, 
which the company says covers about half of the Internet s total traf c. As 
the company s annual report boasts, "Move your mouse over any ad on the 
Web, and there s a good chance you ll see ad.doubleclick.net at the bottom 
of your browser window. DoubleClick didn t create the ad, but we did place 
it there."

And all of those ads are automatically monitored; DoubleClick gauges their 
effectiveness by tracking the number of people who click on them versus the 
number who view them. This so-called click-through rate is a metric only 
the Internet can offer, and it is the argument for why online advertising 
is more precise than TV, print, or radio advertising.

But click-through tracking yields another dividend, too. As DoubleClick 
quickly discovered after it began marketing the service, click-through 
technology opens the door to tracking individuals as they move from one 
site to another. If you can track whether someone clicks on one ad, why not 
track whether the same person clicks on any ad in a given network? Why not 
see exactly what an individual does online, where she goes, what she buys?

It s no wonder that from the start, privacy advocates objected to such 
tracking, but DoubleClick and other rms in the online marketing world 
pressed ahead. To make the tracking work, DoubleClick used cookie les. 
Cookies are random number strings like ngerprints that identify one 
computer to another. As you visit a page with a DoubleClick ad, the company 
places a cookie on your computer. After that, DoubleClick can track your 
movements through its network even if you do not click on its banner ads.

And now, with Web bugs, DoubleClick can track you even when there are no 
banner ads on a page. And if you make a purchase or ll out a questionnaire 
on a site with a DoubleClick ad, the rm will more than likely collect that 
information from the Web bug and link it to your cookie.

Last year, DoubleClick tried to take the next step, and link its cookie les 
with actual names and identities. It merged with the consumer-database rm 
Abacus Direct, and announced a new division designed to create elaborate 
pro les of more than 90 percent of American households. The plan attracted 
an army of critics, including privacy advocates, who said DoubleClick would 
usher in a new age of surveillance. The Federal Trade Commission began 
investigating the company; investors, who got skittish, started to dump 
DoubleClick stock.

When the blows and bad PR had cost DoubleClick half its market value, CEO O 
Connor backpedaled. "I made a mistake," he said. O Connor pledged to delay 
the database until there was "agreement between government and industry on 
privacy standards."

Despite its public disavowals, DoubleClick nevertheless continues to lay 
the groundwork for the database by collecting vast amounts of information 
about where people go online. And the news that they are employing their 
invisible tracking devices on health and porn sites could cause them new 
political, public relations, and legal woes. The FTC has asked Congress for 
more authority to sue companies who are in violation of consumer privacy, 
although Congress is not expected to enact new laws anytime soon.

If DoubleClick ever chooses to merge the data from the Web bugs and cookie 
les with its existing consumer dossiers, it will create a database of 
unprecedented depth. The rm will not only have purchasing history and 
demographic information of some 100 million Americans at its ngertips, but 
also information about their sexual preferences and health conditions. For 
now, the records are not merged. But they lie there on servers, waiting. e




_________________________________
Mark Boal > Senior Writer > Brills Content
p1: 212-366-4348
cell: 646-325-7230
fax: 212-366-1939
<mailto:mboal () nyc rr com>mboal () nyc rr com


--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
--------------------------------------------------------------------------