I Know What You Did Last Week - But I'll Never Tell

  • Written By: D. Geller
  • Published: February 14 2000

Event Summary

Abacus Direct was a direct marketing specialist that had a great deal of information about individuals - more than two billion records of catalog transactions. Do you buy from the Sharper Image catalog? Did you send money when you received those free address labels in the mail? Do you use your supermarket's affinity card to buy organic yogurt and diet Dr. Pepper? Chances are that Abacus Direct or a similar company knows all about it. So, when Internet advertising leader DoubleClick bought Abacus Direct for $1.7 billion, alarm bells went off for privacy advocates, as well as in the offices of the Federal Trade Commission.

Before the acquisition DoubleClick knew you by a coded number. It knew that you visited this bookstore site, that health information site, and, yes, even the online gaming site. The first time you visited any of the 11,500 Web sites using DoubleClick to serve ads, DoubleClick dropped a cookie on your machine and made an entry for you in its database. It could then follow you as you visited other sites served by DoubleClick.

Not only would it know what sites you had visited, it would also be able to tell which ads had been so interesting that you clicked on them to find out more. If you visit health information sites and click on ads for BMW sedans, DoubleClick draws conclusions about your age, interests, and socioeconomic status, and will adapt its ad serving appropriately. You'll be seeing more ads for drugstore sites, high-end clothing, and possibly retirement communities. You'll see fewer ads for hip-hop CDs and fewer offers for trips to Daytona Beach during spring break.
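The tracking described above can be made concrete with a small simulation, added here as an illustration and not taken from DoubleClick or the original article; the class names, cookie format and `.example` site names are constructed assumptions. It also shows that a browser which discards the ad server's cookie receives a fresh ID on every visit, so its visits cannot be joined into one profile.

```python
import itertools
from collections import defaultdict

# Constructed sample data: publisher sites that all embed ads from one ad server.
SITES = ["bookstore.example", "health-info.example", "gaming.example"]

class AdServer:
    """Toy third-party ad server (hypothetical): profiles are keyed by cookie ID only."""
    def __init__(self):
        self._next_id = itertools.count(1)
        self.profiles = defaultdict(lambda: {"sites": [], "clicks": []})

    def serve_ad(self, cookie, referring_site):
        set_cookie = None
        if cookie is None:                      # first contact: mint a coded number
            cookie = f"id={next(self._next_id):08d}"
            set_cookie = cookie                 # would be sent as a Set-Cookie header
        self.profiles[cookie]["sites"].append(referring_site)
        return cookie, set_cookie

    def record_click(self, cookie, ad_name):
        self.profiles[cookie]["clicks"].append(ad_name)

class Browser:
    """Toy browser with a one-slot cookie jar for the ad server's domain."""
    def __init__(self, keep_third_party_cookies=True):
        self.jar = None
        self.keep = keep_third_party_cookies

    def visit(self, ad_server, site):
        cookie, set_cookie = ad_server.serve_ad(self.jar, site)
        if set_cookie and self.keep:
            self.jar = set_cookie               # stored, then replayed on later sites
        return cookie

def demo():
    server = AdServer()
    tracked = Browser()
    for site in SITES:
        tracked_id = tracked.visit(server, site)
    server.record_click(tracked_id, "bmw-sedan")
    # Same browsing pattern, but the ad server's cookie is never stored.
    blocked = Browser(keep_third_party_cookies=False)
    blocked_ids = [blocked.visit(server, site) for site in SITES]
    return {"tracked_profile": server.profiles[tracked_id],
            "blocked_ids": blocked_ids,
            "profile_count": len(server.profiles)}

if __name__ == "__main__":
    print(demo())
```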

Some privacy advocates saw even this much data collection as cause for concern. The advertising industry suggests that it benefits those consumers who are interested in viewing ads, since they will see more ads of value to them. As the debate continued, advertising agencies competed to develop technology for gleaning more information from this "impersonal" data since advertisers will want to have their ads shown to people who are prequalified as interested.

The merger of Abacus Direct into DoubleClick raised the ante considerably. As DoubleClick's online Privacy Statement states, the "non-personally identifiable information collected by DoubleClick in the course of ad delivery can be associated with a user's personally identifiable information if that user has agreed to receive personally-tailored ads." [Italics in original] Many, but not all, might feel that this is a reasonable quid pro quo: A user who wants personally tailored ads should understand that this requires personal information to be tied to ad serving.

However, the Privacy Statement goes on to detail other ways in which personal information can be tied with ad serving and surfing behavior. These include cases where a user registers on a website and cases where, in response to an ad, a user provides personal information - information such as would be needed to make a purchase at the advertiser's web site. In the first case, DoubleClick requests that web sites disclose the possibility in their own privacy statements. In the second, DoubleClick says that it will not use the personally identifiable information for ad serving except in an aggregate way.

Overall, "Abacus Online will maintain a database consisting of personally-identifiable information about those Internet users who have received notice that their personal information will be used for online marketing purposes and who have been offered the choice not to receive those tailored messages."

DoubleClick promises that it "will not associate any personally-identifiable medical, financial, or sexual preference information with an individual. Neither will it associate information from children." It also promises that it will maintain the confidentiality of all information it collects, and offers surfers the opportunity to opt out of all forms of DoubleClick targeting.

Privacy advocates see dangers in the very existence of such a database, and claim that an "opt out" policy is a very weak form of protection for most consumers, who will not read the DoubleClick privacy statement. Indeed, it is safe to say that most consumers have never read any privacy statement and have no idea who DoubleClick is.

The Center for Democracy and Technology launched a campaign and website to inform users about the collection of personally-identifiable data and to encourage them to opt out of the program. The potential dangers of such data collection were highlighted when, independent of this issue, the California HealthCare Foundation revealed that 21 health sites - including Yahoo.com and Drkoop.com - had released personal information about users in violation of their own privacy policies.

A California woman has filed a class action lawsuit against DoubleClick. She claims that the correlation of the "non-personal" cookie data and the "personally identifiable" data is being done without the users' consent.

Market Impact

Although there have been other skirmishes in the privacy conflict (see sidebar), this may be the first real battle. We doubt that the lawsuit itself will have much effect; it will probably drag through the courts for years. It will probably end up at the U.S. Supreme Court, which continues to struggle with the extent to which there are implied or explicit constitutional rights to privacy. But there is a possibility that publicity over the issue could affect both the ongoing Presidential campaign and the general level of user acceptance (or ignorance) of the current lack of controls.

The collection of information with cookies is certainly not going to be affected, and we think it highly unlikely (probability < 10%) that there will be any action that causes DoubleClick or its competitors, notably CMGI's Engage, to change course.

We do expect that the next Congress will finally come to grips with the regulation of data collected online, but that the emphasis will be on prohibiting certain kinds of re-use - such as letting insurance companies know which diseases an individual has researched in a search engine or medical site - rather than on collection. We believe, in fact, that the strongest regulation that is likely to occur will have no effect on what DoubleClick is now doing, and will find their current policies to be essentially compliant.

However, we also know that there are many potential security and privacy violations waiting to happen. The most recent ones, including thefts of credit card numbers, have been played down and don't seem to have resulted in much damage - or, if damage was done, it was covered up well. But, like airplane crashes, security problems will tend to group together, and there could be some threshold number or significant event that would catch the public's interest. As a result, limits could be placed on the industry's ability to either police itself or to use these techniques at all.

User Recommendations

A website that collects personal data - especially but not necessarily data that can be used to identify individuals - must take the protection of that data very seriously. There are three essential steps that must be taken.

First, determine exactly what information is needed and collect only that, no matter how tempting it might be to ask for more.

Second, develop a clear security policy and post it prominently. If possible, make your collection based on opt-in policies, but if that isn't feasible, accept that some people will want to opt out and make it easy for them to do so.

Third, contract for a serious security audit of all of your data. This should certainly look at your vulnerability to outside attack, but should also examine internal policies and the potential for employees to steal or misuse data. Ideally you should have - and take seriously - a policy that ensures that no personal data can be collected or used without a fairly high-level review.


January, 1999

Intel is forced to retract plans to ship the Pentium III processor with a processor serial number that can be tracked by programs and Web sites.

February, 1999

A New Hampshire company is found to be building a national photo database, using driver's license photographs obtained from motor license registries. The firm received funds and assistance from the U.S. Secret Service.

March, 1999

Private security consultant Richard Smith finds that the Windows 98 operating system attaches a globally unique identifier (GUID) to every document a user creates with Microsoft applications; the GUID also becomes known to any Microsoft website the user visits. Microsoft releases a patch to deactivate the "mistake."

June, 1999

DoubleClick and Abacus Direct announce their planned merger. Privacy groups object.

August, 1999

Amazon.com's "purchase circles," which allow surfers to look at aggregate purchasing histories of such groups as neighborhoods, employers, and professional organizations, are announced and criticized.

October, 1999

Congress fails to file legislation to protect electronically stored medical records.

November, 1999

The RealJukebox music software is found to routinely collect information and to covertly transmit it, along with personal information, to the program's creator, RealNetworks. A patch is released.

The Federal Trade Commission is lobbied to accept industry self-regulation in preference to regulatory control of online profiling.

Richard Smith discovers that, due to a fault in a Microsoft library, the data collected by Comet Systems, provider of a configurable cursor that changes as users surf the web, contained information that identified the individual user's machine. Comet immediately rewrites their software to eliminate the problem. CBS' 60 Minutes runs a segment on Internet privacy issues.

December, 1999

Richard Smith finds that many popular email systems allow senders of bulk commercial email to track the surfing behavior of people who merely read the email.

January, 2000

President Clinton uses his State of the Union message to declare "first and foremost, we have to safeguard our citizens' privacy."

Online auction house ReverseAuction.com settles the Federal Trade Commission's charges that it violated consumers' privacy by acquiring consumers' personal information from a competitor's site and then sending deceptive spam to those consumers soliciting their business.

Sources: Harper's Magazine and the Electronic Privacy Information Center


