Event Summary

Abacus Direct was a direct marketing specialist that had a great deal of information about
individuals - more than two billion records of catalog transactions. Do you
buy from the Sharper Image catalog? Did you send money when you received those
free address labels in the mail? Do you use your supermarket's affinity card
to buy organic yogurt and diet Dr. Pepper? Chances are that Abacus Direct or
a similar company knows all about it. So, when Internet advertising leader DoubleClick
bought Abacus Direct for $1.7 billion, alarm bells went off for privacy advocates,
as well as in the offices of the Federal Trade Commission.

Before the acquisition DoubleClick knew you by a coded number. It knew that you visited
this bookstore site, that health information site, and, yes, even the online
gaming site. The first time you visited any of the 11,500 Web sites using DoubleClick
to serve ads, DoubleClick dropped a cookie on your machine and made an entry
for you in its database. It could then follow you as you visited other sites
served by DoubleClick.

Not only would it know what sites you had visited, it would also be able to tell
which ads had been so interesting that you clicked on them to find out more.
If you visit health information sites and click on ads for BMW sedans, DoubleClick
draws conclusions about your age, interests, and socioeconomic status, and will
adapt its ad serving appropriately. You'll be seeing more ads for drugstore
sites, high-end clothing, and possibly retirement communities. You'll see fewer
ads for hip-hop CDs and fewer offers for trips to Daytona Beach during spring
break.

Some privacy advocates saw even this much data collection as cause for concern.
The advertising industry suggests that it benefits those consumers who are interested
in viewing ads, since they will see more ads of value to them. As the debate
continued, advertising agencies competed to develop technology for gleaning
more information from this "impersonal" data since advertisers will want to
have their ads shown to people who are prequalified as interested.

The merger of Abacus Direct into DoubleClick raised the ante considerably. As
DoubleClick's online Privacy Statement states, the "non-personally identifiable
information collected by DoubleClick in the course of ad delivery can be
associated with a user's personally identifiable information if that user
has agreed to receive personally-tailored ads." [Italics in original] Many,
but not all, might feel that this is a reasonable quid pro quo: A user who wants
personally tailored ads should understand that this requires personal information
to be tied to ad serving.
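
The linkage described above, as an added illustration that is not DoubleClick's code or part of the original article: a cookie ID groups ad requests across sites, and a single identified event ties that whole history to offline records. The log entries, site names, the person, the offline records and the opt-out set are all constructed for the example.

```python
from collections import defaultdict

# Constructed ad-server log (all values made up): (cookie, site, event, detail).
AD_LOG = [
    ("c-1001", "books.example",  "impression", "novels"),
    ("c-1001", "health.example", "impression", "pharmacy"),
    ("c-1001", "health.example", "click",      "bmw-sedan"),
    ("c-2002", "games.example",  "impression", "spring-break"),
    ("c-1001", "shop.example",   "form",       "Pat Doe|02139"),
    ("c-2002", "books.example",  "impression", "novels"),
    ("c-3003", "health.example", "click",      "pharmacy"),
]
# Constructed offline purchase records keyed by (name, zip).
OFFLINE = {("Pat Doe", "02139"): ["gadget catalog", "organic yogurt"]}
OPTED_OUT = {"c-3003"}  # cookies carrying an opt-out marker (assumed mechanism)


def build_profiles(log, opted_out=frozenset()):
    """Group events by cookie ID, the only key the ad server needs."""
    profiles = defaultdict(lambda: {"sites": set(), "clicks": [], "identity": None})
    for cookie, site, event, detail in log:
        if cookie in opted_out:
            continue  # opt-out honoured: nothing is recorded for this cookie
        p = profiles[cookie]
        p["sites"].add(site)
        if event == "click":
            p["clicks"].append(detail)
        elif event == "form":
            name, zip_code = detail.split("|")
            p["identity"] = (name, zip_code)  # one identified event is enough
    return dict(profiles)


def link_offline(profiles, offline):
    """Join identified cookie profiles to offline records by (name, zip)."""
    linked = {}
    for p in profiles.values():
        if p["identity"] in offline:
            # Earlier browsing under this cookie is now tied to a named person.
            linked[p["identity"][0]] = {
                "sites": sorted(p["sites"]),
                "clicks": p["clicks"],
                "offline": offline[p["identity"]],
            }
    return linked


if __name__ == "__main__":
    print(link_offline(build_profiles(AD_LOG, OPTED_OUT), OFFLINE))
```

The health-site visit and the ad click were logged before the form was submitted, yet both end up in the named record; cookie c-2002 never submits a form and stays pseudonymous.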

However, the Privacy Statement goes on to detail other ways in which personal information
can be tied with ad serving and surfing behavior. These include cases where
a user registers on a website and cases where, in response to an ad, a user
provides personal information - information such as would be needed to make
a purchase at the advertiser's web site. In the first case, DoubleClick requests
that web sites disclose the possibility in their own privacy statements. In
the second, DoubleClick says that it will not use the personally identifiable
information for ad serving except in an aggregate way.

Overall, "Abacus Online will maintain a database consisting of personally-identifiable
information about those Internet users who have received notice that their personal
information will be used for online marketing purposes and who have been offered
the choice not to receive those tailored messages."

DoubleClick promises that it "will not associate any personally-identifiable medical, financial,
or sexual preference information with an individual. Neither will it associate
information from children." It also promises that it will maintain the confidentiality
of all information it collects, and offers surfers the opportunity to opt out
of all forms of DoubleClick targeting.

Privacy advocates see dangers in the very existence of such a database, and claim that
an "opt out" policy is a very weak form of protection for most consumers, who
will not read the DoubleClick privacy statement. Indeed, it is safe to say that
most consumers have never read any privacy statement and have no idea who DoubleClick
is.

The Center for Democracy and Technology launched a campaign and website to inform
users about the collection of personally-identifiable data and to encourage
them to opt out of the program. The potential dangers of such data collection
were highlighted when, independent of this issue, the California HealthCare
Foundation revealed that 21 health sites - including Yahoo.com and Drkoop.com
- had released personal information about users in violation of their own privacy
policies.

A California woman has filed a class action lawsuit against DoubleClick. She claims
that the correlation of the "non-personal" cookie data and the "personally identifiable"
data is being done without the users' consent.

Market Impact

Although there have been other skirmishes in the privacy conflict (see sidebar), this
may be the first real battle. We doubt that the lawsuit itself will have much
effect; it will probably drag through the courts for years. It will probably
end up at the U.S. Supreme Court, which continues to struggle with the extent
to which there are implied or explicit constitutional rights to privacy. But
there is a possibility that publicity over the issue could affect both the ongoing
Presidential campaign and the general level of user acceptance (or ignorance)
of the current lack of controls.

The collection of information with cookies is certainly not going to be affected,
and we think it highly unlikely (probability < 10%) that there will be any action
that causes DoubleClick or its competitors, notably CMGI's Engage, to change
course.

We do expect that the next Congress will finally come to grips with the regulation
of data collected online, but that the emphasis will be on prohibiting certain
kinds of re-use - such as letting insurance companies know which diseases an
individual has researched in a search engine or medical site - rather than on
collection. We believe, in fact, that the strongest regulation that is likely
to occur will have no effect on what DoubleClick is now doing and will find
its current policies to be essentially compliant.

However, we also know that there are many potential security and privacy violations waiting
to happen. The most recent ones, including thefts of credit card numbers, have
been played down and don't seem to have resulted in much damage - or, if damage
was done, it was covered up well. But, like airplane crashes, security problems
will tend to group together, and there could be some threshold number or significant
event that would catch the public's interest. As a result, limits could be placed
on the industry's ability to either police itself or to use these techniques
at all.

User Recommendations

A website that collects personal data - especially but not necessarily data
that can be used to identify individuals - must take the protection of that
data very seriously. There are three essential steps that must be taken.

First, determine exactly what information is needed and collect only that, no matter
how tempting it might be to ask for more.

Second, develop a clear security policy and post it prominently. If possible, make your
collection based on opt-in policies, but if that isn't feasible, accept that
some people will want to opt out and make it easy for them to do so.

Third, contract for a serious security audit of all of your data. This should certainly
look at your vulnerability to outside attack, but should also examine internal
policies and the potential for employees to steal or misuse data. Ideally you
should have - and take seriously - a policy that ensures that no personal data
can be collected or used without a fairly high-level review.

A SAMPLING OF RECENT ISSUES IN ELECTRONIC PRIVACY

January, 1999
Intel is forced to retract plans to ship the Pentium III processor with a processor serial number that can be tracked by programs and Web sites.

February, 1999
A New Hampshire company is found to be building a national photo database, using driver's license photographs obtained from motor license registries. The firm received funds and assistance from the U.S. Secret Service.

March, 1999
Private security consultant Richard Smith finds that the Windows 98 operating system attaches a globally unique identifier (GUID) to every document a user creates with Microsoft applications; the GUID also becomes known to any Microsoft website the user visits. Microsoft releases a patch to deactivate the "mistake."

June, 1999
DoubleClick and Abacus Direct announce their planned merger. Privacy groups object.

August, 1999
Amazon.com's "purchase circles," which allow surfers to look at aggregate purchasing histories of such groups as neighborhoods, employers, and professional organizations, are announced and criticized.

October, 1999
Congress fails to file legislation to protect electronically stored medical records.

November, 1999
The RealJukebox music software is found to routinely collect information and to covertly transmit it, along with personal information, to the program's creator, RealNetworks. A patch is released.
The Federal Trade Commission is lobbied to accept industry self-regulation in preference to regulatory control of online profiling.
Richard Smith discovers that due to a fault in a Microsoft library the data collected by Comet Systems, provider of a configurable cursor that changes as users surf the web, contained information that identified the individual user's machine. Comet immediately rewrites their software to eliminate the problem. CBS' 60 Minutes runs a segment on Internet privacy issues.

December, 1999
Richard Smith finds that many popular email systems allow senders of bulk commercial email to track the surfing behavior of people who merely read the email.

January, 2000
President Clinton uses his State of the Union message to declare "first and foremost, we have to safeguard our citizens' privacy."
Online auction house ReverseAuction.com settles the Federal Trade Commission's charges that it violated consumers' privacy by acquiring consumers' personal information from a competitor's site and then sending deceptive spam to those consumers soliciting their business.

Sources: Harper's Magazine and the Electronic Privacy Information Center