DoubleClick is a leading provider of Internet-based advertising services. The company places messages on behalf of advertisers on Web sites that are part of the "DoubleClick Network," which consists of highly-trafficked Web sites grouped together by DoubleClick in defined categories of interest. The DoubleClick Network consists of more than 1,000 companies that have agreed to display DoubleClick advertising on the Web sites they operate and to enable the placement of "cookies" on the computers of Internet users who visit their Web sites. These include AltaVista, The Dilbert Zone, Macromedia, U.S. News Online, PBS Online, Multex Investor Network, Travelocity and Major League Baseball.
The EPIC complaint focuses on DoubleClick's Dynamic Advertising Reporting and Targeting (DART) technology. DART uses "cookies" to keep track of online usage by individual browsers who visit web sites with DoubleClick managed ads. When a user is first "served" an ad, DoubleClick assigns the user a unique number and records that number in the "cookie" file of the user's computer (usually without the user's knowledge or consent). When the user subsequently visits a Web site on which DoubleClick serves ads, DoubleClick reads and records that unique number, and also notes the type of content being viewed. As a user visits Web sites that utilize DoubleClick's technology, DART collects information regarding the user and his or her viewing activities and ad responses. This information is then aggregated in a dataase and used to personalize the ads people see when they visit any of the DoubleClick network of Web sites. This use of cookies to create profiles on online user activity is not unique to DoubleClick and is also utilized by many of its competitors.
DoubleClick describes DART as a technology which matches advertiser-selected target profiles with individual user profiles and delivers an appropriately targeted ad. In contrast, the complaint filed by EPIC alleges that:
"DoubleClick Inc. has engaged, and is engaging, in unfair and deceptive trade practices by tracking the online activities of Internet users and combining that tracking data with detailed personally-identifiable information contained in a massive, national marketing database. DoubleClick Inc. engages in these activities without the knowledge or consent of the affected consumers, and in contravention of public assurances that the information it collects on the Internet would remain anonymous."
Except with respect to advertising to children, the FTC does not currently have any specific statutory authority over online advertising or data collection processes, unless they are unfair and deceptive. While there are several bills pending in the Congress which would expand the authority of the FTC with respect to privacy issues, the FTC has to date limited the situations where it takes action to those where a company has published a privacy policy and then violates that policy.
A privacy policy published by DoubleClick in 1997 stated that "DoubleClick does not know the name, e-mail address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous." DoubleClick's business partners have similarly represented that DoubleClick cookies generated at their Web sites were anonymous and that no personally-identifiable information would be collected by DoubleClick or its business partners as a result of the placement of DoubleClick cookies. However, a recent merger with Abacus Direct Corporation, a leading provider of specialized consumer information and analysis for the direct marketing industry, would permit DoubleClick to combine anonymous Internet profiles in the DoubleClick database with the personal information contained in the Abacus database. More than 1,050 direct marketers are reported to have contributed their customers' purchasing histories to Abacus for inclusion in its database. As of December 31 1998, the Abacus database contained over 88 million detailed buyer profiles compiled from records of over 2 billion catalog purchasing transactions.
The EPIC Complaint also expresses concern about DoubleClick's opt-out policy which purports to offer users the ability to "opt-out" of the information sharing. Some third-party Web sites that generate DoubleClick cookies do inform users of their relationship with DoubleClick and that DoubleClick places cookies on the computers of users who visit such third-party sites. However, users are rarely given notice by such third-party Web sites that they need to visit the DoubleClick Web site in order to understand DoubleClick's data collection activities or learn about any available "opt-out" procedures. Other Web sites which partner with DoubleClick have reportedly continued to assure users that they will remain anonymous. EPIC would like the FTC to, among other things, order DoubleClick "to obtain the express consent of any Internet user about whom DoubleClick intends to create a personally-identifiable record, and to develop such means as are necessary to ensure that the user has access to the complete contents of the record".
DoubleClick is not alone in having come to the attention of privacy advocates. Last fall, Real Networks came under fire for its collection of information from people who use its RealJukebox software to play CDs on their computers. The information transmitted to Real Networks, each time the program is used, includes the user's music preferences, the number of songs stored on the user's hard disk and a unique identifier which is assigned to the user when the software is registered. The IP address of the user's computer would also be revealed as part of each transmission. This information can then be combined with the user's e-mail address and ZIP code, both of which must be provided during the registration process. Users who register for the PRO version of the product would also have their name, credit card number and mailing address, combined with the other information. In response to public criticism, Real Networks released a patch on their Web site that would disable the automatic transmission of the usage information to Real Networks.
There are many ways in which your online privacy can be compromised. The following are some tips for protecting yourself (from ):
. Some Web sites require cookies in order to navigate within the site and it is not usually feasible to configure Web browsers to automatically reject all cookies.However, Web browsers can be configured to ask for approval before accepting new cookies.
. On a periodic basis (daily or weekly), you should delete all stored cookies (or at least all cookies except those you specifically decide to retain).
. Configure your browser to operate with more than one user profile. This would, in effect, provide you with multiple identities. You may also want to review the various software programs that can "manage" multiple online identities.
. Install "ad blocking" software on your computer. If the display of an ad is suppressed, your browser will not initiate a communication with the ad management company.
. Install personal firewall software on your computer which requires you to explicitly authorize each software program that is permitted to communicate with the out side world. This will reduce your vulnerability to soft-ware programs that install "trojan horses" which can be used by hackers to access your computer.
. Conduct searches for new domain names only on reputable domain name databases. An unscrupulous operator of a domain name database could review logs of recent searches and then itself register names that were searched but not immediately registered.
. Conduct confidential Web keyword searches only on Internet search engines which do not permit third parties to view recent searches. Many popular search engines allow third parties to monitor searches being performed on their indexes.
. Avoid using services such as Alexis which is used to follow you around while you surf the Web.
. If you use Netscape Navigator, be sure to turn off the "Smart Browsing/What's Related" feature.
. Make sure your browser does not know your e-mail address. Such addresses can be easily extracted by Web sites you visit.
. If possible, avoid subscribing to an "always on" Internet service (such as from your cable company) if the company will assign your PC an Internet Protocol (IP) address which will remain constant. Bell Sympatico's High Speed DSL service will force a different IP address on your computer every few hours. Visit to check if your computer is always being assigned the same IP address and to also view what other valuable information is being disclosed by your computer. Also, turn off your computer or disconnect the modem when not in use.
. If you want to visit Web sites with greater anonymity, consider using a service such as Anonymizer at
. Delete confidential client documents from your home computer after you have finished working on them and transferred them to the office computer.
. Use virus protection software to scan all new software you download from the Internet.
. Avoid purchasing a computer with an Intel Pentium III processor unless it permits you to turn off the ability to read the unique serial number embedded in each such processor.
. When installing new software that requires registration, choose an offline registration mechanism (for instance, print and fax the registration) rather than permitting the software to communicate with the vendor directly through the Internet.
Alan Gahtan is a Toronto-based lawyer with Bennett Jones whose practice is concentrated in the information technology and e-commerce law area. Mr. Gahtan is Chair of the Information Technology and E-Commerce Law Section of the Canadian Bar Association (Ontario) and former Chair of the Toronto Computer Lawyers Group.