MICHAEL GEIST
Thursday, February 10, 2000
Although Internet users regularly cite privacy as one of their primary concerns, technology and marketing companies seem to scarcely pay attention.
Last winter Intel released its Pentium III chip, which contained a unique identifier that permitted companies to track on-line activity. Its introduction raised great concern among privacy advocates who chided the company for developing Big Brother Inside. Following a major public protest and expressions of disapproval from law makers, Intel adjusted its chip to provide users with greater control over their privacy.
One year later, Doubleclick, an Internet advertising giant, has made moves that will make the Intel controversy seem like a minor annoyance.
The problem started with last year's merger of Doubleclick and Abacus Direct. The merger is a marketer's dream with the combined entity featuring Doubleclick's network of 11,000 Web sites (the sites use the company to serve up on-line advertising) and Abacus Direct's database of two billion consumer catalog transactions.
Privacy advocates immediately became concerned with the prospect of detailed consumer profiling and lobbied the U.S. Federal Trade Commission to block the merger. Although sympathetic to the privacy advocates' concerns, the FTC granted its approval in November.
Doubleclick has wasted little time in taking advantage of its marketing muscle. The company recently introduced a new service that provides advertisers with the opportunity to target their messages more precisely than ever. By matching off-line spending history with on-line browsing habits, Doubleclick has the ability to develop detailed, personally identifiable consumer profiles.
How does it do this?
When a user visits a Web site that is part of the Doubleclick system, a "cookie" is placed on the user's computer (the company has already placed about 100 million such cookies). Cookies are small text files that allow Web sites to recognize the particular user on future visits. They are used by many sites to provide personalized information or to automate the log-in process for password protected sites.
Although some analysts have in the past expressed concerns about the potential for cookies to track on-line surfing habits, Web site owners and marketers steadfastly maintained that cookies do not identify individuals and thus do not collect personally identifiable information.
Those assurances now ring hollow, for Doubleclick has introduced a new program where participating Web sites can link personalized information they have collected themselves to the cookie information collected by Doubleclick and the off-line purchasing information amassed by Abacus.
So, while you may never have revealed your name, address, or credit card information to Doubleclick, the company is now able to match that data with personal data obtained elsewhere, creating a detailed, personally identifiable profile.
The company defends the practice, aying users are warned about the potential collection and use of their private data, but few will be aware of the full implications.
In fact, a California woman recently launched a lawsuit against Doubleclick, alleging that it misrepresented its intention not to collect personal and identifying information. The suit claims the company has created a "sophisticated and highly intrusive means of collecting and cross-referencing private, personal information without the knowing consent of Internet users."
In practice, these developments may result in Web users finding advertising that seems to read their minds. For example, imagine I purchased some camping equipment from an off-line catalog several years ago. As a regular visitor to travel Web sites, I may occasionally provide personal information to a Doubleclick system Web site in order to receive e-mail updates on airfare or hotel specials.
By combining this data, Doubleclick can begin to develop a detailed profile of my interests and spending habits. I may begin to see ads popping up for camping destinations when I visit a travel Web site or I may receive a travel brochure from a competitive firm in the mail.
While some claim that this is done for my benefit -- I'm getting advertising that's tailored to my interests -- I may not want to feel as if my every move is fodder for a marketing database.
Moreover, the Doubleclick approach suggests that the company is entitled to collect my personal data as a matter of course, and that I must take steps to stop it from doing so. I would prefer to think that my private data belongs to me, with marketers required to explicitly ask for my permission for its collection and use.
Sadly, Doubleclick's brazen defence of its practices suggests that in the absence of legislative protection, such as Canada's Bill C-6, consumer profiling may simply be the way the privacy cookie crumbles.
Michael Geist is a law professor at the University of Ottawa School of Law specializing in Internet and electronic-commerce law. He can be reached at mgeist@uottawa.ca and on the Web at http://www.lawbytes.com.
Tech News
