Online ads may track more than you know

It's no secret that most commercial Web sites place files called "cookies" on a visitor's hard drive that can be used in ways that are beneficial to the individual, such as storing passwords or favorite stock ticker symbols. Cookies also can perform tasks that are solely for the benefit of the Web site's owner, such as recording where a visitor goes and which route he or she takes to get there.

Concern over this surveillance capability has caused many Web sites to post statements that detail exactly what type of information the site is collecting and how it is used. Typically, they state that cookies are used to obtain aggregate information and that the data is not linked to an individual user.

Consumers worried about losing their privacy and advertisers that fear a potential backlash are increasingly expressing concern over disclosure of tracking policies. Just this week, for example, Intel said it would pull its ads from Web sites that don't clearly post such privacy policies, following similar moves by Microsoft and IBM.

But those moves may not be enough. Last week, a study conducted by research firm Jupiter Communications found that 64 percent of Web users don't trust the sites they visit--even when those sites post privacy policies.

One concern, according to privacy advocates, is that these privacy statements say little about additional cookies that advertisers can place on a user's hard drive.

"There are usually in these policies elaborate loopholes and emergency exits, and they seldom live up to what the consumer wants, which is that information is collected only by consent and is limited," said Jason Catlett, president of Junkbusters, a group that lobbies against what it calls "invasive marketing."

Catlett and other privacy advocates say they are not concerned with the use of cookies, but rather with the lack of a clear policy stating that third parties also may be using cookies to collect data about site visitors.

The analogy would be if Sears were to post a warning on its doors that surveillance cameras are used to deter crime and track down thieves, but the notice failed to mention that a vacuum cleaner company also has installed video cameras to monitor the habits of Sears' shoppers.

Different rules?
The Internet is not alone in collecting data about its customers. If a consumer uses a discount card at a grocery store, for example, everything he or she purchases is recorded in a massive database. When someone mails in a registration card for a new PC, chances are he or she will soon receive free computer magazines because the manufacturer shared their data with publishers.

The Internet is unique, however, in the sense that many people do not understand the underlying technology. That--coupled with the knowledge that information can be gathered and stored--creates fear. And the fear potentially could thwart the growth of e-commerce because consumers are willing to keep their wallets closed until they are reassured.

Jupiter projected that $18 billion could be trimmed from an estimated $40 billion in e-commerce sales in 2002 if privacy concerns are not alleviated.

"Web sites haven't really looked into why consumers are scared," Jupiter analyst Michele Slack said. To fix the problem, "sites need to actively promote their efforts among consumers to start pushing back their fears."

One place to start could be to offer more information about third-party cookies.

Yahoo's privacy policy, for example, tells visitors that the portal uses cookies "to store and sometimes track information" about visitors. The policy goes on to say that Yahoo generally "will not disclose any of your personally identifiable information except when we have your permission or under special circumstances," such as a subpoena.

But the assurances do not apply to the cookies that are issued by third-party companies that serve banner ads or other content on Yahoo. "Advertising networks that serve ads onto Yahoo may also use their own cookies," the policy says, providing no further information, such as who the third parties are, what they gather, and how they use the data.

Similarly, the policy posted on the New York Times site warns that some of the ads it carries "may contain cookies that are set by third parties." It then suggests that readers contact advertisers "for more information on these cookies." Policy statements from several other sites also fail to provide details on third-party cookies, though all the sites, including Yahoo and the New York Times, provide information on how to reject cookies.

Targeting ads
Just as ad agencies for years have helped companies get the most from buying ads in magazines and commercials on television, firms such as DoubleClick, MatchLogic, and AdForce profess to help online advertisers target ads to a particular audience by tracking Web users' demographics and online moves. These services also make sure a person doesn't see the same banner ad repeatedly, even when traveling across multiple Web sites.

Privacy advocates say a function of this ad-friendly technology is the ability to compile detailed histories of individual users. For example, DoubleClick, the largest online advertising agency, with a network of more than 9,000 sites, can build detailed "clickstream" histories showing exactly which sites a person visits and in what order.

DoubleClick in theory could compile a report showing that a user each day accesses information about biotechnology stocks from one site, retirement plans from another, and medical conditions from a third.

Although the potential is there, New York City-based DoubleClick says its client contracts prevent it from sharing user information gleaned from one site with representatives from a competing site.

The company also says fears that it can build detailed databases of users' browsing habits across multiple Web sites are exaggerated. The vast majority of cookies and other tracking information compiled about users stays with the particular Web site where the cookie was issued, preventing the information from ending up in a central database, a company spokeswoman explained.

David Rosenblatt, a DoubleClick vice president, conceded that the company has the "physical ability to generate those [central] reports," but noted that "we absolutely do not and never will." Moreover, Rosenblatt said, the company does not attach a person's name or other identifying information to cookies it issues, calling the process "completely anonymous."

But the question remains: Should Web sites be obligated to update their privacy statements to reflect the use of cookies by DoubleClick and other third parties?

"We've pretty clearly explained our use of cookies and more generally what cookies are, what they can be used for, and why people use them," said Srinija Srinivasan, editor in chief at Yahoo. "It's unreasonable to expect Yahoo to think about all the ways an entity in the world might use information and cross it to other information."

New York Times spokeswoman Lisa Carparelli said the site allows third parties to track users' movements only within the site. The promise, however, is not reflected in the Times' policy.

"Unfortunately, at a certain point, it becomes the responsibility of the third party," said Carparelli. "Unfortunately, the boundaries as to when that happens are not and have not been clearly defined within the industry."

Most Web sites with privacy statements follow the model proscribed by Truste, a nonprofit group that acts as a privacy watchdog. Truste says it must be realistic about what information should be included in privacy statements.

"There's no end to creativity and how people are using this technology," said Bob Lewing, Truste's executive director. Lewing noted that Truste is working on the fifth version of its model privacy statement.