Is DoubleClick privacy plan adequate?

The Internet advertising giant announces a series of steps to mute a chorus of criticism over its online privacy policies, but consumer advocates say the measures don't go far enough.

Evan Hansen Staff Writer, CNET News.com
Department Editor Evan Hansen runs the Media section at CNET News.com. Before joining CNET he reported on business, technology and the law at American Lawyer Media.
Evan Hansen
5 min read
Internet advertising giant DoubleClick today announced a series of steps to mute a chorus of criticism over its online privacy policies, but consumer advocates said the measures don't go far enough.

The company said it has launched an educational Web site, PrivacyChoices.org, to inform users about online privacy and make it easier to opt out of DoubleClick's profiling network--a system that places digital tags known as "cookies" on personal computers to target ads to viewers based on their interests. The company said it will promote the site in an ad campaign on the Internet and in major newspapers.

Cookies can be useful to Internet users, for example, by storing passwords and other sign-on information for easy retrieval. But privacy advocates say they oppose DoubleClick's use of cookies because it allows the company to track online activities without the explicit consent of Internet users.

DoubleClick says its opt-out system gives users fair warning of the practice, while privacy advocates say the system does not provide genuine informed consent.

Today, DoubleClick announced a five-point initiative aimed at addressing its critics. The company said it will only take advertisements from businesses that have a data-collection policy, although it won't set guidelines for those policies. The company also said it will allow consumers to refuse to accept its cookies with two clicks--a process some users had found confusing in the past.

In addition, DoubleClick said it will bolster oversight of its privacy policies by hiring outside auditors to confirm it is complying with its own standards; soliciting the recommendations of consumer advocates and security experts to shape such policies; and creating the position of chief privacy officer within the company.

But privacy advocates, who have doggedly challenged the company's practices, immediately rejected the announced initiatives as inadequate.

"DoubleClick is launching an advertising campaign because they're trying desperately to avoid legislation" that would make it illegal to assign cookies without prior consent, said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC).

EPIC last week filed a complaint against DoubleClick with the Federal Trade Commission, charging that the firm engaged in deceptive practices.

Rotenberg spoke in an audio conference today with other consumer groups that blasted the advertising firm's profiling practices.

"The default is collection," said Jeff Chester, of the Center for Media Education. "The FTC has to crack down on this deceptive kind of advertising. Congress must act as well."

Pressure on DoubleClick to bolster its privacy policies has mounted since it completed a $1.7 billion merger late last year with data-collection agency Abacus Direct, a company that works with offline catalog companies. The acquisition has fueled fears among privacy advocates that the combined companies could share data to create all-inclusive consumer profiles bridging both online and offline activities and buying habits.

Those fears came to a head last month, when DoubleClick changed its privacy policy to link its database of consumer profiles with data gleaned from cookies and to make that information available to members of a new advertising network, known as the Abacus Alliance.

In the past, if a person named Jane Doe had a DoubleClick cookie that detected that she loved golf-related sites, the company could show her ads for sports-related content. Under the new policy, DoubleClick will know a lot more about her: that her name is Jane Doe, and that she used to buy sweaters and pants via Company X's catalog but hasn't done so for years. However, Jane did buy a coat online last month. Now DoubleClick can advise Company X to target Jane with Net ads instead of sending her a catalog.

DoubleClick has collected about 100,000 personal profiles.

At the core of privacy advocates' complaints is that DoubleClick expects consumers who don't want to give up personal data to opt out of their data-collection network. Advocates say it should be the other way around. DoubleClick and its partners should get consumers' clear consent before giving them a cookie, which can lead to the creation of a personally identifiable profile on a consumer.

DoubleClick president Kevin Ryan quoted surveys conducted by the company concluding that a majority of consumers queried said they preferred receiving advertisements that address their preferences. That is why, among other things, DoubleClick offers the opt-out model as opposed to one in which individuals have to sign up to be part of the program, he said.

"We do not work with Web sites that don't offer opt-out," Ryan said in an interview.

Privacy advocates say that for now, consumers should opt out of DoubleClick's system. Richard Smith, a well-known computer security expert, explained why. He said he that during the past few months, he used a "packet sniffer" to monitor what information DoubleClick banner ads were gathering from him through the cookie it assigned to him. The company had access to many more personal details than consumers may imagine, he said.

"They are getting a lot of data there that they shouldn't be getting," Smith said.

For example, dozens of Web sites were transmitting information to DoubleClick ad servers, such as his email address, full name, mailing address and phone number, that could be tied to Smith through the unique ID number on his DoubleClick cookie. Transactional data he said was sent to DoubleClick included names of VHS movies he was interesting in buying, details of a plane trip and health conditions he researched.

In addition, privacy advocates accused DoubleClick of effectively trying to fool people into giving away their privacy.

"Our goal is to make sure that privacy is protected based on informed consent," said Evan Hendricks, editor of the Privacy Times, a privacy information Web site. "Their opt-out model doesn't add up to informed consent."

Privacy groups point to last month's policy switch, which they say came without warning, as an example of the company's tactics.

But Ryan said his company plainly stated plans to link offline consumer purchases with online activities in press interviews four months ago. He said the announcement came about the same time as the merger with Abacus.

Ryan added that privacy concerns need to be balanced with other legitimate commercial interests on the Net.

"There is a balance the Internet needs to reach," Ryan said. "Privacy issues need to be dealt with, and we feel we have addressed those concerns; there needs to be an effective way to sell advertisements."