New Web tracking service raises old privacy concerns

Cogit.com says it negotiated an exclusive agreement with Polk, a long-established source of databases on households.

According to Cogit's privacy policy, whenever a person gives a participating Web site his or her name, address or other identifying information, Cogit runs it through Polk's database.

If there's a match, Cogit creates a profile of the person's demographic information. Polk's rate card says its database includes income, net worth, bankruptcies, home value, cars owned, religion, ethnic group, "inferred lifestyles" (such as investments) and many other details.

A unique serial number for the profile is created and then stored as a cookie on the consumer's browser, the policy says.

Cogit's privacy policy emphasizes that the firm "removes the name, address and all other information that could be used to specifically identify the individual whose profile is created."

But privacy advocate Lauren Weinstein says, "It doesn't matter if they throw away the address and phone information, because they've already created a unique profile on you."

Weinstein last year co-founded the not-for-profit educational group People for Internet Responsibility with Peter Neumann, a committee chair of the Association for Computing Machinery.

To add insult to injury, Weinstein says, Cogit's "opt-out" page gives concerned Web surfers a false sense of security. Weinstein found that Cogit's opt-out page doesn't work if JavaScript or cookies are disabled in a person's browser.

Many Web surfers turn off features like these for security reasons. If either feature is disabled, Weinstein says, a person's opt-out doesn't take place. But no error message is displayed, and "the person is left looking at a page saying that they were opted out."

Cogit's vice president of marketing, Hollis Chin, said the company is working on the issue of cookies being turned off.

"We were made aware of that just last week," Chin said. "If you've turned off JavaScript, you need to go back in and turn on JavaScript."

Regardless of Cogit's policies, the mere idea of matching the sites Web surfers visit with their behavior in the physical world has computer users clicking madly in protest.

In the DoubleClick case, the Electronic Privacy Information Center filed a complaint with the FTC in February. The complaint seeks to prohibit DoubleClick from collecting personal information using cookies without an individual's informed consent. DoubleClick halted its plans until federal privacy policies were clarified.

Many e-commerce providers, of course, use cookies to track how long visitors look at different Web pages in a single site.

These "passive" cookies don't usually raise privacy concerns--but when a unique serial number can be used by multiple sites, the sparks begin to fly.

Once a unique identifier is placed on a person's PC, it's easy for a company to use it to identify an individual, say Internet security experts. Consultant Richard Smith has shown that banner ads you view on Web sites can relay your personal information to DoubleClick and other tracking services.

The types of information that Smith has demonstrated being sent include email addresses and physical addresses stored in your browser. In other cases, banner ads relayed the search phrases Smith entered at Web sites, such as "diabetes" at the medical site Drkoop.com.

To prevent uploads like these, some Web surfers install software such as the free IDcide Privacy Companion. This program allows Web sites to use passive cookies while blocking transmissions to tracking services.

Cogit's corporate name is based on the Latin phrase cogito ergo sum, "I think, therefore I am." The way some Web sites use cookies, Web surfers might say, "I surf, therefore you know who I am."

Do you know of a problem affecting consumers? Send info to tips@BrianLivingston.com. He'll send you a book of high-tech secrets free if you're the first to submit a tip he prints.