The leakage was discovered by Richard Smith, an increasingly famous Internet security consultant, who said the problem is not limited to Intuit but appears at sites across the Web. So far, he has noticed similar problems at nearly 15 sites, including Travelocity.com and Buy.com. In October, Smith alerted AltaVista that it was sending people's home addresses to DoubleClick, an Internet advertising firm.
Intuit was at first unaware of the problem and didn't quite understand it, said Smith. Once the company had more information, it began to address the problem.
"It's an artifact of HTML coding," said Brooks Fisher, Intuit's vice president, referring to Hypertext Markup Language, a collection of commands that are used to create Web pages. When the GET command--which allows users to input data into Web forms--is used, it builds a URL, or a specific page on the Net. Unfortunately, it also includes information from the previous page in the Web address, Intuit said.
"When we first heard about it, it didn't make any sense," said Fisher. "It is a fairly sophisticated notion."
Fisher said that within two hours the company pulled ads supplied by DoubleClick in its loans and mortgage sections.
"We have a contract with DoubleClick that prevents them specifically from collecting any personal information from our sites," said Fisher, quickly adding that none of the information keyed into those calculators was personally identifiable.
Smith pointed out, however, that each time data is sent, it is sent with a DoubleClick "cookie." Cookies are small data files stored on a computer hard drive that contain information a site can use to track such things as passwords. "The danger here is that all that info could be tied together."
Smith added that the "data spillage" is usually a mistake, but it has been going on for years. The problem basically means that most Web sites are violating their privacy policies, even if unintentionally, Smith said.
The leaks occur when a design glitch allows information typed into forms on the Web to be sent accidentally to companies that provide banner advertisements to sites on the Internet. Once again, DoubleClick finds itself at the center of the privacy storm.
"Because of its reach, DoubleClick seems to be the main recipient of this information," said Smith. "What troubles me is the fact that DoubleClick should notice this problem and be more proactive about getting sites to fix it."
The Federal Trade Commission is currently holding an inquiry to determine whether DoubleClick is unlawfully collecting data on consumers' surfing and shopping habits on the Net and then selling the information to third-party advertisers.
The probe comes at a time when federal investigators are increasing their scrutiny of how online companies maintain consumers' privacy, following numerous complaints from consumers and privacy groups.
DoubleClick could not be reached for comment at this time.
In the case of Intuit, information that users were typing into Quicken.com's mortgage and credit-assessment calculators, including a person's annual salary and total assets, was being sent to DoubleClick.
"If you're a Web programmer, you should realize what is going on," Smith said.
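The spill described above, as an added example that is not from the article or from any company named in it: a form submitted with GET puts the typed values into the result page's URL, and the browser hands that URL to the banner's server in the Referer header. The article does not name the header; the hosts, field names and values below are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data: hosts, paths and form fields are invented.
GET_RESULT = "https://calc.example/mortgage/result?salary=85000&assets=240000"
POST_RESULT = "https://calc.example/mortgage/result"  # same form sent with POST
EMBEDDED = [
    "https://calc.example/static/logo.gif",            # first-party image
    "https://ads.adnetwork.example/banner?slot=top",   # third-party banner
]

def referer_for(page_url, resource_url, policy):
    """Referer value the browser attaches when page_url loads resource_url.

    Simplified model of three Referrer-Policy values; "unsafe-url" sends the
    full page URL, as browsers did by default before Referrer-Policy existed.
    """
    page, res = urlsplit(page_url), urlsplit(resource_url)
    same_origin = (page.scheme, page.netloc) == (res.scheme, res.netloc)
    if policy == "no-referrer":
        return None
    if policy == "strict-origin-when-cross-origin" and not same_origin:
        return f"{page.scheme}://{page.netloc}/"
    return page._replace(fragment="").geturl()

def spilled_fields(page_url, resources, policy="unsafe-url"):
    """Map each third-party host to the form fields it receives via Referer."""
    page_host = urlsplit(page_url).hostname
    leaks = {}
    for resource in resources:
        host = urlsplit(resource).hostname
        if host == page_host:
            continue  # first-party request, not a spill
        referer = referer_for(page_url, resource, policy)
        fields = dict(parse_qsl(urlsplit(referer).query)) if referer else {}
        if fields:
            leaks[host] = fields
    return leaks

if __name__ == "__main__":
    print("GET :", spilled_fields(GET_RESULT, EMBEDDED))
    print("POST:", spilled_fields(POST_RESULT, EMBEDDED))
    print("GET + policy:",
          spilled_fields(GET_RESULT, EMBEDDED, "strict-origin-when-cross-origin"))
```

Submitting the form with POST, or serving the result page with a restrictive Referrer-Policy, keeps the typed values out of the banner request.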