From Privacy Times, February 18, 2000

CRISIS CONTROL @ DOUBLECLICK: FTC,
MICHIGAN & NY; STOCK TAKES HIT

DoubleClick, saw its stock dive more than four percent on Feb. 17, reflecting Wall Street's nervousness over regulators' intensifying interest in its profiling practices.  It was one of the first times that potential privacy problems had significantly spooked investors.
While the Federal Trade Commission's confirmed it was conducting a "routine" inquiry, Michigan Attorney General Jennifer M. Granholm accused DoubleClick of violating state consumer protection laws by planting cookies on Internet users' computer hard drives without their knowledge and consent.  The company has 10 days to respond, after which Granholm has the option of converting her "notice of intended legal action" into a full-blown lawsuit. 
"Every time you use the Internet, DoubleClick is placing a bar code on your back -- a user I.D. -- so that it can identify your interests, habits and preferences," Granholm said.  "Because DoubleClick secretly implants additional surveillance files as you surf the Internet, DoubleClick is continually adding detailed personal information about you to its data banks. The average consumer has no idea that their on-line movements are being spied upon; this amounts to little more than a secret, cyber wiretap."
Granholm called DoubleClick's privacy policy a "moving target," and cautioned consumers about relying on its "vague promises."  She added:  "Today, the policy says one thing, but tomorrow, it may say another; we can't be certain that tomorrow's policy won't allow the company to sell the information concerning your Internet use to the highest bidder."
In response, a DoubleClick spokesman said the company is confident its policies are "beneficial to consumers and advertisers," according to Reuters.  In fact, DoubleClick disclosed the FTC's inquiry in a Feb. 8 filing at the Securities and Exchange Commission.  The company said it was cooperating fully with the FTC.  It also admitted that New York Attorney General Eliot Spitzer was conducting a probe.
On Feb. 10, the Electronic Privacy Information Center (EPIC), filed a formal complaint with the FTC, charging that DoubleClick's model for profiling Internet users amounted to unfair and deceptive trade practices.  Specifically, EPIC charged that the merger of DoubleClick's database of online profiles with Abacus' database of consumers' offline behavior violates the company's earlier assurances that the information it collects on Internet users would remain anonymous, and that the data collection was therefore unfair and deceptive. EPIC also charged that the company failed to follow its revised privacy policy and that this is also unfair.
Seeking to stave off troubles, DoubleClick on February 14 placed full-page ads in major newspapers, announcing it would: appoint a "privacy officer" (still unnamed) and a privacy advisory board; strengthen its opt-out mechanism so that people would be notified of profiling by a "pop-up" box any time they were asked for personal data on the DoubleClick network; retain PriceWaterhouseCoopers to do audits; only do businesses with Web publishers that have privacy policies; and, launch an Internet ad campaign with up to 50 billion banner ads educating Internet users about privacy.  The company said it believed in "full disclosure."   But it declined to name those Web sites that were part of the new "Abacus Alliance," designed to capture the identities of Internet users and match them with their offline purchasing behavior.
Privacy advocates, including EPIC, Jason Catlett of Junkbusters, and Center for Media Education, said DoubleClick's moves were more "crisis control" than privacy protection. The Center for Democracy and Technology launched its campaign, enabling more than 40,000 Internet users to opt out from DoubleClick banner ads. 
Beth Givens, of the Privacy Rights Clearinghouse, pointed out that some people who are concerned about their privacy periodically review and delete cookies that have been placed on the computers by Web sites.  "The problem is, to opt out from DoubleClick, they need to place an 'opt-out' cookie," she said.  "If you then delete all your cookies, you're opting back in."(From Privacy Times, February 3, 2000)
DOUBLECLICK DEFENDS PRACTICES AMIDST GROWING CONCERNS       
Rocked by a rising chorus of criticism from several directions, DoubleClick, the leading Internet advertising firm, sought to defend itself against charges that its profiling practices invaded the privacy of Internet users.
One new report detailed how DoubleClick serviced eight of the leading health Web sites, enabling it to gather health-related data on millions.  USA Today reported Jan. 25 that DoubleClick has "begun tracking Web users by name and address as they move from one Web site to the next."  Two days later, a California women, Hariett Judnick, filed an invasion-of-privacy lawsuit in a Marin County Calif. Superior Ct., seeking class-action status. 
In an interview with Privacy Times, DoubleClick Vice President Jonathon Shapiro addressed each concern.  Under its privacy policy, he said, DoubleClick will not collect sensitive data, which he defined as information pertaining to health, finances, sexual activity or children. 
He said the USA Today report was "misleading," explaining that while DoubleClick identifies visitors to its sweepstakes cite, www.NetDeals.com, it does not do so at the more than 11,500 Web sites that are part of the DoubleClick ad network.  (The notice at NetDeals.com states, "We may change this Privacy Policy from time to time.  If we do, we will post any changes, so check back here periodically."  In the fourth paragraph, it states, "we share the information you provide to us with DoubleClick's Abacus Online division.")
Some of the controversy concerns DoubleClick's new Abacus Online Alliance, designed to match online visitors' profiles to a database of 88 million consumers' offline purchasing created by Abacus, the catalog company.  In those circumstances, he continued, Web pages at which visitors provide personal data will see a notice advising them of data-sharing and of their ability to opt out. 
"This is about getting the right ad to the right person at the right time," he said. "The only time that DoubleClick will actually have personally identifiable information attached to a browser is where the user has volunteered the information and been given notice and choice."  He emphasized that the firm does not sell personal data to outsiders. 
A new study by the California HealthCare Foundation revealed that DoubleClick served banner ads to eight of the 21 leading health Web sites, including www.webmd.com, www.drkoop.com, and www.healthcentral.com.  These sites pass on to DoubleClick a "URL address" revealing that the unnamed visitor went to the "diabetes" page (i.e. drkoop.com/conditions/diabetes/)  However, the study said, "registering with a site can turn what was an anonymous profile into an identifiable profile."  All 21 sites reviewed gave visitors the opportunity to provide personally identifiable information.  But most of the health sites' privacy policies either failed to mention profiling or talked about it in vague terms.
"Banner ad network profiling of users is potentially more problematic because the ad networks can observe what users are doing at all Web sites in their networks, not just a single site," said the study, which was conducted by Janlori Goldman and Richard Smith.  DoubleClick and Abacus also hope to use data for direct mail advertising and offers.
Hariett Judnick, a California women, filed an invasion-of-privacy lawsuit in a Marin County Calif. Superior Ct., seeking class-action status.  Her suit alleged that DoubleClick represented to the general public that it was not collecting personal and identifying data and that it gave privacy interests of Internet users paramount importance.  The company then proceeded to use computer technology to identify Internet users, track and record their online activities and obtain confidential and personal data without their consent, it charged. The suit seeks an injunction against tracking data and then cross-referencing it against personal information, according to attorney Ira Rothken. 
DoubleClick's only response to the lawsuit: "DoubleClick is absolutely committed to protecting the privacy of all Internet users, and to providing consumers with notice and choice." 
Meanwhile, the Center For Democracy and Technology mounted a new "opt-out" campaign targeting DoubleClick, to counter what it called the company's "Double Cross."