DoubleClick tracks porn sites, from Brills Content, by Mark Boal

From: "Mark Boal" <> To: "Declan McCullagh" <> Subject: DoubleClick story from Brills Content Date: Wed, 28 Jun 2000 17:57:04 -0400 Declan- thought this might be good for politech posting. It's about how DoubleClick has web bugs on some porn sites. best, mark

Brills Content, July 2000 DoubleClick watches Porn/Medical Sites By Mark Boal We all know by now that when we log on to the Internet and surf the World Wide Web from the privacy of our homes, such privacy is largely an illusion. After all, websites keep track of their visitors, bulletin-board postings are archived, and even e-mail is not safe from prying eyes. But the state of privacy on the Web may be worse than you imagine. A new generation of technology is making it easier for marketers and Web hosts to track us without our knowledge. Moreover, these tracking devices are showing up in places where many people may be most sensitive about guarding their privacy: pornography and medical sites.

I realized how hard it is to keep up with the rapidly changing online privacy terrain when I paid a visit recently to Richard Smith, an expert on computer privacy who prides himself on uncovering Internet practices he considers abusive. Turns out even Smith was surprised by what we would discover.

Smith was tutoring me on what you might call online countersurveillance, giving me a lesson in how to watch the watchers on the Web. We were in his of ce overlooking downtown Boston. Our laptops were on. On screen, we were looking at a popular porn site called iFriends. We looked at the coding that creates the page, when suddenly a line jumped out at Smith:

IMGSRC="; src=104085;type=views;cat=ifdpge;ord= 00509100200118?" WIDTH=1 HEIGHT=1 BORDER=0

"It s a Web bug!" he exclaimed. Web bugs are the latest innovation in the art of monitoring people moving through websites. They are computer code, nearly identical in structure to the code for a picture or a banner ad. Except they are invisible, due to that last line: WIDTH=1 HEIGHT=1 BORDER=0. That describes an image one pixel wide and one pixel high, with no border. (The period at the end of this sentence would be represented on a typical screen as a four-pixel square.) A one-by-one pixel square can not be seen by the naked eye.

( C0VERTl -BTW, can you find the web bug on

Smith had found a Web bug, but what really struck him was that first line of code: IMGSRC="

That clued him in to the fact that DoubleClick Inc., the most successful Internet advertising agency, was collecting information about our visit to a porn-related site.

DoubleClick is an online advertising agency that buys and places banner-ad space for its clients. But it adds another layer of service, too it keeps track of who views and clicks on those banners, and now, with Web bugs, it can track people on pages without banner ads. DoubleClick s pioneering role on the Internet has earned it the adoration of Wall Street, but the enmity of privacy advocates, who are concerned that the company is building a mammoth database that pro les people s lives on the Web in elaborate detail.

"In general, DoubleClick s whole strategy of tracking Internet users invades the expectation of privacy people have when they re browsing," says Andrew Shen, a policy analyst at the watchdog Electronic Privacy Information Center. "But when you re talking about particularly sensitive areas such as health or pornography sites, which are only accessed under the assumption that the person s visit remains unknown, tracking is especially objectionable. These are places where the preservation of privacy is vital."

Indeed, DoubleClick s reach is so broad that even casual browsing in the most sensitive corners of the Net leaves a data trail the company can follow, as Smith and I discovered.

Head over to the search engine at the Internet portal Lycos, the fth-most-popular destination on the Web in May, and type the word sex into the query box. DoubleClick takes note. Or click on, a site that gathers many pages under one umbrella and is one of the Web s most popular destinations, with about 4.4 million visitors in April. Thousands of sites are listed under s adult section, and DoubleClick has the ability to monitor many of them.

Smith and I also discovered that DoubleClick operates Web bugs at, a site for the HIV-related drug Procrit, and that it monitors, an online resource for schizophrenia. Both sites are owned by Johnson & Johnson.

The question for privacy advocates is what does DoubleClick do with the data it collects? Company of cials say emphatically that it won t link information about an individual s website visits with his or her name. Yet the sort of Web bug coding Smith found DoubleClick using on various porn and health sites is ideally suited to linking a person s name to his or her computer.

This use of Web bugs, also sometimes called transparent GIFs (for graphics interchange format) seems to violate DoubleClick s own privacy pledge to be "fully committed to offering online consumers notice about the collection and use of personal information about them, and the choice not to participate." (The italics are DoubleClick s.)

Jules Polonetsky, DoubleClick s chief privacy of cer and a former New York City consumer-affairs commissioner, says the company s privacy policy was "in no way" contradicted by DoubleClick s deployment of Web bugs, because names are not linked to sensitive online activities such as health and porn sites.

Polonetsky stresses that the company has "made a commitment that we won t ever use sensitive information to target ads or to build a pro le," although he says that could change with the development of government standards. In the meantime, he adds, it s the clients responsibility to disclose DoubleClick s Web bugs. "All the sites we do business with," he says, "we wish [them] to be as transparent as possible in explaining what happens on their site."

However, none of the sites where we found Web bugs revealed that fact in their privacy policies.

When asked about this, iFriends initially denied that DoubleClick had Web bugs on the sensitive parts of the site. But when presented with a log le showing that DoubleClick recorded a visit to a "girl-girl" fetish room, labeled in the computer code as room "5," Allan Rogers, a company spokesman, replied by e-mail, "While DoubleClick does indeed record, [it] does not know that room 5 is equivalent to girls home alone." This explanation comes down to saying that while DoubleClick collects the information, it does not have the technical skill to understand it an assertion that Smith and others find hard to believe.

The other sites where Smith and I found Web bugs also downplayed their privacy implications. A Johnson & Johnson spokesman says the information gathered by Web bugs is used in-house to help the company re ne and manage its sites. Consumers have nothing to worry about because DoubleClick is contractually prohibited from using the information for any other purpose, says the spokesman, Josh McKeegan. "The contract that Doubleclick signed with us specifically stipulates that they won t use it for any of the purposes which have gotten them into trouble which is tying the aggregate data to specific cookies. That is specifically banned within our contract," says McKeegan.

Similarly, John Caplan, general manager of, acknowledges that DoubleClick collects data on users, but said "DoubleClick does not have the right to use any data it has on users in any way. They serve our ads thats it."

But critics note that DoubleClick s deal with its clients could change and it could acquire the right to disseminate data it currently collects. Moreover, a subpoena in a divorce proceeding, a warrant from a law enforcement agency, a malicious hacker, a mistake on DoubleClick s part to name just a few scenarios could drag DoubleClick s les into public view.

And regardless of who uses the data under which circumstances, the practice of covert data collection violates standards of online privacy endorsed by the Federal Trade Commission and by the industry-supported watchdog group TRUSTe. These guidelines specify that data-mining ought to occur only when the user is fully informed, and individuals are given some control over the information gathered about them.

One popular medical site,, took these concerns so seriously that in March it severed a long-standing relationship with DoubleClick. "We had a lot of concerns. There was also a perception problem," explains Laura Hicks, a spokeswoman for "So we made a decision...that for the protection of our consumers, we would not use any third-party ad networks."

For many privacy advocates, the very existence of Web bugs and the data collection they facilitate constitute an invasion of privacy, leaving aside questions about how that information could be disseminated. Think of a Peeping Tom who installs a video camera in a clothing-store dressing room. Even if he never views the footage, the people captured on lm will feel invaded.

"It s unacceptable for DoubleClick to be monitoring people s movements without their consent," says privacy advocate Jason Catlett, of the Junkbusters Corp., a group that opposes the proliferation of commercial messages. "If they tried this in the physical world it would be like having men in white coats standing outside X-rated movie theaters taking down your license plate number."

Catlett is particularly concerned about the lack of disclosure at porn sites, but a lawsuit led against DoubleClick in California alleges that the rm s deployment of Web bugs at a great many sites is a violation of consumer-protection statutes. The class-action suit, led in January by San Rafael, California, lawyer Ira Rothken, seeks an injunction to force DoubleClick to stop data mining via Web bugs and to give people a chance to see their dossiers.

"If DoubleClick doesn t change their strategy of attempting to tie name and address information with private click stream will have a chilling effect on all Web users no one will take risks in viewing sensitive sites, and Web users First Amendment rights will be impaired," Rothken says.

While the suit has garnered little press attention, it is being closely watched by privacy groups. If the case gets to the discovery stage, DoubleClick could be forced to reveal the business deals and strategy behind its data warehousing, and the nature of the les it has gathered on millions of Californians. That, in turn, could open the rm to a host of new questions that the lawsuit raises. What is in the log les? How far back do they go? Do they contain every website you or I have ever visited on the DoubleClick network? When asked for a response to these questions, a company spokeswoman repeated DoubleClick s assurances that it is "absolutely committed to protecting the privacy of all Internet users."

Why would a Wall Street darling like DoubleClick get involved in monitoring porn sites and health sites at the risk of alienating privacy advocates even more? To answer that we need to rewind to 1996. That was when Kevin O Connor founded the rm, with the idea of cashing in on the rush to all things e. Back then, companies were curious about advertising online, but few knew how to navigate the Web. It was unpredictable and chaotic, and choosing the right advertising format was like throwing darts blindfolded.

DoubleClick simplifed the task by gathering hundreds of the most popular sites in a network and then offering the ability to place banner ads across all, or some, of the network. The Fortune 500 turned their ad accounts over to DoubleClick, and soon it became the one-stop shop for online ads.

Today, DoubleClick s client roster reads like a who s who of corporate America. The company places ads on websites for AT&T, CBS, Ford Motor Company, Motorola, Inc., and hundreds of others. And its revenue is up sharply; in the rst quarter of this year, it took in $110 million, a 179 percent increase over the same period last year, according to the company.

Every month, DoubleClick places 50 billion banner ads across its network, which the company says covers about half of the Internet s total traf c. As the company s annual report boasts, "Move your mouse over any ad on the Web, and there s a good chance you ll see at the bottom of your browser window. DoubleClick didn t create the ad, but we did place it there."

And all of those ads are automatically monitored; DoubleClick gauges their effectiveness by tracking the number of people who click on them versus the number who view them. This so-called click-through rate is a metric only the Internet can offer, and it is the argument for why online advertising is more precise than TV, print, or radio advertising.

But click-through tracking yields another dividend, too. As DoubleClick quickly discovered after it began marketing the service, click-through technology opens the door to tracking individuals as they move from one site to another. If you can track whether someone clicks on one ad, why not track whether the same person clicks on any ad in a given network? Why not see exactly what an individual does online, where she goes, what she buys?

It s no wonder that from the start, privacy advocates objected to such tracking, but DoubleClick and other rms in the online marketing world pressed ahead. To make the tracking work, DoubleClick used cookie les. Cookies are random number strings like ngerprints that identify one computer to another. As you visit a page with a DoubleClick ad, the company places a cookie on your computer. After that, DoubleClick can track your movements through its network even if you do not click on its banner ads.

And now, with Web bugs, DoubleClick can track you even when there are no banner ads on a page. And if you make a purchase or fill out a questionnaire on a site with a DoubleClick ad, the form will more than likely collect that information from the Web bug and link it to your cookie.

Last year, DoubleClick tried to take the next step, and link its cookie files with actual names and identities. It merged with the consumer-database form Abacus Direct, and announced a new division designed to create elaborate profiles of more than 90 percent of American households. The plan attracted an army of critics, including privacy advocates, who said DoubleClick would usher in a new age of surveillance. The Federal Trade Commission began investigating the company; investors, who got skittish, started to dump DoubleClick stock.

When the blows and bad PR had cost DoubleClick half its market value, CEO O Connor backpedaled. "I made a mistake," he said. O Connor pledged to delay the database until there was "agreement between government and industry on privacy standards."

Despite its public disavowals, DoubleClick nevertheless continues to lay the groundwork for the database by collecting vast amounts of information about where people go online. And the news that they are employing their invisible tracking devices on health and porn sites could cause them new political, public relations, and legal woes. The FTC has asked Congress for more authority to sue companies who are in violation of consumer privacy, although Congress is not expected to enact new laws anytime soon.

If DoubleClick ever chooses to merge the data from the Web bugs and cookie files with its existing consumer dossiers, it will create a database of unprecedented depth. The form will not only have purchasing history and demographic information of some 100 million Americans at its fingertips, but also information about their sexual preferences and health conditions. For now, the records are not merged. But they lie there on servers, waiting.

_________________________________ Mark Boal > Senior Writer > Brills Content <> -------------------------------------------------------------------------- POLITECH -- the moderated mailing list of politics and technology To subscribe, visit This message is archived at --------------------------------------------------------------------------