ABA Journal
to grab user data
TEXT:
It seemed a shrewd move last fall when on-line information company
DoubleClick acquired Abacus Direct, a national marketing database. The goal was
to combine DoubleClick's method of collecting data about Web surfers with a list
of products and services that target the user. Information in, information out.
But it set off alarms among privacy and civil liberties groups, which this
spring asked the Federal Trade Commission to step in.
In the end, DoubleClick backed off from its plan to merge user data with a
marketing scheme. The New York-based company went so far as to establish a
Privacy Advisory Board, hiring former New York State Attorney General Robert
Abrams to head it.
Despite the outcome, the venture continues to send chills down the spines of
consumer advocates, who worry about Internet companies compiling profiles of
computer users without their knowing it. It amounts to an invasion of privacy
and could lead to abuses, they claim.
"It is as if somebody put a bar code on the top of your head and followed you
around for a year," says Leah Guggenheimer, a New York City plaintiffs attorney
in several lawsuits filed early this year.
At the Mercy of Marketers
Among the technologies that worry privacy advocates is the use of small text
files implanted in computers, the method used by DoubleClick. Those files,
called cookies, include an identification number that allows the Internet
company to recognize a user each time he or she accesses a Web site. They
collect information such as e-mail addresses, full names, mailing addresses and
phone numbers, as well as such seemingly private information as travel
arrangements, search phrases and health-related queries.
Companies like DoubleClick can build a dossier on users' surfing habits and
offer this information to third parties for marketing. For example, if a user of
Yahoo! (a popular Internet portal) clicks on the word "travel," a cookie would
be placed on the computer to tip off Yahoo each time the site is used. When the
Yahoo traveler uses the site, he will get ads focusing on the destination he is
planning to visit.
"Every time you go to Web sites and are looking at products, they are recording
the Web pages you are going to, to try to infer from articles you read what you
are interested in. That way they try to figure out what type of advertising" to
send you, says Richard M. Smith, a Brookline, Mass.-based computer consultant
who discovered Internet companies prying into users' surfing habits.
Cookies can be useful, though, in that they allow a Web site to recognize a
user, eliminating the need to reregister at future visits. And, Smith says, most
Web companies only track users of their site. However, a few companies, those
like DoubleClick that supply banner ads to Internet sites--track use across
several of those sites. In these cases, a cookie is placed on a computer hard
drive just by accessing a Web site on which a banner ad appears.
It is that tracking, often without the user's knowledge or permission, that
public interest groups targeted in recent lawsuits and proposed legislation. The
lawsuits filed in state and federal courts mostly focus on users' lack of
consent to data providers over how their information is handled. The complaints
allege that companies unlawfully collect and disseminate that data.
Lawsuits filed in New York, Washington, California and Illinois against data
providers RealNetworks, Alexa and DoubleClick allege violations of federal
statutes, such as the Electronic Communication Privacy Act and the Stored Wire
and Electronic Communications and Transactional Records Access Act. Some suits
allege violations of state common law and statutes, including trespass, invasion
of privacy and unfair business practice, as well as anti-stalking statutes.
Experts differ over whether the ECPA applies to these types of cases because the
law was passed to deal with interception of telecommunications, says Henry H.
Perritt, dean of Chicago-Kent College of Law and author of Law and the
Information Superhighway.
Plaintiffs, though, contend the ECPA "wasn't written to protect just voice
communications," says Guggenheimer. "Your telephone conversations with people
are private unless you consent." The Internet companies are intercepting this
information, she says.
Class Action Complaints
The computer fraud act was designed as an anti-hacker statute making it illegal
for any individual to tamper with another person's hard drive, says
Guggenheimer. Plaintiffs in multiple cases that have consolidated into
multidistrict litigation in U.S. District Court in Chicago claim that
Seattle-based RealNetworks did just that.
Plaintiffs allege that RealNetworks accessed computer users' hard drives to
determine their music preferences, according to one of the complaints.
A RealNetworks spokesperson says the company changed its software last year to
ensure that personal data concerning listening preferences is no longer sent to
RealNetworks unless a user wants to send the information.
DoubleClick contends that the lawsuits are without merit and that it intends to
defend them vigorously, says a spokesperson.
The Center for Democracy and Technology, a public interest group, said in a
statement to the FTC that "the profiling activities of these advertising
networks pose a significant risk to consumers' privacy. DoubleClick's new
practices run contrary to the average consumer's expectation. There are no
limits--technical or legal--on the purposes for which information collected by
DoubleClick can be used. Similarly, there are no limits on who can access the
information collected."
In March, DoubleClick backed down, saying it "made a mistake by planning to
merge names with anonymous user activity across Web sites in the absence of
government and industry privacy standards," according to a statement issued by
CEO Kevin O'Connor.
Though DoubleClick never implemented the plan, O'Connor says it will "continue
to abide by common industry practices in building anonymous profiles for ad
targeting."
No Anonymity Guarantee
Many companies claim their tracking of Web habits keeps users anonymous, but
that does not mean that they remain so, says plaintiffs attorney Seth Lesser,
who works at the same firm as Guggenheimer. For example, information can be
accessed by subpoena to be used in divorce cases or other civil or criminal
matters, says Chicago attorney Adam J. Levitt, who has filed several of these
privacy lawsuits.
Lesser agrees. "A spouse in a custody battle could get all of the information
that is stored," such as recent purchases, possible travel destinations or the
Web sites visited, he says.
"There have been cases where spouses sought information on Yahoo e-mails sent.
It isn't beyond the realm of lawyers if the information exists," says Lesser.
If DoubleClick and other companies "just collect the data and you don't know who
is getting it, whether or not they combine it, they are in violation of the
laws," says Lesser. "If they are going to match [these profiles] with real
names, that makes it even more frightening," he adds.
"What makes DoubleClick's actions so abhorrent is that if their software is
working right, you will never know that company is behind all of the
advertisements," says Levitt. "You're actually going to receive a DoubleClick
cookie you never authorized, never approved and never thought existed."
Federal laws are far from clear when it comes to Internet privacy, say experts.
"We do not have a privacy rights statute in the United States," says Fordham law
professor Joel R. Reidenberg. "It is very difficult to bring privacy claims in
the United States under the law as it now exists," he says, adding, "We have
enacted legislation in a piecemeal manner."
Congress has considered several privacy bills in the past few years, but only
one--the Children's Online Privacy Protection Act--has been passed. Earlier this
year, U.S. Sen. Robert Torricelli, D-N.J., offered a bill that would bar
companies from collecting information without permission from the user.
State common law has provided some protections for a reasonable expectation of
privacy, says Perritt of Chicago-Kent. But, he says, it can be argued that
"people have allowed their reasonable expectation of privacy to be diminished by
allowing cookies to be placed on their computers and filling out Internet
forms."
Though Perritt wonders whether the plaintiffs can meet some of the damages
thresholds and factual requirements of the federal statutes, he says if
plaintiffs win these cases, "It will level the playing field" and allow for
better self-regulatory privacy measures.
Despite the uncertainty, experts expect more lawsuits of this kind to be filed,
and some might target purchasers of these surfing dossiers. Clearly, cookies
continue to leave a bad taste in the mouths of some computer users.
LANGUAGE: ENGLISH
GRAPHIC: Photo, RICHARD SMITH
Document 1 of 24.
Search Terms: cookies w/5 computer!
To narrow your search, please enter a word or phrase:
Copyright© 2000, LEXIS-NEXIS, a division of Reed Elsevier Inc. All Rights
Reserved.