|Privacy problems at FAST/Alltheweb|
DoubleClick gets your search terms
| 12:31 am on Sep 15, 2002 (gmt 0)|
When searching at www.lycos.com, Lycos sets cookies that expire in 2038. Also, DoubleClick is allowed to set a cookie. Nothing unusual about that, except that DoubleClick is also given your search terms through a one-pixel web bug. These get stored at DoubleClick along with your unique cookie ID. DoubleClick stores your IP numbers also. There's an article in the October 2002 issue of 2600 The Hacker Quarterly (available at newsstands) about all the things DoubleClick can do with this information.
When searching at www.alltheweb.com, it's the same story. FAST/Alltheweb allows Lycos to set its 36-year cookie, and also allows DoubleClick to set its cookie and grab your search terms. These are both done through one-pixel web bugs. Your first DoubleClick cookie is called a "test_cookie CheckForPermission." It has no ID in it and expires in 15 minutes. If you do a second search before the 15 minutes is up, it changes into a three-year cookie with a unique ID. Your search terms are given to DoubleClick in both cases. Did you know that if you do more than one Alltheweb search within a 15-minute span, then you've opted into DoubleClick's tracking of all your searches on FAST/Alltheweb for the next three years?
This policy is so disgusting that I've added a FAST/Alltheweb option to my anonymous Google proxy. See the site in my profile.
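Added example (not part of the original post, and not the poster's code): a small audit script that scans a saved search results page for one-pixel images served from another site and reports whether the image URL carries the search terms, which is the web-bug mechanism described above. The hostnames, paths and the `kw` parameter are constructed placeholders, and the "same site" test is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, unquote_plus

def site(host):
    # Naive "site" = last two DNS labels (assumption; a real audit
    # would use the Public Suffix List).
    return ".".join(host.lower().split(".")[-2:])

class BeaconFinder(HTMLParser):
    """Collects 1x1 (or 0x0) images served from another site."""
    def __init__(self, page_url, query):
        super().__init__()
        self.page_url = page_url
        self.page_site = site(urlsplit(page_url).hostname or "")
        self.query = query.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlsplit(src).hostname or ""
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if not tiny or site(host) == self.page_site:
            return
        # Decode %xx and '+' so "privacy+law" matches "privacy law".
        leaks = self.query in unquote_plus(src).lower()
        self.findings.append({"host": host, "leaks_query": leaks, "src": src})

def find_beacons(html, page_url, query):
    finder = BeaconFinder(page_url, query)
    finder.feed(html)
    return finder.findings

# Constructed sample: hostnames and paths are placeholders, not real URLs.
PAGE = "http://www.search.example/search?q=privacy+law"
SAMPLE = """
<img src="/logo.gif" width="120" height="40">
<img src="http://ads.tracker.example/pix?kw=privacy+law" width="1" height="1">
<img src="http://portal.example/c.gif" width="1" height="1">
<img src="/spacer.gif" width="1" height="1">
"""

if __name__ == "__main__":
    for f in find_beacons(SAMPLE, PAGE, "privacy law"):
        print(f["host"], "leaks search terms" if f["leaks_query"] else "beacon only")
```

A beacon flagged without `leaks_query` can still set or read a third-party cookie; the flag only shows whether the search terms themselves appear in the request URL.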
| 11:03 pm on Sep 15, 2002 (gmt 0)|
Interesting analysis, Everyman.
Just one point:
Every modern browser can be set to circumvent this policy easily - no need for any anonymous proxies.
| 1:14 am on Sep 16, 2002 (gmt 0)|
Yes, you can refuse off-site cookies, and yes, you can refuse off-site images, such as those Lycos and DoubleClick web bugs.
In which case, only Alltheweb would get your search terms and your dynamic IP number, and you wouldn't need a proxy. Because even though we know now that Alltheweb cannot be trusted to keep your search terms to themselves, it's nevertheless true that AOL IP numbers are much too dynamic to allow tracking.
That's a lot of ifs. How many of you qualify? I already refuse off-site images, and it means I can't click on profiles in WebmasterWorld without switching browsers. DoubleClick is heavy into geolocation, which comes from IP numbers. The cookies merely glue dynamic IPs together as coming from a single browser.
Email sent to firstname.lastname@example.org with a copy to public relations at fastsearch.com:
"4. DoubleClick encourages all companies with which we do business to engage in fair information practices.
"DoubleClick asks that these companies disclose their relationship with us by providing notice to consumers about the DoubleClick technologies that they use."
The search engine FAST/Alltheweb, at www.alltheweb.com, uses a DoubleClick clear GIF planted on their search results page. This clear GIF contains the search terms the user entered to produce these results. At the time that the clear GIF is served, DoubleClick plants a cookie (beginning with the second search within a 15-minute period) with a unique ID.
I feel that this amounts to profiling in the extreme. Search terms are much more sensitive than a surfing history, because they are much more revealing.
| 10:16 am on Sep 16, 2002 (gmt 0)|
Another good reason to use Opera's "Throw away new cookies on exit" ;)
Or would that be too simple?
| 10:20 am on Sep 16, 2002 (gmt 0)|
I believe this is the relevant policy:
On Alltheweb search results in IE6, I double-clicked the little red privacy warning icon at the bottom of the screen. The Lycos 1x1 gif has a P3P policy (machine-readable) associated, and that links to their human-readable main policy, where there is a link to the DoubleClick policy.
| 12:24 pm on Sep 16, 2002 (gmt 0)|
The Lycos policy is okay as far as it goes. But it constantly refers to the phrase "non-personally identifiable," like it was some sort of mantra, and even uses the phrase "anonymous information" in the context of admitting that the IP number and/or domain name are reported.
I disagree that this information is non-personally identifiable. If you have a static IP, you can be identified quite easily with a court order. The FBI can get these now without a showing of probable cause. Even with a dynamic IP, a court order will get you identified in most cases, particularly with ISPs smaller than AOL who can easily consult their logs, given a time stamp.
Okay, let's assume that there's no court order. DoubleClick is very much into geolocation from IP number. Even if they don't know your name or email address from your IP number, they know where you are. And consider those who are surfing from their place of work -- that's a dead giveaway when the company has its own domain.
How can this be justified by a search engine, when you consider that search terms are the most sensitive thing there is? They are the pot of gold at the end of the profiling rainbow!
| 2:20 pm on Sep 16, 2002 (gmt 0)|
European countries tend to have rather strict privacy legislation (compared to the US, anyway). Since FAST are located in Norway, it might be interesting to check whether the current situation is actually legal for them.
| 9:09 am on Sep 17, 2002 (gmt 0)|
The citation for the 2600 The Hacker Quarterly article about how DoubleClick works, mentioned in my first post above, should read Vol. 19, No. 2, Summer 2002, pp. 40-43. The article is titled "Your Eyes Have Just Been Sold," by docburton. This is an excellent piece about DoubleClick's system. It's not available on the web. After the next issue is published and this current issue is no longer available on newsstands, we will ask the publisher for permission to transcribe and post it on our site.
Norway has The Data Inspectorate [datatilsynet.no] government office to deal with privacy issues, and a copy of the April 2000 Personal Data Act covering this matter is included on their website in English. We will most likely be sending a complaint by fax later this week.
We're also considering asking the Ralph Nader group, Commercial Alert, for advice about a complaint to the FTC. This would be about language in privacy policies that describes IP numbers and/or domain names as "anonymous" or "non-personally identifiable" information, which we feel is a deceptive practice.
| 12:19 pm on Sep 18, 2002 (gmt 0)|
The complaint was faxed to Norway yesterday; a copy is posted on the site in my profile.
The Data Inspectorate site has an email address. Comments, pro or con, on this complaint can be sent to them.
| 6:59 pm on Sep 21, 2002 (gmt 0)|
Comments and future plans to alleviate the problem from FAST/AtW in this article [news.com.com].
| 7:06 pm on Sep 21, 2002 (gmt 0)|
Thanks Rubble88 - the article has already been brought up here
Actually this article is based pretty much on what has been laid out here before.