Privacy problems at FAST/Alltheweb

DoubleClick gets your search terms



12:31 am on Sep 15, 2002 (gmt 0)

I am disappointed to discover that FAST/Alltheweb is careless with their privacy policy. I think they're selling out.

When searching at www.lycos.com, Lycos sets cookies that expire in 2038. Also, DoubleClick is allowed to set a cookie. Nothing unusual about that, except that DoubleClick is also given your search terms through a one-pixel web bug. These get stored at DoubleClick along with your unique cookie ID. DoubleClick stores your IP numbers also. There's an article in the October 2002 issue of 2600 The Hacker Quarterly (available at newsstands) about all the things DoubleClick can do with this information.

When searching at www.alltheweb.com, it's the same story. FAST/Alltheweb allows Lycos to set its 36-year cookie, and also allows DoubleClick to set its cookie and grab your search terms. These are both done through one-pixel web bugs. Your first DoubleClick cookie is called a "test_cookie CheckForPermission." It has no ID in it and expires in 15 minutes. If you do a second search before the 15 minutes is up, it changes into a three-year cookie with a unique ID. Your search terms are given to DoubleClick in both cases. Did you know that if you do more than one Alltheweb search within a 15-minute span, then you've opted into DoubleClick's tracking of all your searches on FAST/Alltheweb for the next three years?

This policy is so disgusting that I've added a FAST/Alltheweb option to my anonymous Google proxy. See the site in my profile.
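
The one-pixel web bug described in the post above can be found by inspecting a saved results page. The following is an added example, not part of the original thread: it flags off-site 1x1 images whose URL contains the search terms. The hostnames, the URL layout of the sample, and the `find_web_bugs` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote_plus

def registrable(host):
    # Naive site key: the last two DNS labels. A real audit should use the
    # Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

class WebBugFinder(HTMLParser):
    """Collect off-site 1x1 images whose URL carries the search terms."""
    def __init__(self, page_url, search_terms):
        super().__init__()
        self.site = registrable(urlsplit(page_url).hostname)
        self.terms = search_terms.strip().lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlsplit(src).hostname
        if not host or registrable(host) == self.site:
            return  # relative or same-site image, not an off-site request
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        # Decode %20 and + so differently encoded copies of the terms match.
        if tiny and self.terms and self.terms in unquote_plus(src).lower():
            self.findings.append({"host": host, "src": src})

def find_web_bugs(html, page_url, search_terms):
    finder = WebBugFinder(page_url, search_terms)
    finder.feed(html)
    return finder.findings

# Constructed sample: a results page with a logo, a web bug that repeats the
# query to a third party, and a harmless off-site spacer image.
SAMPLE_URL = "http://www.search.example/results?q=divorce+lawyer"
SAMPLE_HTML = """
<html><body>
<img src="/img/logo.gif" width="120" height="40">
<img src="http://ad.tracker.example/activity;kw=divorce%20lawyer;ord=12345?" width="1" height="1">
<img src="http://img.cdn.example/spacer.gif" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLE_HTML, SAMPLE_URL, "divorce lawyer"):
        print(hit["host"], "received the search terms via", hit["src"])
```

The check only looks at `width`/`height` attributes, so a pixel sized through CSS would need an extra rule.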


11:03 pm on Sep 15, 2002 (gmt 0)

WebmasterWorld Senior Member heini is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Interesting analysis, Everyman.
Just one point:
Every modern browser can be set to circumvent this policy easily - no need for any anonymous proxies.


1:14 am on Sep 16, 2002 (gmt 0)

If you have a modern browser, and if you are sufficiently suspicious of search engines even when there is no privacy policy on their site that may hint at what they're doing, and if you are on something like a dialup to AOL where the IP numbers change constantly, and if you have the geek chops to throw up a proxy or at least examine the source code of a results page, then:

Yes, you can refuse off-site cookies, and yes, you can refuse off-site images, such as those Lycos and DoubleClick web bugs.

In which case, only Alltheweb would get your search terms and your dynamic IP number, and you wouldn't need a proxy. Because even though we know now that Alltheweb cannot be trusted to keep your search terms to themselves, it's nevertheless true that AOL IP numbers are much too dynamic to allow tracking.

That's a lot of ifs. How many of you qualify? I already refuse off-site images, and it means I can't click on profiles in WebmasterWorld without switching browsers. DoubleClick is heavy into geolocation, which comes from IP numbers. The cookies merely glue dynamic IPs together as coming from a single browser.

Email sent to privacy@doubleclick.com with a copy to public relations at fastsearch.com:

Dear sir/madam:

In your privacy policy, you state:

"4. DoubleClick encourages all companies with which we do business to engage in fair information practices.

"DoubleClick asks that these companies disclose their relationship with us by providing notice to consumers about the DoubleClick technologies that they use."


The search engine FAST/Alltheweb, at www.alltheweb.com, uses a DoubleClick clear GIF planted on their search results page. This clear GIF contains the search terms the user entered to produce these results. At the time that the clear GIF is served, DoubleClick plants a cookie (beginning with the second search within a 15-minute period) with a unique ID.

I feel that this amounts to profiling in the extreme. Search terms are much more sensitive than a surfing history, because they are much more revealing.

Alltheweb does not have a privacy policy at www.alltheweb.com -- at least I could not find one.

You should require that Alltheweb specifically state what is happening on their site with regards to the information they send to DoubleClick. If they decline, then you should refuse to do business with them, as per your privacy policy.



10:16 am on Sep 16, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Another good reason to use Opera's "Throw away new cookies on exit" ;)

Or would that be too simple?


10:20 am on Sep 16, 2002 (gmt 0)

10+ Year Member

I believe this is the relevant policy:

On Alltheweb search results in IE6, I double-clicked the little red privacy warning icon at the bottom of the screen. The Lycos 1x1 gif has a P3P policy (machine-readable) associated, and that links to their human-readable main policy, where there is a link to the DoubleClick policy.


12:24 pm on Sep 16, 2002 (gmt 0)

Yes, I saw the Lycos privacy policy. It scared me, which is why I used the interface at www.alltheweb.com instead. There is no privacy policy that I've found at www.alltheweb.com. Maybe my browsers lack some gadget I need to link from Alltheweb to the Lycos policy.

The Lycos policy is okay as far as it goes. But it constantly refers to the phrase "non-personally identifiable," like it was some sort of mantra, and even uses the phrase "anonymous information" in the context of admitting that the IP number and/or domain name are reported.

I disagree that this information is non-personally identifiable. If you have a static IP, you can be identified quite easily with a court order. The FBI can get these now without a showing of probable cause. Even with a dynamic IP, a court order will get you identified in most cases, particularly with ISPs smaller than AOL who can easily consult their logs, given a time stamp.

Okay, let's assume that there's no court order. DoubleClick is very much into geolocation from IP number. Even if they don't know your name or email address from your IP number, they know where you are. And consider those who are surfing from their place of work -- that's a dead giveaway when the company has its own domain.

Finally, my big objection to both Alltheweb.com and Lycos is that there's a one-pixel web bug at the bottom of the results page that sends everything to DoubleClick. Yes, DoubleClick is used for targeted ad serving. But even when you don't click on anything on a results page, DoubleClick still gets your IP number, domain, search terms, and time stamp. You don't have to click on a DoubleClick ad. Before you can even read the ads, DoubleClick has your number. Even if you have JavaScript disabled, DoubleClick has you covered.

How can this be justified by a search engine, when you consider that search terms are the most sensitive thing there is? They are the pot of gold at the end of the profiling rainbow!

Obviously, it's the dream of serving ads based on search-term profiling, and that's how it's justified. Lycos should be clearer about the privacy implications, and Alltheweb should put a privacy policy where I can see it. (They follow Norway's laws, so they may not care about such things.)


2:20 pm on Sep 16, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

European countries tend to have rather strict privacy legislation (compared to the US, anyway). Since FAST are located in Norway, it might be interesting to check whether the current situation is actually legal for them.


9:09 am on Sep 17, 2002 (gmt 0)

The citation for the 2600 The Hacker Quarterly article about how DoubleClick works, mentioned in my first post above, should read Vol. 19, No. 2, Summer 2002, pp. 40-43. The article is titled "Your Eyes Have Just Been Sold," by docburton. This is an excellent piece about DoubleClick's system. It's not available on the web. After the next issue is published and this current issue is no longer available on newsstands, we will ask the publisher for permission to transcribe and post it on our site.

Norway has The Data Inspectorate [datatilsynet.no] government office to deal with privacy issues, and a copy of the April 2000 Personal Data Act covering this matter is included on their website in English. We will most likely be sending a complaint by fax later this week.

We're also considering asking the Ralph Nader group, Commercial Alert, for advice about a complaint to the FTC. This would be about language in privacy policies that describes IP numbers and/or domain names as "anonymous" or "non-personally identifiable" information, which we feel is a deceptive practice.


12:19 pm on Sep 18, 2002 (gmt 0)

The complaint was faxed to Norway yesterday; a copy is posted on the site in my profile.

The Data Inspectorate site has an email address. Comments, pro or con, on this complaint can be sent to them.


6:59 pm on Sep 21, 2002 (gmt 0)

10+ Year Member

Comments and future plans to alleviate the problem from FAST/AtW in this article [news.com.com].


7:06 pm on Sep 21, 2002 (gmt 0)

WebmasterWorld Senior Member heini is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Thanks Rubble88 - the article has already been brought up here.
Actually this article is based pretty much on what has been laid out here before.

I think what puts Fast really in an awkward situation here is they have given the complete monetization of AlltheWeb.com away to Lycos. That is what causes Fast's Peter Gorman to say: "We're working with Lycos (and DoubleClick) to not track visitors, or we will add our own privacy policy."

