Slashdot Mirror

In 1999, DoubleClick bought the Abacus database, which got them a ton of data about our personal buying habits. They've promised not to correlate it with their banner-ad database, but that's not the concern this week. This week, the concern is their network security. Last week Thursday, the French site Kitetoa discovered three separate security issues on DoubleClick's network; the company deleted the evidence of one immediately, but left the servers up until Monday, when they mostly closed the other two. There are numerous other issues but the question on everyone's mind should be, how long and how far has DoubleClick been penetrated? And how long can we expect it to continue?

As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.

Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:

"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."

Now here's the history of DoubleClick security since last week, as far as I can tell.

Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.

The first IIS vulnerability is the commonly-known unicode bug, which lets you read and write files with the same permissions as the webserver, typically "IUSR."

Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in.

DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled.

But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.

It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.

What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.

The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.

DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.

The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."

Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.

Not that SQL should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."

Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."

Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.

That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.

But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.

As well as www.doubleclick.net. The company said Monday that the holes had been fixed on that, their main corporate website. But as of five minutes ago, I was still able to read ASP source code on that server using the year-old exploit. (I did not see any more SQL passwords, for whatever that's worth.)

DoubleClick's Chief Privacy Officer Jules Polonetsky claimed on Monday that "Even a partial breach of a noncritical server is unusual," a claim which looks more dubious every day.

Maybe none of these servers has any valuable data on them. But to a serious cracker, breaking into them could easily have provided the necessary opportunity to reach further into DoubleClick's systems. Being inside the firewall, setting up trojans, sniffing network traffic from other machines - these are all reasons why unauthorized access of any machine must be taken very seriously.

And there's more. A security writer from transfert.net - a sort of French "Wired" - was able to snoop around one of DoubleClick's internal mail systems, webmail.doubleclick.net. It's fixed today, but he sent me a partial list of employees whose mail files were in a directory. (He could not read the mail itself, and DoubleClick denies that mail could have been, at any point, read.)

Here's the big picture. Where long-term security is concerned, process is always more important than the individual problems. We can learn more about DoubleClick's security by observing their response to security reports.

I would have hoped to see servers taken down. As Kitetoa remarked to me, "I think they should have closed all the servers for an hour or two while they fixed the problem." Or, if necessary, longer. Tough decision, but better than possibly exposing data.

I would have hoped that DoubleClick would not announce to the media that everything was fine until they actually knew that this was true. At this point, we have to trust them when they say that attackers could not have seriously compromised their data.

And I would have hoped that they would start tackling problems sooner than they did. Vulnerabilities about which they were informed last Thursday were not fixed until Monday. (The vulnerabilities themselves, of course, are not new, and some of them are a year old.)

And more vulnerabilities continue to crop up. Paranos (based in Paris) found one just by using search engines. The funny thing they found was a database of DoubleClick employees in the U.K. who attended last year's Christmas party.

Less funny is the list of people Paranos found who apparently filled out a form in conjunction with FoodTV, the "Outfit Your Kitchen Sweepstakes."

It took about two hours after I notified their PR contact of the URL before it was removed. It was stored in what appears to be a directory of backup data which was never intended to be public: http://www2.doubleclick.net/live2/chefs/ foodtv-bak/form/chefs.txt.

This isn't a vulnerability, but it is indicative of the company's security process. DoubleClick should have policies in place to prohibit posting backup data on public websites; it should enforce those policies; and when it was done anyway, it should have found the leak with by internal audit.

This promotion ran in 1999. Remember, kids, data you give to corporations never goes away, and may pop back up at any time!

I picked one of the phone numbers for my state and gave it a call. Kathy Bankes, the wife of one of the people on the list, answered the phone. She said she was "very leery with the computer," and then proceeded to give me a common-sense understanding of the state of security on the internet.

"They say things are supposed to be secure," she said, "but I don't care how secure anything is - if somebody knows how to get in, they're going to get in if they have the technology."

"Should we worry about it or not?" she asks. I would say yes, especially when the company that owns an enormous customer purchasing database has problem after problem with its security. Maybe I'm naive to think that privacy promises mean anything in the real world, or that crackers can be fended off by a big corporation.

When I'd expressed my surprise at all this to Kitetoa, he'd just chuckled and said, "You'd be surprised what you can find on the internet. It's all like this."

Kathy, too, was pretty sure that there were people who have all this private information anyway. She very sensibly pointed out that credit card and other personal data can be stolen in the real world just as easily as the internet.

And she answered her own question for me: "There's really nothing you can do. I don't feel secure anyways."

Both the Washington Post and the New York Times have stories about the FTC's decision to ask Congress for the authority to regulate online privacy. The FTC had recently completed yet another privacy survey that showed companies were doing little to protect privacy on the Internet, even after several years of dire warnings. In other news, Doubleclick named a "No-Privacy Board" -- errr, a "Privacy Board." Its members are listed below, along with my notes on their backgrounds.

It is important to keep in mind what this is being billed as: Doubleclick calls this, in their press release, a "Consumer Privacy Advocacy Board." Supposedly this board is set up to, you know, advocate consumer privacy. So, let's take a look at its composition.

Robert Abrams, former attorney general of New York: hired because of his connections in New York State, which threatened to file suit against Doubleclick. His role will be to lobby his buddies in various government agencies to prevent privacy lawsuits.

Robert Litan, vice president and director of economic studies at the Brookings Institution: supports "opt-out" marketing and notification of privacy policies, as opposed to actual privacy. (Which is exactly Doubleclick's position, of course.)

Harriet Pearson, director of public affairs at International Business Machines Corp.: Pearson is one of the people behind the Online Privacy Alliance, a corporate front group working to attack privacy on the Internet. Pearson has moderated seminars on how to profile users without seeming to be Big Brother; her job is to make you feel good about not having any privacy. Every group needs a PR flack.

Lori Fena, chairman of Web privacy organization TrustE: Fena is an advertising executive by trade. And obviously, having her on board means that TrustE won't exactly be cracking down on any of Doubleclick's practices.

Daniel Weitzner, an executive at the World Wide Web Consortium: Weitzner's main job at W3C is promoting P3P, a protocol designed to automatically give out your name, address, phone number, credit card information, Social Security number, and other personal data to Web sites as you browse -- a sort of hyper-invasive universal cookie. Need I say more?

Elizabeth Lascoutx, a director and vice president at the Council of Better Business Bureaus: Lascoutx's work at the BBB used to center around children's advertising -- she sought to have commercial messages on children's Web sites set off from the rest of the content in the same manner as television advertising ("after these messages, we'll be right back").

David Stazer, vice president and co-founder of PlanetOut.com: I don't know of any qualifications Stazer might have with regard to privacy.

Stewart Baker, a partner at the law firm of Steptoe & Johnson: Baker used to be the general counsel of the National Security Agency, probably not the first people you'd think of when you think "privacy"; he's an influential Washington lobbyist now. Baker publicly attacked the efforts to boycott Intel and Microsoft over the Pentium-III processor ID and the GUID embedded in MSOffice documents -- he stated that if all machines on the Internet were authenticated and identified, things like denial of service attacks could be prevented (which is true enough, if you don't mind a total loss of privacy).

No one from EPIC? No one from the ACLU? You can draw your own conclusions about whether this "Consumer Privacy Protection Board" (sic) is intended to actually help Doubleclick change its ways, or whether it is merely intended to help protect the company from lawsuits and adverse governmental action, like, say, the FTC wanting the authority to force companies to respect privacy concerns.

AdemoN was the first to the gate with the latest on the DoubleClick privacy fiasco. A woman in California has sued DoubleClick, alleging that they have violated her privacy rights by representing themselves as not collecting personal information, while actually doing so. Remember - you can opt-out of the whole thing as well. Click below for a note on a major PR blunder by DoubleClick from Roblimo.

- Friday, January 28, 2 p.m. US EST

Tuesday USA Today reporter Will Rodger wrote about DoubleClick. We linked to his story here. Wednesday afternoon a DoubleClick Corporate Communications person* called Andover.net Corporate Communications VP Janet Holian and asked her to remove our story and the link to USA Today.

Janet passed the problem to me, since Andover has a very strict policy prohibiting Andover corporate people from interfering in editorial decisions.

I listened politely to the DoubleClick person, who told me USA Today's story was innacurate and we were wrong to link to it, and how she was calling journalists all over the country to tell them that the information in it was false and should not be relied upon. Then she requested that we pull the Slashdot story that linked to the USA Today story. No direct threats were made, but the words "refer this to our legal department" were said.

I said no, we couldn't and wouldn't pull the story.

Next move: I called USA Today. These guys are good fact-checkers. They pointed me at some of DoubleClick's own press releases and privacy policy pages, most of which had already been referenced by Slashdot in this story back in October, 1999.

An Open Offer
I offered DoubleClick's Corporate Communications person a chance to state their side of the story here, on Slashdot. I promised to run whatever they sent verbatim. I have received nothing from them so far. I called DoubleClick and reiterated the offer before writing this. Still nothing, not even an e-mail saying what information they feel is incorrect in any of the stories written about them here, in USA Today or in other media.

At this point, it's DoubleClick's move. Perhaps, eventually, they'll post something on their Press Release page. We'll keep an eye on it in case they do.

* I left out the name of the DoubleClick Corporate Communications person purely as a personal courtesy. She is a very nice woman in a bad position, trying to do a very tough job - which, right now, could probably best be described as "frantic damage control."

Because you're reading Slashdot, you probably know that client-side cookies are perfectly safe. They don't contain any code that gets executed by your computer, and there are limits to keep them from filling up your hard drive. Just as importantly, no server can read another server's data, each site reads only its own cookies, and you don't have to worry about privacy. If you don't want a site to know anything about you, you don't tell that site anything. Simple. Or is it?

When Netscape embraced-and-extended the HTTP spec in 1995, it was really just trying to digitize the shopping cart. Allowing a server to store just a few bits on the client added almost no overhead and it made many applications, such as shopping carts, very convenient.

Maybe it was deliberate; maybe nobody really cared; or maybe it was an engineer's simple distaste for tweaking a spec too much: but they allowed cookies to hang off GIFs as well as HTML, and that changed everything. There were probably ten people in the: world at that point who could have foreseen the explosion in banner ad traffic, yielding a multi-billion-dollar industry in less than five years.

Yes, billion -- the large banner-ad company DoubleClick merged with database firm Abacus Direct last year in a billion-dollar stock swap. How much is a billion dollars worth of advertising revenue on the net? At DoubleClick's current rate, it's about 750 billion banner ads. Think of it as four petabytes of GIFs.

And the vast majority of those GIFs just get ignored. When's the last time you clicked a banner? There aren't any precise figures, but the consensus is that the average click-through rate is dropping. Three percent click-through used to be good. Now a well-targeted ad will be happy to get one or two percent. It's hard work to make money from banners, and getting harder every day.

That's why DoubleClick, and firms like it, need to maximize their efficiency. Their income ends up depending on that click-through rate. The higher they can raise that number, the more they can justify charging their clients. Sending targeted ads becomes critical. And the only way to target you is to learn more about you.

The GIF cookie loophole makes this pretty easy. The first banner ad that your browser requested from a banner-ad company got a user ID cookie sent back with it. And - here's the key - since so many banner GIFs all come from the same company's domain name, your browser sends back the same user ID no matter which website you're viewing the banner on. Your user ID is being tracked all over the web.

In the case of DoubleClick, that's a fair number of sites. They won't talk to you unless you serve a million impressions a month - and their network includes 651 publishers which translates to who-knows how many websites. All told, they deliver a billion ads every two days.

Though the Internet Movie Database can't tell where else you've been on the web today, the company delivering its banners knows. That same company knows if you read National Review, TeenMag, or Dilbert. It knows if you're into professional wrestling or what cruises you were looking at on Travelocity. It even has some of your click history through WebMD.com.

The comforting thing has always been that, while the corporation may be able to follow your footprints around the web, at least they haven't known it's you who's making them. The disconcerting thing is, that's about to change.

Remember that billion-dollar merger between DoubleClick and the database company? This database company doesn't sell software. Abacus Direct uses databases to store names, addresses, and other information about people. In offices across the country, their computers have information on two billion purchases made from 1,100 separate consumer catalogs over the years, "representing virtually all U.S. consumer catalog buying households." Their CEO brags,

"Through the sophisticated use of state-of-the-art technologies and modeling techniques, Abacus' outstanding ability to synthesize vast amounts of data into valuable insights about individual consumer buying behaviors has proven itself to be an important marketing tool for our age."

That's why it's very interesting that DoubleClick's privacy policy changed earlier this month. Its text used to read:

"DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous."

That promise is gone without a trace from the new policy. The new policy reads:

"In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address."

Of course not. In delivering the ad, DoubleClick just collects your user ID. It probably already has your name, address, phone number and email address, somewhere in the Abacus database.

A little further down is the portent of things to come. There is "one particular Web publisher" in their network which collects a "log-in name and demographic data about users." Which publisher is that? They don't say.

Whoever it is, you may already have given it your name and address, perhaps to register for a contest, or maybe in exchange for reading its free content. Everyone does it; it's a small price to pay. DoubleClick is already combining their demographic data (your name and address) with its own database (your viewing and clicking habits) in order to deliver more-targeted ads on this one website.

And if their programmers do their jobs right, it'll end up being a simple SQL query to join up your user ID, the name you gave the mysterious web publisher, your Abacus demographic data and catalog purchases, and the footprints you've left all over the net for the past two years, into a single big lump of your online/offline data.

To be fair, their privacy policy promises they won't start doing this without, er, changing their privacy policy:

"...should DoubleClick ever match the non-personally-identifiable information collected by DoubleClick with Abacus database information, DoubleClick will revise this Privacy Statement to accurately reflect its modified data collection and data use policies and ensure that you have adequate notice of any changes and a choice to participate."

Aren't you glad that, when DoubleClick revised its privacy statement on October13,1999, you were given adequate notice of how you were being tracked across the internet? (They've sent out 46 press releases so far this year. Informing you about weakening your privacy wasn't one of them.)

Things aren't as bad as they could be. One fortunate thing is that the banner-ad market isn't a monopoly yet. Not even close. Adbility lists over fifty ad networks, of which DoubleClick is just one of the larger ones (probably the largest).

But, when any rapidly expanding market starts to level off, the smaller and less-efficient companies get eaten. Nobody knows when the internet's growth curve will hit that point, but exponential expansion can't continue forever. At some point, the companies that can't send banner ads targeted to your community will get left behind. We'll end up with two, maybe three, meganetworks that deliver a large majority of the world's banner ads.

What can you do about it? To protect your own personal privacy, opt out of DoubleClick's cookies. Of course, this doesn't affect other banner-ad companies, who may or may not even offer this solution once they get as big as DoubleClick. It also doesn't help novice websurfers like your grandmother, who doesn't understand why she should refuse free cookies. More importantly, it can't ever be a real answer - if more than a tiny percentage of their audience ever opted out, DoubleClick would see the competitive advantage of their billion-dollar merger start to erode, and that'd be the end of that option.

What makes more sense is to close the cookie loophole. DoubleClick isn't the real problem; the HTTP spec is the problem. The browsers should change their implementation of cookies so that, by default, foreign sites can't send me cookies along with their GIFs. Why should cookies be allowed onto my hard drive if they aren't attached to the page I'm viewing?

Since DoubleClick's privacy policy claims that cookies "are not essential for us to continue our leadership," they should have no problem supporting this as the default behavior of every major web browser.

Because you're reading Slashdot, you probably know that client-side cookies are perfectly safe. They don't contain any code that gets executed by your computer, and there are limits to keep them from filling up your hard drive. Just as importantly, no server can read another server's data, each site reads only its own cookies, and you don't have to worry about privacy. If you don't want a site to know anything about you, you don't tell that site anything. Simple. Or is it?

When Netscape embraced-and-extended the HTTP spec in 1995, it was really just trying to digitize the shopping cart. Allowing a server to store just a few bits on the client added almost no overhead and it made many applications, such as shopping carts, very convenient.

Maybe it was deliberate; maybe nobody really cared; or maybe it was an engineer's simple distaste for tweaking a spec too much: but they allowed cookies to hang off GIFs as well as HTML, and that changed everything. There were probably ten people in the: world at that point who could have foreseen the explosion in banner ad traffic, yielding a multi-billion-dollar industry in less than five years.

Yes, billion -- the large banner-ad company DoubleClick merged with database firm Abacus Direct last year in a billion-dollar stock swap. How much is a billion dollars worth of advertising revenue on the net? At DoubleClick's current rate, it's about 750 billion banner ads. Think of it as four petabytes of GIFs.

And the vast majority of those GIFs just get ignored. When's the last time you clicked a banner? There aren't any precise figures, but the consensus is that the average click-through rate is dropping. Three percent click-through used to be good. Now a well-targeted ad will be happy to get one or two percent. It's hard work to make money from banners, and getting harder every day.

That's why DoubleClick, and firms like it, need to maximize their efficiency. Their income ends up depending on that click-through rate. The higher they can raise that number, the more they can justify charging their clients. Sending targeted ads becomes critical. And the only way to target you is to learn more about you.

The GIF cookie loophole makes this pretty easy. The first banner ad that your browser requested from a banner-ad company got a user ID cookie sent back with it. And - here's the key - since so many banner GIFs all come from the same company's domain name, your browser sends back the same user ID no matter which website you're viewing the banner on. Your user ID is being tracked all over the web.

In the case of DoubleClick, that's a fair number of sites. They won't talk to you unless you serve a million impressions a month - and their network includes 651 publishers which translates to who-knows how many websites. All told, they deliver a billion ads every two days.

Though the Internet Movie Database can't tell where else you've been on the web today, the company delivering its banners knows. That same company knows if you read National Review, TeenMag, or Dilbert. It knows if you're into professional wrestling or what cruises you were looking at on Travelocity. It even has some of your click history through WebMD.com.

The comforting thing has always been that, while the corporation may be able to follow your footprints around the web, at least they haven't known it's you who's making them. The disconcerting thing is, that's about to change.

Remember that billion-dollar merger between DoubleClick and the database company? This database company doesn't sell software. Abacus Direct uses databases to store names, addresses, and other information about people. In offices across the country, their computers have information on two billion purchases made from 1,100 separate consumer catalogs over the years, "representing virtually all U.S. consumer catalog buying households." Their CEO brags,

"Through the sophisticated use of state-of-the-art technologies and modeling techniques, Abacus' outstanding ability to synthesize vast amounts of data into valuable insights about individual consumer buying behaviors has proven itself to be an important marketing tool for our age."

That's why it's very interesting that DoubleClick's privacy policy changed earlier this month. Its text used to read:

"DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous."

That promise is gone without a trace from the new policy. The new policy reads:

"In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address."

Of course not. In delivering the ad, DoubleClick just collects your user ID. It probably already has your name, address, phone number and email address, somewhere in the Abacus database.

A little further down is the portent of things to come. There is "one particular Web publisher" in their network which collects a "log-in name and demographic data about users." Which publisher is that? They don't say.

Whoever it is, you may already have given it your name and address, perhaps to register for a contest, or maybe in exchange for reading its free content. Everyone does it; it's a small price to pay. DoubleClick is already combining their demographic data (your name and address) with its own database (your viewing and clicking habits) in order to deliver more-targeted ads on this one website.

And if their programmers do their jobs right, it'll end up being a simple SQL query to join up your user ID, the name you gave the mysterious web publisher, your Abacus demographic data and catalog purchases, and the footprints you've left all over the net for the past two years, into a single big lump of your online/offline data.

To be fair, their privacy policy promises they won't start doing this without, er, changing their privacy policy:

"...should DoubleClick ever match the non-personally-identifiable information collected by DoubleClick with Abacus database information, DoubleClick will revise this Privacy Statement to accurately reflect its modified data collection and data use policies and ensure that you have adequate notice of any changes and a choice to participate."

Aren't you glad that, when DoubleClick revised its privacy statement on October13,1999, you were given adequate notice of how you were being tracked across the internet? (They've sent out 46 press releases so far this year. Informing you about weakening your privacy wasn't one of them.)

Things aren't as bad as they could be. One fortunate thing is that the banner-ad market isn't a monopoly yet. Not even close. Adbility lists over fifty ad networks, of which DoubleClick is just one of the larger ones (probably the largest).

But, when any rapidly expanding market starts to level off, the smaller and less-efficient companies get eaten. Nobody knows when the internet's growth curve will hit that point, but exponential expansion can't continue forever. At some point, the companies that can't send banner ads targeted to your community will get left behind. We'll end up with two, maybe three, meganetworks that deliver a large majority of the world's banner ads.

What can you do about it? To protect your own personal privacy, opt out of DoubleClick's cookies. Of course, this doesn't affect other banner-ad companies, who may or may not even offer this solution once they get as big as DoubleClick. It also doesn't help novice websurfers like your grandmother, who doesn't understand why she should refuse free cookies. More importantly, it can't ever be a real answer - if more than a tiny percentage of their audience ever opted out, DoubleClick would see the competitive advantage of their billion-dollar merger start to erode, and that'd be the end of that option.

What makes more sense is to close the cookie loophole. DoubleClick isn't the real problem; the HTTP spec is the problem. The browsers should change their implementation of cookies so that, by default, foreign sites can't send me cookies along with their GIFs. Why should cookies be allowed onto my hard drive if they aren't attached to the page I'm viewing?

Since DoubleClick's privacy policy claims that cookies "are not essential for us to continue our leadership," they should have no problem supporting this as the default behavior of every major web browser.

Because you're reading Slashdot, you probably know that client-side cookies are perfectly safe. They don't contain any code that gets executed by your computer, and there are limits to keep them from filling up your hard drive. Just as importantly, no server can read another server's data, each site reads only its own cookies, and you don't have to worry about privacy. If you don't want a site to know anything about you, you don't tell that site anything. Simple. Or is it?

When Netscape embraced-and-extended the HTTP spec in 1995, it was really just trying to digitize the shopping cart. Allowing a server to store just a few bits on the client added almost no overhead and it made many applications, such as shopping carts, very convenient.

Maybe it was deliberate; maybe nobody really cared; or maybe it was an engineer's simple distaste for tweaking a spec too much: but they allowed cookies to hang off GIFs as well as HTML, and that changed everything. There were probably ten people in the: world at that point who could have foreseen the explosion in banner ad traffic, yielding a multi-billion-dollar industry in less than five years.

Yes, billion -- the large banner-ad company DoubleClick merged with database firm Abacus Direct last year in a billion-dollar stock swap. How much is a billion dollars worth of advertising revenue on the net? At DoubleClick's current rate, it's about 750 billion banner ads. Think of it as four petabytes of GIFs.

And the vast majority of those GIFs just get ignored. When's the last time you clicked a banner? There aren't any precise figures, but the consensus is that the average click-through rate is dropping. Three percent click-through used to be good. Now a well-targeted ad will be happy to get one or two percent. It's hard work to make money from banners, and getting harder every day.

That's why DoubleClick, and firms like it, need to maximize their efficiency. Their income ends up depending on that click-through rate. The higher they can raise that number, the more they can justify charging their clients. Sending targeted ads becomes critical. And the only way to target you is to learn more about you.

The GIF cookie loophole makes this pretty easy. The first banner ad that your browser requested from a banner-ad company got a user ID cookie sent back with it. And - here's the key - since so many banner GIFs all come from the same company's domain name, your browser sends back the same user ID no matter which website you're viewing the banner on. Your user ID is being tracked all over the web.

In the case of DoubleClick, that's a fair number of sites. They won't talk to you unless you serve a million impressions a month - and their network includes 651 publishers which translates to who-knows how many websites. All told, they deliver a billion ads every two days.

Though the Internet Movie Database can't tell where else you've been on the web today, the company delivering its banners knows. That same company knows if you read National Review, TeenMag, or Dilbert. It knows if you're into professional wrestling or what cruises you were looking at on Travelocity. It even has some of your click history through WebMD.com.

The comforting thing has always been that, while the corporation may be able to follow your footprints around the web, at least they haven't known it's you who's making them. The disconcerting thing is, that's about to change.

Remember that billion-dollar merger between DoubleClick and the database company? This database company doesn't sell software. Abacus Direct uses databases to store names, addresses, and other information about people. In offices across the country, their computers have information on two billion purchases made from 1,100 separate consumer catalogs over the years, "representing virtually all U.S. consumer catalog buying households." Their CEO brags,

"Through the sophisticated use of state-of-the-art technologies and modeling techniques, Abacus' outstanding ability to synthesize vast amounts of data into valuable insights about individual consumer buying behaviors has proven itself to be an important marketing tool for our age."

That's why it's very interesting that DoubleClick's privacy policy changed earlier this month. Its text used to read:

"DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous."

That promise is gone without a trace from the new policy. The new policy reads:

"In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address."

Of course not. In delivering the ad, DoubleClick just collects your user ID. It probably already has your name, address, phone number and email address, somewhere in the Abacus database.

A little further down is the portent of things to come. There is "one particular Web publisher" in their network which collects a "log-in name and demographic data about users." Which publisher is that? They don't say.

Whoever it is, you may already have given it your name and address, perhaps to register for a contest, or maybe in exchange for reading its free content. Everyone does it; it's a small price to pay. DoubleClick is already combining their demographic data (your name and address) with its own database (your viewing and clicking habits) in order to deliver more-targeted ads on this one website.

And if their programmers do their jobs right, it'll end up being a simple SQL query to join up your user ID, the name you gave the mysterious web publisher, your Abacus demographic data and catalog purchases, and the footprints you've left all over the net for the past two years, into a single big lump of your online/offline data.

To be fair, their privacy policy promises they won't start doing this without, er, changing their privacy policy:

"...should DoubleClick ever match the non-personally-identifiable information collected by DoubleClick with Abacus database information, DoubleClick will revise this Privacy Statement to accurately reflect its modified data collection and data use policies and ensure that you have adequate notice of any changes and a choice to participate."

Aren't you glad that, when DoubleClick revised its privacy statement on October13,1999, you were given adequate notice of how you were being tracked across the internet? (They've sent out 46 press releases so far this year. Informing you about weakening your privacy wasn't one of them.)

Things aren't as bad as they could be. One fortunate thing is that the banner-ad market isn't a monopoly yet. Not even close. Adbility lists over fifty ad networks, of which DoubleClick is just one of the larger ones (probably the largest).

But, when any rapidly expanding market starts to level off, the smaller and less-efficient companies get eaten. Nobody knows when the internet's growth curve will hit that point, but exponential expansion can't continue forever. At some point, the companies that can't send banner ads targeted to your community will get left behind. We'll end up with two, maybe three, meganetworks that deliver a large majority of the world's banner ads.

What can you do about it? To protect your own personal privacy, opt out of DoubleClick's cookies. Of course, this doesn't affect other banner-ad companies, who may or may not even offer this solution once they get as big as DoubleClick. It also doesn't help novice websurfers like your grandmother, who doesn't understand why she should refuse free cookies. More importantly, it can't ever be a real answer - if more than a tiny percentage of their audience ever opted out, DoubleClick would see the competitive advantage of their billion-dollar merger start to erode, and that'd be the end of that option.

What makes more sense is to close the cookie loophole. DoubleClick isn't the real problem; the HTTP spec is the problem. The browsers should change their implementation of cookies so that, by default, foreign sites can't send me cookies along with their GIFs. Why should cookies be allowed onto my hard drive if they aren't attached to the page I'm viewing?

Since DoubleClick's privacy policy claims that cookies "are not essential for us to continue our leadership," they should have no problem supporting this as the default behavior of every major web browser.

Because you're reading Slashdot, you probably know that client-side cookies are perfectly safe. They don't contain any code that gets executed by your computer, and there are limits to keep them from filling up your hard drive. Just as importantly, no server can read another server's data, each site reads only its own cookies, and you don't have to worry about privacy. If you don't want a site to know anything about you, you don't tell that site anything. Simple. Or is it?

When Netscape embraced-and-extended the HTTP spec in 1995, it was really just trying to digitize the shopping cart. Allowing a server to store just a few bits on the client added almost no overhead and it made many applications, such as shopping carts, very convenient.

Maybe it was deliberate; maybe nobody really cared; or maybe it was an engineer's simple distaste for tweaking a spec too much: but they allowed cookies to hang off GIFs as well as HTML, and that changed everything. There were probably ten people in the: world at that point who could have foreseen the explosion in banner ad traffic, yielding a multi-billion-dollar industry in less than five years.

Yes, billion -- the large banner-ad company DoubleClick merged with database firm Abacus Direct last year in a billion-dollar stock swap. How much is a billion dollars worth of advertising revenue on the net? At DoubleClick's current rate, it's about 750 billion banner ads. Think of it as four petabytes of GIFs.

And the vast majority of those GIFs just get ignored. When's the last time you clicked a banner? There aren't any precise figures, but the consensus is that the average click-through rate is dropping. Three percent click-through used to be good. Now a well-targeted ad will be happy to get one or two percent. It's hard work to make money from banners, and getting harder every day.

That's why DoubleClick, and firms like it, need to maximize their efficiency. Their income ends up depending on that click-through rate. The higher they can raise that number, the more they can justify charging their clients. Sending targeted ads becomes critical. And the only way to target you is to learn more about you.

The GIF cookie loophole makes this pretty easy. The first banner ad that your browser requested from a banner-ad company got a user ID cookie sent back with it. And - here's the key - since so many banner GIFs all come from the same company's domain name, your browser sends back the same user ID no matter which website you're viewing the banner on. Your user ID is being tracked all over the web.

In the case of DoubleClick, that's a fair number of sites. They won't talk to you unless you serve a million impressions a month - and their network includes 651 publishers which translates to who-knows how many websites. All told, they deliver a billion ads every two days.

Though the Internet Movie Database can't tell where else you've been on the web today, the company delivering its banners knows. That same company knows if you read National Review, TeenMag, or Dilbert. It knows if you're into professional wrestling or what cruises you were looking at on Travelocity. It even has some of your click history through WebMD.com.

The comforting thing has always been that, while the corporation may be able to follow your footprints around the web, at least they haven't known it's you who's making them. The disconcerting thing is, that's about to change.

Remember that billion-dollar merger between DoubleClick and the database company? This database company doesn't sell software. Abacus Direct uses databases to store names, addresses, and other information about people. In offices across the country, their computers have information on two billion purchases made from 1,100 separate consumer catalogs over the years, "representing virtually all U.S. consumer catalog buying households." Their CEO brags,

"Through the sophisticated use of state-of-the-art technologies and modeling techniques, Abacus' outstanding ability to synthesize vast amounts of data into valuable insights about individual consumer buying behaviors has proven itself to be an important marketing tool for our age."

That's why it's very interesting that DoubleClick's privacy policy changed earlier this month. Its text used to read:

"DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous."

That promise is gone without a trace from the new policy. The new policy reads:

"In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address."

Of course not. In delivering the ad, DoubleClick just collects your user ID. It probably already has your name, address, phone number and email address, somewhere in the Abacus database.

A little further down is the portent of things to come. There is "one particular Web publisher" in their network which collects a "log-in name and demographic data about users." Which publisher is that? They don't say.

Whoever it is, you may already have given it your name and address, perhaps to register for a contest, or maybe in exchange for reading its free content. Everyone does it; it's a small price to pay. DoubleClick is already combining their demographic data (your name and address) with its own database (your viewing and clicking habits) in order to deliver more-targeted ads on this one website.

And if their programmers do their jobs right, it'll end up being a simple SQL query to join up your user ID, the name you gave the mysterious web publisher, your Abacus demographic data and catalog purchases, and the footprints you've left all over the net for the past two years, into a single big lump of your online/offline data.

To be fair, their privacy policy promises they won't start doing this without, er, changing their privacy policy:

"...should DoubleClick ever match the non-personally-identifiable information collected by DoubleClick with Abacus database information, DoubleClick will revise this Privacy Statement to accurately reflect its modified data collection and data use policies and ensure that you have adequate notice of any changes and a choice to participate."

Aren't you glad that, when DoubleClick revised its privacy statement on October13,1999, you were given adequate notice of how you were being tracked across the internet? (They've sent out 46 press releases so far this year. Informing you about weakening your privacy wasn't one of them.)

Things aren't as bad as they could be. One fortunate thing is that the banner-ad market isn't a monopoly yet. Not even close. Adbility lists over fifty ad networks, of which DoubleClick is just one of the larger ones (probably the largest).

But, when any rapidly expanding market starts to level off, the smaller and less-efficient companies get eaten. Nobody knows when the internet's growth curve will hit that point, but exponential expansion can't continue forever. At some point, the companies that can't send banner ads targeted to your community will get left behind. We'll end up with two, maybe three, meganetworks that deliver a large majority of the world's banner ads.

What can you do about it? To protect your own personal privacy, opt out of DoubleClick's cookies. Of course, this doesn't affect other banner-ad companies, who may or may not even offer this solution once they get as big as DoubleClick. It also doesn't help novice websurfers like your grandmother, who doesn't understand why she should refuse free cookies. More importantly, it can't ever be a real answer - if more than a tiny percentage of their audience ever opted out, DoubleClick would see the competitive advantage of their billion-dollar merger start to erode, and that'd be the end of that option.

What makes more sense is to close the cookie loophole. DoubleClick isn't the real problem; the HTTP spec is the problem. The browsers should change their implementation of cookies so that, by default, foreign sites can't send me cookies along with their GIFs. Why should cookies be allowed onto my hard drive if they aren't attached to the page I'm viewing?

Since DoubleClick's privacy policy claims that cookies "are not essential for us to continue our leadership," they should have no problem supporting this as the default behavior of every major web browser.

Because you're reading Slashdot, you probably know that client-side cookies are perfectly safe. They don't contain any code that gets executed by your computer, and there are limits to keep them from filling up your hard drive. Just as importantly, no server can read another server's data, each site reads only its own cookies, and you don't have to worry about privacy. If you don't want a site to know anything about you, you don't tell that site anything. Simple. Or is it?

When Netscape embraced-and-extended the HTTP spec in 1995, it was really just trying to digitize the shopping cart. Allowing a server to store just a few bits on the client added almost no overhead and it made many applications, such as shopping carts, very convenient.

Maybe it was deliberate; maybe nobody really cared; or maybe it was an engineer's simple distaste for tweaking a spec too much: but they allowed cookies to hang off GIFs as well as HTML, and that changed everything. There were probably ten people in the: world at that point who could have foreseen the explosion in banner ad traffic, yielding a multi-billion-dollar industry in less than five years.

Yes, billion -- the large banner-ad company DoubleClick merged with database firm Abacus Direct last year in a billion-dollar stock swap. How much is a billion dollars worth of advertising revenue on the net? At DoubleClick's current rate, it's about 750 billion banner ads. Think of it as four petabytes of GIFs.

And the vast majority of those GIFs just get ignored. When's the last time you clicked a banner? There aren't any precise figures, but the consensus is that the average click-through rate is dropping. Three percent click-through used to be good. Now a well-targeted ad will be happy to get one or two percent. It's hard work to make money from banners, and getting harder every day.

That's why DoubleClick, and firms like it, need to maximize their efficiency. Their income ends up depending on that click-through rate. The higher they can raise that number, the more they can justify charging their clients. Sending targeted ads becomes critical. And the only way to target you is to learn more about you.

The GIF cookie loophole makes this pretty easy. The first banner ad that your browser requested from a banner-ad company got a user ID cookie sent back with it. And - here's the key - since so many banner GIFs all come from the same company's domain name, your browser sends back the same user ID no matter which website you're viewing the banner on. Your user ID is being tracked all over the web.

In the case of DoubleClick, that's a fair number of sites. They won't talk to you unless you serve a million impressions a month - and their network includes 651 publishers which translates to who-knows how many websites. All told, they deliver a billion ads every two days.

Though the Internet Movie Database can't tell where else you've been on the web today, the company delivering its banners knows. That same company knows if you read National Review, TeenMag, or Dilbert. It knows if you're into professional wrestling or what cruises you were looking at on Travelocity. It even has some of your click history through WebMD.com.

The comforting thing has always been that, while the corporation may be able to follow your footprints around the web, at least they haven't known it's you who's making them. The disconcerting thing is, that's about to change.

Remember that billion-dollar merger between DoubleClick and the database company? This database company doesn't sell software. Abacus Direct uses databases to store names, addresses, and other information about people. In offices across the country, their computers have information on two billion purchases made from 1,100 separate consumer catalogs over the years, "representing virtually all U.S. consumer catalog buying households." Their CEO brags,

"Through the sophisticated use of state-of-the-art technologies and modeling techniques, Abacus' outstanding ability to synthesize vast amounts of data into valuable insights about individual consumer buying behaviors has proven itself to be an important marketing tool for our age."

That's why it's very interesting that DoubleClick's privacy policy changed earlier this month. Its text used to read:

"DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous."

That promise is gone without a trace from the new policy. The new policy reads:

"In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address."

Of course not. In delivering the ad, DoubleClick just collects your user ID. It probably already has your name, address, phone number and email address, somewhere in the Abacus database.

A little further down is the portent of things to come. There is "one particular Web publisher" in their network which collects a "log-in name and demographic data about users." Which publisher is that? They don't say.

Whoever it is, you may already have given it your name and address, perhaps to register for a contest, or maybe in exchange for reading its free content. Everyone does it; it's a small price to pay. DoubleClick is already combining their demographic data (your name and address) with its own database (your viewing and clicking habits) in order to deliver more-targeted ads on this one website.

And if their programmers do their jobs right, it'll end up being a simple SQL query to join up your user ID, the name you gave the mysterious web publisher, your Abacus demographic data and catalog purchases, and the footprints you've left all over the net for the past two years, into a single big lump of your online/offline data.

To be fair, their privacy policy promises they won't start doing this without, er, changing their privacy policy:

"...should DoubleClick ever match the non-personally-identifiable information collected by DoubleClick with Abacus database information, DoubleClick will revise this Privacy Statement to accurately reflect its modified data collection and data use policies and ensure that you have adequate notice of any changes and a choice to participate."

Aren't you glad that, when DoubleClick revised its privacy statement on October13,1999, you were given adequate notice of how you were being tracked across the internet? (They've sent out 46 press releases so far this year. Informing you about weakening your privacy wasn't one of them.)

Things aren't as bad as they could be. One fortunate thing is that the banner-ad market isn't a monopoly yet. Not even close. Adbility lists over fifty ad networks, of which DoubleClick is just one of the larger ones (probably the largest).

But, when any rapidly expanding market starts to level off, the smaller and less-efficient companies get eaten. Nobody knows when the internet's growth curve will hit that point, but exponential expansion can't continue forever. At some point, the companies that can't send banner ads targeted to your community will get left behind. We'll end up with two, maybe three, meganetworks that deliver a large majority of the world's banner ads.

What can you do about it? To protect your own personal privacy, opt out of DoubleClick's cookies. Of course, this doesn't affect other banner-ad companies, who may or may not even offer this solution once they get as big as DoubleClick. It also doesn't help novice websurfers like your grandmother, who doesn't understand why she should refuse free cookies. More importantly, it can't ever be a real answer - if more than a tiny percentage of their audience ever opted out, DoubleClick would see the competitive advantage of their billion-dollar merger start to erode, and that'd be the end of that option.

What makes more sense is to close the cookie loophole. DoubleClick isn't the real problem; the HTTP spec is the problem. The browsers should change their implementation of cookies so that, by default, foreign sites can't send me cookies along with their GIFs. Why should cookies be allowed onto my hard drive if they aren't attached to the page I'm viewing?

Since DoubleClick's privacy policy claims that cookies "are not essential for us to continue our leadership," they should have no problem supporting this as the default behavior of every major web browser.

Because you're reading Slashdot, you probably know that client-side cookies are perfectly safe. They don't contain any code that gets executed by your computer, and there are limits to keep them from filling up your hard drive. Just as importantly, no server can read another server's data, each site reads only its own cookies, and you don't have to worry about privacy. If you don't want a site to know anything about you, you don't tell that site anything. Simple. Or is it?

When Netscape embraced-and-extended the HTTP spec in 1995, it was really just trying to digitize the shopping cart. Allowing a server to store just a few bits on the client added almost no overhead and it made many applications, such as shopping carts, very convenient.

Maybe it was deliberate; maybe nobody really cared; or maybe it was an engineer's simple distaste for tweaking a spec too much: but they allowed cookies to hang off GIFs as well as HTML, and that changed everything. There were probably ten people in the: world at that point who could have foreseen the explosion in banner ad traffic, yielding a multi-billion-dollar industry in less than five years.

Yes, billion -- the large banner-ad company DoubleClick merged with database firm Abacus Direct last year in a billion-dollar stock swap. How much is a billion dollars worth of advertising revenue on the net? At DoubleClick's current rate, it's about 750 billion banner ads. Think of it as four petabytes of GIFs.

And the vast majority of those GIFs just get ignored. When's the last time you clicked a banner? There aren't any precise figures, but the consensus is that the average click-through rate is dropping. Three percent click-through used to be good. Now a well-targeted ad will be happy to get one or two percent. It's hard work to make money from banners, and getting harder every day.

That's why DoubleClick, and firms like it, need to maximize their efficiency. Their income ends up depending on that click-through rate. The higher they can raise that number, the more they can justify charging their clients. Sending targeted ads becomes critical. And the only way to target you is to learn more about you.

The GIF cookie loophole makes this pretty easy. The first banner ad that your browser requested from a banner-ad company got a user ID cookie sent back with it. And - here's the key - since so many banner GIFs all come from the same company's domain name, your browser sends back the same user ID no matter which website you're viewing the banner on. Your user ID is being tracked all over the web.

In the case of DoubleClick, that's a fair number of sites. They won't talk to you unless you serve a million impressions a month - and their network includes 651 publishers which translates to who-knows how many websites. All told, they deliver a billion ads every two days.

Though the Internet Movie Database can't tell where else you've been on the web today, the company delivering its banners knows. That same company knows if you read National Review, TeenMag, or Dilbert. It knows if you're into professional wrestling or what cruises you were looking at on Travelocity. It even has some of your click history through WebMD.com.

The comforting thing has always been that, while the corporation may be able to follow your footprints around the web, at least they haven't known it's you who's making them. The disconcerting thing is, that's about to change.

Remember that billion-dollar merger between DoubleClick and the database company? This database company doesn't sell software. Abacus Direct uses databases to store names, addresses, and other information about people. In offices across the country, their computers have information on two billion purchases made from 1,100 separate consumer catalogs over the years, "representing virtually all U.S. consumer catalog buying households." Their CEO brags,

"Through the sophisticated use of state-of-the-art technologies and modeling techniques, Abacus' outstanding ability to synthesize vast amounts of data into valuable insights about individual consumer buying behaviors has proven itself to be an important marketing tool for our age."

That's why it's very interesting that DoubleClick's privacy policy changed earlier this month. Its text used to read:

"DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous."

That promise is gone without a trace from the new policy. The new policy reads:

"In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address."

Of course not. In delivering the ad, DoubleClick just collects your user ID. It probably already has your name, address, phone number and email address, somewhere in the Abacus database.

A little further down is the portent of things to come. There is "one particular Web publisher" in their network which collects a "log-in name and demographic data about users." Which publisher is that? They don't say.

Whoever it is, you may already have given it your name and address, perhaps to register for a contest, or maybe in exchange for reading its free content. Everyone does it; it's a small price to pay. DoubleClick is already combining their demographic data (your name and address) with its own database (your viewing and clicking habits) in order to deliver more-targeted ads on this one website.

And if their programmers do their jobs right, it'll end up being a simple SQL query to join up your user ID, the name you gave the mysterious web publisher, your Abacus demographic data and catalog purchases, and the footprints you've left all over the net for the past two years, into a single big lump of your online/offline data.

To be fair, their privacy policy promises they won't start doing this without, er, changing their privacy policy:

"...should DoubleClick ever match the non-personally-identifiable information collected by DoubleClick with Abacus database information, DoubleClick will revise this Privacy Statement to accurately reflect its modified data collection and data use policies and ensure that you have adequate notice of any changes and a choice to participate."

Aren't you glad that, when DoubleClick revised its privacy statement on October13,1999, you were given adequate notice of how you were being tracked across the internet? (They've sent out 46 press releases so far this year. Informing you about weakening your privacy wasn't one of them.)

Things aren't as bad as they could be. One fortunate thing is that the banner-ad market isn't a monopoly yet. Not even close. Adbility lists over fifty ad networks, of which DoubleClick is just one of the larger ones (probably the largest).

But, when any rapidly expanding market starts to level off, the smaller and less-efficient companies get eaten. Nobody knows when the internet's growth curve will hit that point, but exponential expansion can't continue forever. At some point, the companies that can't send banner ads targeted to your community will get left behind. We'll end up with two, maybe three, meganetworks that deliver a large majority of the world's banner ads.

What can you do about it? To protect your own personal privacy, opt out of DoubleClick's cookies. Of course, this doesn't affect other banner-ad companies, who may or may not even offer this solution once they get as big as DoubleClick. It also doesn't help novice websurfers like your grandmother, who doesn't understand why she should refuse free cookies. More importantly, it can't ever be a real answer - if more than a tiny percentage of their audience ever opted out, DoubleClick would see the competitive advantage of their billion-dollar merger start to erode, and that'd be the end of that option.

What makes more sense is to close the cookie loophole. DoubleClick isn't the real problem; the HTTP spec is the problem. The browsers should change their implementation of cookies so that, by default, foreign sites can't send me cookies along with their GIFs. Why should cookies be allowed onto my hard drive if they aren't attached to the page I'm viewing?

Since DoubleClick's privacy policy claims that cookies "are not essential for us to continue our leadership," they should have no problem supporting this as the default behavior of every major web browser.

Because you're reading Slashdot, you probably know that client-side cookies are perfectly safe. They don't contain any code that gets executed by your computer, and there are limits to keep them from filling up your hard drive. Just as importantly, no server can read another server's data, each site reads only its own cookies, and you don't have to worry about privacy. If you don't want a site to know anything about you, you don't tell that site anything. Simple. Or is it?

When Netscape embraced-and-extended the HTTP spec in 1995, it was really just trying to digitize the shopping cart. Allowing a server to store just a few bits on the client added almost no overhead and it made many applications, such as shopping carts, very convenient.

Maybe it was deliberate; maybe nobody really cared; or maybe it was an engineer's simple distaste for tweaking a spec too much: but they allowed cookies to hang off GIFs as well as HTML, and that changed everything. There were probably ten people in the: world at that point who could have foreseen the explosion in banner ad traffic, yielding a multi-billion-dollar industry in less than five years.

Yes, billion -- the large banner-ad company DoubleClick merged with database firm Abacus Direct last year in a billion-dollar stock swap. How much is a billion dollars worth of advertising revenue on the net? At DoubleClick's current rate, it's about 750 billion banner ads. Think of it as four petabytes of GIFs.

And the vast majority of those GIFs just get ignored. When's the last time you clicked a banner? There aren't any precise figures, but the consensus is that the average click-through rate is dropping. Three percent click-through used to be good. Now a well-targeted ad will be happy to get one or two percent. It's hard work to make money from banners, and getting harder every day.

That's why DoubleClick, and firms like it, need to maximize their efficiency. Their income ends up depending on that click-through rate. The higher they can raise that number, the more they can justify charging their clients. Sending targeted ads becomes critical. And the only way to target you is to learn more about you.

The GIF cookie loophole makes this pretty easy. The first banner ad that your browser requested from a banner-ad company got a user ID cookie sent back with it. And - here's the key - since so many banner GIFs all come from the same company's domain name, your browser sends back the same user ID no matter which website you're viewing the banner on. Your user ID is being tracked all over the web.

In the case of DoubleClick, that's a fair number of sites. They won't talk to you unless you serve a million impressions a month - and their network includes 651 publishers which translates to who-knows how many websites. All told, they deliver a billion ads every two days.

Though the Internet Movie Database can't tell where else you've been on the web today, the company delivering its banners knows. That same company knows if you read National Review, TeenMag, or Dilbert. It knows if you're into professional wrestling or what cruises you were looking at on Travelocity. It even has some of your click history through WebMD.com.

The comforting thing has always been that, while the corporation may be able to follow your footprints around the web, at least they haven't known it's you who's making them. The disconcerting thing is, that's about to change.

Remember that billion-dollar merger between DoubleClick and the database company? This database company doesn't sell software. Abacus Direct uses databases to store names, addresses, and other information about people. In offices across the country, their computers have information on two billion purchases made from 1,100 separate consumer catalogs over the years, "representing virtually all U.S. consumer catalog buying households." Their CEO brags,

"Through the sophisticated use of state-of-the-art technologies and modeling techniques, Abacus' outstanding ability to synthesize vast amounts of data into valuable insights about individual consumer buying behaviors has proven itself to be an important marketing tool for our age."

That's why it's very interesting that DoubleClick's privacy policy changed earlier this month. Its text used to read:

"DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous."

That promise is gone without a trace from the new policy. The new policy reads:

"In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address."

Of course not. In delivering the ad, DoubleClick just collects your user ID. It probably already has your name, address, phone number and email address, somewhere in the Abacus database.

A little further down is the portent of things to come. There is "one particular Web publisher" in their network which collects a "log-in name and demographic data about users." Which publisher is that? They don't say.

Whoever it is, you may already have given it your name and address, perhaps to register for a contest, or maybe in exchange for reading its free content. Everyone does it; it's a small price to pay. DoubleClick is already combining their demographic data (your name and address) with its own database (your viewing and clicking habits) in order to deliver more-targeted ads on this one website.

And if their programmers do their jobs right, it'll end up being a simple SQL query to join up your user ID, the name you gave the mysterious web publisher, your Abacus demographic data and catalog purchases, and the footprints you've left all over the net for the past two years, into a single big lump of your online/offline data.

To be fair, their privacy policy promises they won't start doing this without, er, changing their privacy policy:

"...should DoubleClick ever match the non-personally-identifiable information collected by DoubleClick with Abacus database information, DoubleClick will revise this Privacy Statement to accurately reflect its modified data collection and data use policies and ensure that you have adequate notice of any changes and a choice to participate."

Aren't you glad that, when DoubleClick revised its privacy statement on October13,1999, you were given adequate notice of how you were being tracked across the internet? (They've sent out 46 press releases so far this year. Informing you about weakening your privacy wasn't one of them.)

Things aren't as bad as they could be. One fortunate thing is that the banner-ad market isn't a monopoly yet. Not even close. Adbility lists over fifty ad networks, of which DoubleClick is just one of the larger ones (probably the largest).

But, when any rapidly expanding market starts to level off, the smaller and less-efficient companies get eaten. Nobody knows when the internet's growth curve will hit that point, but exponential expansion can't continue forever. At some point, the companies that can't send banner ads targeted to your community will get left behind. We'll end up with two, maybe three, meganetworks that deliver a large majority of the world's banner ads.

What can you do about it? To protect your own personal privacy, opt out of DoubleClick's cookies. Of course, this doesn't affect other banner-ad companies, who may or may not even offer this solution once they get as big as DoubleClick. It also doesn't help novice websurfers like your grandmother, who doesn't understand why she should refuse free cookies. More importantly, it can't ever be a real answer - if more than a tiny percentage of their audience ever opted out, DoubleClick would see the competitive advantage of their billion-dollar merger start to erode, and that'd be the end of that option.

What makes more sense is to close the cookie loophole. DoubleClick isn't the real problem; the HTTP spec is the problem. The browsers should change their implementation of cookies so that, by default, foreign sites can't send me cookies along with their GIFs. Why should cookies be allowed onto my hard drive if they aren't attached to the page I'm viewing?

Since DoubleClick's privacy policy claims that cookies "are not essential for us to continue our leadership," they should have no problem supporting this as the default behavior of every major web browser.