Ad Attack

After reading Mary Pipher's review of Deadly Persuasion: Why Women and Girls Must Fight the Addictive Power of Advertising by Jean Kilbourne, forwarded to an email list I'm on, I wrote an extended reply in January, 2000. From an ad for Lion hair tonic, in a Japanese magazine I mentioned DoubleClick in it, as a force to be reckoned with. They first got on my radar thanks to Philip Greenspun's online version of his book, Philip and Alex's Guide to Web Publishing, wherein he details how they track, accumulate, and cross-reference your online behavior for themselves and their clients. Greenspun notes "Of course, Double Click assures everyone that your privacy is assured."

In my message, I suggested that web advertising "as attractive nuisance" was not particulary effective, but that the bad news was, it was likely to be "fixed" to serve market forces.

Resources

How to track users on the web

NYT: Giving the web a memory cost users its privacy

Center for Democracy and Technology's convenient list of opt-out links.

Opt out of DoubleClick

Opt out of Engage, another cookie collector (that ate Flycast).

Junkbusters FAQ; more general protection with your own proxy server.

Shields UP! and Opt Out from Gibson Research

Dan Gillmor's observations about (the lack of) email security come with useful tips for securing Outlook and Outlook Express.

Links to book titles for more reading.

PC World Magazine, "Who's watching you on the web?" (ironically served up with DoubleClick ads)

The next day, a Wall Street Journal page affirmed my concerns about what DoubleClick's doing "behind the scenes," and how online advertising is evolving. Perhaps it was nothing more than the bad taste to serve up a particularly bloated piece of advertising, but I found it to be a breach of trust, and reason enough to scratch Walter Mossberg's "Personal Technology" website from my list of potential destinations.

I wrote to Mossberg, telling him what I thought of his site's underhanded advertising. He may well have been uninformed about the methods, but given what he writes about -- to say nothing about the irony of the particular column at hand -- he should know better. He blew me off; he had nothing to do with WSJ advertising, even though he was happy to critique other companies' behavior.

In the following months, Double Click was in the news quite a bit. Two pieces ran in national newspapers on the same subject: Charles J. Sykes' "Rule of Law" column in The Wall Street Journal on 24.Jan, "Your Best Defense Against Big Brother: You," and a piece by Will Rodger in the 26.Jan USA Today, "Surfer beware: Advertiser's on your trail."

Sykes' piece starts out about the Supreme Court's recent decision to uphold Congress' attempt to safeguard the privacy of drivers' license records with the 1994 Drivers Privacy Protection Act. You have the right to refuse permission to the state to see your personal information. If you grant permission (practically, if you do not refuse it), your state will be happy to sell the information on your driver's license to anyone who asks for it by referencing your vehicle's license plate number.

His point is that this is a small consolation, given the current traffic in personal information. Scott McNealy tells us to "get over" our loss of privacy, but polls find it our greatest concern about the new century. In describing the mechanics of our loss, he notes that "the Internet hypercharges the process."

The solution he proposes is similar to what Mossberg suggested I do: "patronize those businesses that respect (your privacy) and spurn those that don't." Earlier in the article, though he tells us that 86 of the top 100 e-commerce sites use cookies (not in and of itself an attack, of course), and that the Electronic Privacy Information Center found most e-commerce sites' privacy policies to be "confusing, incomplete and inconsistent."

Sykes is a research fellow at the Hoover Institution, and the author of The End of Privacy.

The USA Today piece was directly on point. They just learned that Double Click "has begun tracking Web users' online movements, not just by anonymous identifying numbers but also by their actual names, addresses and real-world purchasing habits." As Greenspun described years ago, they can do this even if you haven't bought anything, or registered with the particular site they've infected.

If you've ever registered for something on the web, it's likely that information will eventually be linked into Double Click's database.

They say Double Click now has 11,500 website clients, and a hundred million user files, and is combining this database with the one they got when they bought Abacus Direct in June 1999.

On Feb. 18, the San Jose Mercury News reported off AP and Reuters that Michigan's Attorney General's office had begun legal proceedings against the company, and that it faces "five other similar lawsuits as well as government inquiries in Washington and New York" (where the company is based). In his eJournal column Dan Gillmor says it's about time that "the FTC and several state governments are finally taking a close look at DoubleClick, the company that sells Net surveillance -- or targeted advertising, depending on your point of view."

He predicts that they'll find nothing illegal, and I expect he's right. He goes on to say "the law will eventually catch up with these outrageous invasions of privacy." I think he's wrong there. It's going to be up to us to protect our own privacy.

In July, Joel Sapolsky reports on the attack potential in Microsoft Passport, embedding the technology deeper into your applications and/or operating system. (Microsoft likes to blur or sharpen the distinction between the two to suit particular purposes.) (Jason Levine complains that it's just unsubstantiated FUD.)

Doc Searls' open letter to Meg Whitman (the CEO of E-bay) responds to E-bay's decision to become yet another advertising medium. [Oct. 2000]

Advertising is not the only attack front, of course. The U.S. passed its Bill of Rights in reponse to familiar encroachment from the British government, with very different traditions. The Standard report (July 27, 2000) on the Regulation of Investigatory Powers bill shows us how incredibly different: all U.K. ISPs will have to send all traffic to the government, and give up encryption keys on request, and the person complying with such a request is forbidden to tell anyone -- even the managers of the company s/he works for! (And yes, the Standard's site has DoubleClick ads...)

Footnotes

  1. On pages 247-251 of his book (and online, in chapter 9 at photo.net/wtr/thebook/user-tracking.html), Greenspun describes the basic mechanism Double Click is using to exploit "cookies" technology to track web users' behavior. I've taken to editing my cookies.txt file from time to time, and deleting Double Click's entries along with any others that don't look legitimate to me. Netscape flags the file with warnings not to edit it, which I interpret to mean I shouldn't edit it while I have Netscape running. Use appropriate caution for yourself. Internet Explorer users can use View > Options > Advanced > View (Temporary) Files. WinXX/Netscape users may find the file by searching in the C:\Program Files\Netscape directory tree.
  2. Steve Gibson reports on a new technique using small (typically single pixel, transparent) GIF files and fake dates for identification. This is clearly an arms race. Richard M. Smith's Advanced web programming site gives more information about so-called webbugs.

  3. I link book titles to Amazon.com's website, with a URL that includes an identifier for this site. They'll pay me for referrals, if I ever manage to get up to $100's worth, for which I'm not holding my breath. I provide details about the method, my justification for using it, and how to subvert it if you choose to. Normally, the link goes straight from the title, but given the issue under discussion, I added a level of indirection to this notice on this page.
  4. Amazon Associates links to the four books mentioned, with their reviews, and responses from other readers (and of course, no obligation to buy):

Tom von Alten      tva_∂t_fortboise_⋅_org

http://www.anybrowser.org/

Thursday, 06-Sep-2001 09:18:11 MDT
http://fortboise.org/useful/adattack.html