7.26 Privacy suits: DoubleClick and Toysmart

Some examples should help to illustrate some of the problems associated with privacy and the internet. Privacy suits taken out against Doubleclick and Toysmart are important illustrative cases with respect to the influence of commerce on privacy. They raise questions about the kind of architecture we should be striving for, somewhere along the continuum from open-anonymous to closed-identifiable.

Late in 1999, the largest internet advertising company, DoubleClick, effectively changed its policy on tracking websurfers anonymously. In the summer of 1999 they bought out the direct marketing (junkmail and catalogue) company Abacus Direct, which reportedly had a database profiling the spending habits of 90 million US households. DoubleClick planned to cross-match the Abacus database with its own, building profiles of online and offline consumer habits. Privacy groups were angered by the move, as DoubleClick had maintained that their technology allowed internet users to remain anonymous. The company won Privacy International's ‘Big Brother Award’ in April 2000, in the Greatest Corporate Invader category ‘for monitoring the surfing of 50 million Net users.’ Some consumers and the State Attorneys General of New York and Michigan sued the company. ZDNet published a report in March 2000 on how the DoubleClick cases could change US law. It did not change the law – the New York Times reported in April 2001 on DoubleClick's victory in the case. (Note: the New York Times requires you to register and accept cookies to view their articles.)

The Federal Trade Commission (FTC) also investigated DoubleClick's data collection practices after a formal complaint from the Electronic Privacy Information Center (EPIC). With the FTC review and the court cases, DoubleClick shelved the plan to merge the online and offline profiling information until ‘government and industry privacy standards’ could be developed. The company was also responding to the huge drop in its share price which may have been due to the negative publicity over privacy (Wired ran a story on this at the time). The FTC investigation was closed in early 2001. The FTC wrote to DoubleClick saying they believed that the company abided by its own privacy policy:

Doubleclick never used or disclosed consumers' PII [personal identifying information] for purposes other than those disclosed in its privacy policy.

They also said that the closing of the investigation:

… is not to be construed as a determination that a violation may not have occurred, just as the pendency of an investigation should not be construed as a determination that a violation has occurred. The Commission reserves the right to take such further action as the public interest may require.

Legalese often gets tied up in ‘nots’ like this, making it confusing – it just means that the FTC are still sitting on the fence, i.e. they are not siding with DoubleClick or the company's critics, such as EPIC. If you are interested you can read the FTC letter to DoubleClick's lawyer. By the summer of 2001 DoubleClick unveiled a new privacy policy and asked for comments on it ‘to make sure that our policy provides awareness of our services and technologies in a way that is easy to understand.’

By the summer of 2007 DoubleClick was in line to be taken over by Google. Since Google's chief executive, Eric Schmidt, had declared that one of the company's key goals was to collect as much personal information about individual users as possible, this proposed takeover became the object of much concern among civil right activists. The takeover was examined by US and EU regulators with the US Federal Trade Commission approving the deal in December 2007 and the European Commission following suit in March 2008.

The Federal Trade Commission sued Toysmart in the summer of 2000. In May of that year, the company filed for bankruptcy and planned to sell confidential customer information. This was in violation of its own privacy policy. You can see the FTC's reasoning for taking the action in their press release at the time. The two sides came to an agreement that Toysmart could sell the information if the buyer agreed to uphold the original privacy guarantees provided by the company. Then the bankruptcy court judge overturned the deal. Next, Buena Vista Internet Group, a subsidiary of the Walt Disney Co. and the majority shareholder in ToySmart, offered to pay the company (about $50 000) to destroy the information. The bankruptcy judge partly agreed to the plan early in 2001. However, rather than having the information immediately destroyed, she required that the company lawyers retain it until all claims against the company have been settled. The $50 000 should then be divided among the company's creditors, with the lawyers having to provide a legal document (affidavit) to declare how the information was destroyed.

What each of these cases and the preceding discussion again illustrate is the need to make policy choices – about how commerce is handled via the internet and how far the need to facilitate e-commerce can be allowed to erode traditional notions of personal privacy.

I have hardly scratched the surface of the issues related to privacy and the internet. There have been a huge number of developments in the area since Lessig published his book, the most important, arguably, being those developments arising out of the tragedies of September 11, 2001. These include a whole host of anti-terrorism legislation (such as the USA/PATRIOT Act and the Anti-Terrorism Crime and Security Act in the UK), the national identity card proposed by the UK government, and the ‘Secure Flight’ passenger screening system (which replaced the Computer Assisted Passenger Pre-screening System (CAPPSII)), which aims to improve airline security.

The cost of manufacturing microscopic radio frequency identification (RFID) tags has also come down to the extent that it now makes economic sense for commerce to deploy them on a large scale. The Guardian reported (Tesco tests spy chip technology) on a trial run with these chips at Tesco in Cambridge.

In a cnet news report a Californian senator worried, ‘How would you like it if, for instance, one day you realised your underwear was reporting on your whereabouts?’

Further reading: the debates in relation to privacy also tend to get quite polarised, but there are quite a few useful information websites and books in the area should you decide to look into the matter further. For example:

  • Privacy International

  • EPIC

  • Center for Democracy and Technology

  • The Control Revolution, by Andrew Shapiro

  • The Internet, Law and Society, edited by Yaman Akdeniz, Clive Walker and David S. Wall

  • The Unwanted Gaze: The Destruction of Privacy in America, by Jeffrey Rosen

  • Database Nation, by Simson Garfinkel

  • Secrets and Lies, by Bruce Schneier

  • Beyond Fear: Thinking Sensibly About Security in an Uncertain World, by Bruce Schneier

Look out also for stories in the media about the handling and transfer of EU airline passenger data to US authorities and the use of the so-called CAPPS on CAPPSII database in the US. The CAPPSII program was declared dead by the US Secretary for Homeland Security in July 2004 but it is was replaced by a similar scheme operating under a different name, ‘Secure Flight’. By 2006 Secure Flight had been subjected to several government reviews (including reviews by the Department for Homeland Security and the General Accounting Office), all of which basically found it unfit for purpose. Though it was temporarily suspended in 2006, Secure Flight was re-introduced and, as of the autumn of 2007, the program was still being used, with budget plans to spend a further $38 million on it in the next financial year. US Customs have also for some years been operating an ‘Automated Targeting System’ which assigns a score to all travellers entering or leaving the US indicating what level of terrorist threat they pose. There is very little public information about how the programme operates, but the data collected can be shared with a range of federal or local authorities and even private organisations. It seems that the only people who can't get the information are those travellers to whom it relates. It is also subject to retention for 40 years.

7.25.1 Privacy and why the Net changes things

7.27 Activity 6