Quicken Privacy Leak Adds to DoubleClick’s Woes

According to published reports, controversial Internet advertising firm DoubleClick, Inc. has been receiving leaked personal financial information from Intuit Corp.’s Quicken Web site.

Intuit claims to have resolved the problem temporarily by pulling the DoubleClick advertisement from the Web page in question. DoubleClick has said that it was unaware of the leaks and did not use the information it received.

More of the Same for DoubleClick

This latest revelation about privacy leaks comes just weeks after DoubleClick became the subject of investigations by the U.S. Federal Trade Commission (FTC) and the New York State Attorney General’s office.

DoubleClick is also being threatened with legal action by the state of Michigan’s Attorney General’s office and has become the subject of six lawsuits that are seeking class action status.

Mortgage, Credit Info Leaked

The leak is being attributed to a design flaw that allows information from computer forms to be attached to Web page location codes that are used by third parties. In Intuit’s case, both a mortgage-calculator and credit-assessment feature have been collecting information about consumers’ income, assets and debt.

Wednesday, DoubleClick CEO Kevin O’Connor reportedly said that DoubleClick will “look at all the sites to find out if this quirk is happening.” He added that, “when and if we discover this, we will immediately tell our clients.”

The “data spillage” was discovered by Internet security consultant Richard M. Smith, who says that the problem seems to be widespread and is not limited to just personal finance sites. For example, he said that e-tailer Buy.com also appears to be sending the results of video title searches to DoubleClick.

Smith added that other sites, such as RealNetworks and Alta Vista, have experienced similar problems in the past — but have already addressed them.

Intuit Unaware

Wednesday, when the Mountain View, California-based Intuit was contacted about the DoubleClick issue, the company first said that it was unaware of the problem.

However, after company officials analyzed the electronic traffic, Intuit Vice President Brooks Fisher confirmed the situation and disclosed that the company had decided to remove the DoubleClick ad from its Quicken loans site.

AltaVista Clarifies Privacy Policy

In an unrelated action, Internet portal AltaVista — which is DoubleClick’s leading customer — clarified its privacy policies and its relationship with DoubleClick.

AltaVista stated clearly that it will not allow personally-identifiable information about its users to be released to anyone without users opting-in to such activity. By contrast, however, the company said that it will continue to allow anonymous information to be shared and used by outside parties.

AltaVista also expressly said that it will continue to allow DoubleClick to place cookies on its users’ computers so that their actions can be tracked anonymously across multiple Web sites. It then stated that users will be able to opt out of such tracking.

Center of Privacy Issue

While there is widespread agreement that using personal information without permission is troublesome, there is a growing debate about whether so-called pseudonymous tracking is acceptable without the user first opting in to being tracked.

The state of Michigan asserts that DoubleClick cannot do such anonymous tracking because the company is not known to the user. In its “Notice of Intended Action,” Michigan informed DoubleClick that “Among those Michigan consumers who expect cookies to be placed by the site they have chosen to visit, many do not know that surveillance cookies are being placed by DoubleClick, a third party with whom users are not acquainted and have not chosen to establish an online relationship.”

Will Michigan Stand Firm?

The Michigan case could have substantial ramifications on how DoubleClick is allowed to operate in Michigan and, potentially, in other states. It is not clear, however, how the matter will be resolved.

In an interview with the E-Commerce Times, Tracy Sonneborn, an assistant attorney general in the consumer protection division, said that Michigan has scheduled a meeting with DoubleClick in the next couple of weeks to discuss its threatened action.

Sonneborn said that while Michigan is very concerned about the use of pseudonymous tracking, the state has not drawn a hard line in the sand against such usage and remains willing to discuss potential resolutions.

He added that Michigan is not against the use of cookies in an appropriate manner, such as when a consumer is on a known shopping site where using a cookie would be expected to customize the shopping experience.