The profiling techniques employed by online advertising networks raise troubling privacy concerns. Advertising networks are using unique identifiers to track and monitor individuals' online activities across multiple Web sites without their knowledge and consent. This practice undermines individuals' expectations of privacy by fundamentally changing the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded.

The profiling activities of advertising networks, such as DoubleClick which currently commands approximately 60% of market share, are the leading edge of a growing industry built upon the widespread tracking and monitoring of individuals' online behavior. The increasingly pervasive use of surreptitious monitoring systems breeds consumer distrust and undermines consumers' efforts to protect their privacy by depriving them of control over their personal information.

The practices of advertising networks have far-reaching impacts on consumers' online privacy. The advertising networks that engage in profiling are hidden from the individual. They reach through the Web site with whom the individual has chosen to interact with and, unbeknownst to the individual, extract information about the individual's activities. In the rare instances where individuals are aware of the fact that a third party is collecting information about them, they are unlikely to be aware that this information is being fed into a growing personal profile maintained at a data warehouse [ 1 ] , on which data mining [ 2 ] can be exercised.

While several of the companies engaged in profiling state that they do not correlate information with identifying information such as name, e-mail, address, this does not on its own address the privacy concerns at issue. The highly detailed nature of the profiles and the capture of information that can be reasonably easily associated with a specific individual raise questions about the claims of anonymity and promises of non-identifiability. While the companies, in some instances, may not be using the information in identifiable form, the information may be quite capable of revealing the individual's identity, through the use of various computer tools and software.

Equally troubling is the possibility that any one of these companies might unilaterally decide to change its terms of service and retroactively attach identities to these extensive profiles -- contradicting the statement relied upon by consumers. We have seen Web sites and online service providers attempt to change their privacy practices and terms of service. While some have come under heavy fire and stepped back, we are certain that many have gone unnoticed by consumers and advocates alike. A change in policy that so fundamentally alters the privacy expectation of consumers should not be permitted unless consumers have unequivocally consented.

As these companies merge with each other and with companies such as Abacus that maintain detailed personally identifiable profiles about individuals' offline activities, the consolidation of offline and online profiles will erode the distinction between online and offline identity. Online companies are aware of the sensitivity this raises. Consumers have shown an aversion to having their online activities tied to their identity. Finally, recent revelations about government demands for access to individual profiles created in the consumer marketplace warn us that even the most benign information, such as grocery purchases, that provides insights into individuals' behavior are sought out by the government.

Perhaps most importantly, the profiles created by the advertising networks are being used to make decisions about specific individuals. While the name and e-mail address of the individual may remain obscure, the information the individual is able to access, the offers made to the individual are being determined by the business based on specific information collected about the individual. While the concern raised by the use of information about the individual to alter what information they see in the context of advertising may appear relatively trivial, this same practice, and perhaps data, can be used to make other decisions about the individual that even a privacy-skeptic may find objectionable. The info collected about the individual could be used to alter the prices at which goods or services, including important services such as life and health insurance, are offered, employed by a government, and could be used to alter the information viewed by individuals. While the impact of altered advertisements on the individual-- harm ? benefit ?--can be disputed, these other examples indicate that there is a privacy interest in information about individuals actions and interactions when it is collected and used to make decisions about them.

Similar concerns, led CDT and other advocates to file a complaint asking the FTC to enjoin the shipment of the Intel Pentium III Processors equipped with unique identifiers. [ 3 ] Our complaint stated that the deployment of the Intel Pentium III Processors equipped with unique identifiers did not comport with concepts of privacy protection. We specifically noted that the PSN threatened consumer privacy by failing to provide consumers with effective notice of how data is handled and by facilitating the collection of personal information without consumers' consent -- two bedrock principles of fair information practice.

Like Intel, the profiling companies have recognized that their activity poses a threat to online privacy. And like Intel, their opening response to privacy concerns is inadequate.

We welcome the Federal Trade Commission and Department of Commerce's attention to the troubling practices explored during the Workshop and look forward to a swift resolution of the privacy concerns raised by online profiling.

A. The practice and risks of profiling

"Profiling" is the collection of detailed data about an individual or a group of people (living in the same area or belonging to the same ethnicity for example). Profiling can be the compilation of information in a clearly identifiable fashion -- including information such as full name or social security number. It may be the collection of information about a unique individual, but without information about who the individual is -- a DC metro card for example contains a profile of your trips but it does not contain any information about you. The term also includes the creation of a profile that does not contain information about a specific individual but is used to make decisions or impute traits to individuals who match this profile. For example, the widely condemned "racial profiling" does not use information about unique individuals, but rather imputes traits to individuals based on a characteristic.

"Online profiling" : the term online profiling captures the above activities when they occur on the Internet. A general description of the practices of the ad networks is : the practice of aggregating various data about Internet users' and consumers' preferences, interests, and transactions (purchases, sales,...), gathered primarily by tracking their movements online, and using the resulting profiles to create targeted advertising on Web sites. Profiling in the online environment can be split into a few categories. First, individual Web sites or online service providers can collect information from users -- both information provided by the individual and click stream or navigational data. This data may be captured for a limited duration -- session specific -- or may be collected and maintained as an ongoing portrait of the individual. It may be directly tied to a unique individual, to a pseudonym or to a specific, named individual.

With growing frequency, navigational and other data is being captured by third parties -- advertising networks or "profiling companies." With the permission of the Web site, but not the individual, these profiling companies place unique identifiers on individuals' computers. These identifiers are then used to track the individual as they surf the Web. The individual's profile grows with time, because online profiling is a continuing collection of his online behavior, despite the fact that the individual disconnects. The navigational data collected may include information such as, Web sites and Web pages visited, the time and duration of the visit, search terms typed in search engines' forms, and other queries, purchases, "click through" responses to advertisements, and the previous page visited. In addition to long lists of collected information, a profile may contain "inferential" or "psychographic" data -- information that the business infers about the individual based on the behavioral data captured. From this amassed data, elaborate inferences may be drawn, including the individual's interests, habits, associations, and other traits. [ 4 ]

To build profiles of individuals, online profiling companies want to create as complete a picture as possible of them. To do so, they capture various bits of information about individuals' online activities, for example the search terms people type in search engines' Web sites. It is certainly valuable for marketers and profilers to know what a Web user is seeking because it allows for advertisements to be designed to appeal to the individuals' particular interests. An ad-serving company like Double Click is capable of capturing all the search terms typed by every user of the famous Altavista search engine, with the ability to match these queries with a unique individual, and then use this information to accurately serve this individual with ad banners. To be accurate, it is more correct to say that it is only the computer that is targeted, since ad-serving companies use the information provided from a specific computer Here are some technical explanations.

It is true that data is collected about individuals at Web sites and by online service providers. From the outset it is important to recognize that the activities of the online profiling companies highlights the complexity of privacy issues and the need for a broader and deeper examination of privacy on the Internet. But, the activities of these companies or the advertising networks under discussion today threaten privacy in ways that merit special consideration.

Unlike an online service provider or Web site with whom an individual initiates a relationship, advertising networks do not directly serve consumers. Rather, advertising networks establish relationships with Web sites or portals, whereby they are permitted to extract information from consumers without notifying them of the collection.

It is important to note that if a series of Web sites desired to exchange information about individuals to create the type of profiles enabled by advertising networks they would need to collect and disclose information about visitors in identifiable form. To engage in such a practice, under the Federal Trade Commission's framework a Web site would have to follow four basic Fair Information Practices when handling personal information: provide notice to consumers; gain consumer's consent prior to using data for unrelated purposes (or at least provide an opt-out); allow consumers to access and correct personal information; and provide redress to consumers where these practices are breached. Of utmost importance is the consent of the individual.

The profiling activities under discussion today fail to meet this standard in the following ways.

The profiling activities of these companies pose unique risks to consumer privacy and consumer trust. As these companies continue to merge with themselves and offline profilers, they will hold detailed profiles on an increasingly large segment of the population. These profiles will have been created without the participation of the individual. They will have been created through the surreptitious and non-consensual collection of detailed navigational data. The profiles may become -- as the business plans and SEC disclosures of some companies portend -- fully associated with individuals, combining information about on and off line behavior.

This tracking can harm individual privacy and consumer trust in several ways.

There are several core "privacy expectations" [ 12 ] that individuals have long held, and which should carry over to their interactions on the Internet, that are at risk due to these online profiling activities.

Surveys indicate that the fear of privacy intrusions is keeping individuals off the Internet. [ 13 ] The surreptitious tracking of individuals' behavior undertaken by the profiling companies is likely to further erode consumer confidence and trust. There is already substantial public anxiety about cookies, as this particular use of cookies becomes known, it is likely to set off additional public concern.

Tracking and monitoring of Internet usage can have a negative effect on individuals' access to information. The anonymity that the Internet affords individuals has made it an incredible resource for those seeking out information. Particularly where the information sought is on controversial topics such as sex, sexuality, or health issues such as HIV, depression, and abortion; the ability to access information without risking identification has been critical. This is not a new revelation. Protecting privacy and anonymity has consistently been recognized as an important component of ensuring full exercise of the First Amendment freedom to seek out information. But privacy is not just theoretically related to free expression. Our public policies, including laws that protect the confidentiality of library patron's records and the confidentiality of video store patron's records exist because they are critical to ensuring the public's right to read and view information.

Studies in both the online and offline world reveal that an actual or perceived lack of privacy chills individual's access to information. A 1989 study found that teenagers who used computer assisted games to gain information about pregnancy prevention sought out more information than those who were enrolled in health education classes. [ 14 ] Among the reasons for pursuing computer assisted health education, the authors stated that "Patients have indicated that they prefer computer to human interviewing or advice regarding sensitive topics such as sexuality. Computer-assisted instruction has been shown to enhance interactive skills with regard to sexuality without the sensitive personal exposure of class or groups sessions." [ 15 ] The privacy and confidentiality provided by computer-assisted education was critical to ensuring that students sought out desired information. Similarly, a more recent study found that online access was critical to gay youths' ability to come to terms with their sexual orientation. The ability to gain information without risking exposure of their identity was pivotal. [ 16 ]

The profiling activities of these advertising networks pose a significant risk to consumers' privacy. Individuals should not be the subject of this profiling -- whether it is occurring in fully identifiable form or through the use of a unique identifier -- against their will. At this time, we believe that individual's informed consent must be obtained by these companies prior to the collection of personal information from consumers. This issue merits additional consideration by the Commission.

The surreptitious creation of detailed dossiers of individuals' online behavior has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are continuously monitored and in some cases fully identified. If the practices of these companies are allowed to spread unchecked we believe that individuals' control over the use and disclosure of their personal information will be further eroded. Survey after survey informs us that the surreptitious collection and compilation of data represented by these companies breeds consumer mistrust.

The proliferation of these profiling systems will needlessly erode anonymity and expand the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. The segment of the online business community that has committed itself to promoting more responsible practices in the online environment may find its work to increase consumer participation and trust undermined. Studies have found that the collection of information and the tracking of individuals' activities makes individuals' reluctant to participate in online life.

Technical and policy solutions must be developed that provide strong protections for individual privacy and anonymity, and allow individuals to benefit from the customization possible on the Web. The practices of the advertising networks do not meet this standard.

Concept of HTTP :

Stands for "HyperText Transport Protocol". It is the protocol used between a Web browser and a Web server. The Web browser sends an HTTP request to a Web server (a Web site) and gets an HTTP answer including the Web page in HTML code.

Distinction between explicit and implicit hyperlinks [ 17 ] :

An explicit hyperlink is a hyperlink that appears on a Web page (they are generally underlined and in blue) and which refers the Web user to another Web page when he clicks on it.

An implicit (or invisible) hyperlink automatically links the Web user's browser to an HTML document, either located on the same server or on another one (it is also called inlining). The browser does not need the Web user's intervention to download this HTML document. The Web user may sometimes notice that such a hyperlink is executed on his browser by paying attention to the display of packets of information downloaded when accessing a web page and displayed at the bottom of the browser. When the browser reads that an HTML document contains an HTTP request, it opens a new HTTP session with the web site indicated by the HTTP request, while downloading the current web page. This is what is happening when a Web site displays ad banners : the Web page contains an HTTP request to another Web site that will send an image file containing the banner.

2. Data mining is "a set of automated techniques used to extract buried or previously unknown bits of information from large databases." (Ann CAVOUKIAN, Data Mining : Staking a Claim on your Privacy (Information and Privacy Commissioner of Ontario, Canada), Jan. 1998, http://www.ipc.on.ca/web_site.eng/matters/sum_pap/PAPERS/datamine.htm (last viewed on Oct. 6, 1999). A successful data mining operation will make it possible to unearth patterns and relationships, and afterwards, use the new information to make proactive knowledge-driven business decisions. Data mining focuses on the automated discovery of new facts and relationships in data. For more information, cf. Kurt Thearling, From Data Mining to Database Marketing, Oct. 1995, http://www3.shore.net/~kht/text/wp9502/ wp9502.htm (last viewed on Oct. 17, 1999).

3. On February 26, 1999, the Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, and Consumer Action filed a Complaint and Request for relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of the deployment of the Intel Pentium III Processor Serial Number (PSN). Specifically, the Complaint requested that the Commission enjoin the shipment of Intel Pentium III Processors equipped with a unique PSN and to enjoin computer manufacturers from shipping Pentium III PSN-equipped computers unless the PSN was turned "Off" in a secure manner. In addition to this specific and immediate relief, the complaint also requested that the Commission commence an investigation into the privacy issues posed by the Intel Pentium III PSN, because we believe that a broader examination of the privacy implications of the PSN and other computer and Internet-based identifiers is critically needed to ensure that a privacy framework guides the development and deployment of online authentication tools. Our complaint argued that the introduction of the PSN was a violation of individual privacy and, therefore, an unfair and deceptive trade practice under Section 5 of the FTC Act. The complaint charged that the impending release of the Intel Corp.'s Pentium III chip with an identifying serial number would harm consumers' privacy.

4. A psychographic study "joins consumers' measurable demographic characteristics with the more abstract aspects of attitudes, opinions and interests." Data mining specialists code demographic, media, purchasing and psychographic data from surveys, throw them together and analyze them until some groups with shared characteristics can be distinguished from all other groups. They can identify those groups most likely to buy specific products and services by including questions relating to a product about past buying habits or future intentions to purchase. Every kind of psychographic study adds the dimension of psychology and/or lifestyles to a demographic inquiry and uses quantitative survey techniques. Cf. Rebecca Piirto HEATH, Psychographics : Qu'est-Ce Que C'est ?, Marketing Tools, Nov.-Dec. 1995; http://www.demographics.com/publications/mt/95_mt/9511 _mt/MT388.htm (last viewed on Nov. 12, 1999).

5. HTTP stands for HyperText Transfer Protocol. For more information, see appendix.

6. HTML stands for HyperText Markup Language.

7. A cookie is a data file, in the form of a string of numbers and/or letters, that Web sites embed on a user's browser, and which can be used to track visitors as they move through the site.

8. Cf. Jean-Marc DINANT, Les traitements invisibles sur Internet, http://www.droit.fundp.ac.be/crid/eclip/luxembourg.html.

9. The DoubleClick Network is a collection of about 1,500 Web sites delivering all kinds of content, from US News and World Report to Major League Baseball, Autobytel.com, FoodTV, etc., classified in different categories, such as business & finance, technology, travel, health, automotive. All these sites have signed with DoubleClick an agreement to have the company serve ad banners on the Web sites and be responsible for collecting and managing the data for advertising purposes. For more information, cf http://www.doubleclick.net/annualreport/network.htm, and http://www.doubleclick.net/advertisers/net work/net_sites/us_network/default.htm.

10. DoubleClick has been able to give a detailed profile of the typical user of the famous search engine. It states that over 25 million unique individuals per month use Altavista worldwide. They use it most often during work hours for business-related purposes; are predominantly male (60%); in the 18-34 age range; 86% of them have attended college, "the highest of any search engine"; they have an average household income of $64,000; more than half (57%) of them have conducted a purchase online, to buy books (35%), music CDs (19%), software (29%), travel (18%); the vast majority of them (93%) of them turn to the Web for product purchase information; 90% use keywords on search engines, 81% visit company/supplier sites, 44% used the Web for info on Music, 55% for info on books. See http://saleslogix.doubleclick.net/scripts/slxweb.dll/leadimport?page=av.

11. See the FTC documents on the Individual Reference Services Groups, http://www.ftc.gov/bcp/privacy/wkshp97/irsdoc2.htm.

12. The phrase "expectations of privacy" is used here with intent. Despite case law suggesting that the legal protections afforded to our expectations of privacy are limited by the technical and social possibilities for surveillance, we believe that, as a society, we do share some basic expectations of privacy. Privacy legislation enacted by Congress in response to some of the Court's decisions lends credence to this notion.

13. See CDT's privacy survey page: http://www.cdt.org/privacy/survey/

14. Adolescent Pregnancy Prevention by Health Education Computer Games: Computer-Assisted Instruction of Knowledge and Attitudes, David M. Paperny et. al, Pediatrics Vol. 83 No. 5, May 1989.

15. Id.

16. 1997 survey conducted by Oasis Magazine and !OutProud!, the National Coalition of Lesbian, Gay, Bisexual and Transgender Youth, reported that 68% of gay youth were able to come to terms with their sexual orientation as a result of online access. (See letter submitted by GLAAD to the FTC, March 17, 1999.

17. Cfr Jean-Marc DINANT, Les traitements invisibles sur Internet, http://www.droit.fundp.ac.be/crid/eclip/ luxembourg.html.