Most people who use the Internet probably do not realize that the banner
ads they see on Web pages are also sending information about
them back to Internet marketing companies. In this write-up, I have
put together examples of how one of these marketing companies,
DoubleClick (http://www.doubleclick.net), is receiving a great deal of
sensitive information about people as they surf the Web. I chose to focus
on DoubleClick because they are the largest provider of banner ads on the
Internet. Their servers
currently send out more than a billion banner ads every day
according to a recent company press release.
Over the last couple of months, I have been tracking what information
is being sent from my own computer to DoubleClick ad servers. I used
a packet sniffer to do the monitoring. I found more than a dozen examples
from different Web sites of information being transmitted to DoubleClick
that most people would consider rather sensitive. All this information
can be tied to me, because all transmissions to the DoubleClick ad
servers also include the same unique ID number in a DoubleClick cookie.
I found both personally identifiable information and transactional
data being sent to DoubleClick servers.
Personal data I saw being sent to DoubleClick servers included:
My Email address
My full name
My mailing address (street, city, state, and Zip code)
My phone number
Transactional data that was sent to DoubleClick
included:
Names of VHS movies I am interested in buying
Details of a plane trip
Search phrases used at search engines
Health conditions
In some cases, this information was explicitly being transmitted
by Web sites to DoubleClick encoded in the URLs of banner ads. In
other cases, the data was encoded in the URLs of the Web pages themselves.
The Web page URLs are sent to DoubleClick servers as referring
URLs when banner ads are fetched.
Except for one banner ad from LifeMinders, all of the data was sent
to DoubleClick when I viewed the Web pages. It was not necessary
for me to click on the banner ads for information to be sent to
DoubleClick servers.
At some Web sites, I found that personal data was accidentally being
leaked in referring URLs. I reported these problems to the sites and
they have fixed the leaks either by removing the banner ads from
Web pages or removing the personal data from URLs.
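A site operator can check captured requests for both leak paths described above (data in the banner ad URL, and data in the referring URL). The following is an added example, not part of the original write-up; the hostnames, URL parameters, cookie value and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")

def parse_request(raw):
    """Split a raw HTTP request into (request target, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    target = lines[0].split()[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, headers

def find_leaks(raw, ad_domain, seeds=()):
    """Report personal data sent to ad_domain, as (channel, kind, value, has_cookie).

    seeds are test values the auditor typed into the site (name, search phrase).
    """
    target, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    if host != ad_domain and not host.endswith("." + ad_domain):
        return []                      # not a request to the ad network
    has_cookie = "cookie" in headers   # a cookie ID ties the data to one browser
    findings = []
    for channel, text in (("ad-url", target), ("referer", headers.get("referer", ""))):
        decoded = unquote_plus(text)   # undo %40, + and similar URL encoding
        hits = [("email", v) for v in EMAIL.findall(decoded)]
        hits += [("phone", v) for v in PHONE.findall(decoded)]
        hits += [("seed", s) for s in seeds if s.lower() in decoded.lower()]
        findings += [(channel, kind, v, has_cookie) for kind, v in hits]
    return findings

# Constructed sample requests (hostnames, parameters and cookie value are made up).
REFERER_LEAK = """GET /ad/shop/account;sz=468x60 HTTP/1.0
Host: ads.adnetwork.example
Referer: http://shop.example/account?email=jane.doe%40example.org&phone=617+555+0100
Cookie: id=800000000000abcd
"""
AD_URL_LEAK = """GET /ad/search;kw=diabetes+treatment;ord=123 HTTP/1.0
Host: ads.adnetwork.example
Cookie: id=800000000000abcd
"""

if __name__ == "__main__":
    for req in (REFERER_LEAK, AD_URL_LEAK):
        for finding in find_leaks(req, "adnetwork.example", seeds=["diabetes treatment"]):
            print(finding)
```

Any finding on a page that carries third-party ads points to a form or link that should stop putting personal data in URLs, for example by submitting the form with POST instead of GET.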
The following tables provide details of the information I saw going
to DoubleClick. Personal data and transactional data are color-coded
in the URLs.