DoubleClick Deals With New Security Flap

Financial software maker Intuit Inc. Thursday was moving to plug leaks on its
popular Quicken site, after it was revealed that personal financial
information users entered on the site was being sent to DoubleClick Inc.,
which served the ads on the site.


The discovery was made by Richard Smith, the Internet security consultant
who discovered that Real Networks Inc.’s jukebox software was sending
information about users’ listening habits back to the company.


Smith discovered, while surfing Intuit’s site with a “packet sniffer”
running on his computer, that information from a mortgage calculator and a
credit-assessment feature was being sent to DoubleClick. Both contained
fields where people input sensitive information like income, assets, and
debt. Other features on the site, like a sample tax return, did not send
data to the ad company.

DoubleClick officials told InternetNews.com the company makes no use of the data.


“That data is sent to us, but we don’t receive it. We don’t capture it in
any way,” says Jeff Epstein, executive vice president of DoubleClick.
“We’re in the process of sending letters to all of our customers to alert
them of this problem.”

Officials from Intuit (INTU) could not be reached for comment.


Although DoubleClick (DCLK) seems to be taking the offensive in what could be
another public-relations black eye, the revelation that this is happening
adds to the “big brother” reputation of the company.


DoubleClick has recently come under heavy fire from privacy advocates
because of its privacy practices, and is the subject of inquiries by the
Federal Trade Commission, the New York State Attorney General’s office, and
the Michigan Attorney General’s office. The company is also the defendant
in six privacy-related lawsuits.


The issue is mostly one of referral URLs, a problem that is not limited to
either Intuit or DoubleClick. In fact, Smith says, “This is a fairly
generic problem that 50, 100, 200 sites may have.”


When users enter information into forms and click “submit,” often the
information they submitted appears in the URL of the next page they are
served. DoubleClick, and any other ad network, is sent the URL of pages on
which its ads are served.
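
The mechanism described above can be audited from the defender's side. The following is an added example, not part of the original article: it models the Referer value a browser sends for each resource embedded in a form's result page and reports which sensitive fields a third-party host would see. The hostnames, field values and function names are constructed for illustration, and the referrer policy names are modern browser settings that the article does not mention.

```javascript
// Added example: models the Referer header a browser sends for resources
// embedded in a page, to audit what a form submitted with GET exposes.
// Hostnames, field names and values below are constructed for illustration.

const SENSITIVE_FIELDS = ["income", "assets", "debt"];

// Referer value for a request from pageUrl to resourceUrl under a policy.
// "unsafe-url" matches the behaviour the article describes (full URL sent).
// The HTTPS-to-HTTP downgrade case is not modelled here.
function refererFor(pageUrl, resourceUrl, policy = "unsafe-url") {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl);
  page.hash = "";       // fragments are never sent in Referer
  page.username = "";   // nor are embedded credentials
  page.password = "";
  const crossOrigin = page.origin !== resource.origin;
  if (policy === "no-referrer") return null;
  if (policy === "strict-origin-when-cross-origin" && crossOrigin) {
    return page.origin + "/";
  }
  return page.href;
}

// List, per third-party host, the sensitive form fields visible in Referer.
function auditPage(pageUrl, resourceUrls, policy) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const resourceUrl of resourceUrls) {
    const resource = new URL(resourceUrl);
    if (resource.origin === pageOrigin) continue; // first-party request
    const referer = refererFor(pageUrl, resourceUrl, policy);
    const params = referer ? new URL(referer).searchParams : new URLSearchParams();
    const leaked = SENSITIVE_FIELDS.filter((name) => params.has(name));
    if (leaked.length > 0) findings.push({ host: resource.host, leaked });
  }
  return findings;
}

// Constructed sample: result page of a mortgage calculator submitted via GET,
// versus the same form submitted via POST (fields travel in the request body).
const getResultPage = "https://finance.example/mortgage/result?income=85000&assets=120000&debt=30000&term=30";
const postResultPage = "https://finance.example/mortgage/result";
const embedded = ["https://finance.example/static/logo.gif", "https://ads.example/banner?slot=top"];

console.log(auditPage(getResultPage, embedded, "unsafe-url"));
console.log(auditPage(postResultPage, embedded, "unsafe-url"));
console.log(auditPage(getResultPage, embedded, "strict-origin-when-cross-origin"));
```

Only the first audit reports a finding: submitting the form with POST, or restricting the referrer to the origin, keeps the field values out of the URL the ad host receives.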


Smith says Buy.com, an e-tailer of books,
videos, and many other products, is also sending this kind of information
to DoubleClick. So, the ad company could theoretically get information
about what books or videos people are purchasing, information which is
illegal to disclose under the Video Privacy Protection Act.


Buy.com officials could not be reached for comment.


Other sites that Smith noticed problems with include Travelocity and
AltaVista. In response, AltaVista has corrected the problem, and even
changed its privacy policies.


According to privacy advocates, AltaVista has adopted an opt-in policy for
personal information collected about the surfing habits of users registered
at its site.


Another DoubleClick network member, Kozmo.com, is trying to accelerate the
termination of its relationship with the ad company, according to published
reports.
