Analysis: The Federal Trade Commission’s decision to approve Google’s
acquisition of DoubleClick without conditions runs counter to the
warnings of a host of privacy and consumer advocates, as well as
members of Congress. With a single dissenter, the FTC found that
there was no cause to hold up the merger.
At the outset of the merger, the Electronic Privacy Information
Center (EPIC), the Center for Digital Democracy, and the U.S. Public
Interest Research Group filed a complaint, claiming “Google’s
proposed acquisition of DoubleClick will give one company access to
more information about the Internet activities of consumers than any
other company in the world,” and that “Google will operate with
virtually no legal obligation to ensure the privacy, security and
accuracy of the personal data that it collects.”
But the FTC has rejected those concerns, stating that they are not
unique to Google and Doubleclick. “At the outset, we note that some
have urged the Commission to oppose Google’s proposed acquisition of
DoubleClick based on the theory that the combination of their
respective data sets of consumer information could be exploited in a
way that threatens consumers’ privacy,” the commissioners wrote in
their decision. “Of course, the consumer privacy issues presented by
“behavioral advertising” are not unique to Google and DoubleClick.
To the contrary, these issues extend to the entire online advertising
The persistent growth of targeted online advertising and other, less
savory methods and reasons for capturing identifying information
today place the burden of privacy squarely on the shoulders of
consumers. Personal data is freely given up by consumers, often,
just as the price of entry into many commercial Web sites. As Scott
McNealy, Sun Microsystem’s chairman, once said: “Privacy is dead, get over it.”
There are measures that users can take to cover some of their
tracks. Web proxy servers, secure browsing sites, ad filtering
tools, and “cookie busters” can all help users reduce the exposure of
their identity and Web behaviors to potential aggregators of such
information. EPIC provides links to a collection of privacy tools on its Web site. But the question is whether such measures are worth the
effort. Should users just stop worrying and learn to love the Google-
Privacy concerns come from all corners for Internet users today, from
the proliferation of spyware that captures user behavior (or even personal data) and sends it back surreptitiously to a remote
computer, to the seemingly more benign behaviors of ad targeting like Google’s AdSense. But the power of a united Google and DoubleClick is the kind of information that they can bring together from a combination of services that can tie your personal identity to where you travel on the Web through cookies.
Cookies, used to pass session data back and forth between a Web
browser and a server, containing stored information that can be used
to track movements within a site or pass back other information.
Odds are, if you’ve visited a display-advertisment driven Web site,
you’ve got a DoubleClick cookie on your system. And users of
Google’s search, GMail, and other services will find Google’s
tracking cookies as well.
A lightning rod for privacy advocates.
There’s no doubt that the type of tracking done by online advertisers
in general poses privacy concerns. But the Google-DoubleClick merger
creates a uniquely large single lightning rod for privacy
activists to get up in arms over. While the FTC’s decision is not
the final hurdle left for the merger to overcome, it now seems
certain that it will proceed with much less restriction than
advocates and some legislators had hoped.
“What Google [and the FTC are] claiming,” said Jeff Chester,
director of the the Center for Digital Democracy, “is that there are
no specific privacy concerns intrinsic to the Google and DoubleClick
merger, which frankly is absurd on the face of it when you’re
merging the two number ones, for the search and online advertising
industries, with a vast apparatus for data collection and targeting
and profiling across the globe.” Chester calls Google an “ever-growing behemoth,” and fears Google will use DoubleClick’s existing ad tracking capabilities to further triangulate Internet users in the
name of better targeted advertising.
According to Google’s own privacy FAQ, the search giant captures cookie information and the Internet Protocol (IP) address that identify the user with
each search request.
While many cookies used by Web applications –- and many of Google’s
and DoubleClicks’s cookies -— expire and are removed at the end of a web
browsing session, some of the two companies’ cookies are set to
stay active much longer. One Google cookie, the infamous “immortal
cookie” —- which carries the name “PREF” — has an expiration date of
January 17, 2038. In July, the company announced that it would start replacing the 2038 cookie with one that
expired after two years.
While users can clear these cookies from their browser, or set their
browser not to receive cookies at all,” some Web site features or
services may not function properly without cookies,” Google’s privacy
Because the data collected by the cookies from Google and DoubleClick
could theoretically be cross-referenced to obtain further profiling
data on users. Part of what privacy advocates had hoped to secure
from the FTC was assurances that DoubleClick would remove user-
identifier cookies and “other persistent pseudonymic” identifiers from all corporate records and databases prior to a Google merger.
In June, Google announced that it would remove user identification
information from search logs after 18 months. By comparison,
Microsoft also retains data for 18
months, while Yahoo has shortened its retention to 13 months and Ask.com
allows users to opt out of search retention.
DoubleClick’s DART ad-serving cookie doesn’t
get associated with searches. Instead, it tracks what sites that
serve up DoubleClick ads a user visits, and controls how frequently
you see specific ads and in which order you see them. While
DoubleClick allows Web users to opt out of the unique tracking
cookie, it still records data based on IP addresses. The company
So, short of legislation or a legal challenge to the FTC approval of
the merger, there’s likely only one way to avoid Google knowing even
more about you: by turning off cookies on your browser and searching
the Web through a proxy to hide your IP address. But what’s not to
like about giving information to a company whose slogan is “Don’t be
Sean Gallagher is a Contributing Editor for InternetNews.com.