DoubleClick, Abacus Direct and Privacy

  Open Letter to Kevin Ryan, June 1, 2001

Mr Kevin Ryan
President
DoubleClick Inc.

Dear Sir

In a press release issued today (http://biz.yahoo.com/bw/010601/2316.html) your Chief Privacy Officer made the following statement: "DoubleClick is committed to executing its business in the most open manner possible." This claim is more suited to a Chief Propaganda Officer than a Chief Privacy Officer.

I have repeatedly asked DoubleClick to show the 88 million Americans what is kept in Doubleclick's Abacus Direct database about them, and I have met with repeated refusal. How could keeping billions of records in secret electronic dossiers constitute executing business in "the most open manner possible?" This flagrant boasting about what is manifestly untrue is simply one of the worst examples of public relations pabulum I have ever seen outside the tobacco industry.

The press release uses the phrase "fair information practices," but DoubleClick's own practices are nonconsensual, opaque and grossly unfair. If you examine the OECD's principles of fair information practice, available at http://www.junkbusters.com/fip.html you can see how remote DoubleClick's practices are from basic standards of fairness. You will note that openness is one of the principles, but it is one to which DoubleClick has failed to adhere.

Mr Polonetsky has not responded to my open letter of March 27, 2001, which I reproduce below. (http://www.junkbusters.com/doubleclick.html#four) In the name of openness, I call on you now to respond to that letter.

On March 26 DoubleClick declined to answer the Wall Street Journal's question of whether any data had been stolen by the hackers who repeatedly broke into its systems. In the name of openness, I call on you now to answer that question to the best of your ability.

On March 29 the Wall Street Journal reported that DoubleClick commissioned ``PricewaterhouseCoopers LLC to conduct a security audit of its computer systems.'' In the name of openness, I call on you to make that audit report public immediately.

The press release also solicits revisions to the policy. Here are a few of my suggestions, based on genuine fair information practices.

1. DoubleClick will only collect information about you or your browser if you explicitly consent to this collection.
2. DoubleClick will always show you the information it has associated with you or your browser.
3. DoubleClick always allows you to delete all information it has about you or your browser.

  Open letter to Doubleclick, March 27, 2001

Mr Jules Polonetsky
Chief Privacy Officer
DoubleClick Inc.

Dear Sir

The recent series of security holes found on DoubleClick's computers is scandalous. It is intolerable that Doubleclick keeps such vast amounts of data - trillions of page view records and billions of offline purchases on hundreds of millions of people - all secret, hidden from the people they concern, but is apparently incapable of keeping its systems secure from foreign hackers.

I call on DoubleClick to take the following actions.

1. Publish all existing auditors' reports and attestations on DoubleClick's privacy compliance and the state of its security. (Doubleclick announced in February 2000 that PriceWaterhouseCoopers would conduct privacy audits.)
2. Commission a specific independent investigation of this incident and the current state of DoubleClick's security, and publish the report.
3. Show me all the data it has about me, and then permanently destroy it.
4. Do the same for anyone else who asks.

  Open Letter sent to managers of socially responsible mutual funds 1999/11/19

Open letter to the fund managers of:

1. Calvert Social Equity Fund (A) (CSIEX)
2. Citizens Emerging Growth Fund (WAEGX)
3. Domini Social Equity Fund (DSEFX)
4. Dreyfus Third Century Fund (DRTHX)
5. Parnassus Fund (PARNX)
6. Smith Barney Concert Social Awareness Fund(A) (SSIAX)

We are writing to alert you to the harmful social effects of the imminent merger of Doubleclick and Abacus Direct, and of the current practices of the online advertising industry, which are severely damaging the fundamental human right of privacy. We would also like to take this opportunity to provide you with a summary of our campaign against Intel Pentium III Processor Serial Number, which we also wrote to you about in February.

As you may know, online advertising networks have been building huge profiles of World Wide Web users via a technology called cookies. Until recently most of these companies claimed that their cookies were anonymous, but some (including DoubleClick) recently reversed course, heading towards personal identification of cookies and the integration of offline marketing databases with their online ones. DoubleClick's merger with Abacus Direct is the preeminent example of these dangerous initiatives since it will integrate millions of online profiles with millions of catalog buying profiles containing personal information. The trend threatens to fundamentally change the nature of the Web, from one where people's movements in cyberspace are generally anonymous, to one where their identity and a large profiles move around with them. This attack on privacy is socially corrosive, moving us towards a surveillance society and harming consumer trust in the Internet. We have opposed the merger on these grounds since it was announced in June. We wrote to the companies on June 21 asking them to abandon the merger and again on June 29 to shareholders of Abacus Direct, asking them to disapprove the merger and to demand greater disclosure of privacy risks from the companies' executives. We have received no response. These letters are available at http://www.junkbusters.com/doubleclick.html on the Web.

In a 10-Q/A available at http://edgar.sec.gov/Archives/edgar/data/1049480/0001047469-99-039015-index.html and filed with the SEC October 15, DoubleClick made the following statements.

CHANGING REQUIREMENTS FOR FAIR INFORMATION COLLECTION PRACTICES AND POTENTIALLY HEIGHTENED SCRUTINY OF OUR PRODUCTS OR SERVICES COULD REQUIRE ADVERSE CHANGES IN THE WAY THE COMBINED COMPANY CONDUCTS OR PLANS TO CONDUCT ITS BUSINESS

There has been public debate about how fair information collection practices should be formulated for the online and offline collection, distribution and use of information about a consumer. Some of the discussion has focused on the fair information collection practices that should apply when information about an individual that is collected in the offline environment is associated with information that is collected over the Internet about that individual. Following the announcement of the Abacus merger with DoubleClick, some of the public discussion has included, and may continue in the future to include, speculation about the information collection practices that will be employed in the combined company's new products and services. We have publicly committed that no personally identifiable offline information about a consumer will be associated with online information about that consumer for the delivery of personally-targeted Internet advertising without first providing the consumer notice and a choice to opt out of the targeted advertising. However, as a consequence of governmental legislation or regulation or evolving standards of fair information collection practices, the combined company may be required to make changes to its products or services in ways that could diminish the effectiveness of the product or service or its attractiveness to potential customers, which could have a material adverse effect on the combined company.

The issue has certainly received considerable public attention in recent weeks. On November 8 the Federal Trade Commission and the Department of Commerce held hearings on the topic of online profiling. (This refers to the practice by online advertisers of systematically record and uniquely identify the online behavior of Internet users. Online behavior encompasses interactions on the World Wide Web including the pages viewed, searches conducted, and products or services purchased. More detail on this is available at http://www.junkbusters.com/profiling.html on the Web.) A coalition of online advertisers proposed a self-regulatory scheme based on the doctrine of notice and opt-out, which is unacceptable because it places the burden of stopping surveillance on people who are largely unaware that it is being performed. Privacy advocates called for an immediate halt to online profiling, pending the development of a suitable legislative framework.

We would welcome your advice on how to best achieve the goal of stopping these companies from severely damaging privacy. Here are our current proposals to socially responsible investors.

1. Divest any holdings of DoubleClick and Abacus Direct as soon as possible. (Our examination of the major holdings of your fund did not indicate any current investment, but we ask if you would check.)
2. Add DoubleClick and Abacus to "screening" lists of companies that are to be excluded from investment based on social criteria, specifically a disregard for human rights.
3. Dialog with the publicly-traded online advertising networks to persuade them to limit their data collection and not to associate profiles with offline identity.
4. Support programs of shareholder activism towards these ends by means such as submitting and voting proxy resolutions.

Finally, we would like to take this opportunity to give you an update on our campaign against Intel Pentium III Processor Serial Number, which we also wrote to you about in February, and to thank you for considering that request. Some of our groups called a consumer boycott of the company, and Intel responded within hours claiming that it would change the chip's identifier from "normally on" to "normally off." Intel wanted to have this switch performed by the operating system, which would have effectively left the decision to Microsoft. We asked the PC manufacturers to turn the PSN off in the BIOS (before the operating system starts up), and most chose this configuration. Thus the threat of the development of a software infrastructure using the PSN as a tracking device was largely averted or at least deferred. It is shameful that Intel has not turned off the PSN in the hardware, and it could later become prevalent, but for the present the worst risk seems to have been averted. We continue to oppose the PSN, and any assistance in persuading Intel to retire this ill-conceived feature would be welcome.

We believe that privacy will be as important to socially responsible investing in the 21st century as health and pollution have been in the late 20th century, and we hope that your fund will take the lead in signaling to businesses that privacy-invading information practices are unacceptable. If you have any questions or comments on these or other privacy topics we would be pleased to hear from you.

Sincerely

Jason Catlett, President, Junkbusters Corp.
Jeff Chester, Executive Director, Center for Media Education
Simon Davies, Director-General, Privacy International
Andrew Shen, Policy Analyst, Electronic Privacy Information Center

Other subsequent sign-ons:
Robert Bulmash, President, Private Citizen
Beth Givens, Privacy Rights Clearinghouse

  Open Letter 6/29 to Stockholders of Abacus Direct

Dear Stockholders

This open letter urges you to disapprove the proposed merger of Abacus Direct and DoubleClick, and to demand disclosure from the companies on certain key questions affecting it.

1. We explain why we believe disapproving the merger is the right choice both on public policy grounds and in terms of your best economic interests.
2. We raise the question of whether you have been misled or inadequately informed about the privacy-related risks of the two companies' past behavior and their proposed merger.
3. We point out that due to privacy concerns it may be impossible for the merged entity to engage in practices on which the rationale for the merger depends.

Our open letter of June 21 to the CEOs of Abacus and DoubleClick (copy attached) detailed the public policy basis of our objection, alerted them to the risks of flying in the face of public sentiment on privacy, pointed to the current volatile regulatory environment, and sketched the campaign that will be waged against the merger if they attempt to proceed. No representative of either company has yet proposed a date for a meeting to discuss our concerns, despite our frequent requests. Worried investors, however, have called us.

First let us draw your attention to DoubleClick's statements on privacy to the investment community. We believe these statements contain misrepresentations and material omissions.

DoubleClick's statements in its SEC filings suggest that its officers are either unaware of the legal and political environment concerning privacy and their business in Europe, or they are deliberately concealing important difficulties and risks from investors. Either conclusion would clearly be a very grave situation. At the very least Abacus stockholders should demand an extensive disclosure of the company's position regarding privacy, as one of the Risk Factors in the S-4 registration statement to be filed concerning the merger, and preferably also in other earlier documents.

The only mention of privacy in DoubleClick's 8-K filed with the SEC July 17 (conformed period July 13, available at http://www.sec.gov/Archives/edgar/data/1049480/0001005477-99-002865-index.html on the Web) was the following statement, which we dispute.

(q) Company has conducted its business and has collected, maintained and used its data at all times materially in accordance with (i) accepted industry practice and the standards promulgated by the Direct Marketing Association; and (ii) all applicable Laws, including but not limited to those affecting privacy issues.

One of DoubleClick's earlier SEC filings, their S-3 of May 20, http://www.sec.gov/Archives/edgar/data/1049480/0001047469-99-021740.txt on the Web, contained the following paragraph:

The European Union recently enacted its own privacy regulations that may result in limits on the collection and use of certain user information. The laws governing the Internet, however, remain largely unsettled, even in areas where there has been some legislative action.

No mention was given of the Department of Commerce's long-running Safe Harbor negotiations and the risk of data flows being curtailed. Privacy International, a human rights organization based in London, now regards DoubleClick as an outstanding choice for its planned actions to enjoin illegal trans-Atlantic dataflows. This merger shows every indication of becoming a major focal point for activism and political attention, and could even precipitate or contribute to the collapse of the Safe Harbor negotiations.

An additional European difficulty to expect if Abacus persists in its US merger will be its UK subsidiary, based in Teddington, England. Privacy International intends to oppose the merger with UK authorities such as the Monopolies and Mergers Commission and the Data Protection Registrar.

The US too is contemplating online privacy laws which may affect the merged entity's practices. Even without such laws, a merged entity will likely be unable to realize the implicit promise and potential of this deal -- the linking of DoubleClick's online and Abacus's offline databases -- because of representations Doubleclick has already made. The web sites of DoubleClick itself and a very large number of its customers have made representations in their privacy policies that their cookies are not associated with an individual person. Millions of consumers have accepted Doubleclick's cookies, and doubtless many of them would not have done so absent that assurance. A departure from that representation could prompt an action under Section 5 of the Federal Trade Commission Act, relating to deceptive practices. The FTC has already used that power in actions against the Web-based practices of of Geocities and Liberty Financial. Intel and Microsoft are two well-known examples of companies that privacy advocates have often called on the FTC to investigate and to enjoin from privacy-invasive business practices. If this merger proceeds, we can assure you that the company will become the subject of petitions by privacy advocates to the FTC and other regulators. The implied strategic rationale for this merger is that value can be gained by merging the two databases, but we have seen no statement from the companies assessing this kind of impediment to realizing that value. As investors you deserve to be informed about this, not deluded by a false assumption.

Another important omission we would expect DoubleClick to have already disclosed is the existence and substance of its discussions with the FTC on advertising and privacy. Privacy Times reported June 4 that the FTC ``has turned its attention to the Internet advertising industry, presumably to verify ad companies' claims that they don't track the identity of Web surfers.'' We have seen no statement from DoubleClick concerning this presumably important development.

Second, we would argue that the merger may be disadvantageous to Abacus on purely economic grounds. You must surely be aware of the great disparity between Abacus's history of profitability and DoubleClick's lack of such, and of the risks of the bubble in Internet stocks and particularly in Internet advertising. There is a wide consensus in the industry that the banner ad model is broken and that click-rates are declining. These risks contrast with the steady growth of the catalog business. If as investors you wish to make a high-risk play on the Internet, you have plenty of choices to do that as a separate investment, rather than endanger a lower-risk proven performer. The confirmation last week that DoubleClick competitor CMGi is in talks to buy AltaVista, DoubleClick's main source of revenue, showed these dangers with a downgrade a drop in price that was closely mirrored in Abacus's price. Doubleclick's merger could be seen as a desperate move to hitch an endangered species to a cash cow before its own milk runs out.

By aggravating privacy concerns, this merger may reduce the availability of capital to the company. For example, on Saturday June 26, the Los Angeles Times headlined in its business section ``US search.com falls 22.9% in trading debut; Opener is the second-worst by an internet firm. Analysts say privacy concerns and a crowded market contributed to the decline.'' Privacy groups have indicated their intention to ask socially responsible mutual funds to add the company to their screening lists. We believe that privacy issues will become as important to investment community in the 21st century as environmental and heath issues have been in the late 20th century. The unfavorable publicity in incidents such as the Intel Processor Serial Number and the Microsoft Global User ID stand out as examples of the market risk of practices hostile to privacy.

The officers of Abacus Direct owe it to you as investors to disclose these issues. We hope you will require satisfactory answers from them, and that this will lead you to the conclusion that the right decision, on both moral and economic grounds, is to disapprove this merger proposal.

Sincerely

Jason Catlett, President, Junkbusters Corp.
Marc Rotenberg, Executive Director, Electronic Privacy Information Center
Simon Davies, Director-General, Privacy International
[Other consumer groups who sign on may be added here later]

Copy to:
Mr Kevin O'Connor, CEO, DoubleClick
Mr Tony White, CEO, Abacus Direct

Federal Trade Commission, Bureau of Consumer Protection
Securities and Exchange Commission, Enforcement Division

Major stockholders:
Pilgrim Baxter & Associates, Ltd., Wayne, PA
Citigroup, Inc., New York, NY
Nicholas Applegate Capital Management, San Diego, CA
Putnam Investments Inc., Boston, MA

  Open Letter 6/21 asking the companies to abandon their merger

Mr Kevin O'Connor, CEO, DoubleClick
Mr Tony White, CEO, Abacus Direct

Dear Sirs

We write to urge you to abandon the proposed merger of your companies on the grounds that it would severely undermine the privacy of Internet users. This letter details the basis of our objection, and sketches the campaign that will be waged against the merger if you attempt to proceed.

The proposed merger makes economic sense only if your intention is to link the 88+ million households and individuals identified in the Abacus Alliance database with the 30+ million cookies in the Doubleclick DART database. This would represent a surveillance machine of unprecedented breadth and depth, posing unacceptable privacy dangers to the public. These assumptions and concerns are not restricted to privacy advocates. For example, an article on MSNBC June 14 at http://www.msnbc.com/news/279771.asp stated that Internet industry analysts believe the integration would be done, specifically quoting Jim Nail of Forrester Research as saying "There are huge privacy questions."

The resulting business model of the merged entity is highly predictable given the businesses of the two partners. We sketch it here because this is an open letter, to make our assumptions clear, and to illustrate the threats to privacy. If you are willing to issue a guarantee that the merged entity and successors will never associate a name and address with a cookie without the affirmative informed consent of the individual concerned, please state this in public. Absent such a guarantee we (and any other rational observer) will assume this is your intention.

The merged Doubleclick/Abacus Direct company would enlist the cooperation of its business customers who participate in the "co-op" (hereafter Co-op Participants) to provide Doubleclick/Abacus with information identifying the visitor where known to the Co-op Participant's web site. (The identity is known to the web site where the visitor has made a purchase at the Co-op Participant's e-commerce site, or registered with a media site, or has merely given his or her email address at a site offering a newsletter.) By matching the details of the Web server requests for a banner ad served by DoubleClick against the request for the web page on the Co-op Participant's site on which that ad appeared, Doubleclick/Abacus and the Co-op Participant would "synchronize" their respective cookies placed the consumer's hard drive. This would enable the two-way flow of personally identifying information between Doubleclick/Abacus and any Co-op Participant, without the knowledge of the consumer who is being identified. Once the identity of a consumer is reported to Doubleclick/Abacus by any Co-op Participant, Doubleclick/Abacus could provide that identity or any information associated with it to any other Co-op Participant on request, a fraction of a second after the consumer visits the Co-op Participant's web site.

Given the existing size of the networks of DoubleClick and Abacus, this co-operative would encompass a large fraction of the most frequently visited sites on the web, and thereby a large fraction of the online consumer population. Abacus has more than a thousand catalogers, including most well-known brands, which of course have ecommerce web sites. Those businesses would be faced with the choice of compromising their customers' privacy or being excluded from valuable marketing information that Doubleclick/Abacus would sell to their competitors. The enormous market power of Abacus would mean most are likely to cooperate.

The most important damage to privacy from a DoubleClick/Abacus merger would be a fundamental change to the Internet: from one where people are usually anonymous as they move around the Web, to one where they are usually silently identified unless they consistently work to protect their anonymity. It would also create an extraordinary incentive to build ever more detailed profiles of consumers on the Internet. Such a shift away from anonymity would greatly damage the medium. Surveys show that the overwhelming majority of people want to be anonymous online, and that the number one reason given by those who are not already online for not participating in the medium (and thereby in ecommerce) is fear for their privacy. The proliferation of a DoubleClick/Abacus scheme would make these people's worst fears a reality. It would also alienate people who are already online and who value their anonymity. Such people would be more reluctant to buy online, stunting the growth of ecommerce.

The DoubleClick/Abacus entity would enable far more intrusive practices than consumers current expect are possible. For example, a prolonged visit to a web site about golfing could trigger the mailing of a catalog of golf clubs and accessories. The birth of a child could result in banner ads for diapers: the link being made by matching public records against the cookie associated with a name and address. Seconds after reading an article on a newspaper's web site about financial planning for retirement, a consumer could receive a telemarketing call pitching life insurance. Whereas most people brought up on television assume that they are watching the ads, in a DoubleClick/Abacus world, the ads will be watching the consumers, reporting their individual movements through cyberspace, on demand to potentially thousands of organizations.

Over time this database would become one of the largest and most comprehensive surveillance records anywhere. It would therefore be an obvious target for government investigators, civil litigators, and a range of hackers from the teenage amateur to the paid professional. A prosecutor of the 21st century would regard Kenneth Starr's subpoena for the book purchases of Monica Lewinsky in a bookshop as a quaint and hopeful gesture, when thanks to your technology he could with a single order help himself to a comprehensive and detailed account of any individual's behavior, online and offline. Such a database should simply never be built because the risk to individuals is so great, and its effect on society so negative.

It would not sufficient for DoubleClick/Abacus and its co-op partners to simply offer an opt-out. Most consumers are unaware of even the existence of DoubleClick and Abacus Direct, let alone what they are capable of doing with their personal information. Many consumers who do understand what DoubleClick does have configured their PCs to block DoubleClick's ads or cookies. We would be interested to hear your estimates of the number who have. The "opt-out" cookie offered by DoubleClick is as unsatisfactory as an inn keeper offering do-not-disturb signs instead of locks on guest room doors. The only fair approach would entail fully informed affirmative consent (opt-in). Because few consumers would consent to such surveillance, we do not expect that you would consider this an economically viable option, so we are asking you to abandon the merger entirely.

If you attempt to proceed with the merger, you should expect to face a campaign against it from privacy advocates similar to the campaigns waged against Intel over their Processor Serial Number and Microsoft over their Global User Identifier (two other threats on online anonymity comparable to the DoubleClick/Abacus move). Details of those campaigns, including press clippings, copies of letters to the companies, to the FTC, TRUSTe, business partners, and investment managers are available at http://www.junkbusters.com/intel.html and http://www.junkbusters.com/microsoft.html for your perusal.

Without attempting to detail a comprehensive plan in your case, some elements of the campaign might include:

1. An appeal to shareholders of DoubleClick and Abacus to disapprove the merger;
2. An appeal to the Federal Trade Commission or Department of Justice to disapprove the merger under the Hart Scott Rodino Act;
3. An appeal to the FTC to enjoin certain business practices by the merged entity as unfair or deceptive under the Federal Trade Commission Act;
4. A call to socially responsible mutual funds to divest their holdings in your companies;
5. A public education campaign on the privacy risks of online advertising and catalog buying, and the benefits of ad-blocking software and opting out of list sales; and
6. A call for Congressional oversight hearings on the proposed merger as well as possibly an evaluation of the entire enterprise of industry self-regulation to protect privacy. (We note that the Online Privacy Alliance, a coalition of large companies that opposes laws to protect privacy, has thus far expressed no opposition to this merger).

Copies of this letter are being sent on an informal basis to several members of staff at the Federal Trade Commission, but this is not a formal petition or complaint to the Commission. We may file one at a later date.

As indicated by Jason Catlett to DoubleClick's Kevin Ryan on Wednesday June 16, we would be glad to meet with you and your staff for discussions. Because time is of the essence we cannot suspend execution of our campaign before such a meeting, even if you delay or do not choose to propose a date.

We urge you to abandon this merger, and to inform us as quickly as possible of your intention to do so.

Sincerely

Jason Catlett, President, Junkbusters Corp.
Marc Rotenberg, Executive Director, Electronic Privacy Information Center
David Banisar, Privacy International
Ed Mierzwinski, US Public Interest Research Group
Jeff Chester, Center for Media Education
Beth Givens, Privacy Rights Clearinghouse
[Other consumer groups who sign on may be added here later]

Copy to: John McCain (Senate Commerce Committee)
Ernest Hollings (Senate Commerce Committee)

John Ashcroft (Subcommittee on Consumer Affairs)
Richard Bryan (Subcommittee on Consumer Affairs)

Thomas Bliley (House Commerce Committee)
John D. Dingell (House Commerce Committee)

Billy Tauzin (Subcommittee on Telecomm., Trade and Consumer Protection)
Ed Markey (Subcommittee on Telecomm., Trade and Consumer Protection)

Our critique of a survey sponsored by Doubleclick is given on our page on profiling.

Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/doubleclick.html