Eager to learn more about diabetes, Richard Smith went to the Internet. Though he's a computer privacy consultant, he got a surprise even he didn't anticipate.
The information he entered into a popular Web health site _ including his e-mail address and the disease he was researching _ was transmitted without his permission to an advertising company, according to Smith.
Smith, a retired programmer and business executive who has turned to security and privacy consulting, used specialized tracking software to find out, and then show to the Senate Commerce Committee that millions of other Americans also were unwittingly transmitting personal information to ad companies when they surfed the Internet.
In addition to such information as Social Security numbers typed into a Web site's form, the data sent to the ad company includes such details as exactly which Web sites are visited and which pages read.
The discovery has alarmed both federal regulators and members of Congress, who examined the issue Tuesday on Capitol Hill.
``If local shops did things like this, we'd be outraged,'' said Sen. Richard Bryan, D-Nev., a member of the Commerce Committee.
The advertiser receiving the bulk of the information, New York-based DoubleClick, said the transmission of personal data is inadvertent and that the company is not using the information to target consumers.
``We don't save it, or keep it at all. It won't ever be involved in how we deliver ads,'' said Jules Polonetsky, DoubleClick's privacy officer.
But the little-known transmission, common to many Web sites that carry advertising banners, could be adapted easily by others eager to mine useful personal information for marketing, sale, advertising or even nefarious purposes.
``The data collection systems that the Internet ad companies are currently running are getting personal and sensitive information that almost everyone will agree is none of the business of these companies,'' Smith, of Brookline, Mass., told senators. ``It's almost like they have put hidden microphones in our homes and our offices and they are listening to what we do all day long.''
Smith said he discovered several medical sites, including DrKoop.com named after former U.S. Surgeon General C. Everett Koop, reported to DoubleClick his e-mail address and that he was looking for information on diabetes. Representatives of the site denied the site disclosed e-mail addresses, although they confirmed that at the time they did pass on user interests.
Other well-known sites like Web search site AltaVista, multimedia site RealNetworks and travel site Travelocity have passed along personally identifying information to DoubleClick, Smith said.
``Travelocity passed on my daughter's flight information,'' Smith told the committee.
The problem can get serious when Internet users register with the sites or fill out a form when they seek information or shop for products. That data is automatically sent to various outside parties, often companies like DoubleClick that place Internet ads and track how many people see them.
When a user fills out a Web form, the information -- from street addresses to Social Security numbers -- can get shipped off to ad companies. The user doesn't have to even click on the ad for information to be sent.
Smith called the problem ``data spillage.'' He and other experts said that in many cases, Web sites don't even know they're forwarding the personal data.
``Any site should be aware and take a close look that they're not sending information out to other companies,'' Polonetsky of DoubleClick cautioned.
The nation's largest Internet ad agency, DoubleClick handles ads on about 1,500 Web sites and counts the traffic. It is the subject of a lawsuit by a private consumer and a complaint filed by the Electronic Privacy Information Center with the Federal Trade Commission. Both accuse the company of cross-referencing its information on Web users with the vast database of direct-mail company Abacus Direct to target potential consumers.
DoubleClick acquired Abacus earlier this year.
Polonetsky said DoubleClick only uses basic geographic information gleaned from a user's Internet address to target its ads. It also places a text file known as a ``cookie'' on the user's hard drive to ensure that person doesn't see the same ad repetitively. No other personal information is saved, he said.
Web surfers have plenty of options to protect themselves. They can go to DoubleClick's Internet site and ask to opt out of ad tracking, or buy software that can make their Internet visits anonymous.
Some Internet sites already use a newer version of Web forms that don't pass on personal information. DoubleClick says it is also trying to educate its clients.
And the FTC said the Internet advertising industry is attempting to create a voluntary compliance program to regulate itself on privacy issues. Those who volunteer and then crossed the line could be fined a substantial amount.
All six senators at Tuesday's hearing said legislation is needed to ensure the government can protect Americans from unwittingly disclosing private information.
``Absent legislation, meaningful enforcement and airtight coverage, online profiling will eviscerate personal privacy,'' said Commerce Committee Chairman John McCain, R-Ariz.
Some companies are trying to end data spillage. AltaVista used to transmit which addresses Web users searched on the Yellow Pages portion of its site, but has stopped the practice.
By D. IAN HOPPER, AP Technology Writer, June 13, 2000, (AP) via NewsEdge Corporation
Copyright © 2000, Individual.com, Inc.. All rights reserved.