A company builds dossiers on consumers, without their knowledge, and then markets the details to faceless third parties. It sounds nefarious, but have laws been broken? And who do you sue? These are some of the questions people have been are asking in the wake of recent disclosures about how DoubleClick, the Internet's leading advertising firm, goes about its business. The answers, it turns out, are far from clear.
DoubleClick is at the centre of a growing storm over Internet privacy that has attracted the interest of the Federal Trade Commission (FTC), class-action lawyers and outraged consumers, some of whom are suing. The particulars vary, but the essence of the allegations is that DoubleClick improperly collected and used information on Internet users.
The company has committed "obvious violations" of federal law, alleges Melvyn Weiss, a New York class action specialist from Milberg Weiss Bershad Hynes & Lerach, which is among those suing DoubleClick. "We can't even figure out what their defences are."
In suits filed against DoubleClick across the US, a wealth of legal theories are being advanced -- to some extent filling a vacuum. Federal statutes aren't clear about the scope of any privacy protection for consumers. Even before the Internet came along, courts were disinclined to give consumers an absolute right of privacy, which allowed mass marketers to trade mailing lists or permit newspapers to publish embarrassing photographs of people when it suited the public interest.
"The public has a significant misperception of their existing legal rights to privacy," says Joel Reidenberg, a privacy scholar at Fordham University Law School in New York. Federal laws covering Internet privacy rights are quite limited, he says, and somewhat incoherent. One statute, for instance, gives a right of privacy in the transactional records of people who rent tapes at their local video store, but not when they see the same film over the Internet, he points out.
DoubleClick's case is just the latest example of how the legal system is struggling to keep pace with technological change. "We are in the midst of another creative moment in the law," says Paul Schwartz, an Internet privacy expert at New York's Brooklyn Law School. "We don't know the extent to which there is a right to privacy over the Internet, and what that will mean in the technological age. This is all up for grabs."
While DoubleClick has been the focus of the legal action to date, it could someday have the company in court. Reidenberg says certain Internet service providers (ISPs), especially those that hook consumers to the Net via cable, may be ensnared in the case because of special federal requirements for consumer privacy covering cable companies. Even advertisers could be liable to the extent that they benefited from and participated in the DoubleClick network.
"Anybody in the chain of information who participated in the passing off of information to others would be potential targets," Reidenberg says.
Industry lawyers say the consumer lawyers are getting ahead of themselves. Richard Kurnit, an advertising lawyer in New York, says he doubts that advertisers, for instance, would be on the hook unless they actively conspired with DoubleClick to seek out consumer information and "violate someone's rights".
Until recently, DoubleClick was one of the Internet's success stories, with a targeted approach of selling ads over a network of hundreds of Web sites. Deploying "cookies" -- data files that it stores on users' hard drives to track individual Web-surfing habits -- it has been able to personalise ads that people see when they pull up the sites.
Recently, DoubleClick figured out a way to cross-reference what had been anonymous data about online shopping habits, with real names and addresses of people -- courtesy of a direct-marketing company it purchased last year. The combination has prompted fears that the resulting profiles will be abused.
"That information is devastating if it ever gets into the hands of your enemy. It is one subpoena away if you ever get involved in a divorce case," says Ira Rothken, a lawyer who has sued the company in a California state court. Unlike the federal system, California's constitution protects consumers against privacy abuses by individuals and private companies.
DoubleClick says it gave consumers adequate notice about its collection methods, and that it has yet to place ads using the identifying information consumer advocates consider the most intrusive. It, and other online marketers, say many consumers like tailor-made ads because they improve e-shopping.
At the same time, DoubleClick is stepping up efforts to be more sensitive to consumers' privacy concerns, including a promotion that makes it easy for people to "opt out" of its ad program. Nonetheless, the legal action against the company seems to be intensifying. A half-dozen suits alleging a variety of offences under federal and state law have been filed. Many of the allegations have never been tried before, including one that DoubleClick violated the US federal wiretap statute, which is aimed at people who intercept or eavesdrop on telephone conversations.
Lawyers say the wiretap law should apply to DoubleClick because the company is picking up data about people, without their consent, while they're communicating with a Web site. The wiretap statute's "language is very broad, and [the law] was intended basically to prevent intrusion into personal lives," argues Alan Mansfield, a lawyer at Milberg Weiss.
Others allege that DoubleClick violated laws covering hackers who break into computer systems. "In every case, [plaintiffs] are using a statute that was not intended to deal with the issue," contends Fred Cate, an online privacy expert at Indiana University Law School. "But, of course, that doesn't mean they can't get away with it. It is like using tax statutes to get at gangsters."