Giving the Web a Memory Cost Its Users Privacy

(Page 3 of 7)

What Mr. Holtman did not know was that companies were already planning to exploit this wrinkle of the Web. Before long, large Internet advertising companies like DoubleClick ( news/quote ) and Engage were displaying ads across thousands of sites, using a common cookie across the network that allowed the company to recognize a visitor wherever he wandered on the Web. The innovation allowed these companies to rotate the ads the user sees from site to site.

DoubleClick's Web site says that it "allows marketers to deliver the right message, to the right person, at the right time." The concern of privacy advocates, however, was that these "third-party cookies" could also be used to build a detailed profile of a Web user's habits.

If a Web surfer visited a large number of sites about AIDS treatment, for example, and if that data were tied to information that identified him — say, registration at one of the sites — an insurance company could, conceivably, collect the cookie data from an ad network and use it in a quiet decision to decline an application for a policy. (Advertising networks insist that they do not sell data for such purposes.)

Third-party cookies were precisely the kind of tracking mechanism Mr. Montulli had tried to prevent through his privacy measures. He describes it today as a surprise — and something of an embarrassment. "That's the one `gotcha' we had," he recalls with chagrin.

A Hot Media Topic

By 1996, the existence of cookies and third-party cookies was becoming a hot topic in the news media and in online forums; Mr. Montulli and Netscape altered the company's browsers to distinguish cookies coming directly from the site being viewed from third-party cookies and to give consumers some control over them, allowing them to turn off all cookies or just the third-party variety. Microsoft, too, implemented some cookie control tools over time. But by default, browsers were set (and are still set) to accept such cookies automatically unless the user told the software not to — which meant that a great majority of people ended up accepting cookies unknowingly from nearly every site they had visited.

The Internet Engineering Task Force was pursuing a different tack, however, recommending in 1997 that browsers be set to block any cookie that did not come directly from the site being visited.

Mr. Kristol said that the response from the advertising companies, which were by then well established, was: "This is terrible. This will destroy our business." Each argument caused further delay — time in which the advertising companies became more powerful and the market crystallized around the two leading browsers.

Mr. Kristol was not surprised, then, that neither Netscape nor Microsoft took to heart the recommendation that browsers block cookies unless instructed not to. He acknowledged that there was little he could do to persuade companies to adopt the voluntary standards. "There's no Internet police going around knocking on doors and saying, `Excuse me — the software you're using doesn't follow I.E.T.F. standards.' "

By then, Mr. Montulli said he had drifted away from the process, saying that the working group had, in fact, called for the kinds of technical changes that companies would not comply with. "I was hoping we'd get some kind of incremental improvement" out of the working group, he said — ideas like the cookie control mechanisms he was working into new versions of the browser.

"But what the new standard required," he said, "was that you start over."

To Mr. Montulli, the conflict came down to the differences between pure researchers like Mr. Kristol and commercial engineers like himself. "The cold reality of the software business is you have to ship something that's good enough and get it out there," he said. "That's the way you ship software, and hopefully make money. If you wait forever trying to make something perfect, you may never ship."

In an article that Mr. Kristol prepared for Communications of the Association for Computing Machinery, the journal of the leading computer science professional organization, he said several factors kept him on his somewhat quixotic task. On one level, "I simply wanted to see the effort through to an appropriate completion," he said. But in his paper, Mr. Kristol — who recently retired from Bell Laboratories — writes, "Feeling I was being bullied" by the industry "made me more determined to persist, and I didn't like to see an attempt to bully the I.E.T.F., either."

If nothing else, the effort raised the visibility of the issues underlying cookies, Mr. Kristol said. Thanks in part to his group's work, he said, companies can't violate consumer privacy, or even appear to, without attracting unwelcome attention.

He cited the controversy that arose when DoubleClick announced in 1999 that it had bought Abacus Direct, a company that maintained a database of the buying habits of 88 million catalog shoppers, and planned to match and merge some of the data that it was collecting online with the offline data from Abacus. The resulting data trove would portray millions of consumers' habits at a level of detail unparalleled in its intimacy.

A Public Outcry