Financial software maker Intuit Inc. Thursday was moving to plug leaks on its popular Quicken site, after it was revealed personal financial information users entered on the site was being sent to DoubleClick Inc., which served the ads on the site.
The discovery was made by Richard Smith, the Internet security consultant who discovered that Real Networks Inc.’s jukebox software was sending information about users’ listening habits back to the company.
Smith discovered, while surfing Intuit’s site with a “packet sniffer” running on his computer, that information from a mortgage calculator and a credit-assessment feature were being sent to DoubleClick. Both contained fields where people input sensitive information like income, assets, and debt. Other features on the site, like a sample tax return, did not send data to the ad company.
DoubleClick officials told InternetNews.com the company makes no use of the data.
“That data is sent to us, but we don’t receive it. We don’t capture it in any way,” says Jeff Epstein, executive vice president of DoubleClick. “We’re in the process of sending letters to all of our customers to alert them of this problem.”
Officials from Intuit (INTU) could not be reached for comment.
Although DoubleClick (DCLK) seems to be taking the offensive in what could be another public-relations black eye, the revelation that this is happening adds to the “big brother” reputation of the company.
DoubleClick has recently come under heavy fire from privacy advocates because of its privacy practices, and is the subject of inquiries by the Federal Trade Commission, the New York State Attorney General’s office, and the Michigan Attorney General’s office. The company is also the defendant in six privacy-related lawsuits.
The issue is mostly one of referral URLs, a problem that is not limited to either Intuit or DoubleClick. In fact, Smith says, “This is a fairly generic problem that 50, 100, 200 sites may have.”
When users enter information into forms and click “submit,” often the information they submitted appears in the URL of the next page they are served. DoubleClick, and any other ad network, is sent the URL of pages on which its ads are served.
Smith says Buy.com, an e-tailer of books, videos, and many other products, is also sending this kind of information to DoubleClick. So, the ad company could theoretically get information about what books or videos people are purchasing, information which is illegal to disclose under the Video Privacy Protection Act.
Buy.com officials could not be reached for comment.
Other sites that Smith noticed problems with include Travelocity, and AltaVista. In response, AltaVista has corrected the problem, and even changed its privacy policies.
According to privacy advocates, AltaVista has adopted an opt-in policy for personal information collected about the surfing habits of users registered at its site.
Another DoubleClick network member, Kozmo.com, is trying to accelerate the termination of its relationship with the ad company, according to published reports.