DoubleClick, the "King of Cookies", wins a major court victory
Published on 08/04/2001 by Etienne Wery
A ruling handed down on 28 March by a US federal judge has (provisionally) ended the largest legal saga the United States has seen in the field of privacy protection. DoubleClick, the world's largest online-profiling firm, was cleared of all the accusations brought against it by a group of consumers acting through a class action (a typically American procedure that, when it ends in a finding of liability, often results in colossal damages).
How does DoubleClick work?
The decision examines at length how DoubleClick operates. Selected excerpts:
A. Targeting Banner Advertisements
DoubleClick’s advertising targeting process involves three participants and four steps. The three participants are: (1) the user; (2) the DoubleClick-affiliated Web site; (3) the DoubleClick server. For the purposes of this discussion, we assume that a DoubleClick cookie already sits on the user’s computer with the identification number “#0001.”
In Step One, a user seeks to access a DoubleClick-affiliated Web site such as Lycos.com. The user’s browser sends a communication to Lycos.com (technically, to Lycos.com’s server) saying, in essence, “Send me your homepage.” U.S. Patent No. 5,948,061 (issued September 7, 1999) (“DoubleClick Patent”), col. 3, ll. 6-9. This communication may contain data submitted as part of the request, such as a query string or field information.
In Step Two, Lycos.com receives the request, processes it, and returns a communication to the user saying “Here is the Web page you requested.” The communication has two parts. The first part is a copy of the Lycos.com homepage, essentially the collection of article summaries, pictures and hotlinks a user sees on his screen when Lycos.com appears. The only objects missing are the banner advertisements; in their places lie blank spaces. Id. at col. 3, ll. 28-34. The second part of the communication is an IP-address link to the DoubleClick server. Id. at col. 3, ll. 35-38. This link instructs the user’s computer to send a communication automatically to DoubleClick’s server.
In Step Three, as per the IP-address instruction, the user’s computer sends a communication to the DoubleClick server saying “I am cookie #0001, send me banner advertisements to fill the blank spaces in the Lycos.com Web page.” This communication contains information including the cookie identification number, the name of the DoubleClick-affiliated Web site the user requested, and the user’s browser-type. Id. at col. 3, ll. 41-52.
Finally, in Step Four, the DoubleClick server identifies the user’s profile by the cookie identification number and runs a complex set of algorithms based, in part, on the user’s profile, to determine which advertisements it will present to the user. Id. at col. 3, ll. 52-57, col. 5, l. 11 – col. 6, l. 59. It then sends a communication to the user with banner advertisements saying “Here are the targeted banner advertisements for the Lycos.com homepage.” Meanwhile, it also updates the user’s profile with the information from the request. Id. at col. 6, l. 60 – col. 7, l. 14. DoubleClick’s targeted advertising process is invisible to the user. His experience consists simply of requesting the Lycos.com homepage and, several moments later, receiving it complete with banner advertisements.
B. Cookie Information Collection
DoubleClick’s cookies only collect information from one step of the above process: Step One. The cookies capture certain parts of the communications that users send to DoubleClick-affiliated Web sites. They collect this information in three ways: (1) “GET” submissions, (2) “POST” submissions, and (3) “GIF” submissions.
GET information is submitted as part of a Web site’s address or “URL,” in what is known as a “query string.” For example, a request for a hypothetical online record store’s selection of Bon Jovi albums might read: http://recordstore.hypothetical.com/search?terms=bonjovi. The URL query string begins with the “?” character meaning the cookie would record that the user requested information about Bon Jovi.
Users submit POST information when they fill-in multiple blank fields on a webpage. For example, if a user signed-up for an online discussion group, he might have to fill-in fields with his name, address, email address, phone number and discussion group alias. The cookie would capture this submitted POST information.
Finally, DoubleClick places GIF tags on its affiliated Web sites. GIF tags are the size of a single pixel and are invisible to users. Unseen, they record the users’ movements throughout the affiliated Web site, enabling DoubleClick to learn what information the user sought and viewed.
Although the information collected by DoubleClick’s cookies is allegedly voluminous and detailed, it is important to note three clearly defined parameters. First, DoubleClick’s cookies only collect information concerning users’ activities on DoubleClick-affiliated Web sites. Thus, if a user visits an unaffiliated Web site, the DoubleClick cookie captures no information. Second, plaintiff does not allege that DoubleClick ever attempted to collect any information other than the GET, POST, and GIF information submitted by users. DoubleClick is never alleged to have accessed files, programs or other information on users’ hard drives. Third, DoubleClick will not collect information from any user who takes simple steps to prevent DoubleClick’s tracking. As plaintiffs’ counsel demonstrated at oral argument, users can easily and at no cost prevent DoubleClick from collecting information from them. They may do this in two ways: (1) visiting the DoubleClick Web site and requesting an “opt-out” cookie; and (2) configuring their browsers to block any cookies from being deposited. Transcript of February 22, 2001 Oral Argument at 15-18.
Once DoubleClick collects information from the cookies on users’ hard drives, it aggregates and compiles the information to build demographic profiles of users. Plaintiffs allege that DoubleClick has more than 100 million user profiles in its database. Exploiting its proprietary Dynamic Advertising Reporting & Targeting (“DART”) technology, DoubleClick and its licensees target banner advertisements using these demographic profiles.
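As an added illustration (not part of the decision or of the original article), the following Python sketch models Steps Three and Four and the opt-out behaviour described in the excerpts above. The class and function names, the `OPT_OUT` cookie value, the affiliate list and the assumption that the affiliated page's URL reaches the ad server as a referer are all hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data; every name and value below is hypothetical.
AFFILIATED_SITES = {"recordstore.hypothetical.com"}
OPT_OUT = "OPT_OUT"  # assumed value carried by an opt-out cookie


class AdServer:
    """Toy model of the ad server's side of Steps Three and Four."""

    def __init__(self):
        self.profiles = {}  # cookie id -> list of recorded observations

    def handle_banner_request(self, cookie_id, referer, user_agent):
        page = urlsplit(referer)
        if page.hostname not in AFFILIATED_SITES:
            return None  # unaffiliated page: no ad link, so nothing is seen
        if cookie_id is None or cookie_id == OPT_OUT:
            # Cookies blocked or opt-out cookie set: banner served, no profile.
            return {"banner": "generic", "profiled": False}
        # The affiliated page's GET query string is stored under the cookie id.
        self.profiles.setdefault(cookie_id, []).append({
            "site": page.hostname,
            "path": page.path,
            "query": parse_qs(page.query),
            "browser": user_agent,
        })
        return {"banner": "targeted", "profiled": True,
                "interests": self.interests(cookie_id)}

    def interests(self, cookie_id):
        """All query-string values accumulated for one cookie id, sorted."""
        seen = set()
        for obs in self.profiles.get(cookie_id, []):
            for values in obs["query"].values():
                seen.update(values)
        return sorted(seen)


def replay():
    """Replay four constructed requests; return the server and its answers."""
    server = AdServer()
    url = "http://recordstore.hypothetical.com/search?terms=bonjovi"
    ua = "ExampleBrowser/1.0"
    return server, [
        server.handle_banner_request("#0001", url, ua),   # identified user
        server.handle_banner_request(OPT_OUT, url, ua),   # opt-out cookie
        server.handle_banner_request(None, url, ua),      # cookies blocked
        server.handle_banner_request("#0001", "http://unaffiliated.example/", ua),
    ]
```

Only the first request leaves a trace: the profile stored under cookie "#0001" holds the site, path, search terms and browser type, which is the data a privacy review of a third-party ad tag should expect to find server-side.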
The impact of the Abacus acquisition?
In June 1999, DoubleClick acquired the American company Abacus, a direct-marketing specialist. Abacus therefore holds a considerable file of "real-world" addresses.
Needless to say, the combination of DoubleClick's files (virtual world) and Abacus's files (real world) was explosive. All the more so because DoubleClick announced at the same time that it was amending its privacy policy to allow this marriage.
That decision provoked a general outcry from privacy advocates … and an investigation by the Federal Trade Commission, which was closed without further action on 22 January 2001:
Based on this investigation, it appears to staff that DoubleClick never used or disclosed consumers’ PII [personal identifiable information] for purposes other than those disclosed in its privacy policy. Specifically, it appears that DoubleClick did not combine PII from Abacus Direct with clickstream collected on client Web sites. In addition, it appears that DoubleClick has not used sensitive data for any online preference marketing product, in contravention of its stated online policy. We understand that DoubleClick’s Boomerang product takes user data from one site to target advertising to the same user on other sites. However, the user profiles DoubleClick creates for its Boomerang clients for this targeting contains only non-PII. Furthermore, we understand that for all new Boomerang clients, DoubleClick requires by contract that the site disclose in its privacy policy that it uses DoubleClick’s services to target advertising to consumers, and DoubleClick will not implement Boomerang on a site until such disclosures are posted.
The complaint against DoubleClick for violation of federal laws
The complaint relied mainly on the following federal laws:
- Electronic Communications Privacy Act, which punishes hacking: “(a) Except as provided in subsection (c) of this section whoever– (1) intentionally accesses without authorization a facility through which an electronic information service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains… access to a wire or electronic communication while it is in electronic storage in such system shall be punished….”;
- Wiretap Act, which contains general prohibitions on the interception of telecommunications: “any person who–(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept wire, oral, or electronic communication [except as provided in the statute].” 18 U.S.C. §2511.
- Computer Fraud and Abuse Act, which prohibits unauthorized access to a computer system: “[18 U.S.C. §1030](a) – whoever… (2)(c) intentionally accesses a computer without authorization, or exceeds authorized access, and thereby obtains… information from any protected computer if the conduct involved an interstate or foreign communication… shall be punished as provided in subsection (c) of this section.”
In Europe too, some voices maintain that installing a cookie constitutes unauthorized access punishable under the law on computer crime.
Without undertaking an extensive analysis of US law, we note that the judge rejected the application of all three laws. She interpreted these laws teleologically and found that DoubleClick's activities were not covered by these texts, or that those which are covered benefit from the exceptions, notably because of the consent of the affiliated sites and/or the visitors.
The complaint against DoubleClick for violation of certain state laws
The complaint also relied on certain state laws. More interestingly, the debate shifts here: the federal laws are aimed rather at protecting computer systems, whereas the state laws are aimed at protecting privacy as such.
Unfortunately the judgment is of no help: a federal judge cannot apply a state law if he rejects the claim based on federal laws: When federal claims are dismissed, retention of state law claims under supplemental jurisdiction is left to the discretion of the trial court.
The debate does not end there
The plaintiffs have announced their intention to appeal.
Moreover, as we have seen, the judge said nothing about privacy law as such, referring the parties to a state court. As it happens, two other lawsuits are currently pending against DoubleClick in California and Texas, precisely for violation of those states' laws protecting privacy and personal data.
To be continued in the next issue.
More information
- By consulting the judgment discussed here, online on this site
- By searching our search engine for the keyword "cookie".