what doubleclick (and others in the business) do is multifold:
1) By putting an image on each page that needs to be tracked, they can tell when there is a page view for that page. The page views are identified by IP address, and they can make the reasonable assumption that even with Dynamic IP's, two successive page views a few seconds apart from the same IP are from the same person. Granted, it's statisical, but their primary purpose is broad statistics, not tracking a particular person.
2) A bit more insidious.. by putting a javascript (or other language (ActiveX, jscript, java, etc.)) program in the popup page that gets displayed (or framed), you can save a cookie, and then, return the contents of that cookie in the URL that gets used to fetch the image. For instance, the first page sets a cookie with a random key in it (i.e. "asdf").. The next page uses that cookie key to generate the URL for the image:
IMG SRC="http://nefarious.net/adimage". The server at nefarious.net gets the HTTP request for "adimage", strips the cookiekey off (remembering it a log file), and serves up "adimage". Now, you don't have to worry about tracking IP addresses, etc. As long as the cookie is on the user's computer, it can be used to return the original random number.
There is a trick in that the algorithm generating the number needs to make the probability low of generating the same number more than once (i.e. it does no good if everyone uses "asdf"..) It's not all that bad, because you still have the IP address to help match things up.
Note also that the image being retrieved might be a clear 1x1 pixel GIF, and not visible on the screen.
OK, so now, nefarious.net has the ability to keep a track of a particular persons detailed web browsing history (at least, of those pages with images or webbots embedded in them). i.e. they have a list that says, Person "X" (unidentified) visited page A at 04:02:01.00, then page B at 04:03:15.03, then page C two days later at 15:32:12.01.
Say that the person who has Page B has a form that you fill out to get some advertising information sent to you. Page B's owner now has a piece of information that says that at 04:03:15.03, Jim Lux visited their site.
It is now a simple matter to match up Page B's data with nefarious.net's data, and determine that Jim has visited pages A and C. If, for instance, as a condition of putting nefarious.net's banners on their site, the owners of page A, B, and C, agree to get a copy of nefarious.net's data, all of these folks have the ability to construct fairly detailed descriptions of what Jim Lux has been up to on the net. If, also, Page A, has agreed to provide nefarious.net with it's database, then nefarious.net has the ability to build the same database.
None of the participants in this have made any commitments not to sell the data, by the way (except, perhaps Jim Lux..), and perhaps, internet advertising isn't providing the revenue stream they had hoped. A much more valuable (for targeted marketing purposes) commodity is the browsing habits of a particular person (identified by name and other info), as opposed to general statistical stuff (which is the vanilla doubleclick sort of things:e.g on Fridays, 22% of viewers of your site click through to the car loan site, but on Monday, it's only 10%). Add a few cash flow problems to the .com who runs Page B, and all of a sudden, there's real potential for abuse.
Created on Saturday, March 10, 2001 11:28 AM EDT by James Lux