CDT Charges ISP Ad Scheme Might Be Illegal

WASHINGTON–If the recent press wasn’t bad enough already for NebuAd, a public interest watchdog group today released a report suggesting that the Redwood City, Calif.-based startup’s controversial plan to target ads according to people’s browsing habits collected from Internet service providers (ISPs) might be illegal.

At a meeting with reporters here at the headquarters of the Center for Democracy and Technology (CDT), the group laid out a legal argument alleging that ISPs that engage in NebuAd’s program could run afoul of the 1986 Electronic Communications Privacy Act (ECPA) — also known as the Wiretap Act — as well as several states’ privacy laws.

“Advertising per se is not considered the evil,” said CDT President and CEO Leslie Harris. “It’s the collection of individuals’ information — usually without their knowledge — always without their consent, the creation of profiles, and the complete inability of people to make informed choices about that.”

The concerns raised by the CDT echo a larger debate over the targeting of ads based on what people do online and an individual’s right to privacy that has been building steam over the past several months, drawing scrutiny from the Federal Trade Commission and prominent lawmakers of both parties.

Tomorrow, the Senate Commerce Committee is holding a full committee hearing to address the issue. The witness list includes representatives from Microsoft, Google, NebuAd and the CDT, which advocates a baseline national privacy policy.

NebuAd, which declined to comment for this story, pitches its service to ISPs as a way to bring them into the online advertising revenue stream. The company pays ISPs to install a hardware client that collects information about their subscribers’ Web activities, which NebuAd then uses to place ads tailored to people’s interests. A British company called Phorm engages in a similar practice.

“The ISP sits in a different position than a Web site,” Harris said. “They are sort of the only trusted intermediary between the ends of the network. What comes over those pipes is an order of magnitude in terms of the range of information simply different than an ad network.”

NebuAd’s claim that it doesn’t collect any personally identifiable information has met with considerable skepticism.

Hijacking your browser?

“This is analogous to AT&T listening to your phone calls all day to decide what to call you at dinner about in order to sell you something,” said Rob Topolski, a security researcher who has written a report comparing NebuAd’s system to two forms of browser-hijacking attack: a man-in-the-middle attack and a cross-site scripting attack.

Topolski serves as a technical consultant to the media-reform groups Free Press and Public Knowledge. He is widely known for his research last year that revealed that Comcast was deliberately slowing traffic from the peer-to-peer site BitTorrent.

Topolski estimates that through its partnerships with more than a dozen smaller ISPs, NebuAd collects information on about 10 percent of the nation’s online population.

Two weeks ago, Charter Communications (NASDAQ: CHTR), the nation’s fourth-largest cable company, shelved its plan to partner with NebuAd amid pressure from privacy advocates and lawmakers.

NebuAd, which maintains that its system is built with privacy as a top priority, requires its ISP partners to provide consumers with a method of opting out of having their activities tracked.

Today, the company announced that it has expanded its opt-out policies to require ISPs to provide consumers with periodic notices that their activities are being tracked, and developed an opt-out mechanism without placing a small text file known as a cookie on a computer. Privacy advocates have long charged that ad networks’ opt-out policies that are based on cookies are flawed because many users routinely delete cookies from their browser, which erases the signal that is designed to prevent Web activity from being tracked.

But for the CDT, even an enhanced opt-out model doesn’t go far enough.

“With the opt-out model, you definitely still have the ECPA concerns,” said CDT Vice President Ari Schwartz, arguing that only an opt-in model would satisfy the 1986 Wiretap Act.

Deep packet analysis

According to the CDT’s analysis, that law would require ISPs to obtain consent from their customers before installing NebuAd’s device, which uses a technique called deep-packet inspection to determine the contents of Web transmissions.

“A mail carrier walking down the street knows where to deliver which envelopes based on the information on the outside of the envelopes,” Topolski said. “What deep-packet inspection enables is analogous to the postal service opening the envelope and reading all the contents and saying, ‘This is bulk mail,’ or maybe even ‘This is junk mail, they probably don’t even want that.’ That’s the type of technology we’re dealing with here.”
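The envelope analogy above maps directly onto what a device in the ISP’s path can and cannot read. The following Python snippet is an added illustration written for this article; it is not code from NebuAd, the CDT or Topolski’s report. It models a packet as a small dataclass (an assumption for readability, not a real capture format), and contrasts the “outside of the envelope” a forwarding router needs (addresses and ports) with what a deep-packet-inspection function can reconstruct from a cleartext HTTP request: the host, full URL, cookies and body. The sample packets are constructed; the second one carries an opaque TLS application-data record, which is why the same inspection routine falls back to the envelope alone. That difference is the practical takeaway for defenders: transport encryption is what denies a middlebox the “contents of the envelope”.

```python
"""Added illustration: router view versus deep-packet-inspection (DPI) view.

All packets below are constructed sample data, not captures, and the Packet
dataclass is a simplification assumed for this example, not a pcap format.
"""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes  # TCP payload: cleartext HTTP or opaque TLS ciphertext


def envelope_view(pkt: Packet) -> dict:
    """The outside of the envelope: all a forwarding device needs to route."""
    return {
        "src": f"{pkt.src_ip}:{pkt.src_port}",
        "dst": f"{pkt.dst_ip}:{pkt.dst_port}",
    }


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Minimal HTTP/1.x request parser.

    Returns None when the payload is not recognisable cleartext HTTP, which
    is what a DPI box sees for a TLS session.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def deep_inspection_view(pkt: Packet) -> dict:
    """What a DPI box at the ISP can reconstruct from the payload."""
    req = parse_http_request(pkt.payload)
    if req is None:
        # Ciphertext: the inspection point is reduced to the envelope.
        return {"readable": False, **envelope_view(pkt)}
    h = req["headers"]
    return {
        "readable": True,
        "host": h.get("host"),
        "url": f"http://{h.get('host', '')}{req['target']}",
        "cookie": h.get("cookie"),
        "user_agent": h.get("user-agent"),
        "body": req["body"],
    }


# Constructed cleartext HTTP request (RFC 5737 documentation addresses).
CLEARTEXT = Packet(
    "192.0.2.10", "198.51.100.5", 51234, 80,
    b"GET /search?q=mortgage+refinance HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Cookie: session=abc123\r\n\r\n",
)

# Constructed TLS 1.2 application-data record header (0x17 0x03 0x03, length)
# followed by stand-in ciphertext bytes; nothing here parses as HTTP.
ENCRYPTED = Packet(
    "192.0.2.10", "198.51.100.5", 51235, 443,
    bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(range(0x80, 0xA0)),
)

if __name__ == "__main__":
    for pkt in (CLEARTEXT, ENCRYPTED):
        print("router sees:", envelope_view(pkt))
        print("DPI sees:   ", deep_inspection_view(pkt))
```

Running the block prints, for the cleartext packet, the destination alone under the router view and the host, URL and cookie under the DPI view; for the TLS packet both views collapse to addresses and ports.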

Schwartz warned that an opt-in system could still leave ISPs on the hook for violating states’ privacy laws.

“In addition to the federal Wiretap Act, a majority of states have their own wiretap laws, which can be more stringent than the federal law,” the CDT wrote in its legal analysis. “Most significantly, 12 states require all parties to consent to the interception or recording of certain types of communications.”

Under the CDT’s interpretation, those states with all-party consent laws would not only require the individual users to agree to share their Web activities with NebuAd through their ISPs, but the sites that they visit would have to provide consent as well.

The 12 states with two-party consent laws are California, Connecticut, Florida, Washington, Pennsylvania, New Hampshire, Nevada, Montana, Massachusetts, Michigan, Maryland and Illinois, the state where Topolski’s initial research (available as a PDF here) was focused.

Claims of privacy at risk

The CDT has no plans to file litigation against any of the ISPs currently using NebuAd’s system. Instead, the group is trying to raise awareness that many of the existing structures of behavioral targeting — which it has long argued put individuals’ privacy at risk — are now being applied to what it argues should be trusted communications providers.

“We are now seeing the migration of this model from individual portals and Web sites to ISPs, so I think it’s important to understand that all of the concerns that we have in the online space are equal and amplified here,” Harris said.

As severe as those concerns are to privacy advocates, Harris acknowledged the bare necessity of advertising to the way the Web works today.

“It’s important to understand the fact that a lot of the content on the Internet is free to the consumer because it is supported by this advertising model,” she said.

“But from the perspective of consumers, it’s not transparent. Very few people understand the practice is occurring. To the extent that we have had a self-regulatory model intended to give consumers some choice over whether or not they wanted to participate in behavioral advertising, consumers are largely unaware of it,” she said. “It is a very difficult system to navigate, and has been in our view largely a failure.”