NebuAd CEO Bob Dykes took another shellacking on Capitol Hill this morning, as lawmakers probed into his company’s controversial plan to target ads to Internet users by intercepting their Web activities from broadband service providers.
Appearing before the House Subcommittee on Telecommunications and the Internet, Dykes reprised his testimony at a Senate hearing last week, defending his company against charges that NebuAd’s technology runs roughshod over consumer privacy.
“In many ways I feel like Galileo when he was viewed with skepticism for demonstrating that the Earth revolved around the sun,” Dykes said, emphatically claiming that NebuAd only collects nonsensitive information on an anonymous basis. “No one, not even the government, can determine the identity of our users.”
The hearing, the second in as many weeks to consider privacy and online advertising, follows the highly publicized decision of Charter Communications, the nation’s fourth-largest cable provider, to shelve its plan to try out NebuAd’s system.
NebuAd promises to bring Internet service providers (ISPs) into the online advertising revenue stream, but critics have charged that intercepting data from unsuspecting subscribers amounts to wiretapping.
One group, the Center for Democracy and Technology, has concluded that the practice could put ISPs on the wrong side of federal and state surveillance laws.
“Most consumers would be quite surprised to find a middleman lurking between them and the sites they visit,” said Alyssa Cooper, chief computer scientist for the CDT.
The matter of consent was central to the hearing. Ed Markey, the Massachusetts Democrat who chairs the subcommittee, pressed Dykes on whether he would be willing to alter NebuAd’s policy so that consumers would have to proactively consent to having their browsing histories tracked, rather than the current model, which sets tracking as the default but allows people to opt out.
Dykes did not answer the question directly, instead saying that it is important for the ISPs to give their subscribers “robust notice” — a phrase he repeated more than half a dozen times throughout the hearing. Visibly frustrated, Markey tried again.
“Should you get permission from the consumer first, Mr. Dykes?”
Again Dykes protested and said he felt like he was being bullied, like a man facing the hopelessly loaded question, “Have you stopped beating your wife?”
No, Markey said, “It’s more like have you stopped beating the consumer?” After a third unsuccessful attempt at getting Dykes to give a direct answer to the opt-in question, the congressman gave up. “I don’t think that’s a high enough standard Mr. Dykes. I think that’s basically saying that silence is consent.”
NebuAd requires its ISP partners to provide their subscribers with written notice 30 days before it begins tracking their information. That notice can take the form of a message on their billing statement, a separate mailed letter, an e-mail or a posting online.
The technology that facilitates NebuAd’s system is called deep-packet inspection, a form of Internet traffic filtering that examines the contents of individual packets of information. The common form of packet inspection only looks at the header of a data packet to determine where it is to be routed.
Deep-packet inspection, or DPI, was the nominal subject of the hearing, though the discussion was predominated by NebuAd. DPI is regularly used to detect and block security threats such as spam or distributed denial-of-service (DDoS) attacks. It can also be used to detect the transmission of copyrighted material, though Net neutrality advocates warn that ISPs could use the technology to block or degrade transmissions of online content or services that compete with their own.
Next page: Customer trust
Page 2 of 2
Customer trust
Then there is the greater issue of consumer trust. David Reed, engineering professor at M.I.T. and one of the early architects of the Internet packet-exchange technology, encouraged the representatives to think of the Internet as a shipping service. A technology such as NebuAd’s, Reed suggested, is the equivalent to a carrier opening the package and looking at its contents before delivering it.
“DPI technologies are not at all necessary to operating the Internet,” Reed claimed, arguing that “they violate long-agreed standards of Internet principle and design,” and “pose major risks to the economic success of the Internet as a whole.”
The shipping analogy resonated with many of the representative who took up Markey’s part in grilling Dykes about NebuAd. But Dykes maintained that with the Internet moving to an increasingly free, ad-supported model, his technology was helping support some of the companies that constitute the backbone of the network — the ISPs.
NebuAd pays its ISP partners a fee to collect Web traffic from their subscribers, which it then automatically translates into consumer categories such as travel or automotive, using that information to serve relevant ads.
According to NebuAd, its filtering system automatically discards information that falls outside of those categories, so it never sees queries for sensitive topics such as health or finance.
“The end result is simply our noting that an anonymous profile qualifies for certain innocuous categories,” Dykes said.
Cliff Stearns, R-Fla., asked if they were expected to take him at his word. Dykes said that NebuAd was planning to hire an accounting firm to audit his company’s system but would not name the firm because he said a final decision had not been made.
Markey shot back that he hoped Dykes would find one of the firms not connected with Enron or the subprime mortgage scandal or any of the other fiascos of the past seven years, where slipshod accounting helped concealed some very ugly truths.
“In most cases the accounting firms miss the stuff that the industry wants them to miss — because they also have consulting contracts.”