NebuAd: The Third Rail for ISPs?

Facing objections from lawmakers and privacy advocates, Charter Communications, the nation’s fourth-largest cable company, has set aside its plan to test-drive a controversial ad deal with behavioral targeting firm NebuAd. So what was all the fuss about?

NebuAd isn’t the typical online ad firm. The company promises to bring Internet service providers into the advertising revenue stream by paying them for access to data about the Web sites their subscribers visit and the search terms they use.

For some, that idea sounds a little too creepy for comfort.

NebuAd supplies ISPs with a hardware appliance that enables them to mine packets of information traveling across their networks. It then uses that data to target participating Web sites’ ads to individual users.

For its part, NebuAd maintains that it does not record queries on sensitive topics like financial information or collect any information that can be used to personally identify individuals, relying instead on a computer’s unique IP address.

NebuAd declined to comment for this story beyond a company statement. “We remain committed to driving strong value to advertisers, publishers and ISPs while setting the gold standard for privacy in online advertising,” it said.

The company claims on its Web site that its system looks at individuals’ search terms and browsing habits and translates that activity into any one of more than 1,000 commercial categories to serve relevant ads in real time.

NebuAd also says that it does not retain the browsing habits of individuals in any way that they could be identified.

“We are open and forthcoming about what we do, how we do it, and we require our partners to do the same,” including requiring ISPs to provide their customers with a mechanism to opt out of tracking, NebuAd said in the statement.

A study earlier this month disputed that claim. In a research report commissioned by the media-reform groups Free Press and Public Knowledge, engineer Robert Topolski found that NebuAd modifies data packets that Web sites transmit in order to install advertising cookies on users’ computer.

In the report (available as a PDF here), Topolski calls NebuAd’s tactic “browser hijacking,” and compares it to two famous security exploits known as cross-site scripting and man-in-the-middle attacks.

NebuAd responded in a statement in Broadcasting & Cable that the report mischaracterized its practices, claiming that the cookies it installs are no different from those used by other ad-tracking systems.

Topolski, who gained fame last fall when he alleged in another study that Comcast was throttling peer-to-peer BitTorrent traffic, shot back at NebuAd’s claims in a blog post, saying that other ad companies do not engage in the practice of “forging TCP packets.”

NebuAd suffered another splash of bad press when the U.K. tech tabloid The Register scoured the professional networking sites LinkedIn and LinkSV and found that five executives at the company used to work at Claria (formerly Gator Corp.), a company that has been widely criticized as a distributor of advertising spyware.

The controversy around NebuAd may come as a blow to ISPs hoping to cash in on the online advertising market.

Increasingly, cable companies are looking to harness their users’ data to serve more targeted ads and create a lucrative business line. Several of the nation’s largest cable providers, including Charter (NASDAQ: CHTR), are working together to sell targeted ads across their networks under the aegis of a group called Canoe Ventures.

A Charter spokeswoman told that the company still plans to go forward with the NebuAd trial once the privacy issues have been resolved.

The outcry also attracted the attention of U.S. lawmakers. Following Topolski’s report earlier this month, Rep. Ed Markey (D-Mass.), who chairs the U.S. House of Representatives’ subcommittee on telecommunications and the Internet, held a meeting with Charter to discuss the privacy concerns of the NebuAd deal.

He later praised the ISP’s decision to delay the trial.

“I urge other broadband companies considering similar user profiling programs to similarly hold off on implementation while these important privacy concerns can be addressed,” Markey said in a statement.

Markey spokespeople did not return requests for comment by press time.

News Around the Web