This story appeared on Network World at

http://www.networkworld.com/columnists/2007/070209bradner.html

An invisible abomination

By Scott Bradner, Network World, 07/02/07

Once upon a time ISPs just transported packets of information from place to place without looking at them other than to find out where they should go. Of course that could not last. Now a company is selling ISPs a device designed to spy on customer traffic, track preferences and insert specially selected ads during Web surfing.

Start-up NebuAd seems to be trying to put all ISP-related, bad network-behavior into a single box. It is trying to sell a device that, according to its Web page, will “analyze and act on consumer behavior” in order to develop a “keen insight into a consumer’s dynamic, Web-wide behavior.” Basically, the device spies on traffic to try to determine the “demographics, geography, life style and interests” of individual customers (see the Web site for NebuAd’s Fair Eagle division). The box then inserts ads into the data stream the customer is receiving back from a Web site. This is done without the knowledge or permission of the customer or the Web site owner. Predictably, just like the data brokers who sell your every secret to the lowest bidder, NebuAd tries to claim that this is in the best interest of the consumer. Also note that the company could be subpoenaed for any spying it might have done on traffic to or from your IP address.

My reaction on reading about this device was one of disgust — it’s as if one were to take the entire swamp of bad things an ISP could do and boil it down to get concentrated slime. NebuAd does claim it doesn’t collect or use any personally identifiable information (see its privacy policy). But, based on such experiences as AOL’s data release (thanks for nothing, AOL), if one collects the kind of information NebuAd seems to be, it is easy to figure out whom you are looking at in far too many cases. In addition, even if the company might not be collecting personally identifiable information today, it is hard to trust that a company offering such an invasive product would not hesitate to change its tune if it thought there was a buck in it somewhere. It may give a hint to the company’s mind-set if you understand that “nebu” is the Egyptian hieroglyph for gold.

Some of this is far from a new idea. The idea of developing technology to enable ISPs to insert or replace ads surreptitiously when their customers surf the Web came up in the IETF more than six years ago. The Internet Architecture Board carefully considered the policy and architectural aspects of the idea and published RFC 3238, “Architectural and Policy Considerations for Open Pluggable Edge Services.” This document, among many other things, said that any deployment of such technology must be enabled only if the user or the Web site operator agreed. NebuAd is ignoring that guidance.

At least one Texas-based ISP has tried this device without letting its users know. If you were a customer of that ISP and you surfed my ad-free Web site, you might see ads and assume I had sold out. In that way, NebuAd would be directly harming me.

NebuAd says that individuals can opt out unless they are using a Wi-Fi ISP. If someone does opt out, NebuAd will place a cookie from the Fair Eagle site on the user’s machine that it claims will block the data gathering and ad placement. That will not work for anyone who does not know about the “service” or who removes cookies from their machine regularly -- as I do.

In my opinion, any ISP that secretly deploys such a device should be outed, shunned, then sued for theft by every Web site operator that has an ad overwritten or added. When you do so please add NebuAd to the suit for contributory sliminess. Hopefully there is still enough venture capital money left to attract the right kind of lawyers.

Disclaimer: Harvard trains all kinds of lawyers, but I did not ask any of them for their opinion of the value of these targets. Thus, the above is my own slime exploration.