This story appeared on Network World at

http://www.networkworld.com/columnists/2007/073107-bradner.html

A semi-visible semi-abomination

'Net Insider

By Scott Bradner, Network World, 07/31/07

Sponsored by:

I seldom hear from vendors that are targets of negative comments in this column. Every now and then I get a flame, and once in a blue moon someone actually wants to talk seriously about the issues I raised. NebuAd, the advertising start-up I criticized recently, turns out to be one of those blue moon companies.

A few days after the column (“An invisible abomination,”) appeared in early July, I got e-mail from one Ben Billingsley, who identified himself as involved in marketing for NebuAd. Billingsley said he had read the column "with interest" and wanted to know if I would be open to talking with NebuAd's CEO. No flame-age, just a polite offer, so I accepted. Billingsley set up a conference call in which I was able to have an informative conversation with him, Chairman and CEO Robert Dykes and President of Advertising Systems Kira Makagon.

I wrote the original column using information on NebuAd's Web site and from a number of online comments and blogs. Dykes did not say I had gotten things wrong — he just offered to describe what the company did. Based on the description, I'm not sure I did get the basics wrong. But what NebuAd is doing is not as bad as I feared, though not as good as I would like either.

Basically the company is monitoring all sites you visit and builds up a profile of your interests. Based on what Dykes said, the profile is quite coarse and basically keeps track of the categories of the sites you visit. They categorize the sites based on their review and based on scanning site metadata and text. NebuAd carefully does not include any categories related to health issues, politics or adult topics, Dykes says. Thus it winds up with a profile tied to an IP address (which they hash before storing) with counters indicating how often particular types of sites are visited. This lets NebuAd serve up an ad for a car even if you are visiting a Web site focused on quilting if your previous Web activities included visiting a lot of car-related sites.

The company also keeps track of session-based activities — for example, how many people visited Ford, what they saw and what else they visited. NebuAd provides this info to ad agencies but only after double hashing the IP address to make it essentially impossible for the agency to link the activity back to an individual IP address.

Dykes also said that NebuAd tries hard to be sure that the Web site or the customer knows what's going on. Mostly it sells its services to Web site operators — the quilting site can get more ad revenue if it is not restricted to quilting-related ads. NebuAd also offers its services to ISPs. Dykes said most major ISPs do not want NebuAd to add still more ads to the user experience but that ad-supported ISPs (for example public Wi-Fi nets) do want the revenue from additional ads. NebuAd insists that the ISPs’ users are told up front about the usage monitoring with enough lead time so that they can switch providers if they want to, according to Dykes. He also said that any ad that NebuAd inserts without the Web site's OK has a banner on it indicating that the ad is not from the site. Billingsley sent me an example and I'd just as soon that the banner was bigger and clearer, but at least there was one.

As I said above, I'm now not as unhappy as I was. I still do not like the idea that NebuAd is keeping track of what I'm doing and worry about what additional info the company might decide to start using its systems to record if it runs into financial difficulty or is bought by a less scrupulous company. But NebuAd, and its privacy board, do seem to be trying to do this bad thing in as responsible a way as I can think of.

Disclaimer: It's not likely that Harvard will run into significant financial difficulty anytime soon, so the above worries would not apply. The university has not expressed any specific opinion on this topic.