Security

Senators Question NebuAd, Targeted Ad Privacy

NebuAd, the controversial online behavioral advertising vendor, does not collect personally identifiable information or keep the information it collects for an extended time, the company's chairman and CEO said Wednesday.

NebuAd, which has reportedly worked with more than a dozen ISPs (Internet service providers) in the U.S., collects information about users' Web surfing habits, then delivers targeted advertising based on those results. Privacy critics have protested the service, saying it uses common Internet attacks to collect data and may be illegal because it does not get affirmative consent from both the ISP subscribers and the Web sites they visit.

But Robert Dykes, chairman and CEO of the California company, told a U.S. Senate committee that NebuAd collects limited data about users and it anonymizes the data it collects, including the IP (Internet Protocol) numbers. In the data's aggregated forum, it would be impossible to identify a subscriber of an ISP that has a partnership with NebuAd, he told the Senate Commerce, Science and Transportation Committee.

If the U.S. government asked NebuAd to identify users, the company wouldn't be able to comply, Dykes told senators. "No one, not even the government, can determine the identity of our users," he said.

NebuAd only collects information to use to create profiles for a limited number of advertising categories, Dykes said. All other data collected is deleted, he said. In addition, users can easily opt out of NebuAd's data collection, he said.

The Senate committee scheduled the hearing after Charter Communications, one of the largest providers of cable-based broadband service in the U.S., announced in May that it was testing NebuAd's service. After privacy objections, the ISP said last month it was suspending its partnership with NebuAd.

The practices of NebuAd and other behavioral advertising services have led to privacy questions, said Senator Byron Dorgan, a North Dakota Democrat. "Many consumers express concerns about the privacy and data security implications of being targeted," he said.

On Tuesday, privacy advocacy group the Center for Democracy and Technology (CDT) released a report suggesting NebuAd's practice may be illegal under some state wiretap laws. In June, privacy advocates Public Knowledge and Free Press released their own report suggesting that NebuAd hijacks browsers, employs man-in-the-middle attacks, uses packet forgery and installs unwanted cookies in order to track users' Internet habits.

NebuAd has disputed the information in those reports.

One NebuAd critic at the hearing said she was skeptical that the information the company collects is truly anonymous. NebuAd should be able to identify individual users based on their searches and other Web activity, said Leslie Harris, president and CEO of the Center for Democracy and Technology (CDT), a privacy and digital rights advocacy group.

"[NebuAd is] building profiles," Harris said. "I think it's pseudonymous. It can't be entirely anonymous."

Harris, as well as officials from Google and Microsoft and some Democratic senators, called on the U.S. Congress to pass comprehensive privacy legislation that would govern how personal information can be used online. Voluntary rules set up by the online advertising industry and recommended privacy practices from the U.S. Federal Trade Commission aren't enough, Harris said.

Others at the hearing questioned the need for new privacy laws. Targeted advertising supports Internet content, and Internet users have differing levels of privacy needs, depending on what Web service they're using, said Clyde Wayne Crews Jr., vice president for policy at the Competitive Enterprise Institute, a conservative think tank.

"Privacy is not a thing to legislate, it's a relationship expressed in countless ways," Crews said. Legislation would be complex and would likely not keep up with technological advances, he added.

In addition, Internet users understand that the Web has privacy limitations, he added. "If privacy is what you want, the Internet is probably not for you," he said.

Senator Jim DeMint, a South Carolina Republican, suggested that competition, and not legislation, will solve most privacy issues online. "In some ways, we've got a solution in search of a problem, as the industry moves very quickly to cut off these problems before they occur," he said.

Subscribe to the Security Watch Newsletter

Comments