Lawmakers Call on NebuAd to Change Privacy Notification

Several U.S. lawmakers called on behavioral advertising vendor NebuAd to change its privacy notification procedures so that customers have to opt in for the company to track their Web habits instead of opting out.

Several members of the House of Representatives Telecommunications and Internet Subcommittee questioned NebuAd's business practice of working with ISPs (Internet service providers) to track subscribers' Web activities in an effort to deliver targeted advertising to them.

NebuAd's use of "deep-packet inspection" to examine subscribers' traffic across the Web, while requiring them to opt out of the service, raises serious privacy concerns, said Representative Edward Markey, a Massachusetts Democrat and chairman of the subcommittee.

Markey pressured NebuAd Chairman and CEO Robert Dykes to switch notification to opt in during a Thursday hearing on ISPs' use of deep-packet inspection, a method for ISPs and other companies to examine the contents of packets traveling across the Web. "Should you get permission from the consumer first?" Markey asked. "Will you give them opt in?"

Dykes wouldn't commit to changing his service to opt in, although he said NebuAd will work with privacy group the Center for Democracy and Technology (CDT) to address its concerns. Earlier this month, NebuAd also announced plans to provide notification of the Web tracking online, in addition to e-mails or notes on ISPs' bills sent to customers, he noted.

Instead of opt-in permission, "it's much more important that the consumer is well informed," he said.

Several lawmakers disagreed. "Why do I have to opt out?" said Representative Bart Stupak, a Michigan Democrat. "Why should the burden have to be on the American consumer?"

NebuAd doesn't collect personal or sensitive information and anonymizes the data it collects, Dykes said. Other Web companies doing similar kinds of information collection don't have to get opt-in permission, he said.

"The science exists today, and NebuAd is using it, to create truly anonymous profiles that cannot be hacked or reverse engineered," he added.

Privacy advocates started raising concerns about NebuAd's service after Charter Communications, one of the largest providers of cable broadband service in the U.S., announced in May it would test the NebuAd product. Charter, in June, suspended the trials because of privacy concerns raised by customers.

But several other U.S. ISPs are using or testing NebuAd's service in attempts to get a piece of the Internet advertising pie. This week, Markey and two other lawmakers sent a letter to Embarq, a Kansas ISP, questioning its use of NebuAd Web tracking, apparently without notifying its customers.

While some lawmakers at Thursday's hearing questioned whether NebuAd's service violates state wiretap laws, as CDT has suggested, other lawmakers said that Congress is targeting a small category of businesses, while other Internet-based businesses collect huge amounts of data.

Google, Yahoo and Microsoft all deliver targeted ads, said Representative Cliff Stearns, a Florida Republican. "Consumers don't care whether you're a search engine or a broadband provider," he said. "They want to ensure you are not violating their privacy either way."

Stearns also questioned if there was any demonstrated consumer harm from the NebuAd model of collecting data. "It's imperative that there be some evidence of harm if we're going to regulate this practice, or we run the risk of prematurely restricting the latest technological advancements," he said. "As the overall economy continues to take a significant downturn, the government should not be contemplating how to make it harder for small businesses to succeed."

But Markey and David Reed, a professor at the Massachusetts Institute of Technology and a pioneer in the development of the Internet, suggested that an ISP has much more power to track Internet users' habits than an individual Web site or an ad network. "You've got Google times 100," Markey said.

Reed compared ISPs using NebuAd to a package delivery company looking inside every box it handles.

Deep-packet inspection methods "violate long-agreed standards and principles of Internet design," Reed said. Such services put the Internet at risk, he said, by "normalizing nonstandard and risky technical activity on behalf of telecom operators and broadband operators who may choose to exploit their captive customers rather than transparently delivering the communications services for which their customers have paid."
