Lawmakers Seek Opt-in Regime for NebuAd

It has not been a good few months for NebuAd, the Silicon Valley startup pushing DPI, or deep packet inspection, as a source of new revenue for ISPs. Without a user's consent, NebuAd collects information about the user's browsing history and serves up ads based on those travels.

Privacy advocates have been relentless in their criticism of DPI and Congressional pressure has already cost NebuAd a deal with Charter Communications.

Things didn't get any better for NebuAd CEO Bob Dykes July 17 at a House hearing on behavioral advertising, particularly after he compared himself to Galileo.

"I feel like Galileo when he was viewed with skepticism on demonstrating that the Earth revolved around the sun," Dykes told skeptical lawmakers. "The science exists today and NebuAd is using it to create truly anonymous profiles that cannot be hacked or reverse-engineered."

Rep. Ed Markey, chairman of the House Subcommittee on Telecommunications and the Internet, was unimpressed.

"From a privacy perspective, given the sheer sophistication of the technology's capability and the obvious sensitivity of the personal information that can be gleaned from a consumer's Web use, I believe broadband providers deploying deep packet inspection technologies must adopt clear privacy policies," Markey said. 

At the top of that privacy policy list is requiring ISPs to use an opt-in regime when deploying NebuAd's DPI technology, a notion Dykes said would dilute the effectiveness of the program. "No one, not even the government, can determine the identity of our users," Dykes argued.

NebuAd allows users to opt out of the customized ads program but not online tracking.

"That's basically saying silence is consent and as a result you can do whatever you want with their information," Markey said. "I don't think, unless you've got clear affirmative permission, that you should be able to take this incredible leap into the breaching of the privacy of Americans."

According to a technical report (PDF) by Free Press and Public Knowledge, NebuAd uses special equipment that "monitors, intercepts and modifies the contents of Internet packets" as consumers go online. The report found that NebuAd inserts extra hidden code into users' Web browsers that was not sent by the Web site being visited. 

In turn, the code directs the browser to another site not requested or even seen by the consumer, where more hidden code is downloaded and executed to add more tracking cookies. Using the secretly collected information, NebuAd serves up ads based on the user's browsing habits.

"NebuAd breaks the rules of acceptable behavior on the Internet," Robert Topolski, the report's author, wrote. "It monitors what you do and see on the Internet, it breaks in and changes the contents of your private communications, it keeps track of what you've done, and if you even know that it's happening, it is impossible to opt out of it."

In May, Ed Markey and Joe Barton, the ranking member of the subcommittee, wrote (PDF) to Charter Communications President and CEO Neil Smit asking him to stop NebuAd testing until the subcommittee has had time to review the program.

"Any service to which a subscriber does not affirmatively subscribe and that can result in the collection of information about the Web-related habits and interests of a subscriber, or a subscriber's use of the operator's services … without the 'prior written consent or electronic consent of the subscriber' raises substantial questions related to [privacy]," Markey and Barton wrote.

Charter, the nation's fourth-largest broadband provider, withdrew from its proposed deal with NebuAd June 24. Markey and Barton have also sent a similar a letter to Embarq. NebuAd claims to also have deals in place with Broadstripe, CenturyTel, Metro Provider and other ISPs. NebuAd pays ISPs to install monitoring boxes on their networks.