The year began promisingly enough for NebuAd, a Silicon Valley advertising startup promising a new source of revenue for ISPs through the use of deep packet inspection. DPI allows ISPs to track the behavior of Internet users without their consent in order to more accurately target advertising.
Charter Communications, the nation’s fourth-largest broadband provider, signed up for the service, as did several other ISPs.
That was then and this now. After a spring and summer of harsh criticism from Congress and public interest groups over the privacy implications of DPI, the Charter deal is gone, NebuAd CEO Bob Dykes has resigned and, according to the Washington Post, NebuAd has abandoned pushing DPI to ISPs.
“Our platform was architected to be a multichannel ad system,” NebuAd spokesperson Janet McGraw wrote the newspaper in an e-mail. “With the Internet service provider channel currently on hold with the events of the summer, we have broadened the focus of our business but continue to enhance our technologies for that ISP channel.”
U.S. Sen. Byron Dorgan immediately hailed NebuAd’s decision.
“NebuAd’s decision to put this plan on hold is a significant victory for the privacy rights of Americans,” Dorgan, who held a July hearing on NebuAd’s ability to track users’ Web travels, said in a Sept. 4 statement. “This decision should put broadband providers on notice that turning data on users’ behavior over to third parties, particularly without their clear consent and understanding of the practice, is not in line with good privacy practices.”
NebuAd’s problems began in May when Rep. Ed Markey, the chairman of the House Subcommittee on Telecommunications and the Internet, and Rep. Joe Barton, the panel’s ranking Republican, wrote a letter (PDF) to Charter urging the broadband provider to drop its plans to use NebuAd’s DPI package. That was followed by a critical technical report (PDF) on NebuAd’s DPI process by Free Press and Public Knowledge.
According to the report, NebuAd uses special equipment that “monitors, intercepts and modifies the contents of Internet packets” as consumers go online. The report found that NebuAd inserts extra hidden code into users’ Web browsers that was not sent by the Web site being visited.
In turn, the code directs the browser to another site not requested or even seen by the consumer, where more hidden code is downloaded and executed to add more tracking cookies. Using the secretly collected information, NebuAd serves up ads based on the user’s browsing habits. NebuAd allows users to opt out of the customized ads program but not online tracking.
Charter soon cancelled its deal with NebuAd and Dykes found himself testifying before Congress.
“I feel like Galileo when he was viewed with skepticism on demonstrating that the Earth revolved around the sun,” Dykes told skeptical lawmakers July 18. “The science exists today and NebuAd is using it to create truly anonymous profiles that cannot be hacked or reverse-engineered.”
Markey was unimpressed.
“From a privacy perspective, given the sheer sophistication of the technology’s capability and the obvious sensitivity of the personal information that can be gleaned from a consumer’s Web use, I believe broadband providers deploying deep packet inspection technologies must adopt clear privacy policies,” Markey said.
At the top of that privacy policy list is requiring ISPs to use an opt-in regime when deploying NebuAd’s DPI technology, a notion Dykes said would dilute the effectiveness of the program. “No one, not even the government, can determine the identity of our users,” Dykes argued.
Dykes’ testimony before the committee turned out to be one of his last public appearances for NebuAd, which he joined in 2007. Dykes resigned Sept. 3 and plans to join VeriFone Holdings as a senior vice president and chief financial officer.