• by Wendy Davis  @wendyndavis, February 1, 2011

The start-up Kindsight, which plans to roll out a form of behavioral advertising that relies on controversial deep packet inspection technology, is urging the Commerce Department to adopt a "technology-neutral" approach to online privacy protection.

"Any federal privacy program should focus on the type and amount of consumer information collected and how it is used," Kindsight says in comments filed with the Commerce Department in response to its recent privacy report. "Disparate treatment of entities engaged in behavior with similar privacy impacts based solely on the technology they employ would undercut the privacy protection and clarity for consumers that any privacy regime should otherwise seek to promote."

Like now-defunct NebuAd, Kindsight intends to use deep packet inspection to obtain information from Internet service providers about the sites consumers visit, then serve them ads based on that data. That form of behavioral targeting is seen by some as posing more of a privacy threat than other, older types of behavioral advertising for several reasons.

For one, ad networks only collect information from a limited number of publishers, nearly all of which are commercial. But ISPs can collect information from every page users visit, including search engines, doctors' offices, religious institutions and other non-commercial sites.

In addition, users have several methods for avoiding cookie-based targeting. Many ad networks and publishers offer opt-out links, yet even without such links, users can delete their cookies or install ad blockers. But people have no good way of preventing their data from being collected by ISPs.

Kindsight says it is only going to launch its platform on an opt-in basis. It intends to offer users free online security services in exchange for the ability to capture information about the Web sites they visit and serve them targeted ads. Kindsight also says that its targeting will be anonymous in that it won't connect users' names and their clickstream data.

NebuAd, which tested its technology several years ago before shuttering in the face of Congressional pressure, said it operated on an opt-out basis. In reality, however, at least one company that tested NebuAd's platform admitted to Congress  that it never offered consumers the chance to opt out.

But even when ISP-based targeting companies seek users' explicit consent, privacy advocates have raised questions about whether consumers truly understand the details. In 2008, Phorm tested its ISP-based targeting platform on an opt-in basis, but some digital rights advocates still expressed concern about whether users' consent was valid.

Industry groups' self-regulatory standards do not take a technology-neutral approach. On the contrary, the July 2009 self-regulatory standards say that companies that target users based on clickstream data -- including companies that gather data from ISPs and entities that track users via toolbars or other downloaded applications -- should not do so unless users have taken an "action in response to a clear, meaningful and prominent notice."

The self-regulatory standards for cookie-based targeting by ad networks require only that companies provide clear notice of the practice and allow people to opt out.