Commentary

Skeptics Question NebuAd's Privacy Claims

To hear NebuAd CEO Bob Dykes tell it, the controversial company is the best thing to come along for online privacy in a very long time.

"NebuAd's systems are designed so that no one, not even the government, can determine the identity of our users," Dykes told the Senate commerce committee today at a hearing in Washington.

NebuAd partners with ISPs to gather data that's used to send consumers targeted ads. Its platform riles privacy advocates because ISPs have access to users' entire Web-surfing history, ranging from every search made to every Web site visited.

Dykes insists that any information that isn't relevant to particular marketing segments is immediately discarded and that the company doesn't store users' names, identifying information or IP addresses. NebuAd converts IP addresses into other, random, identifiers via a supposedly irreversible and uncrackable formula, Dykes said.

He added that the company developed its platform in 2006, shortly after AOL posted search histories of 650,000 Web users online -- a blunder still considered among the worst privacy breaches to date. Even though AOL had "anonymized" the IP addresses, it proved possible to identify users simply by examining their search histories. Dykes said the company aimed to design a platform that would make a similar breach impossible.

Privacy advocates, meanwhile, weren't convinced. Leslie Harris, president and CEO of the digital rights group Center for Democracy & Technology, argued that NebuAd's platform seems to violate federal wiretap laws.

Byron Dorgan, the Senator who chaired today's hearing, also seemed unpersuaded. He questioned NebuAd's decision to let users opt out of the service, as opposed to asking them to affirmatively consent to it. Dorgan said if his ISP approached him to ask if he would allow another company to view every site he visited, his answer would be an unequivocal no. "Of course it's not okay. Are you kidding me? N-O. No."

One topic didn't come up at today's hearing: adware.

Recent media reports have highlighted the fact that several veterans of adware company Claria (formerly Gator) are now executives at NebuAd. Additionally, NebuAd rival Phorm used to be an adware company.

Certainly, there are some superficial similarities. Adware companies target ads to Web users based on the sites they visit. But then again, so do all behavioral targeting companies. It's true that older behavioral targeting companies only collect data from a limited number of sites, while adware companies, as well as Phorm and NebuAd, have access to all sites users visit.

But adware companies -- at least in theory -- look somewhat different from a privacy point of view than Phorm and NebuAd. Consider: adware companies are theoretically opt-in, in that consumers must affirmatively download the ad-serving software. (Admittedly, that isn't always the case, given rogue installers' ingenuity in hijacking people's computers and loading them with software.) But NebuAd and Phorm are both opt-out, meaning that consumers who don't read the notifications will automatically be included in the program.

NebuAd and Phorm's business model is different from adware in at least one other key respect. Adware companies traditionally served pop-ups that competed with publishers' own ads. NebuAd and Phorm only serve ads on Web sites of publishers they have deals with.

That's not to say that publishers by and large will embrace NebuAd and Phorm. Both companies harvest information from Web sites they have no relationship with -- activities that may well lead to lawsuits. In fact, the Center for Democracy & Technology this week pointed out that at least 12 states require that both parties to a conversation consent to it being recorded. Even if Web users agree to participate in NebuAd or Phorm's programs, the Web sites they visit might not likewise agree.
