• by Wendy Davis  @wendyndavis, March 25, 2008

A leading privacy advocacy group is preparing to file a Federal Communications Commission complaint about Internet service providers that share data with ad companies about consumers' Web-surfing activity.

"You can't have the ISPs be either a censor or a controller or harvester of consumer data," said Jeffrey Chester, executive director of the Center for Digital Democracy. "It's just inappropriate. They have to be, like it or not, a dumb profitable pipe."

Chester says the organization's legal team is now gathering material to include in a complaint. The news comes as the controversial start-up Phorm is poised to launch a behavioral targeting platform in the U.K. that uses data about people's Web searches and history gleaned from three large U.K. ISPs--BT, Virgin and Talk Talk.

In the U.S., companies like NebuAd late last year also started offering behavioral targeting programs that rely on data gleaned from Internet service providers. NebuAd has declined to state which access companies it works with.

The Center for Digital Democracy and other advocates previously asked another government agency, the Federal Trade Commission, to examine behavioral targeting in online ads generally. That agency late last year issued proposed guidelines, which are still up for comment, but hasn't yet come out with any mandates.

Gathering data from Internet service providers is often seen as potentially more intrusive than other, older forms of behavioral targeting, which track people's activity across only a limited number of publishers' sites. Companies like Phorm and NebuAd that partner with access companies theoretically can track users across all sites they visit and compile a record of all of their search queries.

Phorm and NebuAd say they discard a host of data, including information that might potentially reveal sensitive medical conditions or financial matters, and retain only data relevant to their advertisers. The companies also say they won't accept ads for adult-oriented material, or campaigns targeted at people with medical conditions, so they have no reason to store information that could embarrass users.

Still, the sheer scope of the material about users that is available through Internet access companies alarms privacy advocates. "This is a direct pipeline into people's personal information," Chester says. Phorm and other similar companies, he says, "are foolish if they don't think there's going to be a major firestorm over this."

NebuAd and Phorm both offer users the chance to opt-out of the programs, but some observers say companies shouldn't collect this type of information without users' explicit consent.

In the U.K., the non-profit think tank Foundation for Information Policy Research last week wrote a letter to the Information Commissioner stating that Phorm should obtain people's agreement before deploying its "highly intrusive" data collection methods.

"We think that it should not be undertaken without explicit consent from users who have been given particularly clear information about what is liable to be scanned," the letter states. "We believe this is also required under European data protection law; failure to establish a clear and transparent 'opt-in' system is likely to render the entire process illegal and open to challenge in U.K. and European courts."

Phorm CEO Kent Ertugrul disagrees that the platform poses a threat. "There's obviously been a lot of emotion around this," he says. But, he adds, the company takes steps to protect people's privacy. For one thing, he says, the company imposes limits on the type of data it uses.

For instance, he says, if the company wants to identify users that it believes are more likely than average to buy, say, Jaguar cars, it can use ISP data to tag people who visit one of a limited number of relevant Web sites, and have searched for keywords like "Jaguar dealer."

If users' search queries or Web-surfing history isn't relevant to the company's marketers, Phorm discards the data, Ertugrul says.

Phorm also places a cookie on users' computers and codes that cookie with information about the bucket the user falls into--potential Jaguar buyer, luxury car buyer, and the like. When users delete their cookies, Phorm's information about which marketing bucket that user falls into disappears, Ertugrul says.

He adds that the company won't create any marketing buckets unless they can place at least 5,000 people in them. Keeping the categories that large, he says, will prevent people from figuring out any one audience member's identity. Phorm also doesn't store financial information or keep a record of adult sites visited, he said.

NebuAd CEO Bob Dykes said that his company also deliberately avoids ads that would require them to market to users based on medical conditions or other sensitive topics. "Because we have such deeper insights, we have to be careful about the fact that we don't touch some data," he says.