• by Wendy Davis  @wendyndavis, June 9, 2008

Behavioral targeting companies that plan to harvest data from Internet service companies are likely to face new scrutiny in light of two developments last week. A broad coalition of digital rights advocates is calling for Congressional hearings. Separately, a leaked report showed that a U.K. Internet service provider conducted secret tests in 2006.

On Friday, 15 advocacy groups asked lawmakers to investigate online ad companies' plans to harvest data from Internet service providers. "We are concerned that such ISP wiretapping schemes may violate multiple privacy laws and policies," a consortium of 15 groups said Friday in a letter to Reps. Ed Markey (D-Mass) and Joe Barton (R-Tex).

At the same time, behavioral targeting company Phorm was confronted with new questions about privacy in light of a leaked report, which surfaced on whistle-blowing site Wikileaks, showing that U.K. Internet service provider BT secretly deployed Phorm's platform in a two-week test in 2006 that involved 18,000 users.

The developments come at a time of growing concern about whether behavioral targeting infringes on privacy. Currently, New York and Connecticut are considering new legislation regulating the field, while the FTC is considering new voluntary guidelines.

In the U.S., Charter Communications--which provides broadband access to 2.8 million subscribers--has said it will soon start testing a plan to share information with behavioral targeting company NebuAd, which will serve online ads to users based on their Web activity. The groups who wrote to Congress Friday are calling for investigations into whether deals between companies like NebuAd and Charter are lawful. Their letter did not address the BT tests, because the groups drafted it before the document appeared online.

Markey, chairman of the House subcommittee on telecommunications and the Internet, and Barton, ranking member of the House committee on energy and commerce, previously indicated that they were troubled by the deal between NebuAd and Charter. Several weeks ago, they sent a letter to Charter CEO Neil Smith, asking him to delay implementing the plan.

Signatories to Friday's letter to Markey and Barton included privacy groups like The Center for Digital Democracy and the Electronic Privacy Information Center, which have long been critical of online ad techniques, as well as net neutrality advocates like Free Press and Public Advocate, which generally hold that Internet access companies shouldn't examine the content of the data they transmit.

"When you're talking about technology that looks inside every packet, you're really on a slippery slope to not only privacy violations, but also privileging or degrading content based on what it finds in that packet," said Ben Scott, policy director of Free Press.

Some critics of companies like NebuAd and Phorm fear that behavioral targeting platforms that rely on data from Internet service providers have the potential to be far more intrusive than older forms of behavioral targeting, because Internet service providers have access to every site users visit online and their search history. Older behavioral targeting companies usually gathered data from a limited number of sites within a network.

Behavioral targeting companies say Web users can opt-out of the service and that all data collection is anonymous, in that no names or addresses are collected. But some digital liberties groups are still alarmed by the implications of Internet service providers examining traffic because it's possible to figure out users' identities by examining their searches and/or Web-surfing activity.

Online ad companies also say that users have the ability to opt out of receiving targeted ads. But the leaked document about the Phorm-BT tests explicitly said that subscribers were not notified about the test. "The customers who participated in the trial were not made aware of this fact as one of the aims of the validation was not to affect their experience."

While most subscribers did not appear to be aware of the tests, the report states that at least 15 to 20 users made posts to message boards indicating that something unusual was going on. "From the postings, no user correctly determined the source of these effects," the report states. "However all postings suspected that their machines had a virus, a malware or a spyware infection."

The report also highlighted a problem with the opt-out mechanism. "The current opt-out method does not actually avoid the system entirely. A user who has opted out will still have their Web pages tagged ... although no data collection of any kind will occur," the report states.

Phorm referred questions about the test to BT. A BT spokesman confirmed that the company conducted "a very small-scale technical test of a prototype advertising platform." The spokesman said that no "personally identifiable information"--which ad companies tend to define as names or addresses--was processed, stored or disclosed.