The ISP-based targeting platform itself raises obvious privacy concerns, because ISPs have access to subscribers' entire Web history -- from every site visited to every search query performed. NebuAd says that users can opt out of the program, and that all of the information collected is anonymous. But advocates have doubts about whether people will even see, much less understand, the opt-out information. And users' clickstream data often provides enough information to figure out their identities.
But aside from the privacy implications, it also seems likely that publishers will object to the plan. After all, the whole point of this type of targeting is to figure out what users are interested in, based on information gleaned from examining their activity on publishers' sites. That data is then going to be used to sell ads that won't in any way benefit those publishers.
This technology will allow advertisers to find people who have performed searches on Google long after they have left the site; it will potentially allow marketers to send ads to readers of the Wall Street Journal when they're reading blogs.
But it turns out that the methods used by ISPs to facilitate this type of targeting might themselves give rise to lawsuits. A report last week by Free Press and Public Knowledge accuses the company of hijacking users' browsers and inserting packets into the data stream that ultimately cause them to load scripts from NebuAd.
Now, professor James Gimmelman at New York Law School has said that such techniques could violate publishers' rights.
He proposes that the alteration of Web pages potentially violates sites' trademark rights. Gimmelman argues that the ISPs' actions in altering the code are similar to giving people a house-brand soda when they ask for a Coke. "The harm consists in using your competitor's trademark (and all the trust people have in it) to pass off your own goods on consumers," he writes.
"When an ISP delivers a page to a user, there's an implicit statement involved: 'This is the page you asked for.' " he argues. "When your ISP delivers you a page with a NebuAd cookie injected, the statement that this is the page you asked for is false."
It's an interesting theory, and one that Web publishers might well want to test.