NebuAd, Privacy Advocates Face Off Before Senate Today

Behavioral targeting company NebuAd, which serves ads to Web users based on information gleaned from Internet service providers, might be violating federal wiretap laws, the digital rights group Center for Democracy & Technology said Tuesday.

Collecting data transmitted by Internet service providers is arguably the type of interception and disclosure of communications that requires users' consent under the federal Electronic Communications Privacy Act, the rights group asserted in a new report. "The practice that has been described to us, whereby an ISP may enter into an agreement with an advertising network to copy and analyze the traffic content of the ISP's customers, poses serious questions under the federal Wiretap Act," wrote the Center for Democracy & Technology. "It seems that the disclosure of a subscriber's communications is prohibited without consent."

NebuAd CEO Bob Dykes called the Center for Democracy & Technology's report "grievously wrong" and denied violating any laws or infringing on people's privacy. Dykes added that NebuAd doesn't collect names, addresses or other personally identifiable information and that it allows subscribers to opt out of its targeting system. "We are setting the gold standard in terms of online advertising and privacy," Dykes said. The center released its report in preparation for a Senate commerce committee hearing today about online advertising and privacy. NebuAd, Microsoft and Facebook are among the companies slated to testify before the committee, chaired by Sen. Daniel K. Inouye.

NebuAd and another startup, Phorm, have helped fuel an ongoing debate about whether online ad targeting violates Web users' privacy. While questions about tracking Web users date back to the first dot-com boom, older forms of behavioral targeting only relied on data collected from one site or a limited number of sites. NebuAd and Phorm, by contrast, rely on data from Internet service providers, which have access to users' entire clickstream data, including their search queries.

Dykes said NebuAd only collects information necessary to place anonymous Web users into marketing buckets and discards all other data.

But advocates are worried because of the vast trove of information that the company has access to. "It's analogous to AT&T listening to your phone calls all day to decide what to call you about at dinner to sell you something," software researcher Robb Topolski said on a conference call with reporters. Topolski recently studied NebuAd's methods for a critical report about the company issued by Free Press and Public Knowledge several weeks ago.

NebuAd also said Tuesday it had improved the opt-out procedure for people who do not wish to participate in its ad-serving program. The company will work with Internet service providers to improve the notifications that are sent to subscribers. Additionally, NebuAd will develop a network-based opt-out mechanism, which will be more permanent than the cookie-based system currently in use. Currently, NebuAd uses cookies to flag users who have opted out, but this system doesn't work when people delete their cookies.

Still, the Center for Democracy & Technology, along with other privacy advocates, says that NebuAd should not deploy its platform without users' express opt-in consent. Older behavioral targeting companies allow people to opt out of tracking, but advocates say that Internet service-based tracking is so intrusive that it should require explicit consent.

Several Internet service providers, including Charter Communications, CenturyTel and Embarq, recently put plans to work with NebuAd on hold while lawmakers probe the company. In May, Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas) asked Charter to delay its deal with NebuAd pending an investigation.

NebuAd late Tuesday issued a memo aimed at refuting the Center for Democracy & Technology's report. "NebuAd's service uses only a subset of HTTP traffic to construct anonymous inferences about the user's level of qualification with respect to a predefined set of market segment categories," the company stated. "NebuAd does not store raw data such as URLs navigated or IP addresses associated with an identifiable individual."
