• by Steve Smith , Staff Writer @popeyesm, July 11, 2008

A day after testifying at the Senate Committee on Commerce, Science, and Transportation, NebuAd CEO Bob Dykes reflects on his day in Washington -- and the hill his ISP-based behavioral tracking solution now has to climb in the U.S. market. In the last month Charter Communications dropped its deal with NebuAd, and a report from the Free Press and Public Knowledge accused the company's technology of adware-like bad practices. And so Dykes went to Washington as a big target for legislators and privacy advocates.

Behavioral Insider: What point do you think you successfully made on Wednesday in Washington?

Bob Dykes: I think I definitely conveyed the clear message that we operate with no personally identifiable information [PII]. We really are setting the gold standard in online consumer privacy protection. We are able to give advertisers much greater insight into the audience without having any PII. It is completely anonymous targeting. So we enable the advertisers to have their value, the audience intelligence and consumer segment information, without having the sensitive personally identifiable information that people often associate with targeted advertising. So we really are achieving a higher standard in that regard.

BI: But that is the sticking point now, it seems. There was a great deal of skepticism voiced about ‘anonymous tracking' and whether it is genuinely anonymous. The legislators and certainly privacy advocates expressed fear that in some way, especially at the ISP level, the behaviors can be connected back to a specific identity.

Dykes: That is the crux of the matter and we have to continue to educate people about how we operate and prove that point, and we know it to be true. So we need to convince others that it is possible.

BI: Well, what is the point of disagreement? Do you think the concern is based on a misconception about the technology? 

Dykes: They are misunderstanding some very fundamental things that we say. For example, we say that we don't take any PII. And we even include IP addresses in that category. We do a one-way hash of all the IP addresses and other things that would characterize the person, such as their browser type. We use that encrypted number as the way to track the person. There is no practical way to link that number back to the individual. And so it is going to be an ongoing education process of Congress and privacy advocates to explain that technology. Clearly I understand people who don't understand cryptology and don't understand a one-way hash, but we need to convince them of that.

BI: But there are other fears about data collection and deciphering an identity.

Dykes: People say that if you have enough various data on individuals, then that may represent a way to track a person. The example is the AOL search data that became public in 2006. Well that was exactly when we were putting the company together and an exact example of what we set out to ensure could never happen with NebuAd. We transform the raw data into categories and we are only mapping qualification for market segments against that anonymous identifier. It just isn't possible to determine who the person is based on a variety of qualifications. There isn't enough granularity there. There are no names and addresses, and none of the stuff that was present with AOL exists in our database. But nonetheless we are still able to provide advertisers with very good actionable categories.

BI: From your experience with legislators yesterday, where do you think they are on this issues?

Dykes: What they actually mentioned is, should we have baseline privacy standards? The government across all industries doesn't have such things at the moment. And I said we would support that. We think it is reasonable. We did stress that it should be technology- and business-process-neutral so that one group shouldn't be penalized vs. another. But as an example, we said that if the data being collected doesn't include PII or even pseudo-identifiable information then robust notice should be in place. But it should be an opt-out. That is the type of rule that the government might propose. I think that any reasonable laws in this area, as long as they are technology-neutral, will be perfectly acceptable to NebuAd.

BI: When you say you think any law should be ]technology-neutral,' what kind of unfairness are you concerned with?

Dykes: That we don't have one set of rules for publishers and another set of rules for service providers. We believe the rules should be based on the amount of privacy or sensitivity that is encompassed in the data.

BI: Do you think the ISP-based solutions are being singled out for practices that are common? NebuAd as a company seems to be attracting a lot of fire, and some ISPs  have decided to delay or withdraw from the model.

Dykes: Well, it has evolved quickly, and we do need to set the record straight quickly as well. Most of the concerns are based on a misunderstanding about how we operate. And we understand that sitting in the Internet puts on us a greater burden to be absolutely sure that we operate in a very clean manner. We always understood that extra burden that we would have vs. folks who are operating elsewhere on the Internet. Nevertheless, we have risen to that bar and therefore I think that the criticisms are unfair.

BI: There is one report from the Free Press and Public Knowledge accusing NebuAd technology of engaging in practices that are not considered above-board.

Dykes: What they cited was that they found that we provided some code to cause our cookie to drop on the person's computer. There is standard code that every ad network uses to cause their cookies to come on. Every ad network when they are running an ad places a cookie. In that regard it is no different. And the way we operate today is the same as other ad networks. When we found [was] that in part of our early technology we were accelerating the process of getting our cookie onto the machine, rather than waiting for an ad to run. We provided some supplemental code. It actually was well-identified and clearly outside of the browser code. Inasmuch as we stopped doing, it that probably is not worth more conversation. But what we were doing we felt was completely upright and honorable and well-identified. There was a script in there that said this is where it is coming from. But we don't do it that way today.

BI: Given the last month for NebuAd and the legislative attention on privacy, where do you think the ISP solution sits in the U.S. market now? What are the prospects?

Dykes: I think that the ISPs definitely want this source of revenue. I think that many Web sites want more targeted advertising and so there continues to be a need. Inasmuch as our privacy standards are higher than many others, we believe that we can convince the public and Congress that this is a perfectly acceptable way to operate and regain the confidence of the ISPs and restart the deployments.