In a letter sent Monday to the Internet service provider Embarq, Reps. Ed Markey (D-Mass.), John Dingell (D-Mich.) and Joe Barton (R-Texas) questioned whether consumers were adequately notified that they had been enrolled in a recent test of NebuAd's behavioral targeting program. "We are concerned that Embarq may not have directly notified the subscribers involved in the test that their Web use was being analyzed and profiled," they wrote.
The Congress members asked Tom Gerke, CEO of Overland Park, Kan.-based Embarq, to answer a host of questions about the tests, including how subscribers were notified, whether they were able to opt out and what happened to the data collected during the tests. Markey and Barton requested that Gerke respond by July 21.
Markey on Tuesday also issued a statement criticizing Embarq. "Surreptitiously tracking individual users' Internet activity cuts to the heart of consumer privacy. The information collected through NebuAd's technology can be highly personal and sensitive information. Embarq's apparent use of this technology without directly notifying affected customers that their activity was being tracked, collected, and analyzed raises serious privacy red flags," he stated.
NebuAd referred all inquiries to Embarq. An Embarq spokesperson declined to answer whether the company directly notified subscribers about NebuAd, saying only: "We have received the letter from Reps. Markey, Barton and Dingell and are reviewing it for an appropriate response."
But software researcher Robb Topolski, who recently tested NebuAd and concluded that the program violated users' expectations of privacy, said the vast majority of the Internet service providers who worked with NebuAd did not seem to send separate notifications to subscribers. Instead, they apparently placed information about the program in their terms of service, privacy policies or other lengthy documents subscribers generally ignore.
Charter Communications was an exception. That company sent letters to subscribers in four markets alerting them about an upcoming test of NebuAd. But those notifications triggered congressional scrutiny, which ultimately led Charter to delay testing the system.
NebuAd's behavioral targeting platform draws on information about Web users' activity gathered by their Internet service providers. Redwood City, Calif.-based NebuAd says it doesn't store personally identifiable information, and that people can opt out of receiving targeted ads. At a Senate Commerce Committee hearing last week, Dykes testified that NebuAd doesn't store data that could be used to identify specific users.
But privacy advocates are still concerned. Advocates say Internet service provider-based targeting is potentially far more intrusive than older forms of Web targeting, given that ISPs have access to users' entire clickstream data, including all sites visited and search queries. With such comprehensive information, it's sometimes possible to identify people without even knowing their names.
"While each piece of consumer information in a profile may not in itself be personally identifiable, the aggregation of this information in rich profiles means it may more readily be tied into a person's identity," according to Leslie Harris, president and CEO of the Center for Democracy & Technology, who also testified last week. Her group and others have called for companies to seek users' express consent before conducting ISP-based targeting.
Markey, chairman of the House Energy and Commerce Telecommunications Subcommittee, also indicated he believes consumers should give express consent before companies like NebuAd deploy behavioral targeting platforms that track them across the Web.
The Telecommunications Subcommittee will hold a hearing about online ad tracking Thursday.