• by Wendy Davis  @wendyndavis, July 23, 2008

Responding to a Congressional inquiry, Internet service provider Embarq said it revised its privacy policy more than two weeks before conducting a test of NebuAd's behavioral targeting platform. The response leaves little doubt that Embarq didn't send letters or e-mails to subscribers about the test, or otherwise actively alert them that it was about to start selling data about their Web-surfing activity.

"Embarq followed the industry practices of the most similar business model, that of online advertising networks," David Zesiger, Embarq senior vice president, regulatory policy and external affairs, wrote to Reps. John Dingell (D-Mich.), Ed Markey (D-Mass.) and Joe Barton (R-Texas). "It appears that industry standards in this area are evolving rapidly toward a more robust form of notice and choice."

Last week, the lawmakers wrote to the Overland Park, Kan.-based Embarq to ask whether the company tested NebuAd's platform without directly notifying subscribers. "Surreptitiously tracking individual users' Internet activity cuts to the heart of consumer privacy," Markey said at the time. "Embarq's apparent use of this technology without directly notifying affected customers that their activity was being tracked, collected, and analyzed raises serious privacy red flags."

Embarq said in its letter that the test "was designed with customer privacy in mind" and that the revised privacy policy contained an opt-out link. The company said all data collected was "anonymous" and that none of it still exists. "Embarq has no plans for more tests or for general deployment of this technology, until such time as the privacy questions that have been raised recently have been addressed," the company wrote.

The Internet service provider also defended its notification via privacy policy change as consistent with a Federal Trade Commission proposal late last year for voluntary guidelines. That proposal calls for companies to provide clear and prominent notice that they track Web users' activity.

NebuAd's behavioral targeting platform draws on information about Web users' activity gathered by their Internet service providers. Redwood City, Calif.-based NebuAd says it does not store personally identifiable information, and that people can opt out of receiving targeted ads. But privacy advocates are still concerned. They say that Internet service provider-based targeting is potentially more threatening than older forms of Web targeting--given that ISPs have access to users' entire clickstream data, including all sites visited and search queries. With such vast quantities of information, it's sometimes possible to identify people without even knowing their names.

Embarq's letter is not likely to be the final word on the matter. Last week, several Congress members, including Markey, said that Internet service based-targeting should require opt-in consent.