The following text is copyright 2007 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
An invisible abomination
By: Scott Bradner
Once upon a time Internet service providers (ISPs) just transported packets of information from place to place on the Internet without looking at them other than to find out where they should go. Of course that could not last. Now there is a company that is selling ISPs a device designed to spy on an ISP's customer traffic, figure out a customer's preferences and insert specially selected ads when that customer surfs the web.
New startup NebuAd (http://nebuad.com/ and http://www.networkworld.com/community/?q=node/12480) seems to be trying to put all ISP related bad network behavior in a single box. They are trying to sell a device to ISPs that, according to their web page, is designed to "analyze and act on consumer behavior" in order to develop a "keen insight into a consumer's dynamic web-wide behavior." Basically the device spies on ISP customer traffic to try to determine the "demographics, geography, lifestyle and interests" of individual customers. (see also http://www.faireagle.com/faireagle/index.html) The box can then insert ads into the data stream that the customer is receiving back from a web site. This is done without the knowledge or permission of the customer or the web site owner. Predictably, just like the data brokers who sell your every secret to the lowest bidder, NebuAd tries to claim that this is in the best interest of the consumer. Also note that they could also be subpoenaed for any spying they might have done on traffic to or from your IP address.
My reaction upon reading about this device was one of disgust -- it's as if one were to take the entire swamp of bad things an ISP could do and boil it down to get concentrated slime. NebuAd does claim to not collect or use any personally identifiable information. (see http://www.nebuad.com/company/privacy.php) But, based on experiences such as AOL's data release (Thanks for nothing, AOL http://www.networkworld.com/columnists/2006/082806bradner.html) if one is collecting the kind of information NebuAd seems to be it is easy to figure out who you are looking at in far too many cases. In addition, even if they might not be collecting personally identifiable information today it is hard to trust that a company that is offering such a invasive product would hesitate to change their tune if they thought there was a buck in it somewhere. It may be give a hint to their mindset if you understand that nebu is the Egyptian symbol for gold. (http://www.egyptianmyths.net/gold.htm)
Some of this is far from a new idea. The idea to develop technology to enable ISPs to surreptitiously insert or replace ads when their customers surfed the web came up in the IETF more than 6 years ago. The IAB carefully considered the policy and architectural aspects of the idea and published RFC 3238 "Architectural and Policy Considerations for Open Pluggable Edge Services." (http:www.ietf.org/rfc/rfc3238.txt). This document, among many other things, said that any deployment of such technology must be enabled only if the user or the web site operator agreed. NebuAd is ignoring that guidance.
At least one Texas-based ISP has tried this device without letting their users know. (http://www.techcrunch.com/2007/06/23/real-evil-isp-inserted-advertising/) If you were a customer of that ISP and you surfed my ad-free web site (www.sobco.com) you might have seen ads and assumed I had sold out. In that way, NebuAd would be directly harming me.
NebuAd says that individuals can opt-out (http://www.nebuad.com/company/optout.php) unless they are using a WiFi ISP. If someone does opt-out NebuAd will place a cookie (from faireagle.com) on the user's machine that they claim will block the data gathering and ad placement. That will not work for anyone who does not know about the "service" or who, like I do, removes cookies from my machine regularly.
In my opinion, any ISP that secretly deploys such a device should get outted, shunned and then sued for theft by every web site operator that has an ad overwritten or added. When you do so please add NebuAd to the suit for contributory slimilyness. Hopefully there is still enough venture capital money left (http://venturebeat.com/2006/11/02/nebuad-yet-another-online-ad-co-raises-61m/) to attract the right kind of lawyers.
disclaimer: Harvard trains all kinds of lawyers but I did not ask any of them for their opinion of the value of these targets, thus, the above is my own slime exploration.