Senate questions privacy impact of Web monitoring for ads

Monitoring customers' Web browsing to serve up targeted advertisements is coming under increased political scrutiny on privacy grounds, making the future of the controversial technique among Internet service providers less than certain.

A hearing convened by a U.S. Senate panel on Wednesday is the latest potential obstacle to widespread adoption of the practice, which relies on intercepting customers' Internet packets and building anonymized profiles that can be used for topic-based advertisements.

Sen. Byron Dorgan, D-N.D., suggested that the procedure amounts to "wiretapping" and promised a followup hearing in the near future to explore the subject further. "We need to take a closer look at Internet users' privacy," he said.

It's like "you go to CVS and there's someone behind you making notes...and that becomes part of a data bank they send to someone," Dorgan said. "Someone is gathering information about where you travel and what you viewed and that goes into a data bank and can be sold or resold."

After pressure this spring from some members of the House of Representatives, companies including CenturyTel and cable providers Charter Communications and Wide Open West recently have suspended plans to use monitoring-and-ad-delivery technology from NebuAd, a secretive Silicon Valley start-up.

Mere speechifying by Washington politicians can't prohibit an otherwise legal product, of course. (If that were the case, surely some Democrats would have shut down ExxonMobil and some Republicans would have pulled the plug on Playboy Enterprises years ago.)

But the problem for NebuAd and its ISP customers is that--as we reported in May--a collection of federal laws written back in the 1980s create a treacherous legal landscape for broadband providers that are engaging in this kind of Web monitoring. Some of those laws restrict deep packet inspection by any broadband provider; the Cable TV Privacy Act singles out cable providers for the most extensive opt-in regulations.

For its part, NebuAd says it's doing nothing untoward. CEO Bob Dykes told the Senate panel that "my lawyers have told me we're in compliance with the law."

After being asked what would happen if the U.S. Department of Justice were to serve NebuAd with a subpoena asking for information about people who searched for explosives, Dykes replied: "We would not be able to provide names or even IP addresses."

NebuAd has repeatedly refused to disclose what advertising networks it uses or what broadband providers it counts as customers. It has said that it does not collect or use personally identifiable information and does not store raw data linked to "identifiable individuals." Rather, it says, it creates and continually updates anonymized profiles with information "about the user's level of qualification" for certain types of ads.

That nevertheless likely violates federal and state wiretap laws, unless customers give unambiguous consent to this eavesdropping on their Internet connections, says the Center for Democracy and Technology. CDT, which receives the majority of its funding from technology companies, published a report (PDF) on Tuesday that concludes: "Especially where the copying is achieved by a device owned or controlled by the advertising network, the copying of the contents of subscriber communications seems to be, in the absence of consent, a prohibited interception."

In addition, NebuAd has hired at least five employees from Gator, which changed its name to Claria five years ago to distance itself from associations with spyware. Symantec offers a Windows application that removes Claria's Gain software.

Dorgan said that he had invited a selection of unnamed broadband providers--presumably including Charter and CenturyTel--to testify at the hearing but they "declined the invitation." He promised a second hearing that would focus specifically on them.

Also on Wednesday, Dorgan wondered whether search engines "likely have information about where I've been traveling" on the Internet and mentioned hypothetical searches on WebMD about gout, dementia, and post-nasal drip. A representative from Google (Facebook and Microsoft also had representatives present) said the company doesn't know what people do when they're not using the Google.com site.

[georgiarat]

However, they are willing to allow an unelected judge turn over all your surfing activity on YouTube to Viacom.

[Digital_2008]

Yep. They seem to be playing games with us and just pretending to be concerned about privacy. Same old crap, different day.

[jamalystic]

To free ourselves of these threats to Internet privacy and freedom we need a new business model where the consumer owns the last mile and is free to connect to any service provider he or she wishes at a neighborhood, carrier-neutral interconnect facility:Improving Internet Transparency( http://www.internetevolution.com/author.asp?section_id=506&doc_id=154745&F_src=flftwo)

[chuck_whealton]

These guys seem to forget that just because something is legal doesn't make it ethical.

That some providers were even considering using this type of technology is frightening. I guess people will do anything for $$$.

Charles R. Whealton
Charles Whealton @ pleasedontspam.com

[NewEnglander]

Yeah, well, legal and MORAL are two different things.

I use Firefox for my browser. I may not be 100% safe from leeches, but I have my cookies set to accept ONLY site cookies (no third-party hangers-on) and I carefully pick and choose what scripts run by add-ons called NoScript and AdBlockPlus.

[mikeburek]

"you go to CVS and there's someone behind you making notes" - hmm, like a rewards card program available at CVS and many other stores?

[Mister L]

Yes like a rewards program you have to deliberatley sign up for. You know, like opting in.