Politics and Law

Silicon Valley start-up NebuAd has suspended plans to deploy a controversial program that displays ads based on the monitoring of Web activity while Congress reviews privacy concerns, according to a report in The Washington Post.

The secretive company, which intercepts and performs deep-packet inspection of what's flowing through a company's network in hopes of delivering relevant ads, announced earlier this week that co-founder and CEO Bob Dykes was resigning. His departure comes as several Internet companies canceled or suspended trials of the tracking technique.

"Our platform was architected to be a multi-channel ad system," spokeswoman Janet McGraw wrote in an e-mail to the newspaper. "With the Internet service provider channel currently on hold with the events of the summer, we have broadened the focus of our business but continue to enhance our technologies for that ISP channel."

NebuAd supports the companies "who have put their trial deployments on hold so that Congress can spend additional time addressing the privacy issues and policies associated with online behavioral advertising," McGraw said.

In July, a trio of politicians in the U.S. House of Representatives opened an investigation into the concept of Web monitoring to display advertisements. Reps. John Dingell, Joe Barton, and Ed Markey focused their probe on a test of NebuAd performed by broadband provider Embarq.

The test involved 26,000 broadband subscribers and was based in Gardner, Kansas. Embarq subscribers were not given a written notice in the mail permitting them to opt out; instead, the only notification they received was a modification to the privacy policy saying "the Web sites that you visit or online searches that you conduct" may be used to "deliver or facilitate the delivery of targeted advertisements." Only 15 subscribers opted out of the test.

Embarq said it believed its "brief" test was consistent with current online advertising business models, and the Federal Trade Commission's voluntary best practices framework.

Markey convened a hearing in which politicians assailed NebuAd for alleged privacy violations, calling its opt-out practices "contemptible" and in violation of "everything the country's been founded on." Around the same time, he and the others had asked Embarq to answer a series of questions. Another NebuAd-testing company that had been pressured by Markey, cable operator Charter Communications, announced in June that it was suspending use of the technology.

Making matters complicated is that the legality of the type of monitoring that NebuAd does is not entirely clear; intercepting customers' communications as they flow through the network begins to look a lot like wiretapping.

The Electronic Communications Privacy Act of 1986 (ECPA); the Communications Act of 1934; and the Cable TV Privacy Act of 1984 all may apply. Cable providers may need to obtain affirmative opt-in consent from customers, putting them at a competitive disadvantage to, say, AT&T and Verizon. State wiretapping laws also may apply.

For its part, NebuAd had posted a legal memo (PDF) designed to defuse those criticisms. It argues that the 1986 changes to wiretap law have not been clarified by courts, and that the Cable Act may not apply to "any record of aggregate data which does not identify particular persons."

CNET News' Declan McCullagh contributed to this report.

A trio of politicians in the U.S. House of Representatives is continuing a campaign against the concept of Web monitoring to display advertisements, most recently with a series of letters this week exchanged with broadband provider Embarq.

Embarq provides Internet connectivity to about 1.3 million subscribers, making it the fourth-largest DSL provider in the country. It has acknowledged experimenting earlier this year with NebuAd, which intercepts and performs deep packet inspection of what's flowing through a company's network in hopes of delivering relevant, anonymized ads.

In two letters (No. 1, and No. 2) to the House trio, Embarq defended the legality of its test of NebuAd: "It has always been Embarq's belief that its conduct of the test was lawful and otherwise permissible." The three members of Congress are House Energy and Commerce Chairman John Dingell, a Democrat; Joe Barton, a Republican; Ed Markey, a Democrat and chairman of an Internet subcommittee.

The test involved 26,000 broadband subscribers and was based in Gardner, Kansas. Embarq subscribers were not given a written notice in the mail permitting them to opt out; instead, the only notification they received was a modification to the privacy policy saying "the Web sites that you visit or online searches that you conduct" may be used to "deliver or facilitate the delivery of targeted advertisements." Only 15 subscribers opted out of the test.

Embarq said that it believes its "brief" test was consistent with current online advertising business models, and the Federal Trade Commission's voluntary best practices framework.

Last week, Markey convened a hearing in which politicians assailed NebuAd for alleged privacy violations, calling its opt-out practices "contemptible" and in violation of "everything the country's been founded on." Around the same time, he and the others had asked Embarq to answer a series of questions. Another NebuAd-testing company that had been pressured by Markey, cable operator Charter Communications, announced last month that it was suspending use of the technology.

Making matters complicated is that the legality of the type of monitoring that NebuAd does is not entirely clear; intercepting customers' communications as they flow through the network begins to look a lot like wiretapping.

The Electronic Communications Privacy Act of 1986 (ECPA); the Communications Act of 1934; and the Cable TV Privacy Act of 1984 all may apply. Cable providers may need to obtain affirmative opt-in consent from customers, putting them at a competitive disadvantage to, say, AT&T and Verizon. State wiretapping laws also may apply.

For its part, NebuAd has posted a legal memo designed to defuse those criticisms. It argues that the 1986 changes to wiretap law have not been clarified by courts, and that the Cable Act may not apply to "any record of aggregate data which does not identify particular persons."

NebuAd has made few friends, thanks to a business built on monitoring broadband customers' Web surfing to deliver advertisements. It certainly found none on Capitol Hill on Thursday.

The Redwood City, Calif.-based start-up was forced on the defensive during a hearing in which politicians charged that deep packet inspection of Internet traffic was far too privacy-invasive. Only if customers gave affirmative consent by opting in, they said, might the practice be acceptable.

Texas Rep. Gene Green called NebuAd's opt-out procedures "contemptible." To Pennsylvania Rep. Mike Doyle, the practice "goes against everything the country's been founded on." Michigan Rep. Bart Stupak wondered: "Why do I have to opt out? Why should the burden be on the American consumer?"

Subcommittee Chairman Ed Markey, a Massachusetts Democrat, suggested the business model was, without opt-in, flatly illegal. "We need to have remedial legal courses for some corporate general counsels," Markey said.

This was hardly a pleasant experience for NebuAd CEO Robert Dykes--who has already seen paying customers including Charter Communications pull the plug on his company's deep packet inspection service in response to pressure from politicians. Markey and his Republican counterpart, for instance, complained to Charter about NebuAd two months ago.

Dykes first claimed he was misunderstood. "I feel like Galileo when he was viewed with skepticism on demonstrating that the Earth revolved around the sun," Dykes said. "The science exists today and NebuAd is using it to create truly anonymous profiles that cannot be hacked or reverse-engineered."

But, under questioning from Markey, Dykes refused to answer whether he thought an opt-in standard should be applied. "I really must protest...I think you're forcing me into a 'Have you stopped beating your wife recently?'," he said. (Markey replied, to laughter: "No, no, no, it's 'Have you stopped beating the consumer?' is the question.")

The U.S. Congress, of course, has no direct role in regulating whether or not Charter and other broadband companies including CenturyTel, Wide Open West, and Embarq sign up with NebuAd or not. But as I wrote in an article on a Senate antitrust hearing this week, research has confirmed what common sense suggests: Congress sets the budget for federal agencies, and a congressional hearing makes them significantly more likely to bring lawsuits or other enforcement actions. And politicians can always rewrite the laws to explicitly outlaw NebuAd's business model.

NebuAd's potential legal problem is that what it's doing--intercepting a broadband customer's communications and determining what kind of ads may be relevant to display--looks a lot like wiretapping under existing law. And a wealth of complex and arcane state and federal laws specify when wiretapping is and is not legal, practically inviting federal regulators or state attorneys general to take action.

We published a detailed analysis two months ago, but the summary is that the Electronic Communications Privacy Act of 1986 (ECPA); the Communications Act of 1934; and the Cable TV Privacy Act of 1984 all may apply. Cable providers may need to obtain affirmative opt-in consent from customers, putting them at a competitive disadvantage to, say, AT&T and Verizon. The Center for Democracy and Technology's subsequent analysis published on July 8 reviews state laws as well.

For its part, NebuAd has posted a legal memo designed to defuse those criticisms. It argues that the 1986 changes to wiretap law have not been clarified by courts, and that the Cable Act may not apply to "any record of aggregate data which does not identify particular persons."