Politics and Law

NebuAd has made few friends, thanks to a business built on monitoring broadband customers' Web surfing to deliver advertisements. It certainly found none on Capitol Hill on Thursday.

The Redwood City, Calif.-based start-up was forced on the defensive during a hearing in which politicians charged that deep packet inspection of Internet traffic was far too privacy-invasive. Only if customers gave affirmative consent by opting in, they said, might the practice be acceptable.

Texas Rep. Gene Green called NebuAd's opt-out procedures "contemptible." To Pennsylvania Rep. Mike Doyle, the practice "goes against everything the country's been founded on." Michigan Rep. Bart Stupak wondered: "Why do I have to opt out? Why should the burden be on the American consumer?"

Subcommittee Chairman Ed Markey, a Massachusetts Democrat, suggested the business model was, without opt-in, flatly illegal. "We need to have remedial legal courses for some corporate general counsels," Markey said.

This was hardly a pleasant experience for NebuAd CEO Robert Dykes--who has already seen paying customers including Charter Communications pull the plug on his company's deep packet inspection service in response to pressure from politicians. Markey and his Republican counterpart, for instance, complained to Charter about NebuAd two months ago.

Dykes first claimed he was misunderstood. "I feel like Galileo when he was viewed with skepticism on demonstrating that the Earth revolved around the sun," Dykes said. "The science exists today and NebuAd is using it to create truly anonymous profiles that cannot be hacked or reverse-engineered."

But, under questioning from Markey, Dykes refused to answer whether he thought an opt-in standard should be applied. "I really must protest...I think you're forcing me into a 'Have you stopped beating your wife recently?'," he said. (Markey replied, to laughter: "No, no, no, it's 'Have you stopped beating the consumer?' is the question.")

The U.S. Congress, of course, has no direct role in regulating whether or not Charter and other broadband companies including CenturyTel, Wide Open West, and Embarq sign up with NebuAd or not. But as I wrote in an article on a Senate antitrust hearing this week, research has confirmed what common sense suggests: Congress sets the budget for federal agencies, and a congressional hearing makes them significantly more likely to bring lawsuits or other enforcement actions. And politicians can always rewrite the laws to explicitly outlaw NebuAd's business model.

NebuAd's potential legal problem is that what it's doing--intercepting a broadband customer's communications and determining what kind of ads may be relevant to display--looks a lot like wiretapping under existing law. And a wealth of complex and arcane state and federal laws specify when wiretapping is and is not legal, practically inviting federal regulators or state attorneys general to take action.

We published a detailed analysis two months ago, but the summary is that the Electronic Communications Privacy Act of 1986 (ECPA); the Communications Act of 1934; and the Cable TV Privacy Act of 1984 all may apply. Cable providers may need to obtain affirmative opt-in consent from customers, putting them at a competitive disadvantage to, say, AT&T and Verizon. The Center for Democracy and Technology's subsequent analysis published on July 8 reviews state laws as well.

For its part, NebuAd has posted a legal memo designed to defuse those criticisms. It argues that the 1986 changes to wiretap law have not been clarified by courts, and that the Cable Act may not apply to "any record of aggregate data which does not identify particular persons."

Monitoring customers' Web browsing to serve up targeted advertisements is coming under increased political scrutiny on privacy grounds, making the future of the controversial technique among Internet service providers less than certain.

A hearing convened by a U.S. Senate panel on Wednesday is the latest potential obstacle to widespread adoption of the practice, which relies on intercepting customers' Internet packets and building anonymized profiles that can be used for topic-based advertisements.

Sen. Byron Dorgan, D-N.D., suggested that the procedure amounts to "wiretapping" and promised a followup hearing in the near future to explore the subject further. "We need to take a closer look at Internet users' privacy," he said.

It's like "you go to CVS and there's someone behind you making notes...and that becomes part of a data bank they send to someone," Dorgan said. "Someone is gathering information about where you travel and what you viewed and that goes into a data bank and can be sold or resold."

After pressure this spring from some members of the House of Representatives, companies including CenturyTel and cable providers Charter Communications and Wide Open West recently have suspended plans to use monitoring-and-ad-delivery technology from NebuAd, a secretive Silicon Valley start-up.

Mere speechifying by Washington politicians can't prohibit an otherwise legal product, of course. (If that were the case, surely some Democrats would have shut down ExxonMobil and some Republicans would have pulled the plug on Playboy Enterprises years ago.)

But the problem for NebuAd and its ISP customers is that--as we reported in May--a collection of federal laws written back in the 1980s create a treacherous legal landscape for broadband providers that are engaging in this kind of Web monitoring. Some of those laws restrict deep packet inspection by any broadband provider; the Cable TV Privacy Act singles out cable providers for the most extensive opt-in regulations.

For its part, NebuAd says it's doing nothing untoward. CEO Bob Dykes told the Senate panel that "my lawyers have told me we're in compliance with the law."

After being asked what would happen if the U.S. Department of Justice were to serve NebuAd with a subpoena asking for information about people who searched for explosives, Dykes replied: "We would not be able to provide names or even IP addresses."

NebuAd has repeatedly refused to disclose what advertising networks it uses or what broadband providers it counts as customers. It has said that it does not collect or use personally identifiable information and does not store raw data linked to "identifiable individuals." Rather, it says, it creates and continually updates anonymized profiles with information "about the user's level of qualification" for certain types of ads.

That nevertheless likely violates federal and state wiretap laws, unless customers give unambiguous consent to this eavesdropping on their Internet connections, says the Center for Democracy and Technology. CDT, which receives the majority of its funding from technology companies, published a report (PDF) on Tuesday that concludes: "Especially where the copying is achieved by a device owned or controlled by the advertising network, the copying of the contents of subscriber communications seems to be, in the absence of consent, a prohibited interception."

In addition, NebuAd has hired at least five employees from Gator, which changed its name to Claria five years ago to distance itself from associations with spyware. Symantec offers a Windows application that removes Claria's Gain software.

Dorgan said that he had invited a selection of unnamed broadband providers--presumably including Charter and CenturyTel--to testify at the hearing but they "declined the invitation." He promised a second hearing that would focus specifically on them.

Also on Wednesday, Dorgan wondered whether search engines "likely have information about where I've been traveling" on the Internet and mentioned hypothetical searches on WebMD about gout, dementia, and post-nasal drip. A representative from Google (Facebook and Microsoft also had representatives present) said the company doesn't know what people do when they're not using the Google.com site.

Online advertising has ballooned into a roughly $45 billion-a-year business, to the benefit of Google, Yahoo, ad networks, and innumerable speciality and hobbyist Web sites.

One corner of this ecosystem that hasn't managed to cash in on advertising is, by some measurements, the largest: broadband providers. So it may have been inevitable that they would seek additional revenue by monitoring their customers' online activities and creating behavioral profiles that could yield hyper-relevant ads.

The only problem with this practice is that it may not be entirely, well, legal. The first warning sign came last week when two members of the U.S. Congress sent a letter to Charter Communications, a large cable provider, raising "substantial questions" about the legality of deep packet inspection and asking the company to hold off. (See our Q&A with a Charter executive.)

In interviews with News.com over the last few days, privacy advocates and attorneys pointed to a collection of federal laws--written in the 1980s when broadband services were merely a pipe dream--that combine to create a treacherous legal landscape for broadband providers that plan to conduct Web monitoring.

It's "a problem for cable providers because the very collection of personal information is prohibited without consent," said Al Gidari, a partner at Perkins Coie in Seattle, whose clients include Google and broadband providers. "It's plainly a problem for Charter. I'm amazed we haven't seen a class action lawsuit on this."

The problem for broadband providers is that intercepting customers' Web browsing, analyzing the protocols to see what's going on, and reviewing the packets' contents starts to look a lot like wiretapping. And there are federal and state laws, complete with civil and criminal sanctions, that broadly prohibit wiretapping.

It's unclear how many providers are performing Web monitoring for advertising, not least because all of the companies providing deep packet inspection are highly secretive.

Wide Open West is using technology from Redwood City, Calif.-based NebuAd, as it discloses in its privacy policy. Charter and (reportedly) Knology are experimenting with it, too. CenturyTel told us that "we are doing business" with NebuAd and that it did a trial of NebuAd's technology in one of its markets late last year.

Embarq talks about "preference advertising" in its privacy policy and confirmed it has tested NebuAd "in one of our markets," but added that "we are not currently using those tools and have not decided whether to move forward with them." Rivals to NebuAd include Front Porch of Sonora, Calif., and U.K.-based Phorm.

NebuAd refused to disclose what advertising networks--such as DoubleClick or Microsoft's Aquantive--it uses, or what broadband providers it counts as customers. So did Phorm and Front Porch (which said it could not arrange an interview).

When asked why it won't disclose that information, NebuAd told us in e-mail: "We would like to respect the trust and relationship that already exists between an ISP and their end customer. We want to stress that we do not publicly discuss our ISP partner relationships because of the direct relationship that already exists between an ISP and their customers. Our belief is that our ISP partners have a direct, trusted relationship with their customers; and communication, public or otherwise, should be directly from our ISP partner to their end customer." NebuAd does provide an opt-out mechanism through browser cookies.

The stakes are high. The advertising industry is moving toward behavioral targeting, meaning compiling dossiers (anonymized or not) on individuals and using those to display targeted ads. Theoretically, this benefits everyone: Internet users see ads that match their interests, and advertisers sell more products.

Because deep packet inspection can, barring the use of encryption, monitor everything that a customer does online, a broadband provider is in the enviable position of being able to know exactly what each customer is doing. The odds of successful monetization are high. But so are the legal risks.

Three federal laws, three legal hurdles

At least three wiretapping-related federal laws restrict what broadband providers can do: the Electronic Communications Privacy Act of 1986 (ECPA); the Communications Act of 1934; and the Cable TV Privacy Act of 1984. The cable privacy law is the most restrictive and applies only to cable broadband providers--meaning, thanks to a law written when the Apple Macintosh was new, they're at a competitive disadvantage to AT&T and Verizon.

The cable privacy law is unusually onerous because it requires the "prior written or electronic consent of the subscriber" before any personally identifiable information can be collected. What that means is sending a postcard or e-mail telling customers that they can opt-out (which is what cable providers are doing so far) may not be good enough.

"They have to worry about it more," said Gidari, the attorney at Perkins Coie, referring to cable operators. "Their rules are much more restrictive. They have the obligation to give notice to their customers before they disclose information. They have the obligation not to collect information without prior consent...Cable operators have the most exposure in doing this."

One irony of this situation is that broadband providers are seeking to do precisely what companies like Google and Yahoo have done for many years: monitor what users are doing and display relevant advertisements. But cultural expectations are different. And by an accident of history, or a quirk of fate, those laws don't apply to Google and Yahoo and other Web sites. They single out Internet service providers.

For their part, cable providers insist that they're following the law. Charter tells us it is "confident" that "all legal requirements" have been met. Wide Open West, a cable operator in the Midwest that's using NebuAd's hardware, said: "We feel that the service and our use of it is in compliance with current regulations."

But other laws apply to all Internet providers. ECPA says, in general, that "a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication." Two exceptions to that general rule allow monitoring that is a "necessary incident" to providing the service and monitoring with a user's "lawful consent."

Translation: Obtaining "lawful consent" may mean more than sending e-mail notifying customers that the terms of service have changed. At the least it means that an opt-in process is less risky, legally speaking, than an opt-out one.

The 2003 In Re Pharmatrak decision from the U.S. Court of Appeals for the 1st Circuit offers a glimpse of how judges view consent. The court ruled in a case involving Web tracking "that it makes more sense to place the burden of showing consent on the party seeking the benefit of the exception." The judges approvingly cited a second case, which said "consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception."

Yet another legal obstacle for Web monitoring is the Communications Act, which says companies engaged in "transmitting" communications shall not "divulge" those contents.

"The question is whether or not a third party like this can track usage for things other than for routine maintenance of a network--they are entitled to do that," said Barry Steinhardt, director of the ACLU's Technology and Liberty Program. "But where you're actually tracking the content of what users do, there are serious questions there about the Electronic Communications Privacy Act and the cable laws."

Steinhardt added: "I think Congressman (Edward) Markey is exactly right to raise this issue. The implications here are profound...Do (broadband providers) think they own that data? If they own that data, there are no limits on what can be done with it? Can they give it to an employer? Can they give it to a credit bureau? Can they give it to a potential landlord?"

Another possible threat to broadband providers is the Federal Trade Commission, which can file lawsuits alleging unfair or deceptive business practices. The FTC has posed suggested guidelines for behavioral advertising after convening a workshop last fall, and the Center for Democracy and Technology filed comments with the agency last month raising questions about NebuAd and its peers. (Disclaimer: I spoke at last fall's workshop.)

CDT's comments allege that broadband providers do "not appear to be adequately disclosing this involvement" and suggests that the Electronic Communications Privacy Act regulates the practice. They also suggest that the FTC "should address" advertising-related monitoring and require affirmative consent from customers instead of an opt-out mechanism. In its privacy principles, the FTC said "companies should obtain affirmative express consent from affected consumers" before substantially changing privacy policies.

In the past, the FTC has taken a relatively strict view of informed consent. In its lawsuit filed against Odysseus Marketing, the FTC argued that it was unlawful for a company not "to adequately disclose" to customers that it was sharing information with third parties. The case ended in a settlement.

There's one final legal twist that could imperil NebuAd and similar companies that conduct deep packet inspection. The way they work is to perform a Carnivore-like interception of all customers' Web browsing. Then Web traffic with NebuAd's opt-out cookie is discarded.

What that means in practice is that, if you've chosen to opt-out through your Internet provider, the contents of your communications are nevertheless continually disclosed to a third party--even if for a microsecond--which is exactly what federal privacy laws seem to prohibit.

News.com's Anne Broache contributed to this report

Two prominent members of the U.S. Congress are asking Charter Communications to hold off on its plan to monitor its customers' Web browsing and deliver relevant advertisements.

In a letter to Charter chief executive Neil Smit, Reps. Ed Markey and Joe Barton say the monitoring plan may violate federal privacy laws and ask that the company "not move forward" until "we have an opportunity to discuss" it. Markey is the Democratic chairman of a House Internet subcommittee and Barton is the senior Republican on the House Energy and Commerce committee.

Charter did not immediately respond on Friday to our questions about whether it would delay its monitoring-and-advertising plans as a result of the letter. Although Markey and Barton have no legal authority to order a halt, they could make life difficult for Charter by convening hearings and lambasting the company for alleged privacy violations.

Charter is planning a trial of what it calls an "anonymized" ad-delivery system for its customers, who are able to opt-out by setting cookies. In an interview with us on Thursday, a Charter executive said hardware from NebuAd would be placed on the company's network and allowed to monitor what URLs its customers visited.

The letter from Markey and Barton says that federal law regulating cable TV providers--Charter is the third-largest in the United States--may restrict its ability to monitor customers' activities with the intent of serving up more relevant advertisements. In other words, they argue that an opt-in mechanism is necessary instead of an opt-out one.

That section of federal law, 47 USC 551, says: "A cable operator shall not use the cable system to collect personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned." Charter has sent notices to customers who may be affected once the trial period begins, but a mere notification (that may never be seen) may not amount to actual consent.

Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C., says there's an even better argument that Charter would violate federal wiretapping laws because it wouldn't have obtained legally-valid consent from all customers. "I'm sure Charter will argue consent (was obtained)," Rotenberg said. "But I think they'll run into a very real problem in saying that people can grant consent to open-ended snooping on their communications when Congress has given broad privacy protections."

Charter Communications is planning to monitor its customers' Web surfing and then, anonymously, display relevant advertisements.

What the third-largest U.S. cable operator, headquartered in St. Louis, Mo., probably wasn't planning on was a privacy-fueled Internet backlash that began a few days ago after it began notifying customers of its intentions. For its part, Charter describes its behavioral profiling plans this way: "innovative new technology in the field of online advertising enables Charter to provide you with an enhanced online experience that is more customized to your interests and activities."

Ted Schremp, Charter's senior vice president of product management and strategy, who says there's a lot of 'misinformation' about his company's plans to monitor users' activity so appropriate ads can be displayed.

(Credit: Charter Communications)

The disclosure led to a flurry of criticism, with Consumerist.com reprinting a letter from a Charter subscriber and speculation on DSLReports.com that existing Web advertisements would be intercepted and replaced by targeted ones. Slashdot called it "spying on" customers.

Missing were details about how Charter's system works, which we've tried to remedy with the following conversation that took place on Thursday with Ted Schremp, Charter's senior vice president of product management and strategy. Schremp confirmed that Charter is using technology from Redwood City, Calif.-based NebuAd--which is reminiscent of how British broadband providers have been working with Phorm, which uses deep packet inspection with "anonymized ISP data to deliver the right ad to the right person at the right time."

Now, there's nothing particularly novel about free Internet services that look at what you're doing and display relevant advertisements. Google.com and Gmail.com do just that. Nor is there anything novel about ad-supported Internet connectivity: Juno has offered this for years.

But, culturally speaking, Internet users have grown to expect broadband providers to provide mere pipes and not be involved in monitoring Web activity for advertising purposes. (There's also a difference between making monitoring a feature of the service from the beginning and adding it after you have millions of customers. Expectations have already been set.) So how to convince customers that monitoring is useful and sufficiently privacy-protective? How to handle requests to opt-out? Keep reading to see how Charter answers those questions.

Q: How does your "enhanced" Web browsing experience work?

We're sort of piloting the service in four markets. What's generated the activity is that we've proactively informed customers in these markets via letters. The trial hasn't actually started but it will shortly.

We're partnering with a third-party company called NebuAd. The system is designed to protect our customers' privacy. Their information is never shared with NebuAd. The way the system works is that it tracks URL information, again in an anonymous way, and uses it essentially to build a model that infers the customer's interests based on the URL visited. I can give you an example.

Q: Sure.

The easiest example is someone shopping for a car and visiting Honda.com, Toyota.com, Ford.com, Chevrolet.com. As our end user does that, the model becomes informed based on the notion that the end user may be shopping for a car. Let's say they go to a Web site that utilizes an ad network that NebuAd is part of. An ad may be served based on that model.

It doesn't sort of sit on top of advertising that's there. Most Internet advertising, as I'm sure you know, is served through ad networks (and NebuAd works with them).

Q: Do you know what ad networks it partners with?

That's a better question for NebuAd.

Q: Let's say NebuAd has a relationship with DoubleClick, and let's say CNN.com uses DoubleClick for advertising. If you visit car Web sites and then visit CNN.com, you're more likely to see a car ad as a result, right?

Yes. If you look at the transaction flow, if CNN has a relationship with DoubleClick, we, through this anonymous model, have provided information to NebuAd.

The ads that are already being served are being served on an informed basis. We're informing the model to an additional degree. There is a level of misinformation about how that works.

Q: There's been speculation that you're delivering additional ads through pop-ups or pop-unders or replacing existing ads. But you're not doing that, are you? Charter customers would see a more targeted ad instead of an existing generic ad.

What you said is correct. What's being said is incorrect. We're not serving additional ads. We're not replacing ads.

Q: Do you know how many sites are participating, how much of your customers' attention you can capture? How big is this?

My understanding is that NebuAd has partnered with ad companies that represent the majority of Internet advertising. The majority of Internet advertising is syndicated.

Q: What other ISPs are doing this, as far as you know?

We really don't know. We can really only speak to Charter.

Q: If you're conducting deep packet inspection, that means you know what data your customers are transferring. Are you going to look for evidence of copyright infringement, child pornography, and so on as well?

The enhanced advertising solution does not utilize deep packet inspection. It looks at URL level information only. That's another point of misinformation on the Net.

Q: You're saying that URL-level information is not deep packet?

Suffice it to say that we're using URL-level information only.

Q: Maybe this is a confusion over terminology. To obtain the domain name to route the packet, you need to look at only the headers through shallow packet inspection. Obtaining the URL means unpacking and understanding one more level, the Hypertext Transfer Protocol. Are you looking beyond the domain name to the URL, say ford.com/mustang and ford.com/focus?

The way the model's built is that they're trying to inform what's essentially a preconstructed model. We're looking at the complete URL. How often that URL-level information is utilized in the context of building a model, I don't know.

There are a number of categories, call them all sensitive in nature, that are clearly exempted from any (inspection) including items of a sexual nature, medical nature.

Q: If you're getting a new stream of revenue from NebuAd, does that mean lower prices for your customers?

As we've gone into these pilots, we've conducted a series of focus groups to help us understand from their perspective, does this technology add value to their Internet experience, talk through privacy concerns, and so on. What our customers have shared with us is that they understand the fact that advertising is part of the Internet model. To the extent that fuels the economics behind the Internet, they understand that. They appreciate the notion that ads that are being served are attuned to their interests or potential interests.

We view it the same way as offering faster Internet speeds. This is no different. It's about taking the latest technology and applying it as a way to be useful to our customers.

Q: One point of criticism has been the way your opt-out mechanism currently works. In the future, are you going to allow a customer to opt-out their entire household, without having to set a browser cookie for each user account on each computer?

The cookie-based opt-out was arrived at on the basis of our focus groups and the nature of the Internet household at this point. The majority of households are becoming multi-PC households. The users are a variety of folks, be it spouses, kids, etc. The way we've done it is very consistent with Internet use in the household. The notion of a cookie-based opt-out supports a variety of choices.

The intent of pilots and the intent of being very forthcoming with our customers is to let us fine-tune the deployment.

Q: Do you have any plans to fine-tune it and make any changes?

At this point it's very early. I think it's consistent with the way we've rolled out any other product.

Q: Can you disclose how much you expect to receive in terms of revenue?

We don't disclose the terms of our agreements or this sort of detail.

Q: If NebuAd gives you a box or boxes that you place on your network, these devices will have access to all of your customers' traffic. Have you independently verified that privacy protections are in place and the boxes act the way you think they will?

Absolutely. What we heard from customers is that No. 1, ensure that my privacy is being protected and give me an opt-out should I choose that path. When we picked a partner, that was (important). We're confident that all baseline privacy regulations are accommodated in the engineering of the solution.

Q: Though it's still going to be a box on your network. You're going to have to trust them to some extent to get the privacy safeguards right.

In any relationship there's always a level of trust. But there's also a level of rigor and selection and testing and we've applied that here.

Q: What reaction have you received from your customers?

It's still pretty early. As I said before, our objective from day one has been to be very proactive and forthcoming with the information. We've had some levels of calls and inquiries and so on, and it's mostly "Try to help me understand how my privacy is (protected) in the engineering of the solution."

Q: Is there anything else you'd like to add?

The key from our perspective is that we're very customer-oriented in everything we do. The privacy concerns and the ability of our customers to opt-out and the fact that we're talking today is indicative of that as well. We want to be very clear that they have a choice.