Emerging Issues: NebuBad
NebuAd in the U.S. and Phorm (formerly 121 Media) in the U.K. have both been accused of deep packet inspection of user traffic without consent, with the lofty goal of tracking behaviour to target ads. I posted a dozen questions for Phorm and while I know they have followed the entries, they declined to answer the dirty dozen. For what it is worth, I also invite NebuAd to answer them as well; these are the questions that need to be asked. (So that it is clear: Phorm and NebuAd are separate companies and not related.)
The fundamental issue is pretty clear: permission needs to be obtained, and it needs to be obvious and in easy-to-understand language. This means fifty-page EULAs written by lawyers are NOT the answer either. Bypassing consent is a deal killer.
I want to call attention to Brad Waller’s recent entry on Deep Packet Injection / Trademark Infringement and NebuAd which looks at the issue from an Intellectual Property perspective.
…compares the NebuAd process to serving some other cola to a customer who asks for a “Coke.” He argues that when the NebuAd cookie is injected by your ISP into a page they serve you, the page is no longer the exact page you asked for. He says, “When your ISP delivers you a page with a NebuAd cookie injected, the statement that this is the page you asked for is false. The ISP is passing off the NebuAd cookie as being from Amazon. It’s not.” This seems like a bit of a stretch to me, but I’m not an intellectual property attorney. He argues that since the cookie is used to sell you goods that it would be close enough to be an issue.
Talk about splitting hairs and cookie crumbs!
A coalition has formed to tackle NebuAd. (This is good!) The groups at this stage in the game include heavy-weights like the: Electronic Privacy Information Center (EPIC), the Electronic Frontier Foundation (EFF), the Center for Democracy and Technology (CDT), the Center for Digital Democracy (CDD), Public Knowledge, and Free Press.
As other security guns have reported, Charter Communications has cancelled a pilot of the NebuAd advertising system and apparently CenturyTel is cutting NebuAd loose as well. MediaPost reports that the CDT plans to present to the Senate Commerce Committee that NebuAd’s methodology may violate federal wiretapping laws due to how communications are intercepted. The title of their June report, “NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking,” leaves nothing to the imagination.
The state of online security is wobbly enough; the last thing people need is yet another incursion that erodes their privacy. While privacy and security are different, they are related. I really feel this needs to be nipped in the bud, so make your voice known.
Ironically, some people might already know… this quote from Art Brodsky, a spokesman for Public Knowledge, on NebuAd’s CEO’s claims is pretty startling:
“We have seen video of the NebuAd CEO saying, ‘Google knows what they do on your site, but we know everywhere you go, the sites you stop at and ads you see.’ The problem is there’s no opt-in or opt-out to these types of services.”


This definitely needs to be nipped in the bud.
For those in the UK, make your voice heard by going to the protest on the 16th July outside the BT AGM at the Barbican, London.
More details:
http://www.nodpi.org/events
These are indeed very important issues emerging around NebuAd and Phorm. On a side note, it should not come as a surprise that some of the execs at NebuAd are former execs from Claria/Gator. It is similar data tracking but only at a potentially much larger scale.
IANAL so I’m not sure how strong of a legal case the Intellectual Property angle may be. It didn’t work that well in the past with lawsuits involving adware. But then a split hair can make all the legal difference at times.
I do think that there are other issues surrounding this aside from consumer privacy rights and concerns. As if that isn’t enough in and of itself. ISPs’ willingness to use both Phorm and NebuAd (until the stuff hit the fan) follows the same track as other practices I’ve observed by ISPs, which are flat out browser hijacks for their own profit IMO. With ISPs facing more competition these days and looking at online advertising as a revenue source, they need to understand what types of practices are and are not fair game. If certain practices have been deemed as unacceptable by software, why can an ISP engage in the practice? As an end user, I’m not any more happy when my browser doesn’t go where I’ve specifically intended for it to or my user preferences have been overridden. It doesn’t matter to me if it’s a piece of software or my ISP that has done it. I’m actually more disturbed when it’s my ISP because I view them (whether it’s correct or not to do so) as a public service provider such as other media providers. Indeed cable companies have been regulated by Public Service Commissions in the past, although that regulation seems to be pretty fragmented now. Regardless, I have expectations of a higher level of responsibility from my ISP (which may well be providing my TV and telephone service as well in the case of companies like Charter).
I also think that this brings up another issue that I don’t think has ever been adequately addressed when looking at such data collection by software applications on the end user’s computer. Even if the end user does agree to opt in to tracking such as by NebuAd and Phorm, where is the line drawn about what type of information can be collected and how it can be used? Online businesses need to have their rights to fair competition and protection of proprietary information protected along the same lines as in the brick and mortar world. The boundaries seem not as clearly defined online as they are offline. I brought this issue to the FBI in the past in the form of a formal complaint when I saw the type of data a particular adware application was collecting and sending back to their servers. Coincidentally (?) the behavior disappeared from the adware a few weeks later. Of course some forms of behavioral tracking with consent have long been considered acceptable. Hence Nielsen ratings.
Sorry for the comment that’s pretty much another blog post.