Article 43


Wednesday, April 23, 2008

NebuAd Era

Data Pimping Catches ISP On The Hop

By Cade Metz
The Register
April 22, 2008

What’s the story with Phorm, NebuAd, and other behavioral targeting firms that track user data from inside the world’s ISPs? In some cases, even the ISP can’t tell you.

In February, the Silicon Valley-based NebuAd deployed its deep-packet inspection technology on a Middle America ISP known as WOW, formerly WideOpenWest. The official word from NebuAd is that its partner ISPs are required to directly notify customers via letter or email before its hardware is turned on, but WOW! - America’s 12th largest cable operator, serving Illinois, Michigan, and Ohio - says this did not happen on its service.

According to vice president of programming Peter Smith, WOW! updated its terms of service to include a mention of NebuAd, and in some cases, it told customers that the terms had been updated. But it didn’t go any further.

“We started rolling out the service in February and we completed the roll-out the first week in March,” Smith told us. “About the third week in March, we got an updated memorandum from NebuAd detailing their ‘best practice’ standards. That was not provided before we rolled the service out.

“When we got the memorandum, we put together a plan to comply with the best practices, and we’re in the process of doing that right now, sending customers an email that explicitly alerts them to NebuAd and providing messages on bills.”

At least two WOW! customers argue that the ISP’s initial notification wasn’t enough. Both of these Chicago-area customers were unaware that NebuAd was tracking their behavior until some unexpected Web cookies turned up on their machines. When they visited Google, non-Google cookies were being read by addresses such as “”

When these users contacted WOW! customer support, reps initially denied that the ISP was responsible for the cookies. So these customers did some digging on their own, eventually turning up the NebuAd mention in WOW’s terms of service. Only then did reps confirm that NebuAd was a partner.

Someone else’s cookies

When we contacted WOW! to discuss the matter, VP Peter Smith initially denied that NebuAd uses tracking cookies. “There’s been a lot of rumors out there that are not correct,” Smith told us. “NebuAd doesn’t drop cookies, so those were someone else’s cookies.” When pressed, Smith then said that NebuAd only drops a cookie when users opt-out of the service.

But NebuAd makes no bones about the fact that it drops cookies from the get-go. “We place just one cookie for each NebuAd ad-serving domain,” said NebuAd CEO Bob Dykes. “It usually contains just an alphanumeric, which is not the number we use internally to identify the user anonymously, and some ad-serving related info such as ad frequency caps, which is similar to functionality used by almost all ad networks in their cookies. If the user opts out, then that is noted in the cookie and the alphanumeric is deleted.”

Peter Smith negotiated WOW!’s contract with NebuAd, but he said that these negotiations carried on for months and that NebuAd’s practices may have changed since the two companies first spoke.

NebuAd’s behavior-tracking service is similar to ISP-based services used by Phorm in the UK and Front Porch here in the US (though Front Porch shares its data with outside ad firms). Other operations that appear to be working on similar services include Adzilla and Project Rialto, a “stealth company” created by Alcatel-Lucent, but these firms did not respond to our interview requests.

According to NebuAd, its current ISP contracts give it access to the search and browsing activity of at least 10 per cent of American net surfers. It then uses this data to target advertisements.

NebuAd insists the data is never matched to personally identifiable information. But many - including the Center of Democracy and Technology - believe that end users should be actively notified before these services start tracking their behavior and given every opportunity to opt-out.

NebuAd aka Nebula

When one WOW! customer - we’ll call him WOWed - first noticed those un-Google cookies on his machine, he assumed it was infected with spyware. “I realized that Google was loading slowly, and I spent hours trying to clean spyware off my system,” WOWed told us. “Finally, I reinstalled my machine from scratch, installed all of Microsoft’s patches, and the cookies came back. I was convinced that this was coming from the ISP.”

And WOW! customer support did nothing to dissuade him. “They just said that I had spyware too, that they ran tests from their office and that when they went to Google, they didn’t see a problem.”

A second WOW! customer - we’ll call him WOWed Again - had a similar experience. “When I first noticed this, I called customer support, and no one knew anything about it,” WOWed Again told us. “Then I called again and pointed them to the new terms and conditions.

“The rep said ‘Oh no, sir, we don’t monitor any internet usage. We don’t care what you’re browsing.’” WOWed Again has since noticed that his January bill from WOW! mentioned that the ISP’s terms of service had changed.

But the company eventually told both customers that its network was equipped with NebuAd hardware. According to WOWed, a company employee - believed to be the head of customer service - told him “You can opt-out if you go to Nebula’s [sic] site.”

NebuAd does provide an opt-out, but both WOW! users complain that this does not remove NebuAd’s cookies from their machines. “NebuAd says they don’t track you if you opt-out,” WOWed Again said. “But if I go to Google, my browser is still calling back to NebuAd’s servers. I’m not happy with this at all.”

When we asked NebuAd about its opt-out cookie, the company called it an “industry-standard mechanism.”

“Once a user opts out, the user’s surfing habits are no longer being observed by NebuAd,” the company told us. “Once a user opts out, NebuAd removes the history on the user and will ignore the user’s subsequent surfing habits. An opt-out flag in a cookie is the industry-standard way of signaling to the system not to track this user.”

The company also said that some web surfers may notice a NebuAd cookie on their machine even if their ISP is not a partner. “Because we buy some media unrelated to our ISP partnerships, the fact that a user sees our cookie does not indicate that the user’s ISP is using NebuAd.”

According to WOWed Again, when a WOW! customer support rep finally acknowledged the company had contracted with NebuAd, she assured him this wasn’t a problem. “She said ‘We really haven’t gotten too many calls about this, so apparently people think there’s value in getting targeted ads.’”

“I should have told her ‘You haven’t gotten many calls because no one knows about it.’”

Yes, NebuAd has now told WOW! that it needs to be more proactive when notifying customers. And WOW! says it began sending emails to customers early last week (though it doesn’t have email addresses for all customers).

But according to WOW!, NebuAd didn’t give the ISP its so-called best practices until after the company’s service was discussed on Broadband Reports and in various news stories. Some have argued that behavioral ad trackers have received an unfair shake in the press. But on some level, press is necessary.



NebuAd’s Data Monitoring Appliance Placed Inside ISPs: A 360-degree View Of You

Democratic Media
November 16, 2007

It’s time the FTC and the online ad industry redefined Personally Identifiable Information (PII) to reflect the realities of the interactive marketing era: it must include the bits of data about us which describe and analyze our behaviors, now classified as non-PII. Such so-called non-PII tracking is really linked to individuals. The role that Internet Service Providers (ISPs) play in providing behavioral targeting and other interactive marketing firms with our data requires an investigation. Take NebuAd, a company that explains:

[T]o date, the role of service providers (ISPs) has been limited to enabling, but not participating in, the online advertising revenue ecosystem. NebuAd creates a greater market opportunity for the entire online advertising ecosystem, opening new revenue possibilities for ISPs that preserve and enhance the interests of the advertisers, publishers and consumers on their networks.

NebuAd also says that it is the:

leading the industry to a new level of advertising effectiveness. NebuAd combines web-wide consumer activity data with reach into any site on the Internet. The result is vastly more data and relevance than existing solutions that are limited to one network or site. NebuAd is dedicated to the highest standards of consumer privacy. In fact, the company touts its membership in Truste and claims that it is committed to the highest standards of consumer privacy. NebuAd’s network was architected from the ground up to meet industry best-practices regarding consumer information privacy protection.

But in this week’s Behavioral Insider, NebuAd’s CEO says the following (our emphasis):

We don’t track individual consumers; by anonymous we mean we collect no personally identifiable email addresses, last names, home addresses, social security or phone numbers, financial or health information. The kind of data we do aggregate includes Web search terms, page views, page and ad clicks, time spent on specific sites, zip code, browser info and connection speed...within this vast universe of information we create a map of interest categories, beginning with the widest definitions, auto, finance, education, what have you. But within those we can provide far greater granularity. So if you’re talking about auto, we can drill down into particular interest segments, say SUVs, luxury cars, minivans, and then even to particular brands or models. Within the interest category of travel, we can identify consumers interested in learning about Martinique, the south of France or Las Vegas.

How do they do that? Why, they get ISPs to turn over our data. Here’s the NebuAd CEO again (with our emphasis):

ISPs have been a neglected aspect of online’s evolution over the past several years. But the fact is the depth of aggregated data they have to offer, anonymous data, is an untapped source of incredible power. The conventional approach to behavioral targeting has been to place cookies on specific Web sites or pages. We’ve gone about it in a very different way. We place an appliance in the ISP itself. Therefore we’re able to get a 360-degree, multidimensional view over a long period of time of all the pages users visit. So what we’re really talking about for the first time is a truly user-focused, though still anonymous, targeting, taking the totality of anonymous behaviors rather than just a subset of sites on a network.

Huh? That’s privacy protection? ISPs are going to have a lot of explaining to do about the “appliance” (built by the NSA?) watching us. I think the company better reconvene its new “Privacy Council.”

PS: Here’s an excerpt from the press release NebuAd issued at ad:tech two weeks ago:

NebuAd’s rich insight into consumer interests surpasses any other behavioral targeting solution and enables NebuAd to deliver precisely targeted ads that drive substantially increased value per impression ... NebuAd’s deep insight into anonymous consumer commercial interests across the Internet, combined with its ability to micro-target the most relevant ad placements, brings a new level of value for advertisers, publishers and ISPs.



Deliver targeted, scheduled messages that inform, promote, or advertise, directly to your subscriber’s browser. Deployments in networks of 5K to over 1M subscribers in North America and Europe demonstrate PerfTech’s superior scalability.

Blocking Perftech Injected ISP Messages

DSL Reports
April 24, 2008

Canadian cable provider Rogers recently gave American cable users a possible glimpse of the future when they started charging data consumption overage fees for their capped and throttled broadband service. They’ve also been using a new user alert technology from Perftech that could see broader use as an ad-injection engine. Perftech’s technology lets the ISP inject a banner ad above, beside or below any existing web content.

Perftech’s technology clearly can be of practical use: it was used as early as 2005 on Wide Open West’s network to deliver Amber alerts. It can also be used to alert subscribers to possible infection or if their PC is being used as a spam relay. Rogers currently only uses it to alert customers when they get close to their monthly cap of 60GB.

However, Perftech also advertises the technology as a possible way for ISPs to subsidize certain lower-cost tiers of service. In this industry, it’s hard not to think that a number of ISPs—under constant pressure from investors to create new revenue streams—will eventually use the technology to try and grab an additional slice of ad revenue. It’s a good guess that users, ad networks and network neutrality supporters might get slightly annoyed.

Rogers does allow users to opt-out of the alerts, though users are forced to opt-out every billing cycle. One user in our Rogers forum highlights that the system is fairly easy to block if you want a more...absolute solution. You simply have to identify the server (in Rogers’ cap alert system’s case it’s, then use either a rule-based firewall or a personal proxy server to block the IP. Might be useful information to keep on hand for down the road.



Can Phorm Be Trusted to Track User Clicks?

By Cynthia Brumfield
IP Democracy
April 8, 2008

For those of you who haven’t been following a primarily UK-based controversy, digital technology company Phorm sells a system to ISPs that tracks user Internet activity in order to provide better “behavioral targeting” data for advertising purposes. Although Phorm’s purported history as a spyware provider and its recent sketchy Wikipedia editing behavior have drummed up controversy for the company, it earned a bad rap when it was disclosed last year that big ISPs BT, Virgin Media and TalkTalk were testing Phorm’s system without clearly notifying customers of this fact, an obvious privacy concern that Phorm tells the NYT’s Saul Hansell will be remedied by an “unavoidable notice” pop-up screen that users can’t ignore.

Phorm, formerly 121Media, comes with a little bit of baggage. First, the company is rumored to have once been a spyware purveyor, although Phorm argues that its spyware was really adware (note: a lot of web encyclopedias define adware as spyware.)

Then earlier this month Phorm got caught in an embarrassing attempt to edit its Wikipedia profile by deleting key factual and unpleasant facts about the company. Phorm executives admitted to being “overzealous” in the Wikipedia edits and promised to never do it again.

Still, Phorm looks better than NebuAd, its main rival. NebuAd, which has contracts with U.S. ISPs Embarq and WideOpenWest, doesn’t go as far as the opt-out pop-up notification. ISPs that use NebuAd can send emails, bill inserts or include boilerplate language in their user or privacy policy statements—any one or all of these methods are almost virtually guaranteed to be ineffective.

Opting-out is far from an ideal solution, even ignoring the notion that opt-in methods are preferred by privacy advocates. According to a technical white paper by Cambridge University researcher Richard Clayton, opting out of Phorm’s system might increase latency or reduce robustness of the user’s Internet activity. (The “GET” requests are redirected three times for opt-out users, or something to that effect.)

Although I’ve always been less worried than most about private sector privacy violations (as opposed to law enforcement privacy violations), operating under the belief that few companies are smart enough to do bad things with the overwhelming snarl of data they receive, lately I’ve received some eerily targeted ads and feeds that are clearly based on things about myself that I consider private (mostly investment-related stuff...sorry, nothing really good.) Although Phorm might very well be an upstanding outfit, I’d feel a lot better if the company that is tracking all my Internet activity were far beyond anyone’s moral reproach.


Posted by Elvis on 04/23/08 •
Section Privacy And Rights • Section Broadband Privacy