Thursday, October 2, 2008

POV Thursdays: Q&A With Robb Topolski

It’s difficult to know where to begin in providing a short intro to this Q&A exchange with Robb Topolski. Unless you’ve been living under a rock, I am sure you know the name. Robb was the citizen who exposed Comcast’s secret blocking of BitTorrent traffic to its customers. He is also the man who produced the study that questioned both the processes and policies of NebuAd and the ISPs that worked with it (or planned to work with it).

Robb is an unlikely celebrity. His background is highly technical, and he doesn’t live in a key news media market. The research he does doesn’t sound bite well. Yet somehow he causes tremendous change in the digital arena.

What I think makes him so compelling is his passion and his sincerity. Robb does what he does because he believes it is the right thing to do. Whether or not you agree with his POV, it’s important that we in the digital marketing industry really listen to the issues he raises. I say that because digital marketing techniques are a new world in terms of the technological sophistication required to entirely understand them.

So with that intro, here are Robb’s answers to the questions I thought might interest you. I am grateful to him for his willingness to participate. He often talks to national media, but I am pleased that he was willing to share his views on this, the digital marketing industry’s version of The Golden Girls’ Shady Pines Retirement Home.


Can you tell us a bit about your background – what makes you adept at sleuthing business practices like those of Comcast and NebuAd?

I don’t know if this would be cause or effect, but I learned to read music before I learned to read anything else. I was picking out tunes on a Hammond organ when my Mom and a music teacher bartered lessons for – I think – dog grooming! I’ve always had an eye and ear for algorithms, protocols, and other transactional sequences and an insatiable curiosity and enthusiasm for technology. In the early 70s, I was programming screen-less computers using paper tape for input and teletype for output.

Even with that geeky foundation, I’ve always had an inclination to service. My Dad was a veteran, a volunteer firefighter and a Little-League umpire. I would have defiantly denied it at the time, but he taught me the rewards of service. I was a Boy Scout, and later an Explorer Scout Leader, community sports coach, I did my own stint in the military, and I’ve been a music leader both in church and the Barbershop Harmony society.

I’ve followed your advocacy efforts for years, from the beginnings of the Comcast/BitTorrent issue on through your more recent activities re NebuAd. And the first thing that strikes me is that you spend A LOT of time and energy pursuing these issues. What drives you to do so?

The Internet allows everyday individuals to issue their unique perspectives, showcase their art, offer their products, or follow their interests. In a sense, that’s what I’m doing. But I’m especially motivated because, in the history of mankind, there are only a few moments in human expression that rival this one – perhaps the invention of the printing press, the radio, or the postal system comes closest.

The Internet itself is the ultimate people-helping-people Open Source project. The protocols and standards that allow it to work are given and maintained for free by people who have poured their best into it. That’s worth enabling others to participate in it. If threatened by a bad actor, it’s worth defending.

How do you choose what you research and expose?

I don’t choose. If it’s important and relevant and I’ve spent some time on it, I just put it out there. Who knows, it might save someone time and aggravation months or years later.

I put out my findings about Comcast in May 2007 and they sat, mostly dormant, until August when a major blogger picked up on them. My approach to the Comcast case was, “Hey, here’s something that’s not supposed to be happening!” It essentially was a simple complaint that I made publicly because it was being denied by Comcast and it was reproducible.

At first, I figured that someone at Comcast made a boneheaded decision and, once I explained why an ISP ought not to do that, they’d just say, “Hey, you’re right, we’ll fix that.” I just thought someone at Comcast made a well-intended, poorly-executed goof. But things started to pile up. Sandvine’s use was unknown among Comcast’s own tech-support people – so if any customers had any complaints about it, they were ignored. Comcast then issued flat denials about it, even going as far as to suggest that my testing didn’t amount to anything (not that they ever asked me to demonstrate it to them). I then knew this was going to be one for the long haul.

As it turns out, I wasn’t the first person to notice the strange things that happened when users tried to upload using Comcast – I was the first person (outside of their inner circle) to figure out what was causing the disconnections.

Similarly, my being very familiar with how the Internet and its technologies work was what led me to look at NebuAd. Customers were reporting that cookies were mysteriously appearing on their platforms. I knew that something very unusual had to be causing that, since browsers will only accept cookies under limited circumstances. I found the injected JavaScript nearly immediately, but I spent many hours over many days trying to make it happen in a scenario where I controlled both the browser and the server (so that I could isolate it). Apparently NebuAd had this thing wired down to the IP addresses of Google and Yahoo because I couldn’t fake it out. So I had to raise the issue with Google, and they were very helpful and appreciative and confirmed that they weren’t responsible for the injected script. Case proven.

One of the questions I hear a lot from marketers relates to how ISP-based BT differs from what I am going to call “regular BT”, meaning the approach used by most ad networks in which they track activities on the pages where they serve ads. Can you tell me about why the ISP based approach is more troubling to you? Or isn’t it?

Let me start by saying that my objection is not about the advertising. My objection is having an ISP be complicit in “tapping” the line. We don’t let people listen in on non-broadcast radio signals and disclose the contents of those communications, we don’t accept that behavior on our telephone lines, why would we accept that on our Internet connections? And it’s not like the ISPs and NebuAd didn’t know that users would object -- that’s why they disclosed “under the radar” by quietly changing the legalese that nobody regularly scans for changes.

Secondly, an Internet Service Provider is selling access to a brand – Internet. It is a set of standards that are open and agreed-on and interoperable protocols. Just like a fast-food joint can’t sell Kool-Aid as Cola, an ISP can’t sell something as “the Internet” when it has changed the formula. On the heels of Comcast screwing with the TCP protocol to tear down connections, we had NebuAd doing the same thing to inject a script. NebuAd did this to fake-out the browser into doing things that its security precautions would normally prevent.

In both cases, the issue was that the ISP did something it ought not to be doing. It’s not an objection about how a website or an ad network does Behavioral Targeting across a variety of sites.

How is what NebuAd did different from how the portals collect our online travels using a toolbar like Google Toolbar?

Users who are extremely sensitive about their privacy would never install those toolbars. But some people do, and I have. The Google toolbar, the Alexa toolbar, or Compete’s toolbar – all these things are applications that “spy” in plain sight. You invite them onto your computer, and you can remove them. They exist in a frictionless environment – if the user doesn’t like the intrusion, they’re gone in one moment. Users can disable or uninstall the unwanted application and their surfing information is no longer being shared. The user remains in control and loses essentially nothing for revoking his permission to be tracked.

Embedding the spying device into the ISP changes everything. Most homes in the United States are served by one or two broadband providers. If your only broadband provider is letting a third-party tap your line, the only choice is to do without. (Under the NebuAd model, opting-out only stops the targeted ads – NebuAd is still presented with all of your data – opting completely out was impossible.)

Many people have focused on the idea of robust notice as the key issue with NebuAd and the ISPs, but it doesn’t seem to me that they did anything different in that regard than millions of web sites are already doing when they work with an ad network. Is there a difference in your view, or is it all problematic?

Up to this point, I think that most ad networks worked in a way where a user retained control in a normal way. Users could turn off scripting, block hosts, erase cookies – and for the most part, privacy-conscious users acting like normal privacy-conscious users can successfully avoid tracking (or avoid building a significant profile).

The NebuAd model was not avoidable by privacy-conscious users. It tracked users regardless of their desire. The opt-out didn’t protect them and the opt-out cookie went away when users cleared their cookies (which privacy-conscious users do).

Just a word about “Robust” notice -- Remember that NebuAd claimed that it required robust notice, but the only ISP that I know of which actually provided prior and assertive notice was that big NebuAd ISP that never got started – Charter! The rest of them slipped NebuAd in under the radar or notified their users after the investigation began.

Boiling it all down, how much do the privacy issues you see online relate to our use of opt-out versus opt-in models?

I think that “Opt-In” is the argument winner for your industry. How can anyone object on grounds of “illegal,” or “unethical,” or “non-standard” when the user has specifically and truly optionally requested to do whatever it is you’re doing? Embrace truly informed “opt-in” and all these regulatory or lawsuit risks go away. Now, it’s not a true “opt-in” if you’re not clear. Don’t tell me boldly that you’re a “security” application when you’re also quietly selling the click stream out the back door. Opt-in means I’m fully informed and completely free to decline without losing something that I already have.

Opt-Out as implemented today just won’t work. It’s a “sounds-good, does-nothing” solution. It’s the kind of non-solution that causes users just to reject all advertising.

What are your views on the proposed NAI guidelines for BT?

I think that industry best-practices are very useful and that membership and participation in such groups is part of being an active part of your community. I think that calling for “Opt-In” use of DPI is the right call. The application of DPI on the Internet is still very immature and the rush to beat the competition might trample discretion.

Do you think a federal privacy law would be beneficial to consumers? To business? Is it practical to create a valuable privacy law in a rapidly changing technological environment?

Right now the privacy laws are here-and-there. Consumers wouldn’t know where to start or finish looking for the laws that apply to their situation. Business is afraid that changing these patches of laws into some kind of unified “quilt” would change things. They’re right – it will change things. But who is more used to change than your industry? You’re always either leading it or following it. So, what else do they have to be afraid of?

One of the biggest challenges I feel as a marketer is how to make decisions on marketing tools that are increasingly technical – difficult for lay people like me to understand. It’s tough to know what questions we should be asking. Can you provide thoughts on what questions marketers need to ask in order to stay on the right side of preserving user privacy?

“What would my mother think of this?” is the question people should ask. If she would object, it’s probably wrong on some level. Are you having to “color” or oversell the description of what you’re doing? Are you having to bury the disclosure? Those are all signs you’re on the wrong side of the fence.

Why is it important to focus on digital business practices versus offline practices? Since reputable digital marketing technologies don’t collect PII, aren’t they LESS DANGEROUS to privacy than, say, the catalog industry or credit bureaus that routinely collect, use, and share PII?

You’re making the case for unifying these conflicting privacy laws, or at least trying to rediscover the principles or expectations that created the privacy laws we have. NebuAd missed the point, claiming that it was fine because it didn’t save any PII even though it saw everything you said and did (even PII if it happened to be in the data) when you thought you were interacting in privacy.

You’ve been very successful at documenting the questionable behaviors of very large and well funded companies. I am really amazed at your successes. What makes you so successful? How have you leveraged digital media to gain awareness for the issues you care about?

I’ve been privileged to work with others, including my clients Free Press and Public Knowledge, which are excellent in the fields that are their namesakes. They’re very interested in keeping the Internet a free and level marketplace, as are many of your readers (there would be a lot fewer online marketers if the Internet became a managed “walled garden” environment.)

My stock in trade about any subject is the set of facts about it. I explain things in simple and historical terms and in ways so that others can repeat my steps and see the same results I saw. I use my real name. I avoid complication. I give both sides. I am passionate, but my value is my technical knowledge and ability, and I try and extend that to others.

It strikes me that whenever there is a controversy between privacy advocates and digital companies, the debate quickly devolves into personal attacks instead of directly addressing issues. Has this been your experience?

Yes, and it’s unfortunately contagious. We should all speak with facts and challenge our biases – or risk being challenged by both.

In closing, do you have any thoughts or advice for marketers concerned about both the ethical and legal aspects of online targeting technologies?

It’s not a war against advertising, please understand that. Don’t resist change, participate in it. You’re Internet users, too.

OK, one very personal and totally unrelated question: Is there any video online of one of your Funchords barbershop performances? ;-)

Unfortunately, because of the convoluted way that mechanical licenses work for music, I haven’t tried to clear anything that I could publish online. None of the quartets I was in ever bore the name “Funchords,” although all of my quartets have been more the up-tune and comedy variety. “One Bit Parody” was the work quartet (Intel – a play on the error-checking routine called parity), and we did company and non-company gigs both in and out of Oregon. “Spare Time” was the non-work quartet and we did local gigs and contests. The last song “One Bit Parody” ever sang together was Smile. This isn’t us, but it’s that song and we’re about that caliber -- http://www.youtube.com/watch?v=J6o-RKMVEZY

2 comments:

  1. Fantastic interview overall. Oldest living has clearly made it to the upper tier, as Robb has played such an important role in some big technological-marketing disputes. My favorite point is, "What would my mother think of this?" We've used that when trying to understand technology and ethics and I think that is the truest measure stick of when a technology is crossing the line.

  2. great interview robb

    "gator"
