Thursday, December 4, 2008

New Site And Messaging For NebuAd...



There's a pretty new site and some changes to the model at NebuAd. Their new model aggregates data from ISPs, publishers, and emerging media channels to provide behavior clusters. So more data sources.



More data sources is relevant because some ISPs are gonna want a piece of them for a bit. But they can expand their footprint with publisher and emerging media data, to get scale.

They've done some more explicit naming and graphics, like the "privacy protection layer."

It's still opt out, so that won't make the super privacy advocates happy. But then so is every other BT offering that I know of, anyway.

Here's their constituency messaging:

Insight for Marketers
- Rich, multi-dimensional insights based on anonymous, online user activity and multiple interest triggers.
- More precise targeting / re-targeting of defined audiences based on demonstrated likelihood of buying a product or service.
- Audience & campaign intelligence reports with insights into who your audience is and what their interests are, enabling audience-specific messaging.
- Minimized waste through precise and effective matching of qualified audiences to each specific campaign.

Insight for Media Companies
- Most effective solution for boosting RPM and monetizing all of your inventory.
- Comprehensive aggregate reports with industry-leading visitor intelligence based on actual visitor activity.
- Turnkey deployment to get up and running quickly with minimal effort and disruption.
- Flexibility to automatically accommodate changes to your site.

Insight for Communication Providers
- Most effective solution for achieving stronger revenue growth via market-leading advertising system, while preserving and enhancing the interests of advertisers, publishers and consumers.
- Deliver built-in, industry-leading consumer privacy and data protection with Privacy by Design approach.
- Transparent technologies and wire-speed performance ensure an optimal user experience.
- Turnkey deployment to get up and running quickly with minimal effort and disruption to your existing network.


They are outlining the following privacy protections:

As a team of Internet security and online advertising veterans, we hold the highest standards in consumer privacy protection. Our unique Privacy by Design approach ensures that we safeguard consumer privacy and consumer data while empowering consumers with proper control.

- We do not collect or use personally identifiable information.
- We have no knowledge of any web user's identity since we exclusively employ anonymous segmentation processes.
- We do not store the original raw data about a web user's online activities, such as websites visited, in association with anonymous individual segmentation.
- We use the data exclusively to map interests to market segment categories.
- We require our partners to provide consumer notice and offer informed choice in a manner appropriate to the partnership type and channel.
- We make available on-going disclosure and informed choice.


Honestly, I don't see a lot of difference in the privacy message there versus what they said before. But there is a de facto difference in that no one in their right mind would work with them without sending emails in 44 point bold type informing people. And that, my friends, was the bulk of the rub before.

There was another issue, if I understand it correctly, and that is the undisclosed redirection of the browser. I'm guessing that has been addressed as well, though I dunno for sure. Whether it is addressed through a change in process or will be disclosed in the...disclosure...I would imagine that they have a solution there. Without addressing it, I would imagine they would face ISP acceptance problems. That, I understand, is NOT an essential process for ISP targeting.

I didn't see any mention of the issue in the privacy policy, but I ain't no lawya.

Thanks for reading, and don't forget to write.

Thursday, October 2, 2008

POV Thursdays: Q&A With Robb Topolski

It’s difficult to know where to begin in providing a short intro to this Q&A exchange with Robb Topolski. Unless you’ve been living under a rock, I am sure you know the name. Robb was the citizen who exposed Comcast’s secret blocking of BitTorrent traffic to its customers. He is also the man who produced the study that questioned both the processes and policies of NebuAd and the ISPs that worked with it (or planned to work with it).

Robb is an unlikely celebrity. His background is highly technical, and he doesn’t live in a key news media market. The research he does doesn’t sound-bite well. Yet somehow he causes tremendous change in the digital arena.

What I think makes him so compelling is his passion and his sincerity. Robb does what he does because he believes it is the right thing to do. Whether or not you agree with his POV, it’s important that we in the digital marketing industry really listen to the issues he raises. I say that because digital marketing techniques are a new world in terms of the technological sophistication required to entirely understand them.

So with that intro, here are Robb’s answers to the questions I thought might interest you. I am grateful to him for his willingness to participate. He often talks to national media, but I am pleased that he was willing to share his views on this, the digital marketing industry’s version of The Golden Girls’ Shady Pines Retirement Home.


Can you tell us a bit about your background – what makes you adept at sleuthing business practices like those of Comcast and NebuAd?

I don’t know if this would be cause or effect, but I learned to read music before I learned to read anything else. I was picking out tunes on a Hammond organ when my Mom and a music teacher bartered lessons for – I think – dog grooming! I’ve always had an eye and ear for algorithms, protocols, and other transactional sequences and an insatiable curiosity and enthusiasm for technology. In the early 70s, I was programming screen-less computers using paper tape for input and teletype for output.

Even with that geeky foundation, I’ve always had an inclination to service. My Dad was a veteran, a volunteer firefighter and a Little-League umpire. I would have defiantly denied it at the time, but he taught me the rewards of service. I was a Boy Scout, and later an Explorer Scout Leader, community sports coach, I did my own stint in the military, and I’ve been a music leader both in church and the Barbershop Harmony society.

I’ve followed your advocacy efforts for years, from the beginnings of the Comcast/BitTorrent issue on through your more recent activities re NebuAd. And the first thing that strikes me is that you spend A LOT of time and energy pursuing these issues. What drives you to do so?

The Internet allows everyday individuals to issue their unique perspectives, showcase their art, offer their products, or follow their interests. In a sense, that’s what I’m doing. But I’m especially motivated because, in the history of mankind, there are only a few moments in human expression that rival this one – perhaps the invention of the printing press, the radio, or the postal system comes closest.

The Internet itself is the ultimate people-helping-people Open Source project. The protocols and standards that allow it to work are given and maintained for free by people who have poured their best into it. That’s worth enabling others to participate in it. If threatened by a bad actor, it’s worth defending.

How do you choose what you research and expose?

I don’t choose. If it’s important and relevant and I’ve spent some time on it, I just put it out there. Who knows, it might save someone time and aggravation months or years later.

I put out my findings about Comcast in May 2007 and they sat, mostly dormant, until August when a major blogger picked up on them. My approach to the Comcast case was, “Hey, here’s something that’s not supposed to be happening!” It essentially was a simple complaint that I made publicly because it was being denied by Comcast and it was reproducible.

At first, I figured that someone at Comcast made a boneheaded decision and, once I explained why an ISP ought not to do that, they’d just say, “Hey, you’re right, we’ll fix that.” I just thought someone at Comcast made a well-intended, poorly-executed goof. But things started to pile up. Sandvine’s use was unknown among Comcast’s own tech-support people – so if any customers had any complaints about it, they were ignored. Comcast then issued flat denials about it, even going as far as to suggest that my testing didn’t amount to anything (not that they ever asked me to demonstrate it to them). I then knew this was going to be one for the long haul.

As it turns out, I wasn’t the first person to notice the strange things that happened when users tried to upload using Comcast – I was the first person (outside of their inner circle) to figure out what was causing the disconnections.

Similarly, my being very familiar with how the Internet and its technologies work was what led me to look at NebuAd. Customers were reporting that cookies were mysteriously appearing on their platforms. I knew that something very unusual had to be causing that, since browsers will only accept cookies under limited circumstances. I found the injected JavaScript nearly immediately, but I spent many hours over many days trying to make it happen in a scenario where I controlled both the browser and the server (so that I could isolate it). Apparently NebuAd had this thing wired down to the IP addresses of Google and Yahoo because I couldn’t fake it out. So I had to raise the issue with Google, and they were very helpful and appreciative and confirmed that they weren’t responsible for the injected script. Case proven.

One of the questions I hear a lot from marketers relates to how ISP-based BT differs from what I am going to call “regular BT”, meaning the approach used by most ad networks in which they track activities on the pages where they serve ads. Can you tell me about why the ISP based approach is more troubling to you? Or isn’t it?

Let me start by saying that my objection is not about the advertising. My objection is having an ISP be complicit in “tapping” the line. We don’t let people listen in on non-broadcast radio signals and disclose the contents of those communications, we don’t accept that behavior on our telephone lines, why would we accept that on our Internet connections? And it’s not like the ISPs and NebuAd didn’t know that users would object -- that’s why they disclosed “under the radar” by quietly changing the legalese that nobody regularly scans for changes.

Secondly, an Internet Service Provider is selling access to a brand – Internet. It is a set of standards that are open and agreed-on and interoperable protocols. Just like a fast-food joint can’t sell Kool-Aid as Cola, an ISP can’t sell something as “the Internet” when it has changed the formula. On the heels of Comcast screwing with the TCP protocol to tear down connections, we had NebuAd doing the same thing to inject a script. NebuAd did this to fake-out the browser into doing things that its security precautions would normally prevent.

In both cases, the issue was that the ISP did something it ought not to be doing. It’s not an objection about how a website or an ad network does Behavioral Targeting across a variety of sites.

How is what NebuAd did different from how the portals collect our online travels using a toolbar like Google Toolbar?

Users who are extremely sensitive about their privacy would never install those toolbars. But some people do, and I have. The Google toolbar, the Alexa toolbar, or Compete’s toolbar – all these things are applications that “spy” in plain sight. You invite them onto your computer, and you can remove them. They exist in a frictionless environment – if the user doesn’t like the intrusion, they’re gone in one moment. Users can disable or uninstall the unwanted application and their surfing information is no longer being shared. The user remains in control and loses essentially nothing for revoking his permission to be tracked.

Embedding the spying device into the ISP changes everything. Most homes in the United States are served by one or two broadband providers. If your only broadband provider is letting a third-party tap your line, the only choice is to do without. (Under the NebuAd model, opting-out only stops the targeted ads – NebuAd is still presented with all of your data – opting completely out was impossible.)

Many people have focused on the idea of robust notice as the key issue with NebuAd and the ISPs, but it doesn’t seem to me that they did anything different in that regard than millions of web sites are already doing when they work with an ad network. Is there a difference in your view, or is it all problematic?

Up to this point, I think that most ad networks worked in a way where a user retained control in a normal way. Users could turn off scripting, block hosts, erase cookies – and for the most part, privacy-conscious users acting like normal privacy-conscious users can successfully avoid tracking (or avoid building a significant profile).

The NebuAd model was not avoidable by privacy-conscious users. It tracked users regardless of their desire. The opt-out didn’t protect them and the opt-out cookie went away when users cleared their cookies (which privacy-conscious users do).

Just a word about “Robust” notice -- Remember that NebuAd claimed that it required robust notice, but the only ISP that I know of which actually provided prior and assertive notice was that big NebuAd ISP that never got started – Charter! The rest of them slipped NebuAd in under the radar or notified their users after the investigation began.

Boiling it all down, how much do the privacy issues you see online relate to our use of opt-out versus opt-in models?

I think that “Opt-In” is the argument winner for your industry. How can anyone object on grounds of “illegal,” or “unethical,” or “non-standard” when the user has specifically and truly optionally requested to do whatever it is you’re doing? Embrace truly informed “opt-in” and all these regulatory or lawsuit risks go away. Now, it’s not a true “opt-in” if you’re not clear. Don’t tell me boldly that you’re a “security” application when you’re also quietly selling the click stream out the back door. Opt-in means I’m fully informed and completely free to decline without losing something that I already have.

Opt-Out as implemented today just won’t work. It’s a “sounds-good, does-nothing” solution. It’s the kind of non-solution that causes users just to reject all advertising.

What are your views on the proposed NAI guidelines for BT?

I think that industry best-practices are very useful and that membership and participation in such groups is part of being an active part of your community. I think that calling for “Opt-In” use of DPI is the right call. The application of DPI on the Internet is still very immature and the rush to beat the competition might trample discretion.

Do you think a federal privacy law would be beneficial to consumers? To business? Is it practical to create a valuable privacy law in a rapidly changing technological environment?

Right now the privacy laws are here-and-there. Consumers wouldn’t know where to start or finish looking for the laws that apply to their situation. Business is afraid that changing these patches of laws into some kind of unified “quilt” would change things. They’re right – it will change things. But who is more used to change than your industry? You’re always either leading it or following it. So, what else do they have to be afraid of?

One of the biggest challenges I feel as a marketer is how to make decisions on marketing tools that are increasingly technical –difficult for lay people like me to understand. It’s tough to know what questions we should be asking. Can you provide thoughts on what questions marketers need to ask in order to stay on the right side of preserving user privacy?

“What would my mother think of this?” is the question people should ask. If she would object, it’s probably wrong on some level. Are you having to “color” or oversell the description of what you’re doing? Are you having to bury the disclosure? Those are all signs you’re on the wrong side of the fence.

Why is it important to focus on digital business practices versus offline practices? Since reputable digital marketing technologies don’t collect PII, aren’t they LESS DANGEROUS to privacy than, say, the catalog industry or credit bureaus that routinely collect, use, and share PII?

You’re making the case for unifying these conflicting privacy laws, or at least trying to rediscover the principles or expectations that created the privacy laws we have. NebuAd missed the point, claiming that it was fine because it didn’t save any PII even though it saw everything you said and did (even PII if it happened to be in the data) when you thought you were interacting in privacy.

You’ve been very successful at documenting the questionable behaviors of very large and well funded companies. I am really amazed at your successes. What makes you so successful? How have you leveraged digital media to gain awareness for the issues you care about?

I’ve been privileged to work with others, including my clients Free Press and Public Knowledge, which are excellent in the fields that are their namesakes. They’re very interested in keeping the Internet a free and level marketplace, as are many of your readers (there would be a lot fewer online marketers if the Internet became a managed “walled garden” environment.)

My stock in trade about any subject is the set of facts about it. I explain things in simple and historical terms and in ways so that others can repeat my steps and see the same results I saw. I use my real name. I avoid complication. I give both sides. I am passionate, but my value is my technical knowledge and ability, and I try and extend that to others.

It strikes me that whenever there is a controversy between privacy advocates and digital companies, the debate quickly devolves into personal attacks instead of directly addressing issues. Has this been your experience?

Yes, and it’s unfortunately contagious. We should all speak with facts and challenge our biases – or risk being challenged by both.

In closing, do you have any thoughts or advice for marketers concerned about both the ethical and legal aspects of online targeting technologies?

It’s not a war against advertising, please understand that. Don’t resist change, participate in it. You’re Internet users, too.

OK, one very personal and totally unrelated question: Is there any video online of one of your Funchords barbershop performances? ;-)

Unfortunately, because of the convoluted way that mechanical licenses work for music, I haven’t tried to clear anything that I could publish online. None of the quartets I was in ever bore the name “Funchords,” although all of my quartets have been more the up-tune and comedy variety. “One Bit Parody” was the work quartet (Intel – a play on the error-checking routine called parity), and we did company and non-company gigs both in and out of Oregon. “Spare Time” was the non-work quartet and we did local gigs and contests. The last song “One Bit Parody” ever sang together was Smile. This isn’t us, but it’s that song and we’re about that caliber -- http://www.youtube.com/watch?v=J6o-RKMVEZY

Monday, September 8, 2008

The Sunset of US Internet Leadership?



Mashable has an excellent post on how the US may be losing leadership in the digital space. They point to the following developments as signs of bad times ahead:

1. Comcast and others are imposing bandwidth limits on home Internet accounts. This is ultimately a move to increase revenue without improving infrastructure.
2. Canadian universities are dropping their use of US Internet infrastructure because of the high levels of monitoring and surveillance allowed by the so-called Patriot Act.
3. Foreign companies and governments are building alternate routing systems so that they can avoid being dependent upon the US and indeed exposing their traffic to US surveillance. And who can blame them?


The Mashable post says we are becoming a backwater. Seems a bit excessive a categorization to me, but it points to how everything is connected, and that all decisions have consequences, foreseen and not.

The bandwidth charging stuff is perhaps the only controllable part of the soup, and it seems highly unlikely to change given the ISP's desire for more revenue without major infrastructure investment. And to be fair, they have NOT been able to capitalize on the explosion of web revenue from advertising. Which is what NebuAd was (is?) ultimately about.

Thanks for reading, and don't forget to write.

Thursday, September 4, 2008

NebuAd Mothballs Its ISP Targeting Platform


Question: If you are in the woods, and you shutter a platform that no one uses, does it make a sound?

OK, maybe that was a cheap shot. But it should come as no surprise to the world that NebuAd has "suspended" the use of its platform, which has been attacked across the media and indeed in the halls of Congress. Read more at MediaPost, courtesy of writer Wendy Davis.

NebuAd claimed that they were covering 10% of ISP users earlier this year. Now, that's Internet math, so if we lop off a zero that's 1%. The Congressional inquiry revealed that six major ISPs had tested NebuAd -- and none were using it today, so the suspension had likely been achieved by the market long before NebuAd announced it.

What next for NebuAd? We'll be finding out in the next few weeks I am sure. Too many people have too much money in this baby to let it die without a fight.

Also, we all need to realize that this does NOT mean the end of ISP-based targeting products. The issues that were raised about NebuAd related to:

1. Insufficient consumer notice. Or indeed in some cases it is debatable whether there was any notice at all.

2. Data collection methods. Allegations of procedures that amounted to forgery and wiretapping.

3. Lack of consumer value exchange. What were consumers getting in return for their "participation"?

But ISPs still want more ways to make more money from subscribers.

What this category REALLY needs is some genuine innovation to drive opt-in at strong levels coupled with real consumer value exchange.

Thanks for reading, and don't forget to write.

Tuesday, September 2, 2008

Is Your ISP Tracking Your Online Behavior? Check This List From SV Insider

Silicon Valley Insider has published a list of which ISPs were and are tracking consumers, whether they work(ed) with NebuAd, someone else, or are doing it through internal systems. Check out the list.

Thanks to SV Insider for compiling this list.

Thanks for reading, and don't forget to write.

Wednesday, August 20, 2008

ISP Targeting: In the EU The Gun Sights Are On Phorm

I'm not suggesting for a moment that the heat is off NebuAd, but in the EU at least the company in the sights of regulators is Phorm. You may recall that Phorm had a positively disastrous time in the UK last summer when they quietly launched their version of an ISP based ad network with BT (nee British Telecom), Virgin Mobile, and TalkTalk. Well, quietly is not the right word. Secretly is actually the correct term. Or perhaps covertly.

Phorm is the new name developed by a spyware operation called 121Media, which used offers of free secondary utility applications to convince people to download their adware/spyware products. Tomato/tomahto. As with Gator, the early days of this business in particular were loaded with examples of people not understanding that they were allowing 121Media to track their behaviors and field targeted ads. 121Media claimed it was those pesky partners that distributed their software that were to blame for these atrocities. Several million Americans including myself will find the story rather familiar -- we downloaded apps that gave Gator permission to field ads to us based upon surfing habits. Then, when we realized what we had done, we found Gator all but unremovable.

OK, so Phorm. They changed the name of the company and shifted their focus from getting people to download their offering to getting ISPs to sell them the non-PII portion of the info that made ad targeting possible.

Only trouble is, they didn't tell the people that were being tracked in the test. Some 18,000 of them. I don't mean they buried the revelation. They didn't tell them AT ALL, even in an intentionally quiet way.

How was this all discovered? Well, by a reader of TheRegister.co.uk, as outlined in this post. Here's an excerpt:

In June 2007, Reg reader Stephen noticed his Firefox 2.0.0.4 installations making suspicious unauthorised connections to the domain dns.sysip.net every time he visited any website. Naturally worried his machines had contracted some kind of digital infection, Stephen performed a series of exhaustive malware scans, which all came back clean.

He wasn't the only BT subscriber to notice that his browser was making the mysterious contacts around July last year, as this thread archived at Thinkbroadband.com shows.

"I spent all weekend wiping my disks clean and reinstalling from backups (four PCs seemed to be affected). I spent a further two days researching and installing all kinds of anti-virus, anti-spyware and anti-rootkit utilities. But even after all that I still have this problem!" Stephen told us at the time.

Having failed to trace the source of the dodgy redirect in his own network, he contacted BT to suggest one of their DNS servers may have been hijacked. BT dismissed the idea, yet the browser requests were still making an unauthorised stop off at dns.sysip.net.

Worried that his business' financial data might be being monitored, Stephen continued to investigate. A Whois search for dns.sysip.net revealed the domain was registered by Ahmet Can, an employee of a new online advertising company called 121Media. The address is now registered through a third party private domaining agency. 121Media rebranded itself as - you guessed it - Phorm in May 2007.

This is, you'll be unsurprised to learn, indeed the same Phorm that BT, Virgin Media and Carphone Warehouse recently revealed they had agreed to sell their customers' browsing habits to, despite the questions over its links to spyware. For helping Phorm target advertising, the ISPs are set to bag a cut of click revenues.
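Both the cookies Robb Topolski describes appearing on NebuAd subscribers' machines and the Firefox connections to dns.sysip.net in the excerpt above share one symptom: a host that gets contacted on every page load no matter which site is visited. The following is an added example, not code from The Register, BT, Phorm or Topolski; it scores third-party hosts in a constructed proxy-style log by how many distinct sites they appear under, and separately counts the sites where they were the only third party, since an ISP-level injector or redirect shows up even on pages that embed nothing. The log format, the `.test` hostnames and the thresholds are constructed assumptions.

```python
"""Spot a host that a browser contacts on (nearly) every page load no matter
which site was visited: the symptom behind the dns.sysip.net connections in
the BT/Phorm trial and the cookies that appeared on NebuAd subscribers'
machines.  Added illustration; the log format, hostnames (.test) and
thresholds are constructed, not taken from the reports quoted above."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-style log, one request per line:
#   "<epoch seconds> <method> <url> <referer or ->"
# A referer of "-" marks an address-bar navigation or a redirect hop off one.
SAMPLE_LOG = """\
1181640001 GET http://www.example-news.test/ -
1181640001 GET http://dns.sysip.test/track?u=1 -
1181640002 GET http://cdn.example-news.test/site.css http://www.example-news.test/
1181640002 GET http://ads.adnet.test/show.js http://www.example-news.test/
1181640030 GET http://hobby-pages.test/knots.html -
1181640030 GET http://dns.sysip.test/track?u=2 -
1181640031 GET http://hobby-pages.test/knots.css http://hobby-pages.test/knots.html
1181640090 GET http://shop.example.test/cart -
1181640090 GET http://dns.sysip.test/track?u=3 -
1181640091 GET http://ads.adnet.test/show.js http://shop.example.test/cart
1181640091 GET http://images.shop.example.test/p.jpg http://shop.example.test/cart
1181640150 GET http://mail.webmail.test/inbox -
1181640150 GET http://dns.sysip.test/track?u=4 -
1181640151 GET http://static.webmail.test/app.js http://mail.webmail.test/inbox
"""

PAGE_WINDOW = 5  # seconds; referer-less requests this close together are one page load


def host_of(url):
    return urlsplit(url).hostname or ""


def site_key(host):
    """Approximate the registrable domain by the last two labels, so that
    cdn.example-news.test counts as first-party on www.example-news.test."""
    return ".".join(host.split(".")[-2:])


def parse_line(line):
    ts, _method, url, referer = line.split(" ", 3)
    return int(ts), host_of(url), None if referer == "-" else host_of(referer)


def group_page_loads(lines, window=PAGE_WINDOW):
    """Return [(first_party_host, {hosts contacted})] for each page load.

    A referer-less request opens a new page load unless it falls within
    `window` seconds of the current load's start; that keeps a redirect hop
    (which carries no referer either) attached to the navigation it rode on.
    Link clicks carry a referer and are folded into the previous load, which
    is acceptable for coverage counting."""
    loads = []
    current = None  # [first_party_host, start_ts, hosts]
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, host, referer_host = parse_line(raw)
        if referer_host is None and (current is None or ts - current[1] > window):
            current = [host, ts, set()]
            loads.append(current)
        if current is None:
            continue  # a referred request before any navigation: unattributable
        current[2].add(host)
    return [(fp, hosts) for fp, _start, hosts in loads]


def find_ubiquitous_hosts(lines, min_coverage=0.9, min_sites=3, window=PAGE_WINDOW):
    """Return [(third_party_site, sites_seen_on, total_sites, sole_third_party_on)]
    for every third-party site present on at least `min_coverage` of the
    distinct sites visited.  `sole_third_party_on` counts visited sites where
    it was the ONLY third party: a publisher-embedded ad network never shows
    up on a page that embeds nothing, an on-path injector or redirect does."""
    third_parties_by_site = defaultdict(set)
    for fp, hosts in group_page_loads(lines, window):
        site = site_key(fp)
        third_parties_by_site[site].update(
            site_key(h) for h in hosts if site_key(h) != site)
    total = len(third_parties_by_site)
    if total < min_sites:
        return []  # too little browsing to say anything about coverage
    sites_per_third_party = defaultdict(set)
    for site, tps in third_parties_by_site.items():
        for tp in tps:
            sites_per_third_party[tp].add(site)
    flagged = []
    for tp, sites in sites_per_third_party.items():
        if len(sites) / total >= min_coverage:
            sole = sum(1 for s in sites if third_parties_by_site[s] == {tp})
            flagged.append((tp, len(sites), total, sole))
    flagged.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return flagged


if __name__ == "__main__":
    for tp, seen, total, sole in find_ubiquitous_hosts(SAMPLE_LOG.splitlines()):
        print(f"{tp}: on {seen}/{total} sites, sole third party on {sole}")
```

On the constructed log the ad network appears only where publishers embedded it, while the redirect host rides along on all four sites and is the lone third party on the two that embed nothing; a shortlist like this is the starting point for the kind of controlled reproduction Topolski describes, not proof on its own.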


So, throughout the test period Phorm and BT had a novel consumer communications system.

DENY DENY DENY!

BT actually called the hijack process by which the system worked a clear incidence of malware.

But then! On 2/14/2008, BT and two other companies announced they had a deal, and that the hijack process was

validated under best industry practices, both through an independent audit conducted by Ernst & Young (View report PDF) and a Privacy Impact Assessment undertaken by Simon Davies, MD of 80/20 Thinking and Director of Privacy International.

Malware...revolutionis[ing] current standards of online privacy and fully protect[ing] the identity of consumers. Tomato...tomahto.

Phorm was paired with an application called Web Wise which was supposed to make people feel OK about the tracking. It was and is a phishing detector.

The British government essentially decided not to deeply pursue whether laws had been broken in the BT test. They issued their opinion that things were okiedokie, but many European web experts disagreed, as outlined in this post on TheRegister.co.uk.

(Has the US started exporting Bush Administration officials? ;-) We have loads more folks like this, UK, if you want them. 2 for 1 sale through November.)

Here's a morsel:

"The explicit consent of a properly-informed user is necessary but not sufficient to make interception lawful.

"The consent of those who host the web pages visited by a user is also required, since they communicate their pages to the user, as is the consent of those who send email to the user, since those who host web-based email services have no authority to consent to interception on their users' behalf."


And the EU earlier this summer insisted they do so. Here is the text of the letter that was sent to the Brits by Brussels:

Dear Sir,

I am writing to you in relation to certain issues arising from the past and future deployment by some major United Kingdom Internet Service providers of the technology provided by a company called 'Phorm' to serve their customers with targeted advertisements based on prior analysis of these customers' internet usage.

In March 2008, a number of news items appeared in the media concerning the planned use by United Kingdom ISPs of the Phorm technology. Many of these publications raised issues concerning the impact of this technology on the privacy of Internet users. The information published on the web also included an e-petition submitted to the Prime Minister and a complaint made to the Information Commissioner's Office (ICO). In addition, in early April 2008, BT published a briefing according to which it had performed trials of the Phorm technology in autumn 2006 and summer 2007. In a TV interview, a BT representative confirmed that these trials had been performed without informing the customers affected and obtaining their consent.

The European Commission has already been contacted by Members of the European Parliament from the United Kingdom who communicated the concerns of their constituents regarding the deployment of Phorm technology. The issue has also been the subject of several written parliamentary questions addressed to the Commission by MEPs asking the Commission to comment on the applicability of EU legislation and also to set out its intended action in relation to the previous trials. Finally, a number of individuals have also written to the Commission directly to express their concerns and invite it to intervene in the matter.

In order to provide the response that is expected from it, the Commission needs to base itself on a clear understanding of the position of the United Kingdom authorities. Several EU law provisions concerning privacy and electronic communications may be applicable to other activities involved in the deployment of Phorm technology by ISPs.

In particular, Directive 2002/58/EC on privacy and electronic communications, which particularises and complements for the electronic communications sector the general personal data protection principles defined in Directive 95/46/EC (Data Protection Directive), obliges Member States to ensure the confidentiality of communications and related traffic through national legislation. They are required to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than the users without their consent (Article 5(1)). The consent must be freely given, specific and an informed indication of the user's wishes (Article 2(h) of Directive 95/46/EC). Traffic data may only be processed for certain defined purposes and for a limited period. The subscriber must be informed about the processing of traffic data and, depending on the purpose of processing, prior consent of the subscriber or user must be obtained (Article 6 of Directive 2002/58/EC).

In the light of the above, we would highly appreciate it if the United Kingdom authorities could provide us with information on (1) the current handling by the United Kingdom authorities of the issues arising from the past trials of the Phorm technology by BT and on (2) the position of the United Kingdom authorities regarding the planned deployment of the Phorm technology by ISPs.

As regards the first issue, according to applicable EU law the responsibility for investigating complaints concerning such trials and determining whether the national legal provisions implementing the requirements of the relevant EU legislation have been complied with lies with the competent national authority(-ies) in the United Kingdom. The Information Commissioner's Office (ICO), which is responsible for enforcing the United Kingdom Data Protection Act 1998 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR), has made a number of statements on Phorm. In its latest published statement of 18 April 2008, the ICO analyses the conformity of the deployment of the Phorm technology with the DPA and the PECR. At the same time, the ICO indicates that it does not have responsibility for enforcing the Regulation of Investigatory Powers Act 2000 (RIPA), which has been invoked by some individuals who question whether the use of Phorm entails an unlawful interception of communications under this Regulation. In this respect, the ICO refers to a statement by the Home Office, which says that it is questionable whether the use of Phorm's technology involves an interception within the meaning of RIPA and that it does not consider that RIPA was intended to cover such situations. The ICO concludes on the issue of RIPA by stating that it will not be pursuing this matter. At the same time, the ICO statement does not include any indication as regards the intentions of the ICO in relation to the investigation of possible breaches of other relevant legal provisions* in the past trials of the Phorm technology.

Second, as regards the issues arising with regard to the planned future deployment of the Phorm technology, there appears to be a certain discrepancy between how it is envisaged by the ICO, the ISPs and Phorm itself. One of the most significant issues in this regard is the way in which customers will express their consent to the application of Phorm technology in their case. While the ICO seems to suggest that the consent of users for the Phorm technology should be on an opt-in basis and also BT seems to confirm this approach, Phorm has indicated that it intends to tackle user consent through providing 'transparent meaningful user notice'.

I would therefore be grateful to receive the response of the United Kingdom authorities on the following questions:

1. What are the United Kingdom laws and other legal acts which govern activities falling within the scope of Articles 5(1) and 6 of Directive 2002/58/EC on privacy and electronic communications and Articles 6, 7 and 17(1) of Directive 95/46/EC?

2. Which United Kingdom authority(-ies) is (are) competent (i) to investigate whether there have been any breaches of the national law transposing each of the above-mentioned provisions of Community law arising from the past trials of Phorm technology carried out by BT and (ii) to impose any penalties for infringement of those provisions where appropriate?

3. Have there been any investigations about the past trials of Phorm technology by BT and what were their results and the conclusions of the competent authority(-ies)? Are there ongoing investigations about possible similar activities by other ISPs?

4. What remedies, liability and sanctions are provided for by United Kingdom law in accordance with Article 15(2) of the Directive on privacy and electronic communications, which may be sought by users affected by the past trials of the Phorm technology and may be imposed by the competent United Kingdom authority(-ies) including the courts?

5. According to the information available to the United Kingdom authorities, what exactly will be the methodology followed by the ISPs in order to obtain their customers' consent for the deployment of Phorm technology in accordance with the relevant legal requirements and what is the United Kingdom authorities' assessment of this methodology?

Given the urgency of this matter I would highly appreciate receiving your reply within one month of receipt of this letter.

Yours sincerely,

Fabio Colasanti


The EU has far stricter definitions of online privacy protections.

The Brits demurred from responding, so the EU has since issued a "prewarning" followup letter.

This is beginning to become a rather significant embarrassment for the UK government, BT, and Phorm. More as it develops.

If you are looking for more on Phorm, make sure you head over to TheRegister.co.uk. They are clearly at the forefront of this investigation and issue. After all, they broke the story and typically break every significant development on the topic.

Thanks for reading, and don't forget to write.

Wednesday, August 13, 2008

If You Don't Like the News, Lay Off the PR Folks



NebuAd has let go both its internal PR team and its PR firm. Their PR firm, The Horn Group, confirmed the parting of ways according to this piece on The Register.

One understands why the layoff occurred, though in the defense of the team, NebuAd is certainly in new waters where there is little precedent as to how to shape public opinion. Dustups about BT were pretty minor in the past, and there are plenty of companies collecting PII, which would seem on some level more serious than what NebuAd does.

What's interesting about the layoff is the accompanying info that they are going to hire a new PR team focused less on business press and more on regulatory issues. What THAT says is they expect a tough row of hoeing over the fate of their ISP-based opt-out model.

I'll say this for NebuAd's now separated PR people: these folks know how to spread the word. This is not left-handed praise. Before Robb Topolski's report, NebuAd was travelling with full sails of largely excellent press coverage. Their CEO was EVERYWHERE touting the power of their model.

You can fault them for not having a better plan for the regulatory and PR problems that befell the company beginning a month or two ago, but for pure corporate hype and PR these people knew their stuff.

Perhaps you will find that an odd point to make -- what I think it means is that PR, like virtually every other area of marketing these days, is increasingly becoming a field for the versatile. While the web seemingly ushered in an era of experts, the opposite seems to have occurred. Companies are moving away from the dedicated digital team toward a model where EVERYONE is expected to know about digital, because it is the central core of current and future marketing.

In the PR vein, operating a powerful PR organization will be about more than a hype team -- it'll be having a sound strategic approach to both the hype development mandate and the contingencies for potential public or industry backlash.

Here's a piece of what MediaPost's Wendy Davis wrote on the topic of the layoffs and the future of NebuAd:

It's not surprising that NebuAd would be feeling an economic squeeze, given that several broadband providers have suspended plans to work with the company while Congress investigates. Lawmakers are now questioning whether companies like NebuAd and Phorm, which purchase data about users' Web-surfing activity to send them targeted ads, violate federal wiretap laws. Rep. Ed Markey, for one, has said he believes ISP-based behavioral targeting requires users' opt-in consent.

Still, the layoffs, combined with the new PR strategy, make clear that NebuAd didn't anticipate the degree of pushback it's now facing, both from policymakers and privacy advocates. Of course, until this summer, NebuAd didn't have much reason to think Washington would take an interest in its activities.

For the most part, online behavioral targeting seemed to fly under lawmakers' radar earlier this decade, when companies like Tacoda and Revenue Science were getting started. That situation had started to change by 2006, when the Center for Digital Democracy and U.S. Public Interest Research Group filed an FTC complaint about behavioral targeting techniques. The FTC held a town hall meeting last November, but few people were yet discussing NebuAd and other companies that rely on data purchased from ISPs.

But when news that NebuAd was testing its ISP-based targeting model trickled out earlier this year, it was clear that behavioral targeting was entering new territory. Older companies only know when users visit a site within one of their networks, but ISPs know about all sites that are visited and all search queries entered.


SO what IS the future of NebuAd??? Naturally as an outsider I have no idea, but here are my guesses:

1. A name change. Whether deserved or not, they may as well be called KGB Industries at this point.

2. A freeze on making efforts to sign up ISPs AT LEAST through the end of the year. My understanding is that they have already begun this freeze period. I think this would make sense not because it'll actually make a difference in sign-ups from ISPs -- my guess is that the doorbell isn't ringing right now -- not when BNET is reporting that the feds are investigating the company under wiretapping laws. But rather as a signal throughout the organization that they need to make their model right.

3. Some sort of consumer communication solution that will make opt-out a more palatable solution. I don't think they will go opt-in -- I don't think opt-in is a realistic approach for an ad network. There's no consumer value to all this beyond the dubious possibility that it lowers ISP costs.

Will this stuff come to pass? I have no idea. But I do know that those layoffs were probably necessary given the burn rate. Even after the layoffs, 60 people is a big pile of salary and bennies.

Thanks for reading, and don't forget to write.

Tuesday, August 12, 2008

New Revelations in DC ISP-Based "Deep Packet" BT Scrutiny


Early emanations from the House Energy and Commerce Committee's examination of privacy issues primarily related to ISP based BT are pretty interesting and revealing. Here are some highlights:

30 companies were asked about their Deep Packet BT and other tracking practices. Based upon the information provided to the committee, Chairman Markey has stated his intention to introduce opt-in privacy legislation next year. Reports WaPo:

Markey said he and his colleagues plan to introduce legislation next year, a sort of online-privacy Bill of Rights, that would require that consumers must opt in to the tracking of their online behavior and the collection and sharing of their personal data.

But some committee leaders cautioned that such legislation could damage the economy by preventing small companies from reaching customers. Rep. Cliff Stearns (R-Fla.) said self-regulation that focuses on transparency and choice might be the best approach.


But let's not get ahead of ourselves in this post. Here are some of the things that the inquiry uncovered.

On August 1, the committee wrote to a long list of companies (ISPs mostly) asking them to detail their "deep packet" and other tracking programs and policies. The list reads like a who's who of connectivity:

AOL LLC (ISP and Content Provider)
Bresnan Communications (ISP)
Cable One, Inc. (ISP)
Cablevision Systems Corporation (ISP)
CBeyond (ISP)
CenturyTel (ISP)
Charter Communications (ISP)
Comcast Cable (ISP)
Covad Communications Company (ISP)
Cox Communications, Inc. (ISP)
Earthlink (ISP)
Frontier Communications Corporation (ISP)
Google (Nuff said)
Insight Communications Inc. (ISP)
Knology, Inc. (ISP)
Mediacom Communications Corporation (ISP)
PAETEC Holding Corp. (ISP)
Qwest Communications (ISP)
Suddenlink Communications (ISP)
TDS Telecom (ISP)
Time Warner Cable (ISP)
TW Telecom, Inc. (ISP)
United Online, Inc. (ISP, among other things)
Verizon (ISP)
Windstream Corporation (ISP)
XO Communications (ISP)
Yahoo (Nuff Said)

All of their responses are available in pdf form here.

Check out a copy of the request here.

The 11 questions they asked each company to respond to were (paraphrased):

1. Do you or have you tailored ads to user web surfing patterns?
2. If so, how did you address sensitive health, financial, PII, and how were those policies developed?
3. In what communities have you engaged in these practices?
4. How many consumers were affected?
5. Did you do an analysis of privacy laws as you developed your programs?
6. Did you notify consumers? How? Provide a copy of the notification.
7. Did you do opt in or opt out, and if opt out, why?
8. If opt out, how many did so?
9. If opt out, did you do a legal analysis of the opt out procedure and notification?
10. What is the status of the data collected? Has it been destroyed? Is it periodically destroyed?
11. Do your systems and process allow for the tailoring of ads based upon behaviors?


If you read my recent post on Embarq and NebuAd, you will see a high degree of similarity between this list and the list Embarq was asked to complete a few weeks ago.

Here are my response summaries (I read each doc carefully but I am not a lawyer, so if in doubt click on over and read it yourself.):

AOL: Nothing surprising here. They do BT, privacy policy notification, opt out. Estimate that "tens of thousands" have opted out.

Bresnan: NebuAd Test 4/1-6/26, in Billings MT, 6000 customers, users notified by email and a web site page in addition to privacy policy. Opt out, 18 opted out (3/10ths of one percent.)

Cable One: Small test, beginning last year, undisclosed vendor. Based upon the description of the vendor, it is likely NebuAd. Tested in Anniston, AL for 180 days beginning 11/20/2007. 14,000 customers. Notification via inclusion in acceptable use and privacy policies. Opt out, no indication of the number of people who opted out. Says they would do opt-in if they were going to deploy network wide.

Cablevision: Hasn't done it.

CBeyond: Hasn't done it.

CenturyTel: Small test in Kalispell MT - small numbers of people in Idaho and Wyoming, NebuAd, 20,000 person test. Sent email notification to users affected in the test. Email said changes were made to the privacy policy but did not specify what they were -- invited the user to click and read policy to figure it out. Says they also sent email notification and bill stuffer to people noting the change in policy. Opt out. 82 persons opted out (4 tenths of one percent.)

Charter: Cancelled plans for a test.

Comcast: Hasn't done it.

Covad: Hasn't done it.

Cox: Hasn't done it.

EarthLink: Hasn't done it.

Frontier: Hasn't done it.

Insight: Hasn't done it.

Knology: Tested via NebuAd in parts of Panama City FL, Columbus GA, Knoxville TN, Huntsville AL, and Augusta GA. Stopped test as a result of Congress raising concerns. Opt out, notification via customer service agreement change. Change unannounced. No info on number of households affected or opt outs/opt out rates.

Mediacom: Hasn't done it.

PAETEC: Hasn't done it.

QWEST: Hasn't done it.

Suddenlink: Hasn't done it.

TDS: Hasn't done it.

TimeWarner: Hasn't done it.

TW Telecom: Hasn't done it.

United Online: Has considered deep packet inspection based BT, but has not implemented.

Verizon: Hasn't done it.

Windstream: Hasn't done it.

XO: Hasn't done it.

Yahoo: Does use BT but not deep packet, over 75,000 opt outs in July 2008 (still a fairly low number given that Yahoo reaches several hundred million users a month.)

Of all the responses, Google's have so far received the most attention, chiefly because of the tremendous reach and market power of the giant. Here is what WaPo had to say on the topic in a recent article:

Alan Davidson, Google's director of public policy and government affairs, stated in the letter that users could opt out of a single cookie for both DoubleClick and the Google content network. He also said that Google was not yet focusing on "behavioral" advertising, which depends on Web site tracking.

But on its official blog last week, Google touted how its recent $3.1 billion merger with DoubleClick provides advertisers "insight into the number of people who have seen an ad campaign," as well as "how many users visited their sites after seeing an ad."

"Google is slowly embracing a full-blown behavioral targeting over its vast network of services and sites," said Jeffrey Chester, executive director of the Center for Digital Democracy. He said that Google, through its vast data collection and sophisticated data analysis tools, "knows more about consumers than practically anyone."

Microsoft and Yahoo have disclosed that they engage in some form of behavioral targeting. Yahoo has said it will allow users to turn off targeted advertising on its Web sites; Microsoft has yet to respond to the committee.


Said Markey:

"Increasingly, there are no limits technologically as to what a company can do in terms of collecting information . . . and then selling it as a commodity to other providers," said committee member Edward J. Markey (D-Mass.), who created the Privacy Caucus 12 years ago. "Our responsibility is to make sure that we create a law that, regardless of the technology, includes a set of legal guarantees that consumers have with respect to their information."

I am sure there'll be more to come, and the oldest living gumshoe reporter will be there to parse it all for ya. ;-)

Thanks for reading, and don't forget to write.

Wednesday, July 30, 2008

NebuAddendum

Well, while I was on vacation Embarq replied to Congress’s request for information about the test they conducted with NebuAd, the ISP targeting ad network that has lately felt Congressional heat on its little piggies.

Tom Gerke, the President and CEO of Embarq, signed the response, which answered nine committee questions clearly and succinctly. The full text of Embarq’s response to Congressman Markey and his committee appears on this page of Broadcast and Cable.

Here are some highlights to that response:

NOTIFICATION

How were subscribers notified?: As I expected, the notification was in the privacy policy, and the rationale for that was that that is how ad networks do it.

Why not Opt-In: Because the industry does it opt-out. Which if I may editorialize for just a mo', doesn't actually answer the question. But then we ALL know the answer.

WHAT IS ROBUST

The big news – or perhaps the sound bite – of the disclosure memo was that 15 people availed themselves of the opportunity to opt out of tracking, which was announced in the privacy policy.

15 out of 26,000 represents .06%, rather a low percentage. I say rather low because, according to a recent eMarketer report, the percentage of people who dislike the concept of BT is rather high. Specifically, 45% of consumers, according to a recent Harris Poll, were uncomfortable with BT-style tracking. .06%/45% leads to the mathematical conclusion that only about 1% of the people who are concerned about BT opted out. A bit of a googly for anyone who thinks that privacy policy notification meets the spirit of the FTC’s robust notice requirement. I’m not saying 99% couldn’t find it. I am just saying…

RAMIFICATIONS

Meanwhile, it appears that Embarq has suffered little for their NebuAd test – according to this article from the Kansas City Business Journal, their stock price is faring nicely despite the unwanted publicity.

It’ll be interesting if the ISPs get to skate through this controversy unscathed.

Thursday, July 17, 2008

Rep Markey Wants More Info About Embarq and NebuAd

In this MediaPost news story, they report that NebuAd continues to be under Congressional scrutiny despite the generally friendly reception they got last week at the Commerce Committee hearing on BT and privacy.

According to the piece, ISP Embarq CEO Tom Gerke was sent a letter that questioned whether his company had provided robust notice to consumers about the tests they ran with NebuAd.

The text of the letter, which I found on Congressman Markey's site, appears below:

July 14, 2008

Mr. Tom Gerke
Chief Executive Officer
Embarq
5454 W. 110th Street
Overland Park, KS 66211

Dear Mr. Gerke:

We are writing with respect to a recent test conducted by Embarq to tailor Internet advertising to the web-browsing patterns of individual Embarq subscribers. We are interested in the nature of this test as well as the impact that this test, and the underlying technology it employed, could have on consumer privacy and other issues.

We understand that Embarq conducted a test earlier this year in a select community in conjunction with NebuAd to create consumer profiles for the purpose of serving ads to consumers based upon their search and surfing habits. As you may know, questions have been raised regarding the applicability of privacy protections contained in the Communications Act of 1934, the Cable Act of 1984, the Electronic Communications Privacy Act, and other statutes, to such practices.

In particular, we are concerned that Embarq may not have directly notified the subscribers involved in the test that their Web use was being analyzed and profiled. We therefore request that you answer the following questions in order for us to better understand the nature of the test conducted, its impact on consumers, and the broader public policy implications of this technology.

1. In what community was the test conducted and how was that community chosen?

2. How many subscribers were involved in the test?

3. How did Embarq notify subscribers in the affected community of the test? Please provide a copy of the notification. If Embarq did not specifically or directly notify affected subscribers, please explain why this was not done.

4. Did Embarq conduct a legal analysis regarding the applicability of consumer privacy laws on the service used in the test? If so, please explain what that analysis concluded.

5. Please explain why Embarq chose to conduct the test allowing consumers who objected to "opt out" rather than first asking customers to "opt in."

6. How did Embarq notify subscribers in the affected community of their opportunity to "opt-out" of the test? If Embarq did not specifically or directly notify affected subscribers of the opportunity to "opt-out," please explain why this was not done.

7. How many subscribers in the affected community opted out of participating in the test?

8. Did Embarq conduct a legal analysis regarding the adequacy of the "opt-out" notice and mechanism employed to allow consumers to effectuate this choice? If so, please explain what that analysis concluded.

9. What is the status of the consumer data collected during this test? Has it been destroyed?

Thank you in advance for your attention to this matter. We respectfully request a response by Monday, July 21, 2008.


I don't know if Embarq notified their customers or not beyond including info about it in its privacy policy, though this passage from the MediaPost article indicates that many ISPs that worked with NebuAd did not.

But software researcher Robb Topolski, who recently tested NebuAd and concluded that the program violated users' expectations of privacy, said the vast majority of the Internet service providers who worked with NebuAd did not seem to send separate notifications to subscribers. Instead, they apparently placed information about the program in their terms of service, privacy policies or other lengthy documents subscribers generally ignore.

I am anxious to see Embarq's response. What constitutes robust notice is ill defined by the government, at least in form. The government, to my knowledge, does not have a prescribed process by which consumers are to be informed.

Is it enough to put it in the privacy policy? Is it enough to put it in a brief and well organized privacy policy? If they put it in the privacy policy, do they then need to alert the customer that the privacy policy has been altered? If so, how must they notify? Would an on-site notice do it? Is email OK? Do they need to send a letter?

Presumably the answer to this relates to whether each of the tactics described above resulted in satisfactory levels of consumer awareness.

The googly, from Embarq's perspective, is that the generally accepted means of notification in BT has been in privacy policies. Google, for example, does not send out a letter before you download their toolbar telling you that all the places you visit are fair game for analysis.

Will ISP targeting be held to a higher standard than the rest of BT? I think that would be dead wrong. To me, the difference between ISP targeting and traditional BT from a privacy perspective seems to relate to the amount of info collected. A notification process is either right or wrong, whether the BT provider collects 20% of my web visits or 100%. And if I am not mistaken, there are currently a number of companies out there diligently pairing BT data with PII, and they are doing so with modest consumer notification. For example, portals and Facebook. NebuAd may be collecting more information, but other companies are collecting more PERSONAL information.

I'm not sure what I think the standard should be in terms of the form of notification. But I am sure that it should be applied to all BT, not just the technologies that collect the most complete picture. Because if the latter route were taken, at what point would the amount of data collected lead to the requirement of more outbound notification practices? 99%? 98%? 73%

Off my soapbox.

The challenge of this kind of notification is one of the classic push me pull yous of marketing. Often, the government looks at measures like opt out rates to determine whether the average consumer could be reasonably assumed to be notified. There is a lot of grey area between tucking it away where few will see it and sending out letters or emails.

One of the most interesting answers will be to question 5 -- about why they chose to do opt out rather than opt in.

Markey also released a statement when he informed the world about the request for information.

"Surreptitiously tracking individual users' Internet activity cuts to the heart of consumer privacy. The information collected through NebuAd's technology can be highly personal and sensitive information. Embarq's apparent use of this technology without directly notifying affected customers that their activity was being tracked, collected, and analyzed raises serious privacy red flags."

Ouch.

Thanks for reading, and don't forget to write.

Wednesday, July 9, 2008

Imperfect Synopsis (Not a Transcript): Senate Commerce Hearing on Privacy Implications of Online Advertising


Yesterday the US Senate Commerce Committee held a 1.75 hour hearing on privacy and online advertising. There to testify were NebuAd, MSFT, Google, FaceBook, Center for Democracy and Technology, and Competitive Enterprise Institute.

I wasn't there, of course, but did watch the entire webcast (twice -- I know, what a policy wonk I am,) and am going to both report on the happenings and give interpretations based upon those viewings.

Hey, I am not a reporter, but I am going to do my best to report rather than editorialize.

By no means is this a transcript. Rather, I am trying to summarize the gist because I don't think many people will watch the vid or read a transcript and because hearings like this are absolutely critical to the future of the industry and the shape it will take.

-----

Broadly, the purpose of the hearing was to determine whether more government oversight and regulation is required to protect consumer privacy. ISPs were invited to attend, but decided not to. Apparently there will be a future hearing of ISPs only.

Lydia Parnes, Director of the Bureau for Consumer Protection of the FTC, began the hearing with a prepared statement that noted that they have been examining BT for a long time and with particular concern over PII, health, and financial information.

FTC Lydia Parnes reviewed the FTC's past Town Hall on BT and privacy, and the three key findings:

1. BT may provide value to consumers.
2. BT raises privacy concerns and concerns about
3. Everyone believes in transparency and some level of consumer control.


Based upon the Town Hall and their past research, the FTC has four key beliefs about BT and how it should be conducted.

1. Companies that collect info should disclose the practice and let people choose. Note: the FTC has, in the past and currently, found either opt-in or opt-out acceptable for "non-sensitive, non-PII info."
2. Companies must provide reasonable security and retain data only as long as necessary.
3. If companies want to use data in a way other than disclosed in 1., they must get consumer permission to do so (opt-in.)
4. Sensitive data (e.g., health) should only be collected on an opt-in basis.


FTC says it is "cautiously optimistic" about the ability for self regulation to do the job of offering consumer protection.

From there, they went to Jane Horvath, the Senior Privacy Counsel for Google.

Ms. Horvath said that Google always puts their users first. That users can with one click switch providers if they are dissatisfied with Google's privacy policies, so they must put their users first to protect consumer loyalty.

She then reviewed the economic and consumer value of BT.

She continued to say that three privacy design fundamentals drive everything at Google:

1. Transparency: She said they are very active in educating consumers about their privacy via the Google Privacy Channel on YouTube, among other means.
2. Choice: She said consumers have the option of what data is made available. She pointed to the off the record feature on GoogleTalk as an example.
3. Security: She also said they have incredibly intense security for data at Google.

She also said that Google targeting is primarily context- versus behavior-based.

They recommended the following:

1. Google supports establishing a comprehensive Federal privacy law with uniform standards and penalties.
2. Google supports FTC's efforts at developing principles/standards with industry.
3. Display ads should be better labeled.


Then she showed a video that explains how to remove cookies from a browser. The video is from their privacy YouTube channel. It was an example of their proactive approach to education.

Bob Dykes, CEO of NebuAd, was next. He outlined his own security background. He then reviewed their standards that he said ensure that no one can derive PII from their system.

He said that consumers significantly benefit from more relevant ads while they get robust privacy protections. BT also provides economic value to small web sites and ISPs.

He stressed anonymity and how important it is to their system.

The outline of his privacy foundation principles was as follows:

1. Prior robust notice about the service.
2. Time to choose whether to opt out and ongoing opps to opt out.
3. No PII.
4. Do not store raw data linked to identifiable individuals.
5. High data security.


He then said that those who claimed that they do not require robust notice or an opportunity to opt out are wrong. That those are central to their model. He also said that those who claim that they traffic everything are incorrect.

He further stated that they do not track:

1. Webmail
2. Email
3. IM
4. VOIP traffic
5. Info about password Protected Sites


as well as some other web traffic.

He said that their standards have been vetted by the Panama Institute and that they are engaging with a Big Four accounting firm to audit the veracity of their statements.

He then said that NebuAd supports the past privacy paradigm promulgated by the Committee.

Next up was Leslie Harris, President and CEO of the Center for Democracy and Technology.

She began by stating that their POV/argument centered on three points and several recommendations.

1. BT is growing and consumers are uncomfortable with it and don't have the tools to control their info. Aggregation of non-PII can result in reverse engineering PII. There is a lack of transparency and meaningful controls. She said 59% of people are not comfortable with BT according to a recent poll.
2. ISP targeting adds consumer and legal concerns. That an ISP MAY give access to info on everything one does online to a third party. That consumers do not want traffic intercepted by an ISP and given to a third party. They also believe that the law requires prior opt in versus opt out. ISP targeting has not done this.
3. Self regulation is not enough. NAI is a failure. And only now that the FTC and the Senate have demonstrated concern has the NAI responded with modest improvements. Additional legislation is required.


She then made the following recommendations.

1. More hearings necessary on ISP targeting and sensitive info.
2. Need privacy legislation.
3. FTC needs to issue enforceable guidelines.
4. Do not track list should be offered.


Chris Kelly, CPO of Facebook, was next. He said that privacy is a foundation of the network. Specifically:

1. Consumers have the power of choice in who they share with and what communities they join and what info they share.
2. They are transparent in how they use info to serve relevant ads.


Specifically:

1. He said Facebook is very focused on letting consumers choose. Default settings are high on the privacy meter. You choose what info to include and not include in profiles, and with whom you share your info.
2. You should have access to info others want to share.


He said controls are built into every aspect of Facebook, and that they offer easy-to-use tools to control personal info. They've created a lock icon to indicate that users can control info disclosure.

He also stated that ad targeting on FB is non-PII. That they make that clear in their policies and communicate the idea that targeting has value to consumers.

Next up was Clyde Wayne Cruz, Jr., VP Policy at the Competitive Enterprise Institute. He began by saying privacy will become a bigger issue in the future because of incredible new technologies on the horizon.

He said that it's very difficult to legislate privacy online because consumers have different wants and needs and because the environment is extremely complex and constantly changing.

He posited that firms alter info handling without law, so law is unnecessary. That consumers, and especially online, get to choose, and that that is a better force for regulation.

He said a lot more here about cyber crime and a variety of other issues but I am going to focus on the BT relevant stuff.

Finally, Mike Hintze, Associate General Counsel at Microsoft went. He reiterated the value of advertising online and how targeting was important to paying for the web and in tailoring online experiences.

He said that MSFT cares deeply about privacy. That they have done more than anyone else in the industry on this score. That they have a robust set of internal standards to govern privacy.

Last July, they issued MSFT standards revolving around:

1. Transparency - Clear link to privacy on every page of their sites and with simple and precise policies.
2. Control - Consumers can opt out and tie the opt out to the Live online account so that databases are not rebuilt as with cookie deletion.
3. Choice - MSFT uses an anonymized identifier to disconnect PII from actions.


He said they recommend a federal privacy law and self regulation. They also work hard to educate consumers.

From here the hearing went to questions. I don't know the senators by sight and the super on the webcast obscured their name tags, so I am going to focus on the questions rather than the askers.

AGAIN, THIS IS NOT A TRANSCRIPT! I AM TRYING TO DO A DETAILED SUMMARY BUT THESE ARE MY INTERPRETATIONS OF WHAT THEY SAID, NOT WHAT THEY ACTUALLY SAID!

First question to NebuAd: What is the difference between NebuAd and wiretapping?

Dykes: I am not a lawyer, but NebuAd has a legal memo they will share attesting to their view that they are well within the law. The info collected is non PII. That all info is collected using anonymous identifiers and the data are relevant only inasmuch as they classify people into target groups, that page level data is not stored nor can they connect PII to the data using their system.

Question: This wouldn't be operable as an opt-in model, right?

Harris: Our wiretap laws don't require the collection of PII to be enforced. Also, while they may not be using all the info, they are collecting all the info.

Dykes: Only certain info is used and that is not stored. Only the category that someone falls into is stored. The rest is ignored and also not stored. And consumers can opt out, are offered robust notice, and they do opt out.

Question to Facebook: Do 3rd party app providers have access to all info in user profiles?

Kelly: A user must actively add the app and acknowledge that they are collecting info. Then the app maker can request data but will only receive the data that the user has consented to share on FB. Then the app maker can only retain the info for 24 hours. If they violate this the app can be shut down.

Question: What is the best estimate of the degree of use of this info abusively -- beyond BT?

Harris: No one knows and there are no rules in place to control it. NAI members have made a commitment, but lots of companies are not in the NAI.

Dykes: As a result of abuses with AOL Search data in 2004 - when it became clear that non-PII data could be reconstructed into PII if associated with individuals, however anonymized - NebuAd wanted to avoid the risk. Their approach of bucketizing users into segments mitigates the risk. The bucket is stored, not all the data that put someone in the bucket. They resolved never to keep raw data that had the potential to create abuse. They don't have it or keep it. No data is connected to PII, only to anonymized info.

Question: Would ensuring that all of this collection of data is made anonymous solve the problem of potential abuse?

Harris: You can't entirely mitigate the risk. When AOL made search data available, it took very little time to construct PII from it.

Dykes: In the case of AOL, certain kinds of info made it possible to interpolate PII, like specific real estate searches that made it possible to identify people. But NebuAd stores the segments, not the specific data.

Harris: But profiling poses that risk. That profiles COULD include that. That for example if you search for your name you are essentially revealing PII.

Dykes: Which is why they don't store info like that. It is irrelevant to the model.

Question: Is true anonymity possible?

Dykes: I believe so.

Question: Is any legitimate benefit to consumers sacrificed by true anonymity?

Dykes: We chose not to collect PII.

Cruz: You're always taking a little risk online. The Internet is not a secure environment. Also, we're not going to WANT pure anonymity. Crime is always possible on an open network like the web. No guarantees possible online. We can try our best but there will always be risk.

Question: What would Federal law or principles entail?

Harris: We don't need a BT law, we need a privacy law. It's bigger than BT. There should be rules about transparency, time limits, opt out or opt in based upon the sensitivity. It's a complicated topic but technology shouldn't govern the basic principles of privacy. We don't want a law that freezes tech development. It's all a matter of balance.

Hintze: We need a national privacy law. We need to harmonize all the federal and state laws. Consumers need a common baseline protection.

Dykes: The law needs to focus on privacy. But it must also be careful not to stifle competition.

Harris: Companies stand in different positions to the consumer and we need to take that into account.

Question: Is there a way to approach this where we would govern the type of Internet connection used instead of the content?

Harris: Our laws are outdated. The potential risks are there, and the info would also be available to the government. That is a key danger. For example, email privacy has very little legal protection.

Question: Do you believe consumers are entitled to opt-in?

Harris: It depends on data and context. ISP yes because it is the center connection. It's complicated. PII and non PII are starting to merge. The risk is that an anonymous ID can be connected to PII. We need a baseline privacy bill.

Question: Has the FTC studied security -- storage and encryption?

Parnes: Data security is part of our principles as is the idea that data is stored only as long as necessary.

Question: Do you know everything I do online if I use your site, Google and MSFT?

Horvath: If you're signed in on Google, we know your searches, but not what you did off our site. It's only connected to IP addresses.

Question: How long do you keep records?

Horvath: 18 months.
Hintze: 18 months.

Question: If NebuAd comes to you and asks for a contract -- give us everything you have -- would you consider it?

Hintze: We aren't sharing that info with anyone.
Dykes: We don't want such data. We only use data to put people into innocuous categories.

Question: Does competition between sites protect consumers? Are sites competing or going to compete with privacy standards?

Harris: No. There is not enough consumer understanding. Also, companies store the data for too long, and anonymization is not as simple as it sounds.

Dykes: Not sure Harris understands what NebuAd actually does. Would like to clarify with her after the hearing.

Question: Summarize your points.

Harris: There are great benefits from advertising but companies are collecting more, increasingly personal info. Self regulation is good but not enough. We need a baseline privacy law.

Kelly: We are at the forefront. We only know what people decide to share. And if companies want to target using that info, advertiser does not get PII.

Dykes: We welcome regulation about privacy. Focus on the sensitivity of the type of info. Strong controls are necessary but room should be left for innovation. Self regulation will also be important.

Cruz: We need to worry about criminals - self regulation doesn't help us there. But law can stifle. We need to let the market evolve. We don't want to impede that.

Hintze: Must protect consumer privacy. If we don't we will undermine the business model. Microsoft leads but we are a small player in online advertising. We need legislation plus self regulation.

Parnes: We need baseline privacy legislation to give consumers assurance, plus we believe in self regulation.

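Two of the exchanges above turn on the same technical point: Dykes says NebuAd stores only the segment a user falls into and discards the raw data, and Harris replies that aggregated non-PII can still be reverse engineered. The following is an added example, not code from NebuAd or from anyone at the hearing, that shows both sides of that argument in a few lines: a constructed clickstream is reduced to segment sets and the URLs are thrown away, and then a k-anonymity style check measures how many anonymous ids share each exact segment combination. The keyword-to-segment table, the anonymous ids and the URLs are all made up for the example; NebuAd's real category scheme is not described on the page.

```python
"""Segment-only storage versus re-identification risk (added example, constructed data)."""
from collections import Counter, defaultdict

# Hypothetical keyword-to-segment table; the real category scheme is not on the page.
SEGMENT_RULES = {
    "autos": "automobiles",
    "sports": "sports",
    "europe": "travel/Europe",
    "mortgage": "real-estate",
    "knitting": "hobbies/knitting",
}


def classify(url: str):
    """Map one visited URL to an interest segment, or None if no rule matches."""
    lowered = url.lower()
    for keyword, segment in SEGMENT_RULES.items():
        if keyword in lowered:
            return segment
    return None


def build_profiles(clickstream):
    """Keep only anonymous id -> frozenset of segments; the URLs themselves are discarded."""
    profiles = defaultdict(set)
    for anon_id, url in clickstream:
        segment = classify(url)
        if segment is not None:
            profiles[anon_id].add(segment)
    return {anon_id: frozenset(segs) for anon_id, segs in profiles.items()}


def group_sizes(profiles):
    """For each id, how many ids share its exact segment combination (its k)."""
    counts = Counter(profiles.values())
    return {anon_id: counts[combo] for anon_id, combo in profiles.items()}


def below_k(profiles, k=2):
    """Ids whose segment combination is shared by fewer than k ids: rare enough to be linkable."""
    return sorted(anon_id for anon_id, n in group_sizes(profiles).items() if n < k)


# Constructed clickstream of (anonymous id, URL) pairs; not real traffic.
CLICKSTREAM = [
    ("a1", "http://example.org/autos/reviews"),
    ("a1", "http://example.org/sports/scores"),
    ("a2", "http://example.org/sports/news"),
    ("a2", "http://example.org/autos/new-models"),
    ("a3", "http://example.org/knitting/patterns"),
    ("a3", "http://example.org/mortgage/rates/smalltown"),
    ("a4", "http://example.org/about"),          # matches no rule, so never stored
]

PROFILES = build_profiles(CLICKSTREAM)

if __name__ == "__main__":
    for anon_id, segs in sorted(PROFILES.items()):
        print(anon_id, sorted(segs), "k =", group_sizes(PROFILES)[anon_id])
    print("unique combinations:", below_k(PROFILES))
```

Running it shows a1 and a2 sharing a combination (k = 2) while a3's combination is unique (k = 1). The stored profiles contain no URL, which is the minimization Dykes describes; the uniqueness report is the measurement Harris's objection calls for, since an outside party who can tie a1 or a3 to one other dataset needs the combination to be rare, not the raw log.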
-----

Well, there is my non transcript. If it had value for you I am happy. If you disagree with the interpretation of my summary anywhere, please say so and I will note your disagreement in the post. I did my best to get the gist.

I'm going to give my impressions of the info and its import this weekend in another post. Until then...

Thanks for reading, and don't forget to write.

Monday, July 7, 2008

Mediapost: Will It Be NebuAd Versus Publishers Next?

This report in Mediapost from last week indicates that they foresee some possibility of publisher backlash as NebuAd collects info from publishers without publisher permission.

While NebuAd would have the consent of publishers where it was serving ads, its model collects information from all (nonsecure) pages, including other pages of publishers with whom it has no business relationship. It'll be an interesting second front for the company if it materializes as a threat.

Thanks for reading, and don't forget to write.

NebuAd Loses ISPs

You may know that ISP targeting solution and ad network NebuAd was working with a number of small ISPs before the Charter brouhaha. Well, it appears, according to this report on DSL Reports, that they've lost at least one. The following section of the CenturyTel privacy policy was dropped:

CenturyTel partners with a third-party advertising firm to deliver or facilitate delivery of targeted online advertisements to our High Speed Internet subscribers for the purpose of providing these subscribers with a richer, more relevant Web surfing experience. By observing anonymous, non-personally identifying information regarding a subscriber's Web surfing and search behavior, the ad network can infer the subscriber's interests in certain product or service categories (e.g., automobiles/sports or travel/Europe). The third-party advertising firm can then display advertisements that are more likely to be related to a subscriber's interests. It should be noted that you will not receive any more ads than you would otherwise receive, nor will the targeted online ads you receive be any more intrusive than the standard online ads you would otherwise receive. It should also be noted that these targeted online advertisements are based on the subscriber's anonymous online surfing behavior, and no personally identifying information is collected or used to deliver these advertisements.

CenturyTel's High-Speed Internet subscribers who choose not to receive targeted online advertisements can opt out at any time by clicking here or visiting http://www.nebuad.com/privacy/optout.php. The opt out is accomplished through the placement of an opt out cookie and applies only to the computer and browser through which the opt out selection was made. If, after opting out, you obtain a new computer, use a different browser, or delete the opt out cookie, you must complete the opt out process again in order to maintain your opt out status. If you choose to opt out, you will continue to receive online advertisements; however, these advertisements will likely be less relevant to your interests.


The post stream reports that CenturyTel is sending out the following email text when queried about NebuAd:

CenturyTel is not currently using online behavioral advertising tools in any of its markets, and we are delaying our plans to move forward with the deployment of online behavioral advertising services - either through NebuAd or any other vendor - at this time. CenturyTel is delaying its implementation plans so that Congress can spend additional time addressing the privacy issues and policies associated with online behavioral advertising.

CenturyTel highly values our customers' personal privacy, and we are committed to protecting our customers' personal information. More detailed information about CenturyTel's data collection and use practices can be obtained by reviewing our Privacy Policy at www.centurytel.com/Pages/PrivacyPolicy/.


MediaPost reports that Embarq has also dropped its relationship with NebuAd.

NebuAd issued the following statement from CEO Bob Dykes, according to the media Post article:

"We support CenturyTel's decision to delay its implementation plans so that Congress can spend additional time addressing the privacy issues and policies associated with online behavioral advertising," Dykes said. "NebuAd and its ISP partners are actively working together to refine a rollout plan tailored for each ISP that continues to set the standard for privacy protection in advertising online to consumers. NebuAd looks forward to a continued open dialogue with legislators, regulators, and the advocacy community."

Can't be fun to be working in PR for NebuAd at the moment. This is a company that needs a real PR plan, not this sort of reactive approach. They've got a lot of VC money, but the burn rate for a hardware and software solution that is losing partners must be quite high.

Thanks for reading, and don't forget to write.

Wednesday, June 25, 2008

NebuAd Responds, and Robb Topolski Responds to the Response


Last week I reported in this post on the latest troubles facing NebuAd in the area of privacy. Well, NebuAd responded to the report that characterized their data collection practices as problematic from a privacy standpoint.

NebuAd responded to the report, and you can read the highlights in Broadcasting and Cable.

For those that don't remember the name, Robb Topolski is the man who discovered Comcast's secret practice of slowing downloads to customers using BitTorrent applications. Robb's blog is here. I did not identify him as the author in my previous post and I apologize to him for the omission.

If I understand it, the key issue is that, according to Topolski, NebuAd appends an extra packet to web pages that appears to come from the publisher, not NebuAd. This, according to Topolski, is forgery. The second issue is about notification, and whether the notification processes of ISPs have been robust enough to ensure consumers are aware of the activity and its potential benefits to them.

NebuAd's response:

"NebuAd cookies do not contain specific information about a user," the company said. "All ad networks use a small piece of code that is temporary and operates only within the security framework of the browser to invoke the placement of ad network cookies. The code NebuAd uses is no different, and is clearly demarcated outside of and does not modify any publisher code."

Topolski responded to this statement on his blog with the following (excerpted):

As detailed in my report, NebuAd's code is appended to the web page code, in an extra packet that appears to come from servers owned by Google or Yahoo (not NebuAd). This is why you can claim any demarcation. However, there is no demarcation between the publisher's code and your injected code that indicates that the code is not from the publisher and that NebuAd is the source of the injected script. The packet is a forgery and the reason is obvious -- if the injected packet would properly identify its source in the IP header, the customer's computer would properly ignore it. This is by intentional design, and is why I characterize NebuAd's programming as usurping the intentions of the application and operating system designers.

More technical minds than mine should and will debate this.

For me this battle is an indication of the kind of thing we are going to see much more frequently in the future. My earlier post on Google's use of toolbar data for targeting is another example of the complexities of data collection, usage, and concerns about privacy.

I hope that this issue can be addressed with reason. NebuAd is clearly filled with smart people who have made decisions based upon what they believe is responsible business practice and reasonable protection of privacy. So characterizing them as evil would be unproductive.

Similarly, I sincerely hope that the debate will focus on the issue rather than the author of the report. Robb Topolski is not a kook. A read of his report, his blog, and indeed his comment to the earlier post on THIS BLOG show he's very passionate. But passion is something we should be pleased to see in a debate about privacy. He demonstrates a comprehensive point of view and an orientation toward thorough review and specifically outlining his findings.

Thanks for reading, and don't forget to write.


Thursday, June 19, 2008

Not a Good Month PR Wise for NebuAd



I am sure some of you are already familiar with NebuAd, the ad network that partners with ISPs to capture all of your HTTP travels for the purposes of better ad targeting. That's ALL your nonsecure web travels, not just some.

As you know, BT has been a particularly controversial area for the past...couple years among privacy advocates. Naturally, because NebuAd captures more information about consumers, ISP based targeting has been particularly questioned.

NebuAd and FrontPorch have been quietly working with ISPs for some time doing this sort of tracking, but the big break in the industry came when NebuAd signed Charter ISP to be a part of its service. Before Charter, most of the participating ISPs had been small and quiet about their partnerships.

But as NebuAd and Charter made their announcement, the inquiring minds of privacy advocates really turned the klieg lights on this BT segment. Reps Ed Markey (D) and Joe Barton (R) -- yes, you are seeing Democrats and Republicans work together for once -- sent a letter to Neil Smit, President and CEO of Charter, to ask him not to move forward without further review. When you visit the letter you'll see it's written in that impenetrable Congressional way, but as I read it the "request" is the governmental equivalent of getting a black rose in the mail from Mafiosi.

Charter postponed their move (natch), and the trades have been abuzz pretty much ever since.

But the story got a scosh darker for NebuAd with a report from Free Press entitled "NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking."

The press release for this study reads in part:

Topolski found that NebuAd, after being installed on the WOW! network, injects extra hidden code into a user’s browser that was not sent by the Web site being visited. That code directs the user’s Web browser to another site not requested or even seen by the consumer, where hidden code is downloaded and executed to add more tracking cookies. The consumer then sees ads based on NebuAd’s profile of a user’s browsing habits — built through the secretly collected information.

By changing the computer code for Web sites to insert information into the packets of data sent to consumers, NebuAd and its ISP partners “violate several fundamental expectations of Internet privacy, security and standards-based interoperability,” the report found.


The study itself is rather technical -- I had to read it seven times before I got the gist, and there are nine pages of packet trace code as an appendix -- but it posits that there are fundamental issues with the NebuAd methodology. The parts I found most interesting were the connections it drew between what it said NebuAd is doing and browser hijacking (common manifestations are when your home page is changed or favorites appear on your list without your consent), XSS attacks (when others have access and control of your PC), that Intel serial number controversy of 1999 when Intel inserted unique codes into chips that made it impossible for users to remove encroachments to their anonymity, and something called a "man in the middle attack" which allows a third party to monitor messages sent between your PC and others.
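The press release quoted above, and Topolski's reply in the June 25 post further up this page, both describe the same observable symptom: script content that was never part of the publisher's page arrives after it, loading from a host that is not the publisher. The following is an added example, not code from the Free Press report, from Topolski or from NebuAd, of how a site operator or a curious subscriber could check for that symptom at the HTTP level without reading packet traces. It looks only at bytes that follow the document's closing `</html>` tag and reports script tags there whose `src` points off the publisher's site. The publisher host and both response bodies are constructed for the example.

```python
"""Flag third-party scripts appended after a page's closing tag (added example, constructed data)."""
import re
from urllib.parse import urlparse

# Hypothetical publisher host; the constructed bodies below are not real captures.
PUBLISHER_HOST = "news.example.com"

CLEAN_BODY = (
    "<html><head><title>Front page</title></head>"
    "<body><p>Top story</p></body></html>\r\n"
)

# The same page with a script appended after </html>, delivered as a separate chunk of
# bytes that the browser still renders; the script loads from a third-party host.
INJECTED_BODY = CLEAN_BODY + (
    '<script type="text/javascript" '
    'src="http://tracker.example.net/collect.js"></script>\r\n'
)

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def trailing_content(body: str) -> str:
    """Return whatever follows the last </html>; empty when nothing does."""
    idx = body.lower().rfind("</html>")
    if idx < 0:
        return ""  # no closing tag at all: nothing to judge, so report nothing
    return body[idx + len("</html>"):].strip()


def is_same_site(host: str, publisher_host: str) -> bool:
    """True for the publisher host itself or any of its subdomains."""
    return host == publisher_host or host.endswith("." + publisher_host)


def audit_response(body: str, publisher_host: str):
    """Findings for script tags that sit after the document's closing tag.

    Returns a list of (kind, host) tuples: "external-script" with the host when
    the src points off the publisher's site, "inline-script" with None for a
    script body that has no src.  Same-site scripts after </html> are not reported,
    since some sites legitimately place their own scripts there.
    """
    findings = []
    for tag in SCRIPT_TAG.finditer(trailing_content(body)):
        src = SRC_ATTR.search(tag.group(1))
        if src is None:
            findings.append(("inline-script", None))
            continue
        host = urlparse(src.group(1)).hostname or ""
        if not is_same_site(host, publisher_host):
            findings.append(("external-script", host))
    return findings


if __name__ == "__main__":
    print(audit_response(CLEAN_BODY, PUBLISHER_HOST))     # []
    print(audit_response(INJECTED_BODY, PUBLISHER_HOST))  # [('external-script', 'tracker.example.net')]
```

Two caveats a practitioner would add. A trailing third-party script is a signal, not proof of in-path injection: the publisher's own template or ad code could have put it there, so a positive result is the point at which to compare the body against the same page fetched over a different network. And the posts above note that only nonsecure pages are affected; a page served over HTTPS cannot have bytes appended by a party between the subscriber and the publisher, which is the simplest mitigation a site operator controls.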

I don't pretend to understand all of the above paragraph. What I do understand is that this is more evidence that the business of digital media and understanding it is becoming incredibly complex and technical.

The thought that comes to my mind, though, is that it's a little scary that our federal government will be making decisions on this stuff given that relatively few of our elected leaders have even my puny level of technical knowledge. Naturally there will be experts involved in setting guidelines and standards if it comes to that, but make no mistake...there are very few people in Congress or on Congressional teams that have even an iota of knowledge about the privacy issues raised by the Internet.

Let's hope that for the sake of the web and the future of media, the decisions are made not based on hyperbole or selective presentation of facts, but rather on a real assessment of the issues by people who have depth of Internet understanding.

In any case, it can't be a whole lotta fun to be NebuAd this week.

POST SCRIPT: I got two emails about my second to last sentence here. I did not mean to imply that either NebuAd's position, nor that of the study referenced above, are hyperbole or half truth. I am just weary of technical issues being resolved in "food fights" on cable news when the reality is that people who actually know what they are talking about should be helping guide the regulatory future of ISP-based targeting.