Thursday, July 17, 2008

Rep Markey Wants More Info About Embarq and NebuAd

In this MediaPost news story, they report that NebuAd continues to be under Congressional scrutiny despite the generally friendly reception they got last week at the Commerce Committee hearing on BT and privacy.

According to the piece, ISP Embarq CEO Tom Gerke was sent a letter that questioned whether his company had provided robust notice to consumers about the tests they ran with NebuAd.

The text of the letter, which I found on Congressman Markey's site, appears below:

July 14, 2008

Mr. Tom Gerke
Chief Executive Officer
Embarq
5454 W. 110th Street
Overland Park, KS 66211

Dear Mr. Gerke:

We are writing with respect to a recent test conducted by Embarq to tailor Internet advertising to the web-browsing patterns of individual Embarq subscribers. We are interested in the nature of this test as well as the impact that this test, and the underlying technology it employed, could have on consumer privacy and other issues.

We understand that Embarq conducted a test earlier this year in a select community in conjunction with NebuAd to create consumer profiles for the purpose of serving ads to consumers based upon their search and surfing habits. As you may know, questions have been raised regarding the applicability of privacy protections contained in the Communications Act of 1934, the Cable Act of 1984, the Electronic Communications Privacy Act, and other statutes, to such practices.

In particular, we are concerned that Embarq may not have directly notified the subscribers involved in the test that their Web use was being analyzed and profiled. We therefore request that you answer the following questions in order for us to better understand the nature of the test conducted, its impact on consumers, and the broader public policy implications of this technology.

1. In what community was the test conducted and how was that community chosen?

2. How many subscribers were involved in the test?

3. How did Embarq notify subscribers in the affected community of the test? Please provide a copy of the notification. If Embarq did not specifically or directly notify affected subscribers, please explain why this was not done.

4. Did Embarq conduct a legal analysis regarding the applicability of consumer privacy laws on the service used in the test? If so, please explain what that analysis concluded.

5. Please explain why Embarq chose to conduct the test allowing consumers who objected to "opt out" rather than first asking customers to "opt in."

6. How did Embarq notify subscribers in the affected community of their opportunity to "opt-out" of the test? If Embarq did not specifically or directly notify affected subscribers of the opportunity to "opt-out," please explain why this was not done.

7. How many subscribers in the affected community opted out of participating in the test?

8. Did Embarq conduct a legal analysis regarding the adequacy of the "opt-out" notice and mechanism employed to allow consumers to effectuate this choice? If so, please explain what that analysis concluded.

9. What is the status of the consumer data collected during this test? Has it been destroyed?

Thank you in advance for your attention to this matter. We respectfully request a response by Monday, July 21, 2008.


I don't know if Embarq notified their customers or not beyond including info about it in its privacy policy, though this passage from the MediaPost article indicates that many ISPs that worked with NebuAd did not.

But software researcher Robb Topolski, who recently tested NebuAd and concluded that the program violated users' expectations of privacy, said the vast majority of the Internet service providers who worked with NebuAd did not seem to send separate notifications to subscribers. Instead, they apparently placed information about the program in their terms of service, privacy policies or other lengthy documents subscribers generally ignore.

I am anxious to see Embarq's response. What constitutes robust notice is ill-defined by the government, at least in form. The government, to my knowledge, does not have a prescribed process by which consumers are to be informed.

Is it enough to put it in the privacy policy? Is it enough to put it in a brief and well-organized privacy policy? If they put it in the privacy policy, do they then need to alert the customer that the privacy policy has been altered? If so, how must they notify? Would an on-site notice do it? Is email OK? Do they need to send a letter?

Presumably the answer to this relates to whether each of the tactics described above resulted in satisfactory levels of consumer awareness.

The googly, from Embarq's perspective, is that the generally accepted means of notification in BT has been in privacy policies. Google, for example, does not send out a letter before you download their toolbar telling you that all the places you visit are fair game for analysis.

Will ISP targeting be held to a higher standard than the rest of BT? I think that would be dead wrong. To me, the difference between ISP targeting and traditional BT from a privacy perspective seems to relate to the amount of info collected. A notification process is either right or wrong, whether the BT provider collects 20% of my web visits or 100%. And if I am not mistaken, there are currently a number of companies out there diligently pairing BT data with PII, and they are doing so with modest consumer notification. For example, portals and Facebook. NebuAd may be collecting more information, but other companies are collecting more PERSONAL information.

I'm not sure what I think the standard should be in terms of the form of notification. But I am sure that it should be applied to all BT, not just the technologies that collect the most complete picture. Because if the latter route were taken, at what point would the amount of data collected lead to the requirement of more outbound notification practices? 99%? 98%? 73%?

Off my soapbox.

The challenge of this kind of notification is one of the classic push me pull yous of marketing. Often, the government looks at measures like opt out rates to determine whether the average consumer could be reasonably assumed to be notified. There is a lot of grey area between tucking it away where few will see it and sending out letters or emails.

One of the most interesting answers will be to question 5 -- about why they chose to do opt out rather than opt in.

Markey also released a statement when he informed the world about the request for information.

"Surreptitiously tracking individual users' Internet activity cuts to the heart of consumer privacy. The information collected through NebuAd's technology can be highly personal and sensitive information. Embarq's apparent use of this technology without directly notifying affected customers that their activity was being tracked, collected, and analyzed raises serious privacy red flags."

Ouch.

Thanks for reading, and don't forget to write.
