NebuAd - another brilliant profit generator for Internet Access Providers

[David Farber <dave () farber net>]

________________________________________
From: David P. Reed [dpreed () reed com]
Sent: Monday, May 19, 2008 9:47 AM
To: Ip Ip; David Farber; Brett Glass; Lauren Weinstein
Subject: NebuAd - another brilliant profit generator for Internet Access Providers

I read a brief piece in the NYTimes this morning, pointing out a new
company that is heating up the investors' psyche because of its deal
with Charter Communications which will rake in lots of ad dollars by
violating the fundamental architectural principles of the Internet.

<http://bits.blogs.nytimes.com/2008/05/14/charter-will-monitor-customers-web-surfing-to-target-ads/>

Curious as to how it works technically, I googled it.  And found this
very interesting interview with its CEO (explaining that they both do
Deep Packet Inspection and rewrite Web pages returned to users, without
permission). Since Dave Farber and Brett Glass are so "balanced" in
their perspectives on such technology, I invite them to join the crew of
techies and MBA's defending NebuAd and Phorm, etc.   (and of course they
can defend Charter and BT as the primary users of these technologies as
well).

<http://www.dslreports.com/shownews/Ask-DSLReportscom-What-Is-NebuAD-91797>

One should note that the equipment and sites involved can be easily used
to analyze user's surfing behavior to target them for thought-crimes as
well.   Of course, they would NEVER be tempted to sell such services to
(say) the Mossad or the Chinese security services.

*Ask DSLReports.com: What Is NebuAD?*
The CEO tries to ease your privacy worries, explains Fair Eagle
01:02PM Tuesday Feb 12 2008 by Karl
<http://www.dslreports.com/useremail/u/141383>
tags: business <http://www.dslreports.com/blog?cat=14> · security
<http://www.dslreports.com/blog?cat=26> · privacy
<http://www.dslreports.com/blog?cat=29> · networking
<http://www.dslreports.com/blog?cat=45>
When it comes to the online advertising industry, consumers aren't
exactly a trusting bunch. That's understood, given the laundry list of
companies that have treated user PCs like a battlefield and used
consumer privacy as a punching bag. So when a company by the name of
NebuAD <http://www.nebuad.com/providers/providers.php> stated they'd be
deploying a new hardware device within ISP networks that would track
user behavior, consumers got nervous.

Consumer nerves weren't exactly soothed when reports emerged that in
addition to using surveillance hardware to monitor your browsing habits,
the company was also involved in an ad injection system
<http://www.dslreports.com/shownews/85222> that allowed ISPs to insert
their own ads into websites (regardless of the existing advertising
deals struck between webmaster and other advertisers). We spoke to
NebuAD CEO Bob Dykes to find out just what the company had planned, and
whether we should be terrified.

According to Dykes, the company is working with /"Multiple tens of
ISPs,"/ who have installed, free of charge, deep packet inspection
hardware on the ISP network. Deep packet inspection
<http://en.wikipedia.org/wiki/Deep_packet_inspection> hardware, as the
name suggests, analyzes the data and/or header part of a packet, and can
track data type based on any number of pre-set criteria.

Originally designed for security purposes, DPI recently found new life
in both NebuAD's implementation and in implementation by ISPs as a way
to identify and throttle p2p traffic. Deep Packet Inspection is also
expected to be at the heart of AT&T's proposed piracy filters
<http://www.dslreports.com/shownews/89255>.

NebuAD's hardware (each device can handle 10-30k users) tracks every
website an ISP user visits, at what speed, and for how long. ISPs pay
nothing, do nothing, and in return for the information, get checks
mailed to them monthly. In an age where ISPs are terrified of being dumb
pipe providers, and are trying to make an additional buck through
everything from DNS redirection
<http://www.dslreports.com/shownews/89282> to car sales
<http://www.dslreports.com/shownews/My-ISP-Sells-Cars-Too-90534>, such a
user-invisible profit stream is going to prove hugely appealing.


      Opting Out & Privacy


While that's certainly a nice deal for the ISPs, users are obviously
concerned about the privacy implications. From all indications, NebuAD
knows that in this age of malware, data leaks and warrantless wiretaps,
they could easily sink if they don't make user privacy a priority.
According to NebuAD, they're protecting your privacy by never actually
handling any data that identifies you, as you.

Each piece of deep packet inspection hardware converts any key
identifiers (such as IP address) to a one-way random number. The central
servers at NebuAd then only receive this hash number, not the original
identifiers. The company has a list of categories (e.g. Cars, SUV,
Lexus) and notes if the hash number goes to a site, or performs a
search, that is related to the category. If yes, it notes that interest
mapped to the hash number.

NebuAd doesn't map the URLs visited, just the user interest (think of it
as a tick-mark against that interest). /"NebuAd only maps qualifications
for interest categories against the hash,"/ spokesman Anthony Loredo
tells us. /"Interest categories are kept sufficiently broad to preclude
personal identification -- there are no categories for subjects that are
deemed too personal, such as sex."/

To aggregate data, NebuAd converts the data into another random number
and stores the URL visits in aggregate form. /"Because of the second
hash, it is never possible to deconstruct back to the original hash, or
the original user,"/ says Loredo. /"This data is stripped of personal
and personally identifiable information and held in aggregate only --
NebuAd does not take information from ISP data systems, and does not
share any data with ISP's, so no data concentration occurs,"/ he says.
/"ISPs are completely passive in our model."/

Dykes says that the advertisements fired your way once this data is
collected will also have limits, as in the company won't be watching
your WebMD searches to send you ads for gout medication, nor will they
be advertising to your personal porn preferences. /"There are absolutely
lines drawn,"/ says Dykes. /"The lines vary on where we are, but in the
U.S., there's no sex ads and no medical condition ads."/

When asked if NebuAd would find other uses for all of this user data,
such as selling it to researchers or other industries, Dykes insists
that /"we don't sell data, we only sell advertising."/ As for the
potential for data leaks, the company insists the data would be all but
useless if it got into the hands of scammers.

The idea of tracking behavior via ISP hardware /"certainly would give
people some cause for alarm,"/ admits CEO Dykes, though they say they've
gone /"out to extreme lengths"/ to make sure consumer identities aren't
at risk. Dykes also ensures us that part of their contract with ISPs
mandates that they clearly inform users if the ISP implements this new
system, and gives them a clear and easy way to opt-out
<http://www.nebuad.com/privacy/optout.php> (something we'll be watching
carefully).


      Changing The Advertising Game & Fair Eagle


As for advertising, Dykes, who used to work for Juniper Networks, thinks
his solution is going to change the advertising game. According to the
CEO, his system gets around the bane of many Internet advertisers:
cookie deletion. /"The advertising industry believes that about forty
percent of people delete the cookies about once a month,"/ notes Dykes.
But the most obvious perk is the ability to more specifically target ads
based on interest.

/"We can see not only that you went to a travel site, but we can see
what types of vacations you're looking for,"/ he says. /"That's just
impossible with a cookie based network today. We have much greater depth
of interest, and as a result we have about eight hundred potential
categories for advertisers, whereas today all of the other networks have
between twenty and forty."/

But what about the company's intrusive Fair Eagle project? Texas-based
ISP Redmoon managed to annoy the entire Internet
<http://www.techcrunch.com/2007/06/23/real-evil-isp-inserted-advertising/>
after they began forcing ads atop existing advertising arrangements. ISP
users were not informed, nor were they allowed to opt-out. Dykes insists
to us that, at least in the format that first caught our eye, the
project is no more.

/"Earlier in our exploration of advertising alternatives, we had
explored with Free Wi-Fi operators the notion that occasional pop-up
advertisements were more appealing to users than having their web
browser "framed" to a smaller size, with a permanent banner ad filling
the top of the screen,"/ says Dykes. /"It was accidentally deployed by a
wireline provider for a very brief time without our knowledge. We have
discontinued that offering."/

The company is not injecting ads over existing advertising
relationships, though there are companies who are
<http://www.dslreports.com/shownews/90134>.

From our conversations with the company, it's pretty clear that NebuAD
realizes they can't do business unless they place a priority on user
privacy and security. However, given how invisible the whole process is,
it's virtually impossible to gauge this independently. NebuAD says
they're working with /"multiple tens of ISPs"/ -- but we've yet to hear
a peep from any of these providers -- who likely don't want the PR
fallout from tracking user activity.

Do us a favor: keep a close eye on your privacy policy and tell us
<http://www.dslreports.com/news> if your ISP mentions the use of NebuAD
systems. We'd be curious to get your feedback on which ISPs are using
the system (NebuAD wouldn't say), how transparent these providers are
being about it, and how easy opt-out procedures are.


-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com