According to the folks behind APML – the Attention Profiling Mark-up Language – there are four key end-user rights surrounding your attention data (that is, what you read on the web). #1 is control: you own your own attention and can store it wherever you wish. […]

According to the folks behind APML – the Attention Profiling Mark-up Language – there are four key end-user rights surrounding your attention data (that is, what you read on the web). #1 is control: you own your own attention and can store it wherever you wish. Increasingly, though, this is not the case: a raw power grab orchestrated by advertising companies and ISPs is trying to establish that your attention data in fact belongs to your ISP, and that they can sell it for whatever they can get to whoever they want.

We’ve previously covered some of the furor in the UK over the activities of ad network Phorm, who has partnered with major ISPs to collect attention data – or as the industry likes to refer to it, “anonymized browsing information” – by keeping an eye on exactly where people go on the net. What I hadn’t realized until today is that a company by the name of NebuAd is at least as far along this path in the US, without the level of public discussion that Phorm has kicked off in the UK.NebuAd came in for increased scrutiny this week when Charter Communications (one of the top 10 ISPs in the country) started sending out letters to several hundred thousand subscribers in Fort Worth, San Luis Obispo, Oxford, Massachusetts, and Newtown, Connecticut. These letters announced “an enhancement coming soon to your web browsing experience” that would make online ads “better reflect the interests you express through your web-surfing activity.” To their immense credit, Charter not only announced this pilot program in advance, but provided links to explanatory and opt-out pages.

Nevertheless, this move was enough to attract the attention (no pun intended) of Representatives Edward Markey (D-MA) and Joe Barton (R-TX). Markey (Chairman of the House Subcommittee on Telecommunications and the Internet) and Barton sent a public letter to Charter saying, among other things, “We respectfully request that you do not move forward on Charter Communications’ proposed venture with NebuAd until we have an opportunity to discuss with you issues raised by this proposed venture” and suggesting that the system would violate Section 631 of the US Communications Act unless it were opt-in rather than opt-out.

NebuAd have responded aggressively in the past to any suggestion that their service might represent a privacy issue. Their explanation is that their hardware devices at ISPs collect information that is anonymized through one-way hashes, that it only tracks the connection between your IP address and interest in certain categories of information (which do not include medical or sex-related surfing), and that all they do is buy ads and serve them with better targeting than other ad networks. But they’ve notably refused to answer other questions, including just exactly how those ads get into the web pages that you view, who their advertisers are, and the names of the “tens” of ISPs that they’re working with.

NebuAd’s own explanation of how they uphold the “highest standards of consumer privacy” is fairly short. The actual policy has the usual escape clause for the company at the end – they can change it at any time and will notify you by posting the changes on their web site.

If your ISP is selling your surfing data to NebuAd, it’s quite possible that you’ll never know. Many ISPs simple cover this in their terms of service, such as this clause in WOW! Internet’s TOS: “We use an advertising network provider, NebuAd, to deliver or facilitate delivery of advertisements to our users while they are surfing the web. These advertisements are based on users’ anonymous surfing behavior while they are online.”

Web workers should be concerned about NebuAd’s data collection and other activities for a couple of reasons. First, the web is our workplace, and we should have a reasonable expectation that we can go about our work activities without having them monitored by parties with whom we have not contracted. Second, our attention data is one of our assets; it should be up to us to decide how (or whether) to dispose of that asset.

The gravest threat here is not NebuAd’s current behavior, which appears to have been crafted to push the limits of what is acceptable without losing their audience (coupled with ISPs who try to hide or minimize what they’re doing here). The problem is that there’s nothing to prevent them increasing their data-collection efforts in the future (they already have the hardware plugged in at the ISPs) to store increasingly personal information or track increasingly intrusive browsing categories or break down the wall that prevents identifying you completely from stored data. Well, nothing except their own goodwill towards web consumers.

Unfortunately, your avenues for not getting caught in this system are few. Still, it’s worth thinking about them:

  1. Opt out of the tracking. If you’re going this route, I recommend that you visit NebuAd’s own opt-out form, instead of using your ISPs which (at least in the case of Charter) may be more intrusive than necessary. Unfortunately opting out is cookie-based, so you’ll have to repeat it on every computer you use and whenever you clear cookies.
  2. If you’re a Firefox user, install something like Adblock Plus. Due to the way NebuAd works, though, it’s not clear that this will be effective in keeping your data away from them – though it will certainly destroy their ability to deliver targeted ads back to you.
  3. Contact Representatives Markey and Barton to let them know you want a thorough and pointed investigation of the entire ad-targeting industry, not just a few narrow questions directed at Charter.
  4. Run your surfing through an anonymous routing network to camouflage your IP address.
  5. Again, this may not provide much protection against hardware installed at your ISP.

  6. Switch ISPs if yours is participating in this scheme. Unfortunately, this is not an option in many parts of the country where there is a single dominant high-speed provider. Another alternative is to pay a higher price for service such as a direct T1 line or Charter’s Business Internet, which (so far) is not being monitored in the same way as consumer options.

Given the difficulty of protecting yourself against this sort of stealth activity monitoring, it seems likely that any real relief will have to come through legislation or activism. It’s possible to imagine “don’t buy from” campaigns directed at advertisers who use NebuAd, for example (which may be why the company is being so protective of its advertisers’ identities). Whether this actually happens will depend on the level of consumer outrage that the spread of NebuAd (and others in its niche) generate.

You’re subscribed! If you like, you can update your settings

  1. I wrote a browser add on for Firefox to cover Phorm. With a little adaptation (and help from US counterparts) it might be possible to make it work for nebuad too.

    Opt out is the wrong way for consumers. This should be opt in. These DPI systems are so intrusive, and users consent cannot be assumed.

    Bear in mind too, apps like Microsoft Word, Open Office, Outlook, will all access content from the net from time to time. And these requests often can’t be distinguished from a web browser.

    But perhaps, in the context of webworkerdaily, the most significant concern is the server side… and the completely bogus assumption these sites make that all unencrypted communication is public and/or public domain.

    They violate the privacy of business communications, such as ecommerce sites. They steal copyright content ‘on the wire’ (rather than making a separate identifiable request for it). And they take visitors away from your web site using competitive advertising.

    If regulators won’t act (and thankfully it seems the US are more switched on than our hopeless UK regulators)… one option is copyright protection.

    I understand it is reasonable cheap to register a copyright in the US, and the penalties for wilful abuse of copyright are substantial.

    Good luck. We’re about 3 months ahead of you. Come and join us for a chat at BadPhorm… or enjoy http://www.parasitestxt.org over a coffee.

  2. Robb Topolski Saturday, May 17, 2008

    Public Knowledge did a piece this week on Charter’s decision to sell out their customersimprove the marketing experience for their users. You’ll find their take here: http://www.publicknowledge.org/node/1574

  3. Much hoopla about nothing. This is the way of the future. I much rather get ads that are related to what I like and might need than getting Ads that are just cluttering the page with no usefulness. We should all be happy on this as this will make the browsing experience much more fulfilling. Chill out and don’t be so paranoid.

  4. So Tom thinks much hoopla about nothing.

    I suppose he is also happy for all his private and personal letter mail to be opened by his mail delivery man to ensure he gets better targeted paper advertising as well!

    “Sorry, I will forget read that personal letter from the bank manager!” says the postman. “Honestly”

    There is little difference.

  5. 1984 has come Sunday, May 18, 2008

    Maybe Tom won’t mind his phone calls being wiretapped so that he can receive a more thorough profiling for enhanced targeted telemarketing calls from Dick and Harry.

    I don’t suppose there any prizes on offer for guessing the type of business Tom is in!

  6. John Swaringen Sunday, May 18, 2008

    As a Charter subscriber when I got the letter I was stunned. I’ve written my congressman (Joe Barton) and can’t believe that they would be allowed to do something like this. Conspiracy theories aside, this is an invasion of privacy and should be stopped. Viva Net-Neutrality!

  7. Get real. That is why I say you are all paranoids. What phone calls and what mail. This is web pages that you already are visiting and like it or not will be getting ads on them. no harry and no dick will call you. the back end system will show us ads that will be relevant hoping that we click on them and they make a few pennies. Believe me, the government can get all the dirt on you when they need to, and this won’t be their way, since this isn’t trackable back to you as an identifiable user anyways. If you think this is bad, then what would you say about every search you do on Google while you are logged into your gmail acct. Now, that is your identity. You think that doesn’t leave a track on you? If I were you, I would stop using the web and all other electronic communications altogether since I would be too worried someone out there cares about what crap I like and will be tracking me to show me an ad. Go get a life.

  8. it seems to me that once a 3rd party has an ISP Address database, then all they need to do is correlate that to your identity by learning who owns things like yahoo accounts. Since your yahoo mails is often sent from one or two ISP addresses, then it would be easy to build a database that could track all your web activity.

    This seems very feasible, no?

  9. Why is it that no one cares that Yahoo and Google and MSN are already doing this? You don’t think their ads are already targeted to you?

    I agree with Tom, this is much hoopla about nothing.

    By the way, this page the article is on is covered with Ads that are paying for this website. A bit hypocritical there, GigaOM?

Comments have been disabled for this post