Think You Own Your Own Clicks? Think Again.

According to the folks behind APML – the Attention Profiling Mark-up Language – there are four key end-user rights surrounding your attention data (that is, what you read on the web). #1 is control: you own your own attention and can store it wherever you wish. Increasingly, though, this is not the case: a raw power grab orchestrated by advertising companies and ISPs is trying to establish that your attention data in fact belongs to your ISP, and that they can sell it for whatever they can get to whoever they want.

We’ve previously covered some of the furor in the UK over the activities of ad network Phorm, who has partnered with major ISPs to collect attention data – or as the industry likes to refer to it, “anonymized browsing information” – by keeping an eye on exactly where people go on the net. What I hadn’t realized until today is that a company by the name of NebuAd is at least as far along this path in the US, without the level of public discussion that Phorm has kicked off in the UK.

NebuAd came in for increased scrutiny this week when Charter Communications (one of the top 10 ISPs in the country) started sending out letters to several hundred thousand subscribers in Fort Worth, San Luis Obispo, Oxford, Massachusetts, and Newtown, Connecticut. These letters announced “an enhancement coming soon to your web browsing experience” that would make online ads “better reflect the interests you express through your web-surfing activity.” To their immense credit, Charter not only announced this pilot program in advance, but provided links to explanatory and opt-out pages.

Nevertheless, this move was enough to attract the attention (no pun intended) of Representatives Edward Markey (D-MA) and Joe Barton (R-TX). Markey (Chairman of the House Subcommittee on Telecommunications and the Internet) and Barton sent a public letter to Charter saying, among other things, “We respectfully request that you do not move forward on Charter Communications’ proposed venture with NebuAd until we have an opportunity to discuss with you issues raised by this proposed venture” and suggesting that the system would violate Section 631 of the US Communications Act unless it were opt-in rather than opt-out.

NebuAd have responded aggressively in the past to any suggestion that their service might represent a privacy issue. Their explanation is that their hardware devices at ISPs collect information that is anonymized through one-way hashes, that it only tracks the connection between your IP address and interest in certain categories of information (which do not include medical or sex-related surfing), and that all they do is buy ads and serve them with better targeting than other ad networks. But they’ve notably refused to answer other questions, including just exactly how those ads get into the web pages that you view, who their advertisers are, and the names of the “tens” of ISPs that they’re working with.

NebuAd’s own explanation of how they uphold the “highest standards of consumer privacy” is fairly short. The actual policy has the usual escape clause for the company at the end – they can change it at any time and will notify you by posting the changes on their web site.

If your ISP is selling your surfing data to NebuAd, it’s quite possible that you’ll never know. Many ISPs simply cover this in their terms of service, such as this clause in WOW! Internet’s TOS: “We use an advertising network provider, NebuAd, to deliver or facilitate delivery of advertisements to our users while they are surfing the web. These advertisements are based on users’ anonymous surfing behavior while they are online.”

Web workers should be concerned about NebuAd’s data collection and other activities for a couple of reasons. First, the web is our workplace, and we should have a reasonable expectation that we can go about our work activities without having them monitored by parties with whom we have not contracted. Second, our attention data is one of our assets; it should be up to us to decide how (or whether) to dispose of that asset.

The gravest threat here is not NebuAd’s current behavior, which appears to have been crafted to push the limits of what is acceptable without losing their audience (coupled with ISPs who try to hide or minimize what they’re doing here). The problem is that there’s nothing to prevent them increasing their data-collection efforts in the future (they already have the hardware plugged in at the ISPs) to store increasingly personal information or track increasingly intrusive browsing categories or break down the wall that prevents identifying you completely from stored data. Well, nothing except their own goodwill towards web consumers.

Unfortunately, your avenues for not getting caught in this system are few. Still, it’s worth thinking about them:

  1. Opt out of the tracking. If you’re going this route, I recommend that you visit NebuAd’s own opt-out form, instead of using your ISP’s, which (at least in the case of Charter) may be more intrusive than necessary. Unfortunately opting out is cookie-based, so you’ll have to repeat it on every computer you use and whenever you clear cookies.
  2. If you’re a Firefox user, install something like Adblock Plus. Due to the way NebuAd works, though, it’s not clear that this will be effective in keeping your data away from them – though it will certainly destroy their ability to deliver targeted ads back to you.
  3. Contact Representatives Markey and Barton to let them know you want a thorough and pointed investigation of the entire ad-targeting industry, not just a few narrow questions directed at Charter.
  4. Run your surfing through an anonymous routing network to camouflage your IP address. Again, this may not provide much protection against hardware installed at your ISP.
  5. Switch ISPs if yours is participating in this scheme. Unfortunately, this is not an option in many parts of the country where there is a single dominant high-speed provider. Another alternative is to pay a higher price for service such as a direct T1 line or Charter’s Business Internet, which (so far) is not being monitored in the same way as consumer options.

Given the difficulty of protecting yourself against this sort of stealth activity monitoring, it seems likely that any real relief will have to come through legislation or activism. It’s possible to imagine “don’t buy from” campaigns directed at advertisers who use NebuAd, for example (which may be why the company is being so protective of its advertisers’ identities). Whether this actually happens will depend on the level of consumer outrage that the spread of NebuAd (and others in its niche) generates.
