Original URL: http://www.theregister.co.uk/2008/04/22/wide_open_west_users_with_nebuad/

Data pimping catches ISP on the hop

Who ate all the cookies?

By Cade Metz

Posted in Broadband, 22nd April 2008 12:02 GMT

What's the story with Phorm, NebuAd, and other behavioral targeting firms that track user data from inside the world's ISPs? In some cases, even the ISP can't tell you.

In February, the Silicon Valley-based NebuAd deployed its deep-packet inspection technology on a Middle America ISP known as WOW!, formerly WideOpenWest. The official word from NebuAd is that its partner ISPs are required to directly notify customers via letter or email before its hardware is turned on, but WOW! - America's 12th largest cable operator, serving Illinois, Michigan, and Ohio - says this did not happen on its service.

According to vice president of programming Peter Smith, WOW! updated its terms of service to include a mention of NebuAd, and in some cases, it told customers that the terms had been updated. But it didn't go any further.

"We started rolling out the service in February and we completed the roll-out the first week in March," Smith told us. "About the third week in March, we got an updated memorandum from NebuAd detailing their 'best practice' standards. That was not provided before we rolled the service out.

"When we got the memorandum, we put together a plan to comply with the best practices, and we're in the process of doing that right now, sending customers an email that explicitly alerts them to NebuAd and providing messages on bills."

At least two WOW! customers argue that the ISP's initial notification was not enough. Both of these Chicago-area customers were unaware that NebuAd was tracking their behavior until some unexpected Web cookies turned up on their machines. When they visited Google, non-Google cookies were being read by addresses such as "nebuad.adjuggler.com."

When these users contacted WOW! customer support, reps initially denied that the ISP was responsible for the cookies. So these customers did some digging on their own, eventually turning up the NebuAd mention in WOW's terms of service. Only then did reps confirm that NebuAd was a partner.

Someone else's cookies

When we contacted WOW! to discuss the matter, VP Peter Smith initially denied that NebuAd uses tracking cookies. "There's been a lot of rumors out there are not correct," Smith told us. "NebuAd doesn't drop cookies, so those were someone else's cookies." When pressed, Smith then said that NebuAd only drops a cookie when users opt-out of the service.

But NebuAd makes no bones about the fact that it drops cookies from the get-go. "We place just one cookie for each NebuAd ad-serving domain," said NebuAd CEO Bob Dykes. "It usually contains just an alphanumeric, which is not the number we use internally to identify the user anonymously, and some ad-serving related info such as ad frequency caps, which is similar to functionality used by almost all ad networks in their cookies. If the user opts out, then that is noted in the cookie and the alphanumeric is deleted."

Peter Smith negotiated WOW!'s contract with NebuAd, but he said that these negotiations carried on for months and that NebuAd's practices may have changed since the two companies first spoke.

NebuAd's behavior-tracking service is similar to ISP-based services used by Phorm in the UK and Front Porch here the US (though Front Porch shares its data with outside ad firms). Other operations that appear to be working on similar services include Adzilla and Project Rialto, a "stealth company" created by Alcatel-Lucent, but these firms did not respond to our interview requests.

According to NebuAd, its current ISP contracts give it access to the search and browsing activity of at least 10 per cent of American net surfers. It then uses this data to target advertisements.

NebuAd insists the data is never matched to personally identifiable information. But many - including the Center of Democracy and Technology - believe that end users should be actively notified before these services start tracking their behavior and given every opportunity to opt-out.

NebuAd aka Nebula

When one WOW! customer - we'll call him WOWed - first noticed those un-Google cookies on his machine, he assumed it was infected with spyware. "I realized that Google was loading slowly, and I spent hours trying to clean spyware off my system," WOWed told us. "Finally, I reinstalled my machine from scratch, installed all of Microsoft's patches, and the cookies came back. I was convinced that this was coming from the ISP."

And WOW! customer support did nothing to dissuade him. "They just said that I had spyware too, that they ran tests from their office and that when they went to Google, they didn't see a problem."

A second WOW! customer - we'll call him WOWed Again - had a similar experience. "When I first noticed this, I called customer support, and no one knew anything about it," WOWed Again told us. "Then I called again and pointed them to the new terms and conditions.

"The rep said 'Oh no, sir, we don't monitor any internet usage. We don't care what you're browsing.'" WOWed Again has since noticed that his January bill from WOW! mentioned that the ISP's terms of service had changed.

But the company eventually told both customers that its network was equipped with NebuAd hardware. According to WOWed, a company employee - believed to be the head of customer service - told him "You can opt-out if you go to Nebula's [sic] site."

NebuAd does provide an opt-out, but both WOW! users complain that this does not remove NebuAd's cookies from their machines. "NebuAd says they don't track you if you opt-out," WOWed Again said. "But if I go to Google, my browser is still calling back to NebuAd's servers. I'm not happy with this at all."

When we asked NebuAd about its opt-out cookie, the company called it an "industry-standard mechanism."

"Once a user opts out, the user’s surfing habits are no longer being observed by NebuAd," the company told us. "Once a user opts out, NebuAd removes the history on the user and will ignore the user's subsequent surfing habits. An opt-out flag in a cookie is the industry-standard way of signaling to the system not to track this user."

The company also said that some web surfers may notice a NebuAd cookie on their machine even if their ISP is not a partner. "Because we buy some media unrelated to our ISP partnerships, the fact that a user sees our cookie does not indicate that the user’s ISP is using NebuAd."

According to WOWed Again, when a WOW! customer support rep finally acknowledge the company had contracted with NebuAd, she assured him this wasn't a problem. "She said 'We really haven't gotten too many calls about this, so apparently people think there's value in getting targeted ads.'"

"I should have told her 'You haven't gotten many calls because no one knows about it.'"

Yes, NebuAd has now told WOW! that it needs to be more proactive when notifying customers. And WOW! says it began sending emails to customers early last week (though it doesn't have email addresses for all customers).

But according to WOW!, NebuAd didn't give the ISP its so-called best practices until after the company's service was discussed on Broadband Reports and in various news stories. Some have argued that behavioral ad trackers have received an unfair shake in the press. But on some level, press is necessary. ®