Congress accuses American Phorm of 'beating consumers'
NebuAd and J. Edgar Google
When US Congressman Ed Markey asked NebuAd CEO Bob Dykes whether his Phorm-like ad targeting system should require an opt-in, Dykes refused to answer.
"Do you support a policy where the consumer must say 'yes' before you roam through all their personal data and then turn it into an information product that is then sold to other companies?" asked the chairman of the House Subcommittee on Telecommunications and the Internet.
"Mr. Chairman," Dykes replied, "you're forcing me to answer one of those Have-you-stopped-beating-your-wife-recently questions."
"No," Markey said. "The question is 'Have you stopped beating the consumer?'"
This morning, Markey presided over a Subcommittee hearing that explored the privacy implications of NebuAd's system - a deep-packet-inspection setup that tracks the search and browsing activity of web surfers from inside American ISPs - and Dykes was on hand to defend his baby. Though most of the gathered Congresspeople agreed the system should require an opt-in, he insisted they were missing the point.
"I don't think opt-in or opt-out is nearly as important as robust notice to the consumer, so they truly understand what is going on, and then the opportunity to control that," he said.
To translate: He doesn't want an opt-in. That "robust notice" bit was Dykes' refrain throughout the more-than-two-hour hearing. Basically, he's saying that if NebuAd's ISP partners make a point of telling ISP users the system is turned on, an opt-in isn't necessary.
"Opt-in is rare. It's just for situations involving sensitive information, personal information that can harm or embarrass somebody. We've made a particular point of not having any personally identifiable information, not having any sensitive information."
According to Dykes, NebuAd uses a one-way hash to anonymize each user's IP address, and all that search and surfing data is merely used to place users in certain advertising categories. One category might include web surfers looking for luxury cars, Dykes once told us, and another might pool people researching French vacations.
But NebuAd is still tracking all your search and browsing activity. And it looks like this data is shuttled to its servers even if you opt out.
Plus, the opt-out is cookie-based. And that "robust notice" bit is just talk.
At the moment, NebuAd says partners are required to notify users via email or letter or some extra words in their billing statements. But it seems that even these low standards haven't always been met. Back in April, Knology was notifying users with no more than a paragraph posted to its web site. And when we asked whether it should provide more direct notice, it said "We're still in that test mode. Long term, we don't know how that will play out."
After continued public pressure from Markey and his Congressional cohorts, Dykes now says that NebuAd will remove the cookie from its opt-out. And it's working on a system that would notify users with messages lobbed onto their web browsers. But again, these would just be messages. There wouldn't be a button where you actually give your consent.
What Dykes didn't say during today's hearing is that if NebuAd is opt-in only, relatively few will likely give their consent - and the company will struggle to pull in the dough.
But at one point, Congressman Greg Walden called him out. "You're in this business to make money," Walden said. "Aren't you betting that there are going to be consumers who ignore the notices or don't understand them?"
Dykes answered by saying that more than half the net is propped up by ad dollars. "It's a legitimate desire on the part of [ISPs] to increase the amount of ad dollars they receive to help fund the internet," he said. "This is a way to do it - with really robust privacy controls."
"Wouldn't the most robust privacy control be an opt-in?" Walden replied.
Naturally, Dykes answered the question without answering. ®
This was a hearing about NebuAd. But blogger and ISP advocate Scott Cleland was on hand to remind Markey and crew that the world is plagued by other privacy concerns.
"Let's consider the depth and breadth of the intimate information that Google already collects on you," he said. "Everything you search for. Everywhere you go on the web. What you watch through YouTube. What you read through Google News, Feedburner, and Blogger. What you say in your emails. What you produce in Google Docs. What your family and friends look like through Picasa. Your medical conditions and history through Google Health. Your purchase habits through Checkout. Your call habits and voice prints through Google Talk. Your travel habits and interests via Google Maps. Your interest in places through Google Earth and Street View. Your personal information through Orkut, Gmail, Checkout, and others. Where you hang out, which will come through Android. Where you'll be or where you were through Google Calendar."
Cleland compares the Mountain View outfit to a famous American cross-dresser. "Just like former FBI director J. Edgar Hoover was corrupted by his power and mastery of personally sensitive information, Google's unprecedented arbitrage of privacy law, combined with its exceptional lack of accountability, is fast creating this era's privacy-invading unaccountable equivalent which I call J. Edgar Google."
This doesn't forgive NebuAd. And we question Mr. Cleland's way with words. But it's a point worth making.