Original URL: https://www.theregister.com/2008/10/08/hitwise_compete_and_isps/

Hitwise and Compete: the user data ISPs do sell

Data pimping it old school

By Cade Metz

Posted in Networks, 8th October 2008 08:29 GMT

Testifying before Congress last month, three of America's four largest ISPs said they wouldn’t sell customer data to the likes of Phorm and NebuAd without getting consent. And the press applauded. But no one thought to ask one more question: Are they selling customer data to anyone else?

Addressing the Senate Commerce committee, AT&T, Time Warner, and Verizon said they do not engage in so-called behavioral ad targeting - and they would never do such a thing unless their customers gave the A-OK.

"Any technology that is used to track and collect customer online behavior for the purposes of targeting advertising - regardless of which company is doing the collecting - should only be used with the customer's knowledge and consent," Verizon executive vice president Thomas Tauke told the committee.

In other words, these ISP behemoths insisted they don't sell data to Phorm, NebuAd, Front Porch, or any other outfit that operates along similar lines - echoing words they tossed at House Telecommunications and the Internet Subcommittee this summer.

But amidst the ongoing controversy over ISP-level behavioral advertising - both in the US and in the UK - the world has forgotten that ISPs were already selling customer data to outside operations, including "web analytics" outfits like Hitwise and Compete. Hitwise traffic monitoring software sits inside 30 ISPs across the globe, tracking the online behavior of 25 million people, while Compete collects web user data from twenty ISPs or ASPs in the US.

According to year-old talk from former Compete CTO David Cancel, the company pays ISPs roughly 40 cents a month for each user's clickstream.

With Phorm and NebuAd, the problem wasn't that they were serving ads. The problem was that ISPs were passing them customer search and browsing data without necessarily getting consent. Hitwise and Compete are certainly buying data. The questions is whether they're getting consent - and whether the data can be traced back to individual users.

The word from Hitwise and Compete

Compete says its ISPs partners always get consent from users. "We have twenty partners who we work with that we won't do business with unless they have permission," Compete vice president and chief marketing officer told The Reg. But due to contractual reasons, he wouldn't say who the ISPs are, and he wouldn't say how consent is given. Consent may mean a sentence or two buried in the ISP's terms of service.

Meanwhile, Hitwise won't say whether its ISPs get consent or not. "We cannot speak on behalf of our ISP partners’ businesses," the company told us. "This isn't to say that ISPs don't notify users, but it's our company policy never to comment on partners' business activities."

Both companies also say that all data is anonymized before it leaves the ISP. "We have clickstreams on individual users which come in with a unique user identifier, so that they are anonymous users with anonymous identifiers that are persistent over time," Compete's DiMarco said.

Hitwise put it like this: "Hitwise does not receive raw data from its data partners. Our data partners send us anonymized and aggregated information after they have already processed and anonymized it using proprietary software. No data sent to Hitwise can be used to track back to an identifiable individual."

Of course, AOL has shown that if anonymized user data escapes into the wild, it isn't necessarily anonymous. When we pointed this out to DiMarco, he said: "I can't speak to an AOL example. But our reports don't generate names. They're not technically capable of generating names." Compete also said that when it shares stats with other companies, the data is aggregated in such a way that users cannot be identified.

Define Anonymous...

We asked both companies to supply us with samples of their anonymized data, so we could could judge its anonymousness for ourselves. But Compete declined, saying this would violate its privacy policy, and Hitwise did not answer.

There have also been rumblings that Hitwise has developed a system that serves up ads or otherwise customizes web pages based on user traffic, but the company says it is "not in the behavioral targeting business."

Of the three big-name ISPs that testified before Congress last month, Time Warner Cable and Verizon told us they do not sell customer data to any outside firms. Time Warner said this matter-of-factly.

A Verizon spokesman said: "We do not sell customer proprietary information in any case that I can think of...To your question about [whether we are] tracking customer behavior on the 'Net, the answer is 'no'."

AT&T did not respond to our request for comment. But the company's privacy policy states: "We may disclose aggregated information to third parties including advertisers, content providers, market research companies and other organizations."

As when Hitwise uses the word, it's unclear what "aggregated" really means. Does it mean that the data isn't gathered in real time? Or that the data describes groups of users? Can outside firms zero in on the clickstreams of individuals and/or small groups? Or not? Is this practice all that different from what NebuAd was doing? Or is it pretty much the same? ®