Thursday, June 19, 2008

Death of ISP based Behavioral Targeting?

Last month Charter Communications, an internet service provider (ISP), announced that it will share it's customers web browsing data with NebuAd, to show ads based on customer’s web browsing behavior. NebuAd has developed a product know as “deep-packet inspection boxes” for ISP to track user behavior online and then serve ads based on these behaviors.

Since announcement, Charter Communications have come under pressure from privacy advocates and Congress. According to an article in Mediapost, Charter Communications has now delayed its plans to start sharing information with NebuAd.

I wrote a blog post on NebuAd when I first heard about it. In that post I talked about the privacy issues that ISP based BT raises.There has been a lot of concern regarding privacy of user when it comes to Behavioral Targeting. ISP based BT raises this concern to even a higher level.

I wrote: "This kind of technology is beyond simply using anonymous tracking. ISP do have a lot more information than just the browsing behavior. They have name, location, age, social security number (SSN). They know what time users login to their machine, when is the internet being used, what kind of sites are visited at what times, which sites provided information before a user made a purchase etc. etc. This is far more information than companies like Revenue Science or Tacoda has."

In response to my post I got the following response from NebuAd:

"Below are a couple of quick points from NebuAd’s CEO Bob Dykes to explain and clarify some of the information.

There is no information shard between NebuAd and the ISPs - the only involvement between the two is the agreement that lets NebuAd place the appliance in the ISPs network. To further ensure privacy, NebuAd does not collect the websites visited and map those back to the specific user. Instead it converts, via an appliance located in the ISPs network, the key user identifiers, such as IP addresses, to a one way random number so that the central servers see this and not the original identifier.

NebuAd works by listing categories (e.g. “Cars – SUV – Lexus”) and noting if random number goes to a site, or perform a search, that is related to the category. If yes, then it notes that interest mapped to the random number, but do not map the URL’s visited, just the interest. This is why, since it doesn’t even have the info on sites visited, there's no mechanism to map the random number to specific URLs

Since NebuAd and the partner ISPs do not exchange data, the ISPs do not see the categories each random number visits, and NebuAd does not receive specific customer information, so there is no way for either NebuAd or the ISPs to match specific customer information with even the categories of information associated with the randomized numbers. NebuAd also does not retain the raw data mapped back to the anonymous user profiles."

However, Free Press conducted an investigation of NebuAd technology and tracking and concluded

“that NebuAd’s advertising hardware monitors, intercepts and modifies the contents of Internet packets using Transmission
Control Protocol on Internet Protocol (TCP/IP). In doing so, NebuAd commandeers users’ Web browsers and collects uniquely identifying tracking cookies to facilitate its advertising model. Apparently, neither the consumers nor the affected Web sites have actual knowledge of NebuAd’s interceptions and modifications.

NebuAd exploits several forms of “attack” on users’ and applications’ security, the use of which has always generated considerable controversy and user condemnation, including browser hijacking, cross-site scripting and man-in-the-middle attacks. These practices -- committed upon users with the paid-for cooperation of ISPs -- violate several fundamental expectations of Internet privacy, security and standards-based interoperability. Moreover, NebuAd violates the Internet Engineering Task Force (IETF) standards that created today’s Internet where the network operators transmit packets between end users without inspecting or interfering with them. For example, the TCP protocol would normally not accept code from a source that is a third party from the client-server connection. NebuAd engages in packet forgery to trick a user’s computer into accepting data and Web page changes from a third party like NebuAd."

In March, three British ISPs got into a similar controversy and now NebuAd.

Is this the death of ISP based behavioral targeting before it even got started?

We will have to wait and see. For now, it looks like that for ISP based behavioral targeting to live it will have to prove that it is not doing anything sinister. I have said time and again that BT companies should ask explicit permission from user i.e. they should ask them to opt-in instead of automatically opting them in.

What do you think?

Looking to fill your Web Analytics or Online Marketing position?
Try WebAnalytics360 Job Board

New Positions
1. Director, Web/E-Commerce Analytics at World Wrestling Entertainment, INC (Stamford, Connecticut)
2. Sr. Web Analytics Manager at NY Times Company (New York, New York)

No comments:

Post a Comment

I would like to hear your comments and questions.