Friday, July 18, 2008
NebuAD CEO defends web tracking-US lawmaker wants consent required for Web-tracking
Internet providers should be required to get their customers' permission before the companies are allowed to track their online visits, a key House lawmaker said on Thursday.
Democratic Rep. Edward Markey, chairman of the House subcommittee on telecommunications and the Internet, said broadband network operators should have to get "opt-in" permission from customers before using sophisticated technology that can track their movements online.
Markey cited the sophistication of the technology being used, known as deep-packet inspection, as well as the technology's capability and the obvious sensitivity of the personal information that can be gleaned from a consumer's Web use in backing the opt-in requirement. His comments came in a prepared statement at a subcommittee hearing on Thursday.
Deep-packet inspection, or DPI, has sparked privacy concerns among some lawmakers and consumer advocates. Those concerns were sharpened earlier this year when cable company Charter Communications (CHTR.O: Quote, Profile, Research) disclosed plans for a pilot program, in partnership with an advertising company called NebuAd, to track customers.
Charter said the service would be anonymous and would not collect or use any information that identifies individuals. It has pledged to protect customers' privacy and said they would be allowed to opt out of the program. But Charter later put the program on hold because of the privacy concerns.
NebuAd's chief executive, Bob Dykes, testified at Thursday's hearing, telling lawmakers that the company's advertising network benefits consumers by serving them with more relevant online ads.
Dykes assured lawmakers on the subcommittee that NebuAd does not collect personally identifiable information about Web users or store "raw data" linked to individuals.
Dykes said NebuAd requires the Internet service providers it works with to provide "robust" disclosure notices and the chance to opt out of the service.
But Markey said network operators should be required to take an "opt-in" approach and that there should be no "monitoring or data interception" of customers who do not consent
In a Senate hearing on targeted advertising this morning that eventually devolved into conversations about post-nasal drip, Senator Byron Dorgan (D-ND) did get in one good shot at NebuAd, the controversial firm that hopes to harvest ISP traffic data on an opt-out basis to deliver more relevant ads. "Isn't that just wiretapping?" Dorgan asked. NebuAd's CEO looked a bit uncomfortable with the question. "My lawyers have told me we're in compliance with the law," he offered.
The issue of behavioral advertising has gained increased traction on Capitol Hill recently, thanks in no small part to NebuAd and its trial with cable operator Charter (now on hold). At issue is whether NebuAd's boxes can legally slurp up all that web traffic without a user's express consent. We noted yesterday that NebuAd insists its opt-out stance is a "breakthrough," but it's hard to see how; a real "breakthrough" would be making the service completely opt-in.
Robert Dykes, NebuAd's CEO, stressed repeatedly that his company uses one-way hashes to obscure IP addresses and that it collects no personally identifying information. Instead, NebuAd analyzes web page data and notes whether a user is interested in certain ad categories; if so, web companies that partner with NebuAd can deliver targeted ads in those areas of interest. So what's the problem?
Leslie Harris of the Center for Democracy and Technology countered that federal and state law are the problems. The Wiretap Act, she said, doesn't care if information is personally identifying or not; it cares only whether wire data is being intercepted, not whether the interception is "good" or "bad." In her view, if the interception happens without "affirmative, express consent," it may well be illegal. In addition, many state laws require two-party consent for this sort of thing, and no matter how much "notice" a company gives people, without consent, such practices could run afoul of these laws.
"Consumers are largely uncomfortable with the practice" of third parties riffling through their web traffic without consent," she said, but Dykes countered that his company was really helping ISPs to pay for bandwidth upgrades (though somehow they've managed to do so up until now without selling their users' traffic to third parties).
The Federal Trade Commission was also on hand to assure Congress that it was looking into the general issue of behavioral advertising, but its current plan is to let the industry regulate itself. Harris noted that a major industry effort, the Network Advertising Initiative, has been around for years, but only launched an overhaul of its best practices after the FTC began looking into the issue.
Google, which is hoping to join the NAI, had initially refused to slap a "privacy" link on its front page like most other members did, and only last week did it relent. With a Google attorney testifying today at the hearing, Congressional scrutiny likely had something to do with the decision; no one likes to show up before Congress only to face questions about why their company can put links to advertising and business opportunities on the home page, but can't find space for privacy.
A Microsoft lawyer at the hearing took the opportunity to make an oblique attack on Google, though, pointing out that Microsoft has had a clear link to its privacy on its home page "for several years."
Not every company in attendance was against federal privacy law in this area, but the general sentiment seemed to be in favor of self-regulation. Clyde Wayne Crews of the Competitive Enterprise Institute was on hand to tell the senators that regulation (in general, apparently) wasn't needed, since everything is regulated already by "furious consumers and shareholders." This assumes, of course, both information symmetry and a truly competitive market; certainly, neither bit of "regulation" has done much for cable TV, which routinely comes up at the bottom of consumer satisfaction surveys and has prices increase by a 100 percent a decade.
The ISP market in much of the country is in a similar position, usually with only a pair of decent options. If more than a few ISPs began adopting NebuAd-style behavioral advertising on an opt-out basis and consumers don't like it, there may be little they can do. Senator Dorgan took issue with Crews' point, saying that if it were taken to a logical extreme, we wouldn't need the FDA inspecting food, since people would just stop buying products that made them horribly ill.
As for information symmetry, Dorgan noted that neither he nor most consumers "have the foggiest idea" about what's being tracked, how long it's maintained, and what it's being used for. No pending legislation appears to be in the works, especially with a few months until a new Congress, and most senators seemed inclined to wait for the FTC to conclude its own work on behavioral advertising in the next few months before visiting the issue seriously.