09 July, 2008 05:35 PM EST
NebuAd, Phorm and Online Media Companies
Posted By: Andrew Frank, Research VP

The privacy controversy around NebuAd and Phorm, two companies that harvest ISP clickstream data to extract ad targeting capabilities, is heating up the U.S. Senate today, as hearings are held to review the companies' standing with respect to applicable privacy policies. NebuAd, which operates in the U.S., has come under fire from the privacy advocacy group Center for Democracy & Technology, while Phorm, operating in the U.K., has been similarly criticized by a computer scientist from Cambridge University. NebuAd and Phorm, for their parts, have issued strong and unequivocal defenses of their systems, which do go to considerable lengths to address privacy issues and can make some legitimate claims of superiority to existing practices in the elimination of personally identifiable information and data retention. These arguments have naturally spawned a great deal of passionate commentary in the blogosphere, focusing on issues of consumer privacy rights and opt-out mechanisms, a fray I will not enter here.

What has received much less attention is the orientation of these systems toward Web sites that sit at the other end of the consumer's Internet connection. Media companies that operate these Web sites, especially those considered "premier" that count on online advertising revenue to build real businesses, have at least as great a stake in this debate as consumers, and yet their applicable rights, if they have any, are seldom considered.

The specific issue here is the methods that NebuAd and Phorm use to attach their own cookies to Web domains visited by participating consumers. This is done, in essence, by redirecting Web site requests that don't already carry such cookies to a server of their own, which tricks the user's browser into accepting their cookie as though it were issued by the requested Web site, to which the user is subsequently again invisibly redirected. The ISP-based systems then scan the newly cookied Web sites for behavioral targeting indicators that can help them determine whether the visit is indicative of an affinity with a relevant targeting category. If so, the interest indicator is stored, anonymously. In any case, the specific data about the visit is discarded, a point these services reiterate emphatically.

Web sites can opt out of being scanned using a standard "robots.txt" file, which informs all Web crawlers which parts of a site may be indexed. However, it's unclear whether this mechanism allows Web site owners to selectively opt out of scanning by Phorm or NebuAd specifically, and if so, the method for doing so doesn't appear to be disclosed. Therefore, the default case seems to be this: if a Web site wishes to be indexed by Google and other search engines, it will also be indexed, and its usage data harvested, by these ISP-based networks.
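To make the robots.txt limitation concrete, here is an added example (not code from the original post, nor from Phorm or NebuAd) that runs Python's standard `urllib.robotparser` over two constructed robots.txt files. The user-agent token `HypotheticalScanner` is an assumption: the post notes that no token for selective opt-out appears to be disclosed, so the second file shows what a site owner is left with, a blanket `User-agent: *` denial that also shuts out every search engine not explicitly allowed.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: search engines allowed, one named scanner denied.
# "HypotheticalScanner" is an assumed token; a scanner that announces no
# token at all never matches this block and falls through to "User-agent: *".
SELECTIVE = """\
User-agent: Googlebot
Disallow:

User-agent: HypotheticalScanner
Disallow: /

User-agent: *
Disallow: /private/
"""

# Constructed robots.txt: the only way to stop an agent that does not identify
# itself is to deny everyone by default, then allow-list each crawler you want.
BLANKET = """\
User-agent: Googlebot
Disallow:

User-agent: *
Disallow: /
"""


def build_parser(robots_text: str) -> RobotFileParser:
    """Parse robots.txt text (already fetched) into a RobotFileParser."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp


def allowed(robots_text: str, user_agent: str, path: str) -> bool:
    """True if the named user agent may fetch `path` under this robots.txt."""
    return build_parser(robots_text).can_fetch(user_agent, path)


def effective_policy(robots_text: str, agents, path: str = "/") -> dict:
    """Map each agent name to whether it may fetch `path`, for side-by-side review."""
    return {agent: allowed(robots_text, agent, path) for agent in agents}


if __name__ == "__main__":
    agents = ["Googlebot", "Bingbot", "HypotheticalScanner", "UnnamedAgent"]
    print("selective:", effective_policy(SELECTIVE, agents))
    print("blanket:  ", effective_policy(BLANKET, agents))
```

Two things the output makes visible: a named block overrides the `*` block for that agent (Googlebot may fetch `/private/` under `SELECTIVE`), and an agent that never identifies itself is governed only by the `*` block, so the selective file does nothing to it. Either way robots.txt is advisory; it expresses the owner's intent to well-behaved crawlers and enforces nothing on its own.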

There are at least two reasons why Web site owners should care. First, these systems create a new form of third-party cookie that appears to a browser (and its privacy policies) as a first-party cookie. The cookie's status is thus a matter of interpretation, but could in principle violate the privacy policies of a site that specifically opts not to support third-party cookies as it seeks to establish a trusted relationship with its visitors, which is of particular sensitivity in areas like healthcare. The higher-level issue, however, is who (besides the consumer) should be able to profit from visiting a site? If site owners choose to participate in a behavioral targeting network, that's their choice. But if a new class of behavioral networks arises that extracts this information from a switch at the ISP level, then value is being explicitly tapped from the interaction without consideration for the site owners. The ISP-enabled networks may claim this is not a zero-sum game, that improvements in targeting efficiency can result in more revenue to go around, but it seems that if advertisers can get broader and better targeting results from ISP-based networks, they're likely to spend more with them and proportionately less with Web sites and networks that can't match the scale of a network fed by the traffic of multiple ISPs.
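The redirect-and-cookie mechanism described above, and the "third-party cookie that looks first-party" concern that follows from it, are things a site owner can check for from the visitor's side of the connection. The following is an added example, not code from the post or from either company: it assumes the owner of a hypothetical publisher domain `news.example` periodically loads their own pages through a consumer connection and records each request/response hop, and it flags (a) a redirect that takes a request for the site off to another host and (b) any cookie landing on the site's own domain whose name the site does not itself issue. The hop records and cookie names are constructed; the post gives the redirect mechanics only in outline, so the audit keys on those two observable symptoms rather than on any particular implementation.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical publisher domain and the cookie names the site itself issues.
SITE = "news.example"
KNOWN_COOKIES = {"sessionid", "consent"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Hop:
    """One request/response pair observed by the client while loading a page."""
    url: str                                     # URL the client requested
    status: int                                  # HTTP status of the response
    location: Optional[str] = None               # Location header, if redirected
    set_cookie: List[str] = field(default_factory=list)  # raw Set-Cookie values


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _on_site(host: str, site: str) -> bool:
    return host == site or host.endswith("." + site)


def cookie_names(raw_headers: List[str]) -> List[Tuple[str, str]]:
    """Parse raw Set-Cookie values into (name, Domain attribute or '') pairs."""
    out = []
    for raw in raw_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            out.append((name, morsel["domain"].lower()))
    return out


def audit_chain(hops: List[Hop], site: str = SITE, known=KNOWN_COOKIES):
    """Return findings as (kind, hop_index, detail) tuples; empty means clean."""
    findings = []
    for i, hop in enumerate(hops):
        host = _host(hop.url)
        # (a) a request for the site answered with a redirect to some other host
        if hop.status in REDIRECT_STATUSES and hop.location:
            target = _host(hop.location)
            if _on_site(host, site) and not _on_site(target, site):
                findings.append(("offsite_redirect", i, target))
        # (b) a cookie scoped to the site (explicitly or by the responding host)
        #     whose name is not one the site issues itself
        for name, domain in cookie_names(hop.set_cookie):
            effective = domain.lstrip(".") or host
            if _on_site(effective, site) and name not in known:
                findings.append(("unknown_site_cookie", i, name))
    return findings


def chain_is_clean(hops: List[Hop], site: str = SITE, known=KNOWN_COOKIES) -> bool:
    return not audit_chain(hops, site, known)


# Constructed observation: a plain page load with only the site's own cookie.
CLEAN_CHAIN = [
    Hop("http://news.example/article", 200, None,
        ["sessionid=abc123; Path=/; HttpOnly"]),
]

# Constructed observation: the request bounces through another host and comes
# back with an extra cookie on the site's domain. Hosts and values are made up.
SUSPICIOUS_CHAIN = [
    Hop("http://news.example/article", 302, "http://redirector.invalid/c?r=%2Farticle"),
    Hop("http://redirector.invalid/c?r=%2Farticle", 302, "http://news.example/article",
        ["isp_track=7f3a; Domain=redirector.invalid; Path=/"]),
    Hop("http://news.example/article", 200, None,
        ["isp_track=7f3a; Path=/", "sessionid=abc123; Path=/; HttpOnly"]),
]

if __name__ == "__main__":
    for label, chain in (("clean", CLEAN_CHAIN), ("suspicious", SUSPICIOUS_CHAIN)):
        print(label, "->", audit_chain(chain) or "no findings")
```

The allowlist of cookie names is the part that makes this useful: a site that knows exactly which cookies it sets can treat anything else on its domain as foreign, which is also the evidence it would want before raising the privacy-policy question the post describes. Running the check over plain HTTP matters; the off-site hop in the constructed chain is the kind of thing an in-path system can introduce only when the request is not encrypted end to end.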

Phorm, for its part, departs from NebuAd by using this data to seed an open ad exchange rather than simply using it in an arbitraged ad network. Domain owners can thus claim their inventory on the exchange and, Phorm argues, benefit from the enhanced targeting Phorm (and any other third parties) can provide. Yet, it's still an exchange seeded by data acquired without the domain owner's consent, which to some publishers is likely to feel coercive.

While NebuAd, Phorm and their ISP partners examine alternatives to cookies for opt-out and tracking, they also need to consider providing a clear, granular mechanism by which Web sites can control - and benefit more directly from - their participation. Online media companies and ad networks need to recognize that they have a clear stake in this, and to protect their interests, they need to make sure they have their own privacy house in order.

COMMENTS
10 July, 2008 02:48 PM EST
Very timely article. It's surprising that it's not getting much attention by privacy and security advocates at this point.

I just did a quick summary of the technology, privacy and security implications, based on Steve Gibson's thorough review of it in the Security Now podcast.

My article is at:
http://securityviews.com/bl...
28 July, 2008 05:00 AM EST
Phorm copies web site content on the fly, without first obtaining a licence from the copyright holder. Phorm then use that content to promote competitive products and services (effectively damaging the original author).

But further, it also gains marketing intelligence about the relationships between a company and its customers... it's a form of mass industrial espionage.

Robots.txt isn't the right answer; it's a denial mechanism (with presumed consent). What's required, to mimic copyright/wiretapping law, is an allow mechanism (with presumed denial). See http://www.parasitestxt.org for a (spoof) example.

In short, the effect of Phorm on ecommerce and the web will be profound if Governments and law enforcement don't intervene.

Expect to see widespread use of SSL encryption technology, expect content denied by some web sites to 'untrustworthy' ISPs, and a proliferation of copyright actions against ISPs.

And all because ISPs have decided to violate the privacy, security and integrity of internet comms.
28 July, 2008 07:48 AM EST
Midnight_Voice
Hey, you finally got there! This is just what we've been saying for weeks past; how does the website owner opt out of Phorm/NebuAd, rather than face their painstakingly crafted site being raked over for 'keywords' just so that some Phorm-aligned website in OIX, say, can benefit from this knowledge without having to do a stroke of work?

Well, as we've seen in the music business, sample my tune and use it on *your* recording, without permission, and you'll kiss goodbye to your royalties when I complain. So, Phorm or NebuAd, sample my website and look forward to my hefty bill for the use of my material - backed up by copyright infringement proceedings if you demur.

Or how about I detect the cookie you so impertinently forged for my site, and rewrite it as a non-expiring opt-out one? Make it a condition of the consumer coming on my site that (s)he accepts that? Doesn't affect Phorm/NebuAd anywhere else (that's up to other website owners to decide) but turns it off, selectively, for my domain.

I'm sure Google, Amazon, Microsoft and the other big boys have been thinking about these sorts of countermeasures, and it will be very interesting to see what they have in store....
