dslreports logo
site
spacer

spacer
 
   
spc
story category
Ask DSLReports.com: What Is NebuAD?
The CEO tries to ease your privacy worries, explains Fair Eagle
by Karl Bode 01:02PM Tuesday Feb 12 2008
When it comes to the online advertising industry, consumers aren't exactly a trusting bunch. That's understood, given the laundry list of companies that have treated user PCs like a battlefield and used consumer privacy as a punching bag. So when a company by the name of NebuAD stated they'd be deploying a new hardware device within ISP networks that would track user behavior, consumers got nervous.

Consumer nerves weren't exactly soothed when reports emerged that in addition to using surveillance hardware to monitor your browsing habits, the company was also involved in an ad injection system that allowed ISPs to insert their own ads into websites (regardless of the existing advertising deals struck between webmaster and other advertisers). We spoke to NebuAD CEO Bob Dykes to find out just what the company had planned, and whether we should be terrified.

Click for full size
According to Dykes, the company is working with "Multiple tens of ISPs," who have installed, free of charge, deep packet inspection hardware on the ISP network. Deep packet inspection hardware, as the name suggests, analyzes the data and/or header part of a packet, and can track data type based on any number of pre-set criteria.

Originally designed for security purposes, DPI recently found new life in both NebuAD's implementation and in implementation by ISPs as a way to identify and throttle p2p traffic. Deep Packet Inspection is also expected to be at the heart of AT&T's proposed piracy filters.

NebuAD's hardware (each device can handle 10-30k users) tracks every website an ISP user visits, at what speed, and for how long. ISPs pay nothing, do nothing, and in return for the information, get checks mailed to them monthly. In an age where ISPs are terrified of being dumb pipe providers, and are trying to make an additional buck through everything from DNS redirection to car sales, such a user-invisible profit stream is going to prove hugely appealing.

Opting Out & Privacy


While that's certainly a nice deal for the ISPs, users are obviously concerned about the privacy implications. From all indications, NebuAD knows that in this age of malware, data leaks and warrantless wiretaps, they could easily sink if they don't make user privacy a priority. According to NebuAD, they're protecting your privacy by never actually handling any data that identifies you, as you.

Click for full size
Each piece of deep packet inspection hardware converts any key identifiers (such as IP address) to a one-way random number. The central servers at NebuAd then only receive this hash number, not the original identifiers. The company has a list of categories (e.g. Cars, SUV, Lexus) and notes if the hash number goes to a site, or performs a search, that is related to the category. If yes, it notes that interest mapped to the hash number.

This data is stripped of personal and personally identifiable information and held in aggregate only -- NebuAd does not take information from ISP data systems, and does not share any data with ISP's, so no data concentration occurs
-NebuAD
NebuAd doesn't map the URLs visited, just the user interest (think of it as a tick-mark against that interest). "NebuAd only maps qualifications for interest categories against the hash," spokesman Anthony Loredo tells us. "Interest categories are kept sufficiently broad to preclude personal identification -- there are no categories for subjects that are deemed too personal, such as sex."

To aggregate data, NebuAd converts the data into another random number and stores the URL visits in aggregate form. "Because of the second hash, it is never possible to deconstruct back to the original hash, or the original user," says Loredo. "This data is stripped of personal and personally identifiable information and held in aggregate only -- NebuAd does not take information from ISP data systems, and does not share any data with ISP's, so no data concentration occurs," he says. "ISPs are completely passive in our model."

Dykes says that the advertisements fired your way once this data is collected will also have limits, as in the company won't be watching your WebMD searches to send you ads for gout medication, nor will they be advertising to your personal porn preferences. "There are absolutely lines drawn," says Dykes. "The lines vary on where we are, but in the U.S., there's no sex ads and no medical condition ads."

When asked if NebuAd would find other uses for all of this user data, such as selling it to researchers or other industries, Dykes insists that "we don't sell data, we only sell advertising." As for the potential for data leaks, the company insists the data would be all but useless if it got into the hands of scammers.

The idea of tracking behavior via ISP hardware "certainly would give people some cause for alarm," admits CEO Dykes, though they say they've gone "out to extreme lengths" to make sure consumer identities aren't at risk. Dykes also ensures us that part of their contract with ISPs mandates that they clearly inform users if the ISP implements this new system, and gives them a clear and easy way to opt-out (something we'll be watching carefully).

Changing The Advertising Game & Fair Eagle


As for advertising, Dykes, who used to work for Juniper Networks, thinks his solution is going to change the advertising game. According to the CEO, his system gets around the bane of many Internet advertisers: cookie deletion. "The advertising industry believes that about forty percent of people delete the cookies about once a month," notes Dykes. But the most obvious perk is the ability to more specifically target ads based on interest.

"We can see not only that you went to a travel site, but we can see what types of vacations you're looking for," he says. "That's just impossible with a cookie based network today. We have much greater depth of interest, and as a result we have about eight hundred potential categories for advertisers, whereas today all of the other networks have between twenty and forty."


But what about the company's intrusive Fair Eagle project? Texas-based ISP Redmoon managed to annoy the entire Internet after they began forcing ads atop existing advertising arrangements. ISP users were not informed, nor were they allowed to opt-out. Dykes insists to us that, at least in the format that first caught our eye, the project is no more.

"Earlier in our exploration of advertising alternatives, we had explored with Free Wi-Fi operators the notion that occasional pop-up advertisements were more appealing to users than having their web browser "framed" to a smaller size, with a permanent banner ad filling the top of the screen," says Dykes. "It was accidentally deployed by a wireline provider for a very brief time without our knowledge. We have discontinued that offering."

The company is not injecting ads over existing advertising relationships, though there are companies who are.

From our conversations with the company, it's pretty clear that NebuAD realizes they can't do business unless they place a priority on user privacy and security. However, given how invisible the whole process is, it's virtually impossible to gauge this independently. NebuAD says they're working with "multiple tens of ISPs" -- but we've yet to hear a peep from any of these providers -- who likely don't want the PR fallout from tracking user activity.

Do us a favor: keep a close eye on your privacy policy and tell us if your ISP mentions the use of NebuAD systems. We'd be curious to get your feedback on which ISPs are using the system (NebuAD wouldn't say), how transparent these providers are being about it, and how easy opt-out procedures are.


99 comments .. click to read

Recommended comments




Dogfather
Premium
join:2007-12-26
Laguna Hills, CA

4 edits

2 recommendations

reply to dbmaven

Re: Ad injection is copyright infringement

said by dbmaven:

A general comment to several people who got 'stalled' on the ad inject piece.

Said in the article:

The company is not injecting ads over existing advertising relationships, though there are companies who are.

What part of "not injecting ads" seems to be causing the difficulty??
Because it's a total lie. They WERE injecting ads.

quote:
Consumer nerves weren't exactly soothed when reports emerged that in addition to using surveillance hardware to monitor your browsing habits, the company was also involved in an ad injection system that allowed ISPs to insert their own ads into websites (regardless of the existing advertising deals struck between webmaster and other advertisers).
And this

»ISPs Injecting Their Content Into Websites

Nebuad was actively testing ad injection and according to reports WAS IN USE by some small ISPs although now they claim it was an accident. Yeah right.

quote:
Perftech's tool has some similarity to an ad-injecting system being tested by NebuAd, which is now being used by smaller operators like Texas's Redmoon.
They've done it. That fact is not in dispute. Where the ads are placed is irrelevant. The fact that they modify copyrighted HTTP code to inject the ad (so that browsers render the ads) is completely relevant.

Now they're trying to do damage control to prevent the inevitable PR nightmare any ISP (like Rogers) would face if they dare implemented such a system.

»benanderson.net/blog/weblog.php?id=D20070622

I don't trust anything they now claim.