When it comes to the online advertising industry, consumers aren't exactly a trusting bunch. That's understood, given the laundry list of companies that have treated user PCs like a battlefield and used consumer privacy as a punching bag. So when a company by the name of NebuAD stated they'd be deploying a new hardware device within ISP networks that would track user behavior, consumers got nervous.

Consumer nerves weren't exactly soothed when reports emerged that in addition to using surveillance hardware to monitor your browsing habits, the company was also involved in an ad injection system that allowed ISPs to insert their own ads into websites (regardless of the existing advertising deals struck between webmaster and other advertisers). We spoke to NebuAD CEO Bob Dykes to find out just what the company had planned, and whether we should be terrified.

According to Dykes, the company is working with "Multiple tens of ISPs," who have installed, free of charge, deep packet inspection hardware on the ISP network. Deep packet inspection hardware, as the name suggests, analyzes the data and/or header part of a packet, and can track data type based on any number of pre-set criteria.

Originally designed for security purposes, DPI recently found new life in both NebuAD's implementation and in implementation by ISPs as a way to identify and throttle p2p traffic. Deep Packet Inspection is also expected to be at the heart of AT&T's proposed piracy filters.

NebuAD's hardware (each device can handle 10-30k users) tracks every website an ISP user visits, at what speed, and for how long. ISPs pay nothing, do nothing, and in return for the information, get checks mailed to them monthly. In an age where ISPs are terrified of being dumb pipe providers, and are trying to make an additional buck through everything from DNS redirection to car sales, such a user-invisible profit stream is going to prove hugely appealing.


While that's certainly a nice deal for the ISPs, users are obviously concerned about the privacy implications. From all indications, NebuAD knows that in this age of malware, data leaks and warrantless wiretaps, they could easily sink if they don't make user privacy a priority. According to NebuAD, they're protecting your privacy by never actually handling any data that identifies you, as you.

Each piece of deep packet inspection hardware converts any key identifiers (such as IP address) to a one-way random number. The central servers at NebuAd then only receive this hash number, not the original identifiers. The company has a list of categories (e.g. Cars, SUV, Lexus) and notes if the hash number goes to a site, or performs a search, that is related to the category. If yes, it notes that interest mapped to the hash number.

This data is stripped of personal and personally identifiable information and held in aggregate only -- NebuAd does not take information from ISP data systems, and does not share any data with ISP's, so no data concentration occurs -NebuAD

NebuAd doesn't map the URLs visited, just the user interest (think of it as a tick-mark against that interest). "NebuAd only maps qualifications for interest categories against the hash," spokesman Anthony Loredo tells us. "Interest categories are kept sufficiently broad to preclude personal identification -- there are no categories for subjects that are deemed too personal, such as sex."

To aggregate data, NebuAd converts the data into another random number and stores the URL visits in aggregate form. "Because of the second hash, it is never possible to deconstruct back to the original hash, or the original user," says Loredo. "This data is stripped of personal and personally identifiable information and held in aggregate only -- NebuAd does not take information from ISP data systems, and does not share any data with ISP's, so no data concentration occurs," he says. "ISPs are completely passive in our model."

Dykes says that the advertisements fired your way once this data is collected will also have limits, as in the company won't be watching your WebMD searches to send you ads for gout medication, nor will they be advertising to your personal porn preferences. "There are absolutely lines drawn," says Dykes. "The lines vary on where we are, but in the U.S., there's no sex ads and no medical condition ads."

When asked if NebuAd would find other uses for all of this user data, such as selling it to researchers or other industries, Dykes insists that "we don't sell data, we only sell advertising." As for the potential for data leaks, the company insists the data would be all but useless if it got into the hands of scammers.

The idea of tracking behavior via ISP hardware "certainly would give people some cause for alarm," admits CEO Dykes, though they say they've gone "out to extreme lengths" to make sure consumer identities aren't at risk. Dykes also ensures us that part of their contract with ISPs mandates that they clearly inform users if the ISP implements this new system, and gives them a clear and easy way to opt-out (something we'll be watching carefully).


As for advertising, Dykes, who used to work for Juniper Networks, thinks his solution is going to change the advertising game. According to the CEO, his system gets around the bane of many Internet advertisers: cookie deletion. "The advertising industry believes that about forty percent of people delete the cookies about once a month," notes Dykes. But the most obvious perk is the ability to more specifically target ads based on interest.

"We can see not only that you went to a travel site, but we can see what types of vacations you're looking for," he says. "That's just impossible with a cookie based network today. We have much greater depth of interest, and as a result we have about eight hundred potential categories for advertisers, whereas today all of the other networks have between twenty and forty."

But what about the company's intrusive Fair Eagle project? Texas-based ISP Redmoon managed to annoy the entire Internet after they began forcing ads atop existing advertising arrangements. ISP users were not informed, nor were they allowed to opt-out. Dykes insists to us that, at least in the format that first caught our eye, the project is no more.

"Earlier in our exploration of advertising alternatives, we had explored with Free Wi-Fi operators the notion that occasional pop-up advertisements were more appealing to users than having their web browser "framed" to a smaller size, with a permanent banner ad filling the top of the screen," says Dykes. "It was accidentally deployed by a wireline provider for a very brief time without our knowledge. We have discontinued that offering."

The company is not injecting ads over existing advertising relationships, though there are companies who are.

From our conversations with the company, it's pretty clear that NebuAD realizes they can't do business unless they place a priority on user privacy and security. However, given how invisible the whole process is, it's virtually impossible to gauge this independently. NebuAD says they're working with "multiple tens of ISPs" -- but we've yet to hear a peep from any of these providers -- who likely don't want the PR fallout from tracking user activity.

Do us a favor: keep a close eye on your privacy policy and tell us if your ISP mentions the use of NebuAD systems. We'd be curious to get your feedback on which ISPs are using the system (NebuAD wouldn't say), how transparent these providers are being about it, and how easy opt-out procedures are.