June 22, 2008

NebuAd uses spyware practices to track users

By TJ Kirchner





A recent report released by public interest groups Free Press and Public Knowledge brought to light the “spyware-like” practices of the NebuAd company. It has been paying ISPs to allow it to eavesdrop on traffic passing through their networks. In fact, it has been taking a more active approach, inserting packets that redirect users to NebuAd sites, which force them to download tracking cookies.

According to Wired, the author of the report, Robert Topolski, a former software testing professional for Intel and Quarterdeck, compared the company’s behavior to man-in-the-middle attacks and cross-site scripting, two common hacking practices. He argued that it violated internet protocols, since traffic should originate from end devices, and that NebuAd shouldn’t have access to this information.

“NebuAd breaks the rules of acceptable behavior on the Internet,” Topolski said. “It monitors what you do and see on the internet, it breaks in and changes the contents of your private communications, it keeps track of what you’ve done and if you know that it’s happening, it’s impossible to opt out of it.”

According to the Los Angeles Times, some of the employees at NebuAd are former managers and CEOs of Claria Corp, a.k.a. Gator, the notorious spyware company. They include Scott Tavenner, the vice president of business development; Chuck Bilbert, senior product manager; Mike Millar, vice president of ad sales; Amy Auranicky, director of ad sales; and Jeannie Houwelingis, vice president of ad services.

NebuAd refuses to comment on its technology, how much data is stored, access to user profiles, or on the report by Topolski.

The company did, however, mention an opt-out program that users could use to delete their profiles and opt out of the system. Unfortunately, it was unwilling to elaborate on the process. In addition, in a Wired comment, Topolski said that, “as has been mentioned several times in the press, the Opt-Out is immediately canceled once a user routinely deletes cookies, installs certain security software, uses a different browser, or switches computers.”

Tracking users anonymously through cookies is not a new concept. DoubleClick, one of the biggest ad-serving companies in the world, uses this same technology to draw information from users who visit its sites. To make matters worse, in April 2007, it was acquired by the world’s leading search engine company, Google.

What makes NebuAd different is how it goes about tracking users. You’re tracked by DoubleClick whenever you visit websites with its ads on them. NebuAd, by contrast, uses packet inspection and insertion to track users and force them to download its cookies whenever their traffic enters a partnered ISP network, like WOW. That’s what violates internet standards and why it’s wrong.


    3 Responses to “NebuAd uses spyware practices to track users”

    1. Robb Topolski:

      Hi TJ,

      Very good article.

      I also make a comparison between NebuAd and DoubleClick in my paper. One thing that I learned in my research about this case is that DoubleClick quit its user-profiling efforts several years ago.

      DoubleClick’s cookie, like NebuAd’s cookie, is used to track individual users. But the similarities end there, since 2002.

      Unlike NebuAd, DoubleClick today doesn’t build an interest profile on its users. DoubleClick does track which ads a user has seen and the cookie helps DoubleClick advertisers show their ads in a sequence.

      NebuAd chooses its ads based on what it thinks the users’ interests are by eavesdropping on the user’s Internet service.

      By comparison, DoubleClick shows ads about cars on sites about cars, and may show ads about hotels on sites about travel. Google has also told me that DoubleClick’s “tracking” cookie intelligence is owned and controlled by the advertiser for use in their campaign.

      My focus was primarily on the technical aspects of how NebuAd’s cookie injection occurs. How it uses the cookies was secondary to my report. How DoubleClick uses cookies or profiles was likewise not the primary focus of my report, but I do believe that DoubleClick today does not create or use user interest profiles for targeted advertising.

      Robb Topolski

    2. JB:

      Which ISPs have customer agreements that allow them to do this? Any of the big ones?

    3. TJ Kirchner:

      Thanks for the clarification, Robb. I read the executive summary in your report, so I didn’t see the part where you discussed DoubleClick. I just remembered that DoubleClick used to do user profiling across sites using cookie tracking before they were acquired by Google. I’m glad to hear things are better now and they don’t generate interest profiles. Thanks again :)

      To answer your question JB, I believe the companies are WOW!, Embarq, Broadstripe, CenturyTel and Metro Provider. They’re not the giants like Verizon, Comcast, and AOL, but they’re still reputable ISP companies.
