May 30, 2008
Doublespeak, Technical, Utter BS
No Comments
Wired is back with another great article, this time about Charter’s partner-in-crime NebuAD. Everything about this company just oozes sleaze. Just look at their website. It’s not inviting or inventive, it’s just a blob. And wait until you see some of these quotes.
From the article:
“NebuAd does not overlay ads, inject ads or otherwise alter ads that are already displayed on a publisher’s web site,” [vice president of marketing Janet] McGraw said. “Observers should not infer from any patent how our business actually operates.”
Oh, so you’re going to team up with Charter to monitor us in a super secret way that has nothing to do with anything you’ve previously put on record? Thanks NebuAD, I feel so much better about my personal information being protected now.
McGraw says the company doesn’t need to read the cookie to respect the users’ opt-out request. The company has a way to create a unique identifier for each user based on information their browser sends with any request for a web page.
“This association is done by applying proprietary patent-pending user identification algorithms that make use of multiple elements of a browser request,” McGraw said in a written response to questions.
The company didn’t explain why it sets a cookie to begin with.
I’m starting to think that Janet McGraw went to the same school as Ted Schremp. “It doesn’t work like we said it did before, and it doesn’t work like Charter says it does. It’s something completely different, made from the breath of unicorns and programmed by elves in a far-off land.” How are we customers supposed to accept this program if the people running it can’t even pin down how it works? And where the hell do these companies find their marketing people?
THREAT LEVEL was unable to find a patent application for that system.
Wait, so you mean Janet McGraw, vice president of marketing for NebuAD and otherwise upstanding corporate citizen, was lying? You mean this system doesn’t completely protect every single aspect of my privacy despite its being kept completely secret? I didn’t know that companies were allowed to outright lie about how they protect customer privacy. I thought there were all sorts of laws about that.
NebuAd’s president Bob Dykes backed out of a planned interview with THREAT LEVEL last Tuesday, asking instead to answer written questions. Days later, McGraw provided some information related to a few of the questions, but declined to answer most on the grounds they related to NebuAd’s “proprietary technology.”
Oh, it’s proprietary. Now I understand. You can’t tell me how you’re spying on me because you’ve found an incredibly clever approach that you don’t want your competition to find out about. Never mind the fact that there are a relatively limited number of ways to accomplish IP wiretapping, all of which are widely published. We all believe you when you say you’ve come up with something completely new to do to a protocol which has been around for over 30 years.
McGraw did not respond to a follow-up email Wednesday asking for clarification of how the opt-out system worked and for answers to the original, non-technical questions. The questions the company refused to answer are below.
- How deep into packets are you going to extract urls? How does NebuAd know what a given url means? Are the urls manually reviewed, à la the early days of ask jeeves, or do you use some sort of spider tied to a classification algorithm? How does the system handle search engine queries?
- How does the opt-out system work with a cookie, given that NebuAd is a network appliance and can’t read the opt-out cookie unless the user goes to a specific site so that the cookie can be released and thus either read by Nebuad.com or read in the TCP stream? It seems that an ISP’s customers can opt out of the ads but not the monitoring? If that’s incorrect, please explain how the opt-out works. How does this system fit with the promises made on the NebuAd opt-out page?
- Why should an ISP’s customers want to allow your company to monitor their web usage?
- Is there anyone at the company with a background in privacy?
- If a customer wanted to see the profile NebuAd had built up about them, how would they do so?
- What external auditing has NebuAd had? Does the company plan to perform audits on an ongoing basis? Will any of those reports be public?
- Are your network boxes capable of injecting content into packets?
- What security measures does NebuAd take to lock down the network appliances and prevent NebuAd from being used for a Man-in-the-Middle attack?
- How long does NebuAd keep data?
This looks to me like a list of questions Congress needs to put in front of NebuAD. Heck, why not just let Ryan Singel do the questioning himself? He seems like a capable sort.
Does NebuAD sound like a company that you want snooping around in your web traffic? They don’t even know what they’re doing, and they certainly aren’t on the same page with Charter. Ultimately it is we the customer who should have the final say as to whether our activity is tracked, and we should be given every opportunity to review the methods by which it is accomplished.
May 24, 2008
Doublespeak
1 Comment
In what will be a shock to absolutely no one, oanow.com reports today that Charter Communications has placed dead last in a customer satisfaction survey conducted by the American Customer Satisfaction Index at the Ross School of Business at the University of Michigan. Charter’s efforts to improve customer service and win back the respect of their subscribers obviously failed miserably last year, because they actually scored lower this time around than the last by two percent.
Charter got beat by Time Warner, DirecTV, DISH Network, Cox, and even the Internal Revenue Service. The only company terrible enough to match Charter at the bottom of the heap was Comcast, whose employees will crash on your couch while waiting for their own internal support to answer their calls. Isn’t it exciting to know that such an inept company as Charter is giving you guarantees that your personal information will be kept safe as they bundle it up and sell it to advertising companies?
From the article:
Lynne Coker, director of governmental affairs for Charter Communications, said the report is not a clear picture of what’s going on with the company.
Coker said the report may be measuring customer satisfaction only in regard to cable services and not the increased bundled services — cable, phone and Internet — the company offers.
“As people take advantage of those bundled services, those numbers should improve,” Coker said.
Wow. This Lynne Coker must hold an advanced degree from the Ted Schremp School of Delusional Business Doublespeak.
May 23, 2008
Legal
No Comments
PrivacyDigest.com has an interesting article up today suggesting that individual sysadmins and other employees at Charter Communications who participate in the wiretapping program may themselves be committing felonies! I wonder if that means that Ted Schremp could go to jail too?
From the article:
These schemes all seem to violate the Wiretap Act, a federal statute banning eavesdropping that comes with criminal and civil penalties. That law has some exceptions for service providers to monitor content, but only when necessary to deliver service, or to protect the company’s “rights and property.”
In fact, Ohm thinks network system administrators could themselves be in legal trouble, just for following orders from their bosses to install monitoring devices.
“Not only is this a five-year felony, it also has individual accountability,” Ohm said. “The sys admin could be sued individually and prosecuted individually. If you are asked by your manager to go and do this kind of monitoring, you yourself may be legally exposed.”
What about call center workers? Could they all pick up jail time for repeating the company line on the matter too?
The legality of Charter’s snooping is not really even all that questionable. Most of the legal challenges are based on a law from 1984. In order for these monitoring programs to be legal we all have to believe that cable companies took 24 years to finally get around to reading that law and discovering that they could have been snooping on you all along!
Then again, given the intelligence displayed by the Charter management team such a thing just might be possible.
May 22, 2008
Opt-out, Technical
No Comments
Ever since I heard about Charter’s intention to capture my personal browsing habits and sell them to advertising companies, I’ve been looking for ways to protect my privacy against my own ISP. It’s not something any customer should have to do, and it says a lot about both Charter Communications and the elected representatives in the United States that we as customers find ourselves in this position.
Because of the specific manner in which Charter and NebuAD wiretap our connections, there is no way to route traffic around their snooping. We could use proxy servers, but there’s no guarantee that their deep packet inspection process couldn’t derive our intentions even from that. We could use encrypted proxies, but the average speed of a public encrypted proxy defeats the purpose of having broadband access anyway. We could just opt-out, but that’s a complete farce and would only give Adblock Plus new content to shut down. No, there just doesn’t seem to be a good technical way to get around Charter’s illegal monitoring program.
So why not just poison the data?
I’ve written a script which will access a random website, then randomly follow random links from that random website 30 times. It is called every minute by a second script, which launches several iterations of the poisoning process, running several instances of the poisoning script concurrently. The result is a quick burst of activity which will mask any legitimate traffic my wife or I put on Charter’s system. Since NebuAD has no way of telling the requests apart, the categorical interests which Charter and NebuAD assign to our household, and thus our advertising stream, will be completely useless to anyone.
It’s a shame that my only defense to being monitored by a private company in violation of several federal laws is to build a Linux workstation and script a custom solution. But that’s how it is, and until we either convince Charter to end their illegal wiretapping program or put them out of business, my Linux machine will visit thirty one web pages five times every minute.
That’s 155 pages per minute. 9,300 pages per hour. Over 220,000 pages per day.
You can download the poisoning script for yourself here. Feel free to modify and redistribute. If you find a way to significantly improve upon it, please send me a copy so that I can make it available.
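The random walk described in this post, sketched as an added example; it is not the downloadable script, and the sample pages, host names and function names are constructed for illustration. The fetch function is injected so the walk can be exercised offline against the sample pages before it is pointed at real seed sites with `http_fetch`.

```python
import random
from concurrent.futures import ThreadPoolExecutor
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.request import urlopen

# Constructed sample pages so the example runs offline (hypothetical hosts).
SAMPLE_SITE = {
    "http://news.example/": '<a href="/sports">Sports</a> <a href="http://shop.example/">Shop</a>',
    "http://news.example/sports": '<a href="/">Home</a> <a href="mailto:ed@news.example">Mail</a>',
    "http://shop.example/": "<p>No links on this page</p>",
}


def sample_fetch(url):
    """Stand-in for a network fetch: serve the constructed pages above."""
    return SAMPLE_SITE.get(url, "")


def http_fetch(url, timeout=10):
    """Real fetch for live use: read at most 512 KiB of the page."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read(512 * 1024).decode("utf-8", errors="replace")


class LinkParser(HTMLParser):
    """Collect the href of every <a> tag on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def extract_links(html, base_url):
    """Return the absolute http(s) links in html, resolved against base_url."""
    parser = LinkParser()
    parser.feed(html)
    links = []
    for href in parser.hrefs:
        url = urljoin(base_url, href).split("#", 1)[0]
        if urlparse(url).scheme in ("http", "https") and url not in links:
            links.append(url)
    return links


def random_walk(seeds, fetch, hops=30, rng=None):
    """Visit a random seed, then follow `hops` random links; return the URLs visited.

    A page that fails to load or has no usable links sends the walk back to a
    random seed, so every run makes exactly hops + 1 requests.
    """
    rng = rng or random.Random()
    url = rng.choice(seeds)
    visited = []
    for _ in range(hops + 1):
        visited.append(url)
        try:
            links = extract_links(fetch(url), url)
        except (OSError, ValueError):  # network error, timeout, bad URL
            links = []
        url = rng.choice(links) if links else rng.choice(seeds)
    return visited


def burst(seeds, fetch, walkers=5, hops=30):
    """Run several walks concurrently: one burst, to be scheduled once a minute."""
    with ThreadPoolExecutor(max_workers=walkers) as pool:
        futures = [pool.submit(random_walk, seeds, fetch, hops) for _ in range(walkers)]
        return [f.result() for f in futures]
```

With the defaults, one burst is five walks of thirty-one requests each, the 155 pages per minute quoted above.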
May 20, 2008
Legal, Opt-out, Technical
1 Comment
A letter I wrote to The Consumerist a few days ago was just published as an update to their previous coverage of Charter’s illegal wiretapping program. It’s good that they’re covering this, because Charter doesn’t seem to understand that their customers are pretty much universally pissed. Here’s my letter (areas highlighted by The Consumerist have been left as such):
Dear Consumerist,
I spent a long time last night looking into the way Charter is handling this program, and based on their own explanation it’s obvious that the cookie is not a “real” opt-out. Here’s why.
When a customer clicks a link, advertisement, or visits a page, Charter will capture the browsing data and send it to the third-party advertising provider. If Charter wanted to offer a functional opt-out, it would be at this deep-packet inspection level. They do not offer a way out of that service, however. The only thing they offer is the cookie-based solution you’ve previously covered, which merely tells the third-party organization not to match the machine with the DPI-harvested data or deliver the advertising. Customer browsing is still being captured and is still being turned over regardless of anyone’s individual opt-out status, but the third party is just blocked from doing anything with it by the cookie.
I might also point out that by doing this Charter is explicitly requesting that their customers choose not to follow safe browsing best practices. Every modern browser available today has an option for clearing cookies when the browser is closed, and many people choose to take advantage of this practice, myself included. Charter is demanding that I and many others either fill out their form several dozen times per day (every time we open our browser) or specifically switch off browsing features intended to keep customers safe. Neither of these is acceptable, of course.
I am going to contact Charter’s executive team again this morning on the matter, as well as an attorney. I have not been notified of Charter’s changes through a letter or email, and learned about this program last night via other means. Having read through the Cable Privacy Act, which governs Charter’s use of personally identifiable information, I have discovered no fewer than three potential violations. Moreover, Charter is required by law to make any collected data available to its customers, so I would suggest that all Charter customers request their DPI browsing data on a daily basis, and file appropriate complaints when they fail to deliver it as required by law.
They’re not going to stop doing this until or unless they lose more money than they make on it. We have vehicles available to us to lose them vast sums of money on this project, if only the word gets out.
I did contact an attorney here in town, but he flat-out refused to consider the case. Maybe his being on the Chamber of Commerce, who bears partial responsibility for saddling myself and my neighbors with the scourge that is Charter Communications by granting them a monopoly, had something to do with his decision. Congress has since gotten involved, so I’m going to wait before I call another one. We might yet still get out of this without individual legal action being necessary.
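The cookie-scoping problem raised in the letter above, and in the list of questions NebuAd declined to answer, shown as an added example that is not from Charter, NebuAd or the original post. It uses Python's standard cookie jar as a stand-in for a browser; the opt-out host name, the cookie name and the browsing session are constructed assumptions.

```python
import time
import urllib.request
from http.cookiejar import Cookie, CookieJar

# Hypothetical host standing in for the ad network's opt-out site.
OPT_OUT_HOST = "optout.adnetwork.example"

# Constructed browsing session: one visit to the opt-out site, two elsewhere.
SESSION = [
    "http://optout.adnetwork.example/",
    "http://news.example/story",
    "http://shop.example/cart",
]


def opt_out_cookie(host=OPT_OUT_HOST, days=365):
    """Persistent opt-out cookie, scoped (like any cookie) to the host that set it."""
    return Cookie(
        version=0, name="optout", value="1",
        port=None, port_specified=False,
        domain=host, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=False, expires=int(time.time()) + days * 86400,
        discard=False, comment=None, comment_url=None, rest={},
    )


def cookie_on_the_wire(jar, url):
    """Cookie header a browser would attach to a plain-HTTP request for url.

    This header is the only view of the cookie store that a device sitting
    in the network path gets.
    """
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def observe_session(jar, urls):
    """For each requested URL, report whether the opt-out cookie was visible in it."""
    return {u: cookie_on_the_wire(jar, u) == "optout=1" for u in urls}


def close_browser(jar):
    """Model the 'clear cookies when the browser is closed' setting."""
    jar.clear()
```

Only the request to the opt-out host carries the cookie; requests to the other sites give an in-path appliance no opt-out signal, and after `close_browser` not even the first one does.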
May 17, 2008
Legal, Opt-out, Technical
No Comments
Wired has done a great job of covering Charter’s new anti-customer-privacy advertising initiative, but their offering today simply takes the cake. Chock full of technical information, Wired takes a deep look at the technology employed by NebuAD in their collusion with Charter to spy on everything we broadband subscribers do online.
From the article:
NebuAd’s appliance categorizes users and their interests, and then uses the data to customize ads on the internet. Charter says the device will not actively inject NebuAd’s advertising into web sessions, but rather NebuAd will provide the profile information to third-party advertisers already paying to place their ads on major websites.
So now we’re learning that Charter sells our information to NebuAD, who then makes it available to even more companies? At exactly what point is the customer’s privacy taken into consideration in this chain of events? Is it before or after the data gets sold to NebuAD, who has no legal obligation not to resell your habits to every data-mining house on the planet?
Charter’s own opt-out page is careful not to claim that opted-out users won’t be monitored, saying only that if a user “would like to opt-out of this process” an opt-out cookie means they “will no longer receive ads that are tailored to your web preferences, usage patterns and commercial interests.”
Indeed, it is possible that the cookie system works to prevent opted-out users from receiving the third-party ads, and it could stop NebuAd from sharing a user’s profile with third-party ad networks — assuming those networks include a NebuAd image file, or some other embedded code, in the ads they serve on the web. But NebuAd’s claim that you can opt-out of the surveillance itself remains unexplained.
But don’t worry. I’m sure Ted Schremp has six or seven different explanations he can offer on the matter, each one more puppy dog and rainbow than the last.
In all seriousness, Charter Communications commits a federal crime every time it collects data on a customer which isn’t used to enhance their service. They commit a second federal crime every time they sell our information without our express consent allowing them to do so. Once the information is in NebuAD’s hands, though, they can do whatever they want with it. They’re not explaining their opt-out system because, to be blunt, they’re not under any obligation to reveal anything at all about it. Charter is the one on the hook for committing the crimes, so why not just let them lie about it?
There are also lingering questions about whether NebuAd’s systems are as non-invasive as described. A patent application filed by the company in March 2007 describes a monitoring system that actually manipulates data packets and replaces advertisements on third-party websites with their own ads.
Finally, Charter gets company as NebuAD commits federal copyright violations!
The legality of eavesdropping on Americans’ internet usage also isn’t clear. The practice could violate anti-wiretapping law, according to recent analyses of the legality of academic internet research, because the law says an ISP is only allowed to monitor its customers for security reasons.
Could violate the law? If the law says that an ISP can only monitor customers for security reasons, but Charter monitors its customers in order to sell their surfing habits for increased profits, then how exactly is that a matter of “could”? If I’m not mistaken, that’s a pretty direct violation.
But why wait for the lawyers to settle that? Charter wants to monitor you now.
May 16, 2008
Legal
No Comments
Two House Representatives, Massachusetts Democrat Edward Markey and Texas Republican Joe Barton, have joined forces and asked Charter to put its spying program on hold! Citing privacy and legal concerns, they have requested that Charter freeze the program until its legality can be determined. Can anyone guess how that will turn out?
From the letter:
As you are likely aware, Section 631 of the Communications Act contains privacy provisions regarding cable operators. The legislative history of Section 631 of the Communications Act of 1934, which was added as part of the Cable Act of 1984, notes that “[c]able systems, particularly those with a “two-way” capability, have an enormous capacity to collect and store personally identifiable information about each cable subscriber.” and that “[s]ubscriber records from interactive systems can reveal details about bank transactions, shopping habits, political contributions, viewing habits and other significant personal decisions.” (see H.Conf.Rep. No. 102-862, 1992 U.S. Code Cong. And Adm. News 1275-76).
It sounds to me like these two just might get it, at least in part. What’s interesting is that Charter’s system is specifically designed to capture exactly the kind of things this letter mentions. Shopping habits are precisely what NebuAD needs to develop your personal advertising profile!
Hopefully Charter will recognize this as a real issue and freeze their program as requested. To be fair, however, we all know that it will only take a couple of suitcases full of cash for Markey and Barton to somehow find what Charter is doing perfectly legal again. The fight goes on.
The full letter is available here. Wired also has coverage here.
May 15, 2008
Doublespeak, Opt-out, Utter BS
No Comments
Ted Schremp, senior vice president of product management and strategy, is back again today with a second interview, this time with CNET’s Declan McCullagh. This time he claims that Charter’s program does not utilize deep packet inspection, and that their new “enhanced service” is no different than giving their customers faster broadband speeds at no additional cost.
From the article:
Q: If you’re conducting deep packet inspection, that means you know what data your customers are transferring. Are you going to look for evidence of copyright infringement, child pornography, and so on as well?
The enhanced advertising solution does not utilize deep packet inspection. It looks at URL level information only. That’s another point of misinformation on the Net.
Q: You’re saying that URL-level information is not deep packet?
Suffice it to say that we’re using URL-level information only.
Huh, so I guess all of those articles out there on every other technical site and in every other interview, including the patent data from NebuAD itself describing their deep packet inspection model, are only “misinformation” and isn’t really using deep packet inspection after all. Is it just me or does this Ted Schremp guy sound like he feasts on a big bowl of bullshit in the morning before he starts giving interviews just so his breath smells right for the occasion?
Q: If you’re getting a new stream of revenue from NebuAd, does that mean lower prices for your customers?
As we’ve gone into these pilots, we’ve conducted a series of focus groups to help us understand from their perspective, does this technology add value to their Internet experience, talk through privacy concerns, and so on. What our customers have shared with us is that they understand the fact that advertising is part of the Internet model. To the extent that fuels the economics behind the Internet, they understand that. They appreciate the notion that ads that are being served are attuned to their interests or potential interests.
We view it the same way as offering faster Internet speeds. This is no different. It’s about taking the latest technology and applying it as a way to be useful to our customers.
Schremp regularly talks about these focus groups, which must have been made up of hand-selected individuals chosen for their complete lack of understanding about the Internet, privacy, and technology. Based on the comments and articles I’ve seen, the only thing that Charter’s customers have confronted them with is negativity regarding this program. Of course Schremp has been programmed from birth to ignore negativity when presented with a better, less comprehensible company line, and proves once again in this interview that he is the perfect man to be selling this “enhancement” to Charter customers. It’s a wonder they aren’t actually raising prices over this.
And for the record, none of the Charter customers or technical service associates I’ve spoken with consider this on par with offering faster speeds. I don’t understand how spying on your customers, selling their private information to an advertising company, then lying through your teeth about how you’re going to collect, store, transmit, and secure their data is on par with bumping up your broadband rates. But then again I’m no Ted Schremp.
The key from our perspective is that we’re very customer-oriented in everything we do. The privacy concerns and the ability of our customers to opt-out and the fact that we’re talking today is indicative of that as well. We want to be very clear that they have a choice.
That’s great, Ted. Now exactly where can I exercise my choice not to be a part of your illegal wiretapping program?
May 15, 2008
Doublespeak, Opt-out
No Comments
Broadband Reports has a new article up about the NebuAD program too. It seems that everyone is getting in on the action now that Charter has made itself such a target for people concerned about online privacy. The article also addresses one of the many problems with the opt-out provided by Charter and NebuAD.
From the article:
Of course Charter’s FAQ on the service fails to inform customers that the cookie doesn’t stop them from tracking you, just from sending you personalized ads. Interestingly, Charter’s opt out form doesn’t bother to tell customers the name of the company (I assume it’s NebuAD, whose CEO I interviewed last February).
We know for sure that the company is indeed NebuAD. The article is also correct in that using the opt-out does not actually stop Charter from tapping your Internet connection, building an electronic dossier on your interests, then selling that information to NebuAD. Your request to be excluded from the system only impedes the advertising from actually being displayed in your browser. Behind the scenes, your privacy is still violated regardless of whether you opt out or not. Don’t count on Charter telling you that though. In this case, obscurity is their friend.
And although the story at Broadband Reports is short, there is one great gem at the very end:
Charter sells your browsing information for profit, while you get no reduction in service price and are forced to use an opt-out process that doesn’t entirely work. Sound like an enhanced online experience to you?
I couldn’t have put it any better myself.
May 15, 2008
Doublespeak, Legal, Opt-out, Utter BS
No Comments
The New York Times is running an online article by Saul Hansell about Charter’s snooping program, complete with an interview with Ted Schremp, senior VP for product management and strategy. What did Mr. Schremp have to say about his company collecting private data to be turned over to an advertising firm?
From the article:
He offered his personal view that the system was harmless and well within the norms of the Internet these days. “The mainstream Internet user is hugely aware of the fact that the fundamental economic model on the Internet is advertising,” he said. While some people object to targeted advertising systems like Google’s Gmail, which displays ads related to the text of e-mail users are reading, many others don’t.
First of all, Mr. Hansell doesn’t seem to understand the critical difference between Google’s advertising system, which collects user data and feeds it into a Google-owned and operated advertising algorithm, and Charter’s, which collects user data and sells it to an advertising company not otherwise associated with Charter’s customers. In the interest of clarification, let’s just simplify the comparison by saying that one is legal, and the other is not. Mr. Schremp is partly correct in his assertion that the fundamental economic model on the Internet does seem to be advertising, but that only goes for companies other than ISPs. For companies like Charter the economic model is very, very different. Google and other such services simply do not have the same level of access to a user’s interests and traffic, and are not responsible for facilitating a user’s actual connection to the Internet. Their model, quite simply, is advertising. Charter, on the other hand, does a poor enough job at fulfilling their own fundamental economic model, that being Internet access, that they have no business attempting to put themselves into competition with companies such as Google.
“All we are doing is, in an anonymous format, providing additional context to serve those ads. To the extent those ads are more meaningful to me as Ted Schremp, I will have a better Internet experience than the generic ads that are part of Yahoo and everything online.”
I want you to think about whether or not the advertisements you see on web pages are meaningful to you personally, and to ask yourself how much better your Internet experience would be if the advertisements you saw were more targeted to your interests. Now, is that worth letting your Internet provider monitor your every move to capture your habits, then sell that information to a company trying to convince you to buy things?
For those customers who disagree, Mr. Schremp said that Charter was offering the ability for them to choose not to be part of the system. I suggested that most privacy experts prefer opt-in systems where information isn’t collected until the user explicitly grants permission. He said that opt-out has become the norm for all targeting on the Internet.
Opt-out has become the norm because companies such as Charter have declared it to be the norm. It’s a lot easier to leave the majority of your customers in the dark about your programs and profit from their private information than to beg customers to let you make extra money from the content of their lives.
Mr. Schremp did acknowledge that raising revenue was a main goal for Charter in this: “We want to leverage technology in a way that makes sense for our economic model.”
Here’s the real reason this is happening. NebuAd is paying Charter “several dollars per subscriber a month,” and Charter could really use the money, seeing as their stock price recently dropped so low as to see them delisted by Nasdaq. It’s a shame that their management is so inept as to believe that the road to becoming profitable runs directly through the very privacy they’re required by federal law to protect.