NebuAD is as bad as we thought
June 19, 2008 9:12 am Doublespeak, Technical, Utter BSIt seems like everyone has a recent article on NebuAD’s technology, which was once thought to be simple deep packet inspection only. As it turns out, NebuAD is actually conducting browser hijacks and modifying packets. The legality of this kind of thing isn’t really questionable. NebuAD is actively engaged in criminal activity.
From the article at eWeek:
According to a new technical report (PDF) by Free Press and Public Knowledge, NebuAd uses special equipment that “monitors, intercepts and modifies the contents of Internet packets” as consumers go online. The report found that NebuAd inserts extra hidden code into users’ Web browsers that was not sent by the Web site being visited.
In turn, the code directs the browser to another site not requested or even seen by the consumer, where more hidden code is downloaded and executed to add more tracking cookies. Using the secretly collected information, NebuAd serves up ads based on the user’s browsing habits.
There have been concerns that NebuAD might modify packets or inject script. This comes on the heels of a report last week showing how a company providing the same kind of wiretapping in England is actually crashing people’s browsers. I wonder what the penalties are for modifying copyrighted content, spying illegally on users, then crashing a user’s browser. I guess it’ll all depend on how much cash Charter brings to the upcoming hearings.
What interests me even more about this revelation is that it completely negates NebuAD’s previous statements on anonymity. Even if Charter is handing NebuAD completely anonymous lumps of raw data, stripped of sensitive subjects and identifiable information, NebuAD can just use this data to redirect you to one of their sites in order to load your browser up full of additional tracking software not hindered by Charter’s anonymity attempts. With a few tracking cookies and a bit of javascript now and again NebuAD could conceivably build a personal dossier on every Charter customer, complete with names, emails, association, interests, and lifestyle choices.
From the article at Wired:
NebuAd has conceded that its boxes peer deep into internet packets to pull out URLs and search terms in order to classify each user’s interests. That profile is then used deliver tailored ads on various partner websites.
Wait a minute. Didn’t Charter’s Ted Schremp, senior vice president of product management and strategy, definitively say that this system did not use deep packet inspection? Why yes, he did, in an interview with CNET here. The exact quote, in fact, was:
“The enhanced advertising solution does not utilize deep packet inspection. It looks at URL level information only. That’s another point of misinformation on the Net.”
Misinformation? I guess you would know better than anyone else about that, Mr. Schremp. The only thing customers can be 100% sure about is the unending stream of complete and utter BS coming out of both Charter and NebuAD. Misinformation exists because it has been used as a tool by both of these companies to obfuscate the true nature of the technology being employed. Slowly but surely, however, the truth is coming out. And it’s not pretty, especially for NebuAD. They’ve been counting on their program running quietly behind the scenes and under the radar.
From the article at MediaPost:
NebuAd said in a statement Wednesday that it was “disappointed with the misleading characterization” of its company in the report. NebuAd stated that its technology is no different from that of other ad networks. “Similar to most ad networks, we place cookies on users’ machines … All ad networks use a small piece of code that is temporary and operates only within the security framework of the browser to invoke the placement of ad network cookies. The code NebuAd uses is no different, and is clearly demarcated outside of and does not modify any publisher code.”
These people are delusional. Their technology is “no different from that of other ad networks”?! Maybe the fact that their advertising is based on a constant stream of my personal information passing through their system makes it different. Maybe their access to each and every packet which comes or goes from my house makes it different. Maybe their injecting javascript and redirects into sites owned by other people makes it different. Maybe the fact that they refuse to disclose their technology makes it different. Maybe their lack of patents makes it different. Maybe the fact that it is nowhere near “anonymous” makes it different.
Sure, NebuAD uses a cookie just like every other advertising company out there, but there’s a lot more than just a cookie in play here. There are evil men (and women) working hard to profit from the personal lives of you and I. They’re willing to spy on us, wiretap us, and monitor our every communication to make a buck, and in the end the only thing we can be completely sure that we’re getting out of the deal is crashed browsers, stolen identities, broken websites, and violations of our right to free association.
Exactly what do we have to do to stop companies like NebuAD from spreading such terrible practices into the world? It really makes you wonder how some of these people live with themselves.
June 19th, 2008 at 6:16 pm
This is one of the best articles I’ve read on the subject. I especially like how you tied the different articles together. I also like that you caught the fib in the “The code NebuAd uses is no different.”
I’ve read a widely-spread rumor that employees (some say seven employees) of the former advertising company Gator are key employees in NebuAd. Indeed NebuAd started right about the time that Gator stopped, both are from Redwood City, and both had products that pushed all bounds of responsible advertising.
Could you perhaps research this rumor and cover it in a future article?
Thanks
Robb Topolski
(the author of the NebuAd technical report)
June 19th, 2008 at 7:19 pm
Robb,
I’ve not heard the Gator rumor, but if I come across anything I’ll definitely mention it here.
I’ve also read your report, which is the most informative thing I’ve seen yet on the matter. The only thing I’m left wondering is the end result of having this technology on tap. NebuAD’s code may start by making hashes and dropping IP addresses, and it even may protect a customer’s identity, but for how long? At what point do they decide tying a hash to a log on the script server is just another “enhanced service?” At what point do they then try to tie an email address to that IP? Then the IP to an address, then a name from the tax assessor , and so on. Next thing you know NebuAD has a full-on database, and all by using data they got legally from Charter.
It’s a total disaster. Your efforts are absolutely paramount in getting this stopped. Thank you for all of your hard work.
June 22nd, 2008 at 6:44 pm
I read the paper and I’m not impressed by Nebuad’s groundbreaking technology. They have, for the moment, seem to created nothing more than persistent cookies.
So far, denying Javascript pretty much kills their ad serving because it can’t drop any cookies tied to your “unique hash” and thus what information it knows about you goes unused.
However, I have to believe this is simply the first small step in further privacy infringements. I think Nebuad would much rather have it tied to something a bit more concrete, but the ISPs are worried about initial customer uproar, so they had to come up with this kludge. Given time, I’m sure that all parties will continue to whittle away at any appearance of anonymity and simply call it what it is: tracking what you do online and selling it to the highest bidder.
I hate to get into name calling, but this scheme is douche-baggery of the highest order. I work in the advertising industry and the big buzzword “behavioral advertising” has been thrown about for some time. The truth is that any time you start talking about the behavior of people, you’re pretty much helping yourself to a seat in their living room, their car or next to them when they enjoy their down time.
Online marketers are on a certain path to being in the same category as telemarketers; annoying, intrusive, inconsiderate and usually scammy.
Nebuad’s venture capital angels deserve to lose their investment as I’m sure the company won’t survive the public outcry.