Wired goes after NebuAD

May 30, 2008 5:03 am Jesse Doublespeak, Technical, Utter BS

Wired is back with another great article, this time about Charter’s partner-in-crime NebuAD. Everything about this company just oozes sleaze. Just look at their website. It’s not inviting or inventive, it’s just a blob. And wait until you see some of these quotes.

From the article:

“NebuAd does not overlay ads, inject ads or otherwise alter ads that are already displayed on a publisher’s web site,” [vice president of marketing Janet] McGraw said. “Observers should not infer from any patent how our business actually operates.”

Oh, so you’re going to team up with Charter to monitor us in a super secret way that has nothing to do with anything you’ve previously put on record? Thanks NebuAD, I feel so much better about my personal information being protected now.

McGraw says the company doesn’t need to read the cookie to respect the users’ opt-out request. The company has a way to create a unique identifier for each user based on information their browsers sends with any request for a web page.

“This association is done by applying proprietary patent-pending user identification algorithms that makes use of multiple elements of a browser request,” McGraw said in a written response to questions.

The company didn’t explain why it sets a cookie to begin with.

I’m starting to think that Janet McGraw went to the same school as Ted Schremp. “It doesn’t work like we said it did before, and it doesn’t work like Charter says it does. It’s something completely different, made from the breath of unicorns and programmed by elves in a far-off land.” How are we customers supposed to accept this program if the people running it can’t even pin down how it works? And where the hell do these companies find their marketing people?

THREAT LEVEL was unable to find a patent application for that system.

Wait, so you mean Janet McGraw, vice president of marketing for NebuAD and otherwise upstanding corporate citizen, was lying? You mean this system doesn’t completely protect every single aspect of my privacy despite its being kept completely secret? I didn’t know that companies were allowed to outright lie about how they protect customer privacy. I thought there were all sorts of laws about that.

NebuAd’s president Bob Dykes backed out of a planned interview with THREAT LEVEL last Tuesday, asking instead to answer written question. Days later, McGraw provided some information related to a few of the questions, but declined to answer most on the grounds they related to NebuAd’s “proprietary technology.”

Oh, it’s proprietary. Now I understand. You can’t tell me how you’re spying on me because you’ve found an incredibly clever approach that you don’t want your competition to find out about. Never mind the fact that there are a relatively limited number of ways to accomplish IP wiretapping, all of which are widely published. We all believe you when you say you’ve come up with something completely new to do to a protocol which has been around for over 30 years.

McGraw did not respond to a follow-up email Wednesday asking for clarification of how the opt-out system worked and for answers to the original, non-technical questions. The questions the company refused to answer are below.

  • How deep into packets are you going to extract urls? How does Nebuads know what a given url means? Are the urls manually reviewed, ala the early days of ask jeeves, or do you use some sort of spider tied to a classification algorithm? How does the system handle search engine queries?
  • How does opt-out system work with a cookie, given that NebuAd is a network appliance and can’t read the opt-out cookie unless the user goes to a specific site so that the cookie can be released and thus either read by Nebuad.com or read in the TCP stream. It seems that an ISP’s customers can opt out of the ads but not the monitoring? If that’s incorrect, please explain how the opt-out works? How does this system fit with the promises made on the NebuAd opt-out page?
  • Why should an ISP’s customers want to allow your company to monitor their web usage?
  • Is there anyone at the company with a background in privacy?
  • If a customer wanted to see the profile NebuAd had built up about them, how would they do so?
  • What exernal auditing has NebuAd had? Does the company plan to perform audits on an ongoing basis? Will any of those reports be public?
  • Are your network boxes capable of injecting content into packets?
  • What security measures does NebuAd take to lock down the network appliances and prevent NebuAd from being used for a Man-in-the-Middle attack?
  • How long does NebuAd keep data?

This looks to me like a list of questions Congress needs to put in front of NebuAD. Heck, why not just let Ryan Singel do the questioning himself? He seems like a capable sort.

Does NebuAD sound like a company that you want snooping around in your web traffic? They don’t even know what they’re doing, and they certainly aren’t on the same page with Charter. Ultimately it is we the customer who should have the final say as to whether our activity is tracked, and we should be given every opportunity to review the methods by which it is accomplished.

Leave a Comment

Your comment

You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.