Thursday, July 17, 2008


How to Protect Your Privacy



American ISPs already sharing data with outside ad firms
Multiple American ISPs are sharing customer data with outside firms that deal in so-called behavioral ad targeting, and according to one of these firms, the Silicon Valley-based NebuAd, roughly 10 per cent of all US web surfers are affected.

These ad companies, which also include the Sonora, California-based Front Porch, won't say which ISPs have adopted their services. But two internet service providers, the Georgia-based Knology and the Sprint-spin-off Embarq, admit to using such platforms on a test basis, and according to multiple users who've posted their stories to Broadband Reports, NebuAd is tracking data on WOW!, an ISP serving the Chicago area.

Using deep-packet inspection hardware - similar to technologies used by anti-virus vendors - NebuAd tracks the search and browsing activity of net surfers. But it says this data is never matched to personally identifiable information.

"With a one-way hash, we turn your IP address and other data into an anonymous profile, and we use that to see if you qualify for innocuous categories," NebuAd CEO Bob Dykes told us. "We can track someone looking for a luxury car, not just a car - someone searching not just for travel but travel to the south of France or Las Vegas." NebuAd then uses this information as a means of targeting ads. And naturally, the ISPs take a cut of its profits.

Dykes - once chief financial officer at Symantec - also says that ISP customers are clearly notified before NebuAd begins tracking their behavior.

Ten per cent of all US net surfers
As reported by The Washington Post, NebuAd is tracking data from roughly 10 per cent of all US net surfers - though the company has already signed contracts that would broaden this scope. "We cover about 10 per cent today," Dykes told us. "But our contract could reach more than that."
Front Porch offers ISPs a service similar to NebuAd's, but it reaches little more than 100,000 US net surfers. Other operations that appear to be working on similar services include Adzilla and Project Rialto, a "stealth company" created by Alcatel-Lucent, but these firms did not respond to our interview requests. Yes, Front Porch and NebuAd are also doing something similar to Phorm - the behavioral advertising firm with controversial ties to three British ISPs: BT, Virgin Media, and Carphone Warehouse. And like Phorm, they're quick to play down the controversy. "Many customers are uneasy with the current status-quo," Front Porch CEO Zach Britton told us. "Our challenge, as an industry, is to communicate what is, and isn't transpiring. If successful, we will show that ISP-based behavioral targeting offers greater benefits and is less privacy invasive than typical Google searches. If not, the industry will be stillborn."

Ari Schwartz is the Vice President and Chief Operating Officer of the Center for Democracy and Technology (CDT). Schwartz's work focuses on increasing individual control over personal and public information. He promotes privacy protections in the digital age and expanding access to government information via the Internet. He regularly testifies before Congress and Executive Branch Agencies on these issues.

Schwartz also leads the Anti-Spyware Coalition (ASC), anti-spyware software companies, academics, and public interest groups dedicated to defeating spyware. In 2006, Schwartz won the RSA award for Excellence in Public Policy for his work building the ASC and other efforts against spyware. He was also named one of the Top 5 influential IT security thinkers of 2007 by Secure Computing Magazine.

Schwartz currently serves as a member of the Department of Commerce National Institute of Standards and Technology Information Security and Privacy Advisory Board and the State of Ohio Chief Privacy Officer Advisory Committee.








If these companies steer clear of personally identifiable information - and they insist they do - their services are perfectly legal in the US. But, says Ari Schwartz, chief operating officer of the Center for Democracy and Technology, the services may be "pushing the boundaries of what consumers expect". It all depends on whether these companies - and their ISP partners - are open about what they're doing.

"[These firms] are going to say they're not transferring any personal information, and all the US laws are based on personal information," Schwartz told us. "But there are some questions as to whether they're properly notifying people.

"There has to be an unavoidable notice for consumers," he continued. "We think that burying the information in the terms of service is clearly not enough." And he would prefer that these companies use an opt-in model - rather than an opt-out.

Like NebuAd, Front Porch insists that it properly notifies ISP customers. In the US, it has deployed its service on both residential ISPs and wireless hotspots. On the residential side, it says that users are notified via its very own browser-based "messaging system."

"We mandate that all our ISP partners ensure that 100 per cent of users understand what's going on and, secondly, that 100 per cent of users get the choice about whether they want to participate or not."

The company's notification screen looks something like this:

[Image: Front Porch notification screen]

Supplied by the company, this is a generic version of the screen - with 'insert logo here' used to indicate where the name of the participating ISP is posted. When it appears in a browser, users can bypass the screen by clicking on a link just above it, but the company says that if a user doesn't check 'yes' or 'no,' the screen will reappear at a later time.

Britton does acknowledge that the language on this screen changes from time to time - the 'yes' and the 'no' boxes might be reversed, for instance - but he insists that every user sees a screen like this.

On the hotspot side, things work a bit differently. The messaging service is not used. Instead, users are only notified from a lengthy terms of service that appears when they sign up - and there's no opt-out.

"If you're traveling through one of our airports or hotel chains or whatever, and it's offering free internet access, in that first page there's a clear part that says we will give you targeted advertising while you're on this network.

"This is a free service, so if you don't want targeted advertising, you just say no to the free access."

Meanwhile, NebuAd sent us a copy of its standard contract, where ISPs are required to "directly" notify customers. But Knology seems to contradict the company's definition of "directly." And although other ISPs, including WOW! and the Kansas-based Embarq, have added language to their terms of service indicating they're using a service like NebuAd's, it's unclear if they provide more direct notification.


Gov advisors: Phorm is illegal
The Foundation for Information Policy Research (FIPR), a leading government advisory group on internet issues, has written to the Information Commissioner arguing that Phorm's ad targeting system is illegal.

The accompanying announcement (pdf) explained how it envisaged its relationship with ISPs and their customers:

The company's business model revolves around distributing its PageSense technology to as many users as possible and showing users as many advertisements as possible, without causing negative reaction, to maximise response.

121Media currently acquires most of its users by integrating its PageSense Desktop technology with consumer software products known as distribution applications, which are offered free of charge to internet users in exchange for their permission to display advertisements.

PageSense Javascript can be embedded by a variety of partners, such as Internet Service Providers, serving pages to those connecting to the internet through them.

Sounds quite familiar, doesn't it? The difference between 121Media/Phorm and PeopleOnPage is that the newer company buys its targets direct from ISPs, rather than persuading people to download spyware.
Phorm is run by Kent Ertugrul, a serial entrepreneur whose past ventures include selling joyrides on Russian fighter jets. Previously, his most notable foray online was as the founder of PeopleOnPage, an ad network that operated earlier in the decade and which was blacklisted as spyware by the likes of Symantec and F-Secure.

Security firm F-Secure describes PeopleOnPage's software here.
It says: "The spyware collects a user's browsing habits and system information and sends it back to the ContextPlus servers. Targeted pop-up advertisements are displayed while browsing the web.
"Each installation is given a unique ID, which is sent to the ContextPlus server to request a pop-up advertisement." ContextPlus was the rootkit that PeopleOnPage used to harvest data and hide its presence.

The similarities between this business model and that which will be kicked off by Phorm in the coming months are striking.


Congress spotlights another American data pimper
Congressman Ed Markey - chair of the House Subcommittee on Telecommunications and the Internet - has called out another American ISP for pimping user data to NebuAd, the Phorm-like behavioral ad targeter.

Yesterday, Markey and fellow Congressional big-wigs John D. Dingell
(chairman of the House Committee on Energy and Commerce) and Joe Barton
(ranking member of the House Committee on Energy and Commerce) lobbed an
open letter at the Kansas-based Embarq Corporation, questioning the NebuAd
tests it ran this spring.

Using deep packet inspection, NebuAd tracks the search and browsing
activity of ISP users in an effort to target online advertisements. The
system is opt-out-based, and though Embarq updated its privacy policy to
reflect the tracking of user data during the trials, it's unclear whether
customers were provided with more direct notification.

"Surreptitiously tracking individual users' Internet activity cuts to the
heart of consumer privacy," reads a canned statement from Congressman
Markey. "The information collected through NebuAd's technology can be
highly personal and sensitive information. Embarq's apparent use of this
technology without directly notifying affected customers that their
activity was being tracked, collected, and analyzed raises serious privacy
red flags."

snip

With their open letter, the Congressmen toss nine pointed questions at the
Sprint-spin-off, hoping to understand how those NebuAd trials were
conducted. Embarq has not said where the trials took place or how many
users were affected.

Markey and crew can't help but wonder whether those trials ran afoul of the Communications Act of 1934, the Cable Act of 1984, the Electronic Communications Privacy Act, and other wiretapping-related US statutes. In May, Markey and Barton sent a similar letter to the midwestern ISP Charter Communications, and early tomorrow morning, Markey's Subcommittee on Telecommunications and the Internet will convene for a hearing entitled "What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies."
snip

Another ISP Suspends NebuAD Trials
CenturyTel suspends trials in face of Congressional inquiry...

On the heels of Charter's decision last week to suspend their use of NebuAD user tracking ad technology, I'm seeing hints that CenturyTel may be doing the same thing. In addition to reworking their privacy page, the company is e-mailing customers who ask to inform them that plans to implement the gear have been "delayed." Carriers are concerned after Congress showed hints they could be investigating the technology because it potentially violates several Federal wiretap and privacy laws. From an e-mail to a subscriber:

CenturyTel is not currently using online behavioral advertising tools in any of its markets, and we are delaying our plans to move forward with the deployment of online behavioral advertising services - either through NebuAd or any other vendor - at this time. CenturyTel is delaying its implementation plans so that Congress can spend additional time addressing the privacy issues and policies associated with online behavioral advertising.

Of course, an employee at one ISP tells me NebuAD is promising ISPs that they're developing a new opt-out system that is IP-address based. The current cookie-based system only stops targeted ad delivery; it doesn't opt the user out of browsing tracking (potentially running afoul of three laws). Should NebuAD's new opt-out mechanism please Congress (something I'm sure lobbyists are already working on), you will see these plans revisited.


Congress asks Embarq about selling customer info (AP, biz.yahoo.com)

KANSAS CITY, Mo. (AP) -- Congress has asked Embarq Corp. about its work with a company that tracks online subscribers' Web traffic for advertising purposes, part of growing concern about Internet privacy.

Overland Park, Kan.-based Embarq is the nation's fourth-largest traditional telephone company with 1.34 million

The Missouri Public Service Commission will let Embarq Corp. set its own telephone rates for certain Missouri cities.
The PSC said in a Tuesday release that it had granted Embarq's June 3 request for competitive classification. The classification, which allows Embarq to control rates rather than the PSC, applies to business services in Buckner, Odessa, Oak Grove, Pleasant Hill and Salem, as well as residential services in Salem.
The change does not apply to exchange access service.
For competitive classification, at least two other nonaffiliated entities must offer local telecommunications service. One may be a wireless provider and the other a wireline company that offers local voice service using facilities it owns fully or partially.
Local phone companies are regulated, but others that also provide local phone service, such as cable companies, are not, Embarq spokesman Tom Matthews said in a June 6 interview.

Jul 16, 2008: Less than one week after NebuAd CEO Bob Dykes assured the Senate Commerce Committee that the company respects consumers' privacy, lawmakers are raising new questions about its platform.

Embarq Corporation - Company Profile Snapshot

Company Profile: Embarq Corporation
Ticker: EQ
Exchanges: NYSE
2007 Sales: 6,365,000,000
Major Industry: Utilities
Sub Industry: Telecommunications
Country: UNITED STATES
Employees: 18000

Business Description: Embarq Corporation
The Group's principal activities are to provide local and long distance voice, data, high speed Internet, wireless and satellite video services to consumers. The Group also provides access to local network and other wholesale communications services for other carriers, communications equipment for business markets and other communications-related services. The Group operates through two segments: Telecommunications segment and Logistics segment. Telecommunications segment provides regulated local communications services as an incumbent local exchange carrier to U.S. households. Logistics segment provides wholesale product distribution, logistics and configuration services. In May 2006, the Group completed the spin-off from Sprint Nextel.
