This week broadband provider Charter Communications revealed its plans to begin sharing its customers’ Web traffic with NebuAd, an advertising network. NebuAd’s service works by monitoring individuals’ online activities and creating profiles of those individuals’ interests. NebuAd then uses the profiles to serve targeted advertisements on the Web. Charter, with over 5 million subscribers, is the largest U.S. ISP to announce a deal with NebuAd thus far.

As we discussed in our comments to the FTC last month, this model – where an ad network strikes a deal with an ISP that allows the network to conduct “deep packet inspection” (or “DPI”) of individual Web traffic streams – raises numerous privacy questions. The main difference between these new ad networks and other kinds of online ad networks is that DPI-based ad networks may potentially gain access to all or substantially all of an individual’s Web traffic as it traverses the ISP’s infrastructure, including traffic to all political, religious, and other non-commercial sites (even those that do not use cookies and those that do not deliver ads). The prospect of having a third party handling all of this data likely defies most users’ expectations that the entire body of their Web surfing habits is not generally monitored by anyone, much less a third-party ad network they’ve never heard of.

One of the biggest outstanding questions about DPI-based ad networks is the legal basis that ISPs are using to justify the transfer of their subscribers’ data to a third-party ad network. In a letter addressed to Charter’s CEO, Rep. Ed Markey and Rep. Joe Barton have inquired about how the NebuAd deal can be reconciled with the Cable Act of 1984, which allows cable operators to share subscriber data with third parties only when subscribers give their prior approval. We are anxious to see Charter’s response.

While the Cable Act applies only to cable operators, there are also questions about how the Electronic Communications Privacy Act (ECPA) — which covers all kinds of electronic communications — can be applied to DPI-based ad networks. With certain exceptions, ECPA and its amendments to the federal Wiretap Act prohibit ISPs from intercepting their customers’ communications or disclosing the content of those communications to a third party without the customers’ permission. Again, this doesn’t seem to square with Charter’s recent announcement.

There are also many unresolved questions about how users can opt out of the Charter/NebuAd system. In order to opt out, Charter subscribers are required to input their names and addresses into a Web form. However, the opt out choice is stored in a regular browser cookie, which does not need and does not contain the user’s name and address. Why, then, is Charter requiring users to fork over their personal information just to opt out? (And why are they using opt-out cookies, a mechanism that has major drawbacks?)

Another concern: As we understand it, even if you opt-out, your entire communications stream is still copied and delivered to NebuAd.  NebuAd says it won’t read or store the data of those who have opted-out, but isn’t there a way to implement user choice that does not involve delivering your entire data stream to a third party when you have expressly opted out of the service?

Answers to all of these questions are necessary before consumers can understand the implications of DPI-based ad networks.

This entry was posted on Friday, May 16th, 2008 at 6:11 pm and is filed under CDT. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.