Behavioral Targeting May Be Illegal

from the smells-like-wiretapping dept

A bunch of ISPs have been experimenting with systems such as Phorm and NebuAd that monitor their users' online behavior and create profiles that help third parties create more targeted advertisements. Back in March we noted that behavioral advertising may be illegal under UK law. And last week we reported that Congress was asking some tough questions about the plans. CNet's Declan Declan McCullagh has an in-depth look at American law, and concludes that such systems are probably illegal here too. The problem is that what Phorm and NebuAd do sounds a lot like wiretapping, and wiretapping is illegal under several federal laws. At least three federal laws govern when electronic communications providers can disclose their customers' communications to third parties. One of the key questions Declan looks at is consent: the law generally allows eavesdropping with customer consent, but the exact nature of the consent isn't clear. ISPs have tended to be very secretive about their use of these systems, so at the very least, privacy laws would require that ISPs disclose what they're doing and give consumers a way to opt out. But Declan suggests that this might not be sufficient. Some of the legal experts he talked to think the law would require the ISPs to obtain the affirmative consent of customers before commencing the use of these programs. Since it's hard to imagine customers being enthusiastic about having their ISPs eavesdrop on them, such a requirement might make these programs non-starters.

Timothy Lee is an expert at the Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

15 Comments | Leave a Comment..

Questions Raised Over Phorm's Legality As BT Admits It Tested The Service Secretly

from the transparency,-transparency,-tranparency dept

While Phorm has gone on a charm offensive to try to convince people that its efforts are not as bad as some are making them out to be (including, by the way, using my post as a de facto forum), it appears that the effort still isn't convincing skeptics. Tim Berners-Lee made some news last week for suggesting he would switch ISPs if his started using a service like Phorm, but the bigger backlash may be coming from the legal arena. First, there was the news that BT (who had originally denied this) tested Phorm's technology, without letting users know, last summer. That has resulted in some people threatening a lawsuit. And, speaking of lawsuits, a bunch of scholars and think tankers are pointing out that Phorm may actually be illegal based on current UK laws, if it's used without first getting users to "opt-in."

6 Comments | Leave a Comment..

Phorm Goes On The Offensive To Defend Its Ad Program On Privacy Questions

from the but-do-you-believe-them dept

Last month, we wrote about the plan by a variety of UK-based ISPs to use all of your clickstream data to target ads to you as you surfed. That is, if you were surfing a golf site and then went and checked CNN, the system would still know that you liked golf and might serve up golf ads on CNN. At least that's the benign version of it. There are some serious questions raised by this. First of all, many people are likely to be uncomfortable with the idea that their ISP is watching what they do and then using it to target ads. Even worse, the company that the ISPs were partnering with to do all of this had previously been known as a spyware firm.

Phorm is now aggressively defending its reputation, insisting once again that it will keep all of the data it collects anonymized. However, while it says this and explains how it will try to anonymize the data, the company fails to address the fact that just about every time a company has tried to create an anonymized data set, it doesn't take long for someone to de-anonymize it. The company just assumes that it really can keep the data anonymous, when there are serious doubts as to whether or not that's really possible.

To its credit, the company isn't ignoring some of the complaints and has just done interviews with both the BBC and The Register to answer some of the concerns raised. Thankfully, both interviews do probe fairly deeply and ask some tough questions, and the Phorm execs answer each question directly. They claim that they were never "spyware" providers, only adware, but admit that the definition got blurred, which was why (they claim) they got out of the business. That sounds good until you look at some of the details about the company's former products, and the fact that it made a rather nasty rootkit injector.

That said, the execs do answer a bunch of questions about the privacy issues, noting that they're being audited by two separate firms to ensure they live up to the privacy promises. The clickstream data is immediately deleted and all the profiling is done at the ISP, not by Phorm, who is merely serving up the ads based on the profile kicked back by the ISP. While it's good to see the execs from Phorm willing to answer these questions, the company's history and the entire concept of what's being done still seems rather questionable. Phorm's insistence that this will actually decrease advertising seems like little consolation (and difficult to believe).

53 Comments | Leave a Comment..

British ISPs Hand Over Your Surfing Data To (Former?) Spyware Firm

from the privacy? dept

Earlier this month, we noted that three large UK ISPs had agreed to a questionable deal with a startup named "Phorm." The ISPs would share all of your surfing data with Phorm who would then target advertisements to you based on your surfing patterns. We raised some privacy concerns, and noted that Phorm's claims that it would anonymize the data were laughable, since every "anonymized" data set seems to get quickly de-anonymized. In the comments to that post, one commenter noted that the story was even worse, as Phorm was merely the reincarnation of a spyware firm that had made a rather infamous rootkit. Broadband Reports now has more on that story, noting that the firm has a very shady past. It makes you wonder why these big ISPs would link up with such a company and why more people aren't up in arms about what their ISPs are doing with their data.

8 Comments | Leave a Comment..

UK ISPs To Start Tracking Your Surfing To Serve You Ads

from the pirvacy-please dept

For years now, ISPs have been searching for alternative revenue streams to avoid just being "dumb pipes." A few years ago, they picked up on the fact that they have a tremendous amount of data about what you (yes, you!) do online. A bunch of ISPs then started selling your clickstream data to companies that could do something useful with it (though, those ISPs probably neglected to tell you they were doing this). Late last year, we heard about a company that was trying to work with ISPs to make use of that data themselves to insert their own ads based on your surfing history -- and now we've got the first report of some big ISPs moving into this realm. Over in the UK three big ISPs, BT, Carphone Warehouse and Virgin Media have announced plans to use your clickstream data to insert relevant ads as you surf through a new startup called Phorm.

While Phorm claims that it keeps your data private "by tracking individual users with an assigned number only," that's hardly assuring. After all, remember that both AOL and Netflix have released similar anonymized data where identifying info was replaced with an assigned number... and it didn't take long for both sets of data to be de-anonymized. While it's no surprise that ISPs would want to get into the advertising business, and to think that they could better target ads thanks to their knowledge of your entire surfing history, it's going to freak some people out (and potentially cause some serious privacy problems). All the more reason to figure out how encrypt your traffic and hide your activities from your ISP.

32 Comments | Leave a Comment..

ISPs Able To Use Your Surfing Data To Insert Their Own Ads Everywhere

from the privacy?-schmivacy dept

Earlier this year, we wrote about the fact that many ISPs were making good money selling your clickstream data to various companies for tracking purposes. Now there's a new advertising company that's come along to take advantage of this. The Associated Press has an article about NebuAd, a company that works with ISPs to use your clickstream data to better target advertisements to you. These aren't tracking cookies, which can easily be blocked, and depend on which websites you go to. This is your ISP, who has access to where you're surfing, using that data to insert more targeted ads. To its credit, the company has tried to be quite careful about keeping data private and setting it up in a way that it believes is impossible to trace the data back to an individual user. However, we've all heard stories about "anonymous" datasets that turn out to not be particularly anonymous. The company does also offer an "opt-out" solution, but how many people are even going to realize that their ISPs are a part of this program at all? It's also not entirely clear from the article where these ads are inserted, since most users spend little (if any) time on an ISPs own sites (however, some folks who have seen the ads suggest they appear... well... everywhere). While it's an extreme idea, just imagine an ISP combining this idea with something like what Rogers was caught doing in Canada (adding content to Google's page) and you could see how a greedy ISP might start putting its own, highly targeted, ads everywhere it wants, including places like Google's homepage. Hopefully, most ISPs recognize that this would lead to consumer outrage (and a lawsuit from Google), but would it be that much more complicated to be a bit more subtle and simply "replace" banner ads on certain sites without anyone really noticing? Yet another reason to encrypt all your traffic using a VPN or something to keep your ISP's prying eyes away from what you do.

20 Comments | Leave a Comment..