May 16, 2008
NebuAd Opt-Out Promises Are Nebu-Lous
Might as well end Friday on the story of the week. Wired’s Ryan Singel dug up more on NebuAd, the company providing behavioral tracking services to the ISP Charter.
Earlier in the week we noted the original story, which started innocently enough at The Consumerist. The next day the story seemed to grow beyond the inevitable first wave of paranoid hand-waving and generalized blog comment brain-fog, with the New York Times and others noticing.
A search of the news archives shows NebuAd had been enjoying a quiet period of VC love and media tolerance for vague answers about who the company was working with. Maybe it was inevitable that taking a client as large as Charter (ISP Planet says it’s number 8 in the U.S.) would expose the company to more scrutiny.
NebuAd also relied on simple corporate opacity on the part of its ISP clients to operate with such a low profile for so long. The NebuAd appliance that works the surveillance magic sounds like a turnkey, plug-n-play box, so the ISP’s support personnel don’t really need to know anything about it. The ISPs don’t care to describe the business relationship they’re using to “enhance the user’s browsing experience,” as they euphemize the surveillance. So even where an ISP does disclose the surveillance, its mechanisms remain largely obscured, sometimes requiring users to carefully sift through their own network traffic to understand why something is strange about their Internet connection’s behavior.
Today, Singel reports that a pair of Congressmen are interested in NebuAd’s business model, which involves tracking ISP users as they move about the Web, then buying targeted ads on a number of ad networks.
He also raises some questions about just how “out” a user is when he or she tries to opt out of NebuAd tracking:
“Charter’s own opt-out page is careful not to claim that opted-out users won’t be monitored, saying only that if a user ‘would like to opt-out of this process’ an opt-out cookie means they ‘will no longer receive ads that are tailored to your web preferences, usage patterns and commercial interests.’
“Indeed, it is possible that the cookie system works to prevent opted-out users from receiving the third-party ads, and it could stop NebuAd from sharing a user’s profile with third-party ad networks — assuming those networks include a NebuAd image file, or some other embedded code, in the ads they serve on the web. But NebuAd’s claim that you can opt-out of the surveillance itself remains unexplained.”
And there’s a security angle beyond the mundane concern that someone is skimming information about your browsing habits whether you like it or not, based on patents the company has applied for:
“A patent application filed by the company in March 2007 describes a monitoring system that actually manipulates data packets and replaces advertisements on third-party websites with their own ads.
“That more-intrusive technique would doubtless anger commercial websites and ad networks, and their lawyers. But, ironically, it would also allow the company to live up to its opt-out claims, because NebuAd could inject a call to its own website into third-party sites, and thus read the opt-out cookie.
“But by injecting ads into packets on the wire, the system described in the patent application would also create a single vulnerability point for every website on the internet — at least for users whose traffic moves through those boxes. A malicious hacker would only need to be able to find a way to compromise NebuAd’s server in order to insert links to malware into every page loaded by customers on that ISP.”
Nice!
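The reason an opt-out cookie can’t by itself switch off an in-path box, and why the patent’s injected call to NebuAd’s own site would change that, comes down to cookie domain scoping: a browser only sends a cookie to the host that set it (or its subdomains), so a box watching the wire never sees the cookie on requests to unrelated sites. The simulation below, an added example that is not from the original post or from Wired’s report, models that with a hypothetical opt-out cookie name and constructed host names (the domain-match rule is a simplified form of the one browsers use).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str  # host (or parent domain) the cookie was set for


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Simplified browser rule: the host is the cookie domain or a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_header(jar: list[Cookie], host: str) -> dict[str, str]:
    """Cookies the browser would attach to a request for `host`."""
    return {c.name: c.value for c in jar if domain_matches(host, c.domain)}


OPT_OUT = "optout"  # hypothetical cookie name, not NebuAd's real one
OPT_OUT_HOST = "optout.adco.test"  # constructed host standing in for the opt-out page


def page_load_hosts(page_host: str, embedded_hosts: list[str]) -> list[str]:
    """Hosts contacted while loading one page: the page plus its embedded resources."""
    return [page_host, *embedded_hosts]


def optout_visible_on_wire(jar: list[Cookie], request_hosts: list[str]) -> bool:
    """An in-path observer sees the opt-out cookie only if some request in the page
    load goes to the opt-out domain; requests to other sites never carry it."""
    return any(OPT_OUT in cookie_header(jar, h) for h in request_hosts)


# Constructed cookie jar: the user visited the opt-out page and has a session
# cookie for an unrelated news site.
JAR = [
    Cookie(OPT_OUT, "1", OPT_OUT_HOST),
    Cookie("session", "abc123", "news.example.test"),
]

if __name__ == "__main__":
    plain = page_load_hosts("news.example.test", ["cdn.example.test"])
    with_call = page_load_hosts("news.example.test", [OPT_OUT_HOST])
    print("plain page load, opt-out visible:", optout_visible_on_wire(JAR, plain))
    print("page with call to opt-out host:", optout_visible_on_wire(JAR, with_call))
```

Only the page load that includes a request to the opt-out host exposes the cookie on the wire, which is exactly why the injection described in the patent is the thing that would make the opt-out enforceable.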
Posted by mhall at 8:13 PM