He's making a list,
Checking it twice,
Gonna find out who's naughty or nice.
Santa Clause is coming to town!
He knows when you've been sleeping,
He knows when you're awake.
He knows when you've been good or bad,
So be good for goodness sake!
[Chris Isaak: "Santa Claus Is Coming To Town"]
Back in February of 2006 I wrote a short essay here called The "new Hoover" and attention metadata about privacy concerns relating to our ability to collect metadata about our Web browsing. Usually, these metdata enhance our Web experiences as in the case of a site like Amazon which gets smarter about our preferences as we revisit the site. But this technology has also been used for government snooping. Again, I'm sure most of us don't mind when that's used against child porn distributors or real terrorists, but on the principle that "if it can be done, it will be done," it doesn't take too great a dose of paranoia to imagine less beneficial uses.
Now comes Bobby White of the Wall Street Journal with a distrubing story about companies (NebuAd, FrontPorch and Phorm are mentioned) that are supplying technology to Internet Service Providers to monitor your surfing and target ads to you based on the metadata it collects. Since your ISPs already have your name, address, phone number and payment information, it's a small step to associating you with the metadata. White writes:
... This technique -- called behavioral targeting -- is far more customized than the current method of selling ads online. Today, it's an imperfect process: companies such as Revenue Science Inc. and Tacoda Inc., which was recently bought by Time Warner Inc., contract with Web sites to monitor which consumers visit them, attaching "cookies," or small pieces of tracking data, to visitors' hard drives so they are recognized when they return. The targeting firms feed the data to Web site owners, who use it to charge premium rates for customized ads. But the information is limited, since the tracking companies can't monitor all of the sites an individual visits. ¶ The newer form of behavioral targeting involves placing gear called "deep-packet inspection boxes" inside an Internet provider's network of pipes and wires. Instead of observing only a select number of Web sites, these boxes can track all of the sites a consumer visits, and deliver far more detailed information to potential advertisers. ...
Link: Wall Street Journal.
According to the article, NebuAd says it "doesn't track traffic to sites related to sex, health or politics." Sure. How does it know you're headed there unless it's tracking some aspect of that? [See clarification from NebuAd CEO in Comments section below. It does sound like that company is making a good faith effort to protect privacy, but I feel that the following paragraph is still generally valid. --Dennis]
All this stuff is subject to subpoena and press scrutiny. Or, perhaps under the Patriot Act that's not even necessary. Ask a librarian. All this is extremely troubling and goes to the core of the value of information exchange to us all. These ISPs and technology companies want us to trust that they're not abusing this (the article notes that some ISPs are permitting consumers to opt out). OK, but we've gone far enough down the road of constitutional erosion in this country that it's not them I'm worried about. --Dennis
The following clarification by NebuAd CEO Bob Dykes was sent to me by a PR person working on behalf of that company:
NebuAd does not collect the websites visited and map those back to the specific user. Instead it converts, via an appliance located in the ISPs network, the key user identifiers, such as IP addresses, to a one way random number so that the central servers see this and not the original identifier.
It has a list of categories (e.g. “Cars – SUV – Lexus”) and it is noted if random number goes to a site, or performs a search, that is related to the category. If yes, then it notes that interest mapped to the random number, but do not map the URL’s visited, just the interest. This is why, since it doesn’t even have the info on sites visited, there's no mechanism to map the random number to specific URLs.
In addition, NebuAd and the partner ISPs do not exchange data, so the ISPs do not see the categories each random number visits, and NebuAd does not receive specific customer information – which wouldn’t be useful anyway as key identifiers are turned into random numbers before any information is collected. NebuAd does not retain the raw data mapped back to the anonymous user profiles. The only involvement between NebuAd and the ISPs is the agreement that lets NebuAd place the appliance in the ISPs
--Dennis, 13 December 2007