Digital rights groups hit ISP ad firm for spying on users

They called out NebuAd for privacy violations

A targeted advertising vendor being used by several U.S. broadband providers hijacks browsers, spies on users and employs man-in-the-middle attacks, according to a report released today by two advocacy groups.

NebuAd Inc., a behavioral advertising vendor being used by Charter Communications Inc., WideOpenWest Holdings LLC and other Internet service providers, also uses packet forgery, modifies the content of TCP/IP packets and loads subscribers' computers with unwanted cookies, according to the report by Public Knowledge and Free Press, two Washington-based organizations focused on digital rights.

"NebuAd exploits several forms of 'attack' on users' and applications' security," wrote report author Robert Topolski, chief technology consultant for the two groups. "These practices -- committed upon users with the paid-for cooperation of ISPs -- violate several fundamental expectations of Internet privacy, security and standards-based interoperability."

NebuAd violates Internet Engineering Task Force standards that "created today's Internet, where the network operators transmit packets between end users without inspecting or interfering with them," Topolski said.

Representatives of Charter Communications and NebuAd didn't immediately respond to requests for comment on the Topolski report. In late May, Charter issued a statement saying it was working with concerned lawmakers to address concerns about the targeted ad service.

"Charter takes the responsibility of protecting its customers' information seriously," the company said at the time. "We look forward to maintaining an open communication with policymakers to alleviate any concerns."

Charter Communications, a cable television and Internet provider based in St. Louis, announced in May that it was planning to use NebuAd to roll out a targeted advertising program that would track users' Web activity in order to deliver "relevant" ads. That announcement by Charter, the fourth largest cable operator in the U.S., sparked calls for an investigation by several privacy and consumer groups.

Two members of the U.S. House of Representatives Energy and Commerce Committee, Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas), wrote to Charter in mid-May, asking the company to delay rollout of the plan until they could have a discussion about the proposal. Any collection of cable subscribers' personal data without their consent "raises substantial questions" about whether it is legal under the Communications Act, the two congressmen wrote.

In his report, Topolski said he tested a connection on WideOpenWest in late May and early June. NebuAd's service injected new script into his browser session, preloaded identifying cookies on his machine and monitored his browsing, he wrote.

Topolski compared NebuAd's methods to browser hijacking, cross-site scripting and other forms of computer attacks. NebuAd is engaged in "eavesdropping on the content of Web messages as they were being sent and received," he wrote.

"This report shows that NebuAd's Internet wiretapping is highly questionable," Marvin Ammori, Free Press general counsel, said in a statement. "Phone and cable companies should press pause on NebuAd and any similar venture until consumers and members of Congress can address the serious concerns raised by this report."

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon