On Thursday, July 17, 2008, at 9:30 a.m., the House Subcommittee on Telecommunications and the Internet held a hearing on one of the most dangerous threats now facing Internet neutrality, privacy, and the integrity of data transmitted on the Internet:
What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies
The hearing focused on NebuAd, a company that has designed high-speed equipment that performs deep packet inspection of all traffic passing through an ISP's network and MODIFIES THE PACKET CONTENTS in order to track user habits and inject code that alters the web pages being returned to users.
NebuAd's product and what it does is so wrong on so many levels it is hard to know where to begin.
Content deliverers on the Internet should be outraged because their content, their intellectual and economic property, is being modified without their consent or knowledge, for the commercial benefit of the ISPs doing the injection.
End users should be outraged, because this represents the ultimate invasion of privacy. This equipment touches and tracks every last packet of every transmission that carries data across the Internet back to the end user's computer.
Internet engineers, Robert M. Topolski among them (see below), ARE enraged, because this packet inspection AND MODIFICATION is an unquestionable violation of the most fundamental principle of traffic handling on the Internet, namely: YOU DON'T SCREW WITH THE CONTENT OF THE PACKETS. You examine the headers, read the address, and deliver.
This principle is so blindingly obvious you would think it would not even be an issue, but as events have proven over and over again, greed will trump ethics and standards and the law every time, if not resisted.
A PDF of the findings of Robert M. Topolski, an expert in Internet data communications who essentially reverse engineered what NebuAd and its ISP partners were doing, can be found at this address:
NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking
Following is the executive summary from Topolski's paper.
Robert M. Topolski
Chief Technology Consultant
Free Press and Public Knowledge
June 18, 2008
Executive Summary
This report addresses the technical aspects of NebuAd, a targeted behavioral advertising company with offices located in the United States and United Kingdom that recently began seeking deals with Internet Service Providers (ISPs). NebuAd recently made headlines when the cable operator Charter announced that it had struck a deal with the company. Charter’s announcement prompted public and congressional inquiries into NebuAd’s practices, including a letter from Rep. Ed Markey (D-Mass.) and Rep. Joe Barton (R-Texas). NebuAd has also been deployed by WOW!, Embarq, Broadstripe, CenturyTel, Metro Provider and others.
To determine NebuAd’s practices, this investigation used sound and reproducible network testing methods. The investigation concludes that NebuAd’s advertising hardware monitors, intercepts and modifies the contents of Internet packets using Transmission Control Protocol on Internet Protocol (TCP/IP). In doing so, NebuAd commandeers users’ Web browsers and collects uniquely identifying tracking cookies to facilitate its advertising model. Apparently, neither the consumers nor the affected Web sites have actual knowledge of NebuAd’s interceptions and modifications.
NebuAd exploits several forms of "attack" on users’ and applications’ security, the use of which has always generated considerable controversy and user condemnation, including browser hijacking, cross-site scripting and man-in-the-middle attacks. These practices -- committed upon users with the paid-for cooperation of ISPs -- violate several fundamental expectations of Internet privacy, security and standards-based interoperability. Moreover, NebuAd violates the Internet Engineering Task Force (IETF) standards that created today’s Internet where the network operators transmit packets between end users without inspecting or interfering with them. For example, the TCP protocol would normally not accept code from a source that is a third party from the client-server connection. NebuAd engages in packet forgery to trick a user’s computer into accepting data and Web page changes from a third party like NebuAd.
NebuAd has designed a hardware device it installs into an ISP’s network. This device has three purposes, and the bulk of this report concerns itself primarily with the NebuAd device’s unusual method for accomplishing the last purpose -- cookie preloading.
- Unique Identification: The NebuAd device ties a customer’s individual record maintained by the ISP to an alphanumeric code (called a "hash code"). This method allows NebuAd to uniquely and persistently identify individuals without ISPs needing to release data from billing records.
- User Monitoring: The NebuAd system monitors users’ Web browsing activity. The device sees the pages visited, the search terms entered, and words that appear on the pages. This information is reportedly evaluated to determine the user’s interest in various marketing categories. Stored information is indexed to the end user’s hash code.
- Cookie Preloading: The NebuAd device ensures that a Web browser is always preloaded with cookies providing unique identifying codes representing the ISP’s subscriber. A cookie is a parcel of text placed by a server on a Web client (usually a browser) and then sent back by the client each time the client accesses that server. It is used for authenticating, session tracking, and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts. On pages where NebuAd or its partners have bought advertising space, the presence of NebuAd cookies enables advertisers to display targeted messages instead of random ones. Regardless of whether the end user changes computers, browsers or purposefully and frequently erases cookies, the device reloads the subscriber’s uniquely identifying cookies to allow the targeted advertising to continue.
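The packet forgery the summary describes is something a network engineer catches by looking at the packets themselves. What follows is an added example of my own, not Topolski's test procedure and not anything from NebuAd, showing two standard checks on a constructed server-to-client HTTP flow: a segment whose IP TTL does not match the rest of the flow (an in-path box sits a different number of hops from the client than the real server does), and two segments that claim the same TCP sequence range but carry different bytes (the forged copy and the genuine server copy). The hostname tracker.example, the HTML, the sequence numbers and the TTL values are all made up for the demonstration.

```python
"""
Two checks for in-path packet injection on a single TCP flow.
Added example; constructed data, not a real capture and not NebuAd's code.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One server-to-client TCP segment as observed at the client."""
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL on arrival at the client
    payload: bytes


def find_conflicting_overlaps(segments):
    """Pairs of segments that claim the same sequence range with different
    bytes. Returns (overlap_start, overlap_end, i, j) tuples, i and j being
    indices into `segments` in arrival order."""
    conflicts = []
    for i, a in enumerate(segments):
        for j in range(i + 1, len(segments)):
            b = segments[j]
            lo = max(a.seq, b.seq)
            hi = min(a.seq + len(a.payload), b.seq + len(b.payload))
            if lo >= hi:
                continue  # the two ranges do not overlap at all
            if a.payload[lo - a.seq:hi - a.seq] != b.payload[lo - b.seq:hi - b.seq]:
                conflicts.append((lo, hi, i, j))
    return conflicts


def find_ttl_outliers(segments):
    """Indices of segments whose TTL differs from the flow's most common TTL.
    Genuine segments from one server share a TTL; a device inside the ISP's
    network is a different number of hops away, so its forgeries stand out
    unless it deliberately copies the server's TTL."""
    if not segments:
        return []
    modal_ttl = Counter(s.ttl for s in segments).most_common(1)[0][0]
    return [i for i, s in enumerate(segments) if s.ttl != modal_ttl]


def reassemble_first_wins(segments):
    """What the client's TCP stack hands to the browser: sequence space is
    filled in arrival order and never overwritten, which is why a forged
    segment that arrives first displaces the genuine server data."""
    stream = {}
    for seg in segments:
        for off, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq + off, byte)
    return bytes(stream[pos] for pos in sorted(stream))


# Constructed sample flow (hypothetical host, contents, seq and TTL values).
GENUINE_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
GENUINE_BODY = b"<html><body><h1>Hello</h1></body></html>"
# A forged body bearing the server's addresses and the next expected sequence
# number, so the client accepts it as the page and later ignores the real one.
FORGED_BODY = b'<html><script src="http://tracker.example/t.js"></script></html>'

SAMPLE_FLOW = [
    Segment(seq=1000, ttl=52, payload=GENUINE_HEAD),                       # real server
    Segment(seq=1000 + len(GENUINE_HEAD), ttl=61, payload=FORGED_BODY),    # injector, arrives first
    Segment(seq=1000 + len(GENUINE_HEAD), ttl=52, payload=GENUINE_BODY),   # real server, arrives late
]


def analyze(segments):
    """Run both checks and show what the browser would actually render."""
    return {
        "ttl_outliers": find_ttl_outliers(segments),
        "conflicts": find_conflicting_overlaps(segments),
        "delivered": reassemble_first_wins(segments),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_FLOW)
    print("TTL outliers (segment indices):", report["ttl_outliers"])
    print("Conflicting overlaps:", report["conflicts"])
    print("Browser would render:", report["delivered"].decode())
```

With a real capture you would build the Segment list from a pcap rather than inline; the data here is embedded so the script runs offline. Neither check is conclusive on its own: the TTL test is defeated by an injector that copies the server's TTL, and the overlap test only fires if the genuine segment still reaches the client to be compared against the forged one, so a practitioner runs both and confirms by fetching the same page over a path that does not pass through the ISP in question.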
More reading on this issue:
Congress goes after NebuAd... again
Wikipedia Article on NebuAd
Report: NebuAd Forges Packets, Violates Net Standards
And if you want to really read some of the most Orwellian double-talk you will ever see, try this on for size:
NebuAd Introduces Next-Generation Online Consumer Privacy Protections, Raising the Bar on Internet Privacy Protection Standards
NebuAd, an online media company that provides state-of-the-art online privacy protection for consumers, today announced it is introducing new industry-leading online privacy protections, offering alternatives for robust, direct consumer notification and unprecedented innovations in opt-out technology. This move further empowers Internet service provider (ISP) subscribers to control their web experience. In addition, it reinforces NebuAd's commitment to delivering world-class innovation in Internet advertising by setting unparalleled standards in online consumer privacy protection.
New Online Notice Option and Breakthrough Opt-Out Technology
NebuAd has developed a means to offer consumers direct, initial online notification and periodic reminders - thereby equipping users with more opportunities to make informed decisions about their web experience. While current mail and email notification practices remain the most reliable and acceptable means of ensuring consumer awareness for many companies, the ability to offer online notice adds another method of direct communication that NebuAd's partners may find appropriate in a variety of circumstances.
The breathtaking chutzpah of this statement leaves me almost speechless.
Except to point out that it is pretty much a lie from the first sentence to the last. The product is designed to track everything a connected user does on the Internet, store and analyze that data, and illegally modify packets in transit to inject content, altering what the user requested from a remote web site by adding to it and possibly deleting from it.
In other words, a person viewing a web page that has been delivered through a network with the NebuAd device installed can have no confidence that they are seeing the page and its content as designed by the web site serving it.
This link was added as an update a couple of hours after posting this diary:
Every Click You Make: Internet Providers Quietly Test Expanded Tracking of Web Use to Target Advertising, a detailed article on the issues in the Washington Post, Friday, April 4, 2008.
"You don't want the phone company tapping your phone calls, and in the same way you don't want your ISP tapping your Web traffic," said Ari Schwartz of the Center for Democracy and Technology, an advocacy group. "There's a fear here that a user's ISP is going to betray them and turn their information over to a third party."
In fact, newly proposed Federal Trade Commission guidelines for behavioral advertising have been outpaced by the technology and do not address the practice directly. Privacy advocates are preparing to present to Congress their concerns that the practice is done without consumer consent and that too little is known about whether such systems adequately protect personal information.
Meanwhile, many online publishers say the next big growth in advertising will emerge from efforts to offer ads based not on the content of a Web page, but on knowing who is looking at it. That, of course, means gathering more information about consumers.
Advocates of deep-packet inspection see it as a boon for all involved. Advertisers can better target their pitches. Consumers will see more relevant ads. Service providers who hand over consumer data can share in advertising revenues. And Web sites can make more money from online advertising, a $20 billion industry that is growing rapidly.
Think about this very carefully. If you think the mainstream media, with its blatant manipulation of the news, its suppression of news and its manufacturing of phony news, is bad, well, you ain't seen nothing yet.
A product like this will be the first step in controlling the nasty Net Roots. Because if we can no longer communicate openly on the Internet, the freedom and power that have grown the Net Roots movement are gone, and then it is game over.
And our corporate masters have regained the control that they see slipping daily from their hands.
They will be happy. Will you?