This week broadband provider Charter Communications revealed its plans to begin sharing its customers’ Web traffic with NebuAd, an advertising network. NebuAd’s service works by monitoring individuals’ online activities and creating profiles of those individuals’ interests. NebuAd then uses the profiles to serve targeted advertisements on the Web. Charter, with over 5 million subscribers, is the largest U.S. ISP to announce a deal with NebuAd thus far. As we discussed in our comments to the FTC last month, this model – where an ad network strikes a deal with an ISP that allows the network to conduct “deep packet inspection” (or “DPI”) of individual Web traffic streams – raises numerous privacy questions.
One of the biggest outstanding questions about DPI-based ad networks is the legal basis that ISPs are using to justify the transfer of their subscribers’ data to a third-party ad network. In a letter addressed to Charter’s CEO, Rep. Ed Markey and Rep. Joe Barton have inquired about how the NebuAd deal can be reconciled with the Cable Act of 1984, which allows cable operators to share subscriber data with third parties only when subscribers give their prior approval. We are anxious to see Charter’s response. While the Cable Act applies only to cable operators, there are also questions about how the Electronic Communications Privacy Act (ECPA) — which covers all kinds of electronic communications — can be applied to DPI-based ad networks. With certain exceptions, ECPA and its amendments to the federal Wiretap Act prohibit ISPs from intercepting their customers’ communications or disclosing the content of those communications to a third party without the customers’ permission. Again, this doesn’t seem to square with Charter’s recent announcement.
There are also many unresolved questions about how users can opt out of the Charter/NebuAd system. In order to opt out, Charter subscribers are required to input their names and addresses into a Web form. However, the opt-out choice is stored in a regular browser cookie, which does not need and does not contain the user’s name and address. Why, then, is Charter requiring users to fork over their personal information just to opt out? (And why are they using opt-out cookies, a mechanism that has major drawbacks?)
Another concern: As we understand it, even if you opt out, your entire communications stream is still copied and delivered to NebuAd. NebuAd says it won’t read or store the data of those who have opted out, but isn’t there a way to implement user choice that does not involve delivering your entire data stream to a third party when you have expressly opted out of the service? Answers to all of these questions are necessary before consumers can understand the implications of DPI-based ad networks.