Advertisers have long characterized the Internet as a marketing gold mine, with an abundance of granular data about the things we like, who we are, and what we shop for. The key has always been in harnessing this data, and online network advertising companies are continually seeking to cast wider and wider nets to learn more about individual users' tastes and preferences. In recent months, however, a new breed of companies has started tapping into the ultimate source of online information about you – your Internet Service Provider (ISP).
The basic operating model for these new kinds of ad networks goes something like this: they strike deals with ISPs that allow the ad networks to collect and categorize individual Internet traffic streams – so if you do Web searches for airline flights and basketball scores, the ad network might tag you as a traveler and sports fan. As you surf the Web, you will then start to see travel or sports-related ads on sites where the network has purchased advertising space. How much information the ad networks keep, how long they keep it for, and how they go about scrubbing the data to remove personal information varies from company to company.
Given the amount and scope of data that ISPs are beginning to share with these companies, this model raises some serious privacy questions (which I spoke briefly about at the FTC's recent behavioral targeting town hall meeting). And the early experiences of these companies are starting to prove just how difficult it will be to implement these systems in a privacy-protective manner – if it's possible at all. Take as an example Phorm, a publicly traded company in the UK. After starting its life as a spyware company known as ContextPlus (which we filed a complaint against in 2005), Phorm has shed its former business model, rebranded itself, and recently struck deals with three UK ISPs to deploy its user tracking technology and ad targeting service. Already, the company has taken heat for deploying a trial of the service on the British Telecom network without properly informing BT subscribers. Phorm is also facing some confusion over what happens to the data for users who opt out of the service – an issue that has caused British ISP TalkTalk to decide to offer the service on an opt-in basis (it was previously planned to be an opt-out). NebuAd, a U.S. company with a similar model, is likewise encountering some consumer frustration with the lack of notice about its user tracking. Perhaps the most difficult aspect of deploying these kinds of ad networks lies in notifying consumers of their existence, and since companies like NebuAd and Phorm have no prior relationship with the users whose data they are collecting, the task of notifying consumers often lies with the ISPs.
We have yet to hear of a notice strategy that would adequately inform users about these ISP-based tracking mechanisms and the choices that users have about participating. These initial missteps and consumer complaints deserve serious attention because they are indicative of the complexity of the privacy challenges associated with ISP-based user tracking. Until and unless these challenges are addressed, the Internet advertising gold mine may remain just a little further out of reach.