Home » Data Protection » Malware/Cybercrime

News

Groups: Ad Firm Used by ISPs Spies on Users

A targeted advertising vendor being used by several U.S. broadband providers hijacks browsers, spies on users and employs man-in-the-middle attacks, according to a report released Wednesday by two advocacy groups.

By Grant Gross, IDG News Service (Washington Bureau)

June 19, 2008 —

A targeted advertising vendor being used by several U.S. broadband providers hijacks browsers, spies on users and employs man-in-the-middle attacks, according to a report released Wednesday by two advocacy groups.

NebuAd, a behavioral advertising vendor being used by Charter Communications, WideOpenWest and other Internet service providers, uses also packet forgery, modifies the content of TCP/IP packets and loads subscribers' computers with unwanted cookies, according to the report, released by Public Knowledge and Free Press, two Washington, D.C., groups focused on digital rights.

"NebuAd exploits several forms of 'attack' on users' and applications' security," wrote report author Robert Topolski, chief technology consultant for the two groups. "These practices - committed upon users with the paid-for cooperation of ISPs - violate several fundamental expectations of Internet privacy, security and standards-based interoperability."

NebuAd violates Internet Engineering Task Force standards that "created today's Internet where the network operators transmit packets between end users without inspecting or interfering with them," Topolski added.

A Charter Communications representative didn't immediately respond to a request for comment on the Topolski report. Charter, in late May, issued a statement saying it was working with concerned lawmakers to address concerns about the targeted ad service.

"Charter takes the responsibility of protecting its customers' information seriously," the company said in a May statement. "We look forward to maintaining an open communication with policymakers to alleviate any concerns."

NebuAd called the report "misleading." The company places cookies on users' machines "using industry-standard techniques for standard ad serving purposes," NebuAd said in a statement.

NebuAd also allows users to opt out of the company's information-collection efforts, the company noted.

"We take issue with the inaccurate statements made in reference to NebuAd's consumer privacy standards and apparent disregard for the controls and policies we have in place to inform and protect internet subscribers," NebuAd's statement said. "Transparency and consumer privacy protection are core to our business. Reasonable review of materials that have been made available online would have educated the organization that NebuAd requires its ISP partners to provide robust notice to their subscribers prior to deployment of the service."

Charter Communications, a cable television and Internet provider based in St. Louis, announced in May that it was planning to use NebuAd to roll out a targeted ad program that would track users' Web activity in order to deliver "relevant" ads. That announcement by Charter, the fourth largest cable operator in the U.S., sparked calls for an investigation by several privacy and consumer groups.