NebuAd Responds, and Robb Topolski Responds to the Response

Last week I reported in this post on the latest troubles facing NebuAd in the area of privacy. Well, NebuAd responded to the report that characterized their data collection practices as problematic from a privacy standpoint.

NebuAd responded to the report, and you can read the highlights in Broadcasting and Cable.

For those who don’t remember the name, Robb Topolski is the man who discovered Comcast’s secret practice of slowing downloads to customers using BitTorrent applications. Robb’s blog is here. I did not identify him as the author in my previous post and I apologize to him for the omission.

If I understand it, the key issue is that, according to Topolski, NebuAd appends an extra packet to web pages that appears to come from the publisher, not NebuAd. This, according to Topolski, is forgery. The second issue is about notification and whether the notification processes of ISPs have been robust enough to ensure consumers are aware of the activity and its potential benefits to them.

NebuAd’s response:

“NebuAd cookies do not contain specific information about a user,” the company said. “All ad networks use a small piece of code that is temporary and operates only within the security framework of the browser to invoke the placement of ad network cookies. The code NebuAd uses is no different, and is clearly demarcated outside of and does not modify any publisher code.”

Topolski responded to this statement on his blog with the following (excerpted):

As detailed in my report, NebuAd’s code is appended to the web page code, in an extra packet that appears to come from servers owned by Google or Yahoo (not NebuAd). This is why you can claim any demarcation. However, there is no demarcation between the publisher’s code and your injected code that indicates that the code is not from the publisher and that NebuAd is the source of the injected script. The packet is a forgery and the reason is obvious — if the injected packet would properly identify its source in the IP header, the customer’s computer would properly ignore it. This is by intentional design, and is why I characterize NebuAd’s programming as usurping the intentions of the application and operating system designers.

More technical minds than mine should and will debate this.

For me this battle is an indication of the kind of thing we are going to see much more frequently in the future. My earlier post on Google’s use of toolbar data for targeting is another example of the complexities of data collection, usage, and concerns about privacy.

I hope that this issue can be addressed with reason. NebuAd is clearly filled with smart people who have made decisions based upon what they believe is responsible business practice and reasonable protection of privacy. So characterizing them as evil would be unproductive.

Similarly, I sincerely hope that the debate will focus on the issue rather than the author of the report. Robb Topolski is not a kook. A read of his report, his blog, and indeed his comment to the earlier post on THIS BLOG show he’s very passionate. But passion is something we should be pleased to see in a debate about privacy. He demonstrates a comprehensive point of view and an orientation toward thorough review and specifically outlining his findings.

Thanks for reading, and don’t forget to write.