Free Press/Public Knowledge Investigation Finds NebuAd Wiretaps Consumers and Hijacks Web Sites

Contact Info: 
Art Brodsky, 202-518-0020 (o) or 301-908-7715 (c), abrodsky@publicknowledge.org, or Jen Howard, 202-265-1490 ext. 22 or 703-517-6273 (c), jhoward@freepress.net

Consumers are having their Web browsing intercepted and Web sites are having their computer code altered by NebuAd, a company that provides targeted advertising for Internet Service Providers (ISPs), according to a technical investigation by Free Press and Public Knowledge.

NebuAd is an online advertising company whose partnership with cable and phone companies has raised substantial privacy questions for House Subcommittee on Telecommunications and the Internet Chairman Ed Markey (D-Mass.) and Rep. Joe Barton (R-Texas).

In a new report, “NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking,” Robert M. Topolski, the chief technical consultant for the organizations, found that NebuAd uses special equipment that “monitors, intercepts and modifies the contents of Internet packets” as consumers go online. Topolski, the network engineer who made public Comcast’s throttling of BitTorrent applications, said in the report that “NebuAd commandeers users’ Web browsers” to load tracking cookies and collects information from users in order to place ads from ISPs.

“Apparently, neither the consumers nor the affected Web sites have actual knowledge of NebuAd’s interceptions and modifications,” the report found.

NebuAd recently made headlines by announcing its partnership with cable company Charter Communications, but has also been deployed by WOW!, Embarq, Broadstripe, CenturyTel, Metro Provider and others. The NebuAd partnership with Charter was originally announced to start June 15, but Charter has delayed the implementation.

Topolski found that NebuAd, after being installed on the WOW! network, injects extra hidden code into a user’s browser that was not sent by the Web site being visited. That code directs the user’s Web browser to another site not requested or even seen by the consumer, where hidden code is downloaded and executed to add more tracking cookies. The consumer then sees ads based on NebuAd’s profile of a user’s browsing habits -- built through the secretly collected information.

By changing the computer code for Web sites to insert information into the packets of data sent to consumers, NebuAd and its ISP partners “violate several fundamental expectations of Internet privacy, security and standards-based interoperability,” the report found.

“This report shows that NebuAd’s Internet wiretapping is highly questionable,” said Marvin Ammori, Free Press general counsel. “Phone and cable companies should press pause on NebuAd and any similar venture until consumers and members of Congress can address the serious concerns raised by this report.”

“Once again, it shows that ISPs are putting themselves where they don’t belong – inserting themselves between consumers and Web sites,” said Gigi B. Sohn, president and co-founder of Public Knowledge. “Inserting unwanted information and advertising under false pretenses violates every concept of an open and free Internet.”

Topolski added, “NebuAd breaks the rules of acceptable behavior on the Internet. It monitors what you do and see on the Internet, it breaks in and changes the contents of your private communications, it keeps track of what you've done, and if you even know that it's happening, it is impossible to opt-out of it.”

The report is available at:
http://www.freepress.net/files/NebuAd_Report.pdf.

Read the Markey/Barton letter:
http://markey.house.gov/docs/telecomm/letter_charter_comm_privacy.pdf.

People + Policy

= Positive Change for the Public Good

people + policy = Positive Change for the Public Good