
Read a blog post on how users are watching their ISPs.
The magazines you read. The car you would like to own. Travel plans, favourite bands, sporting allegiances. For many of us, all this information and more can be gleaned from a log of the websites we visit. Until recently, the only people with access to the logs were you and your internet service provider (ISP), but gone are the days when ISPs simply piped the internet into your home.
They have woken up to the value of the information and started selling it on to advertisers, who use it to individually tailor ads, often without customers’ knowledge. They have also been accused of using the data for more insidious purposes. The result is a gathering privacy storm.
Advertisement
Although search engine and webmail providers Google, Yahoo and Microsoft already make billions of dollars annually by selling targeted advertisements based on the search terms people type in and the text of their emails, they are limited to data gathered on their sites – and those of any partners. In contrast, the data gathered by ISPs can be based on all the sites someone visits, allowing much broader profiles to be built up. That makes advertisers all the more excited. “There is going to be a lot more movement in this direction – because it works,” says Dave Morgan, a behavioural marketing specialist based in New York and a former AOL employee.
Many users are likely to object to this, though, and it makes privacy advocates queasy. Some even argue that selling the data to advertisers is paving the way for police or intelligence agencies to view the data without a warrant.
Just how do advertisers use the data? In most cases the ISPs sell access to companies that have specialised software for analysing the data. These then place ads on behalf of advertisers. The most well known is , which has offices in London, Moscow and New York. Its system examines internet packets as they flow from users’ computers to the ISPs and checks any URLs that they visit against a list of advertisers’ target categories – visiting the Mercedes site indicates an interest in luxury cars, for example, a travel site that the person is thinking of booking a holiday. Phorm uses this data to determine which of its clients’ ads to display to that individual.
In February, Phorm announced that it had made deals with BT, TalkTalk and Virgin Media, the three largest UK ISPs, and attracted attention because some customers were angry they were not made aware of these plans. Âé¶ą´«Ă˝ has discovered that similar tracking activity is already fairly widespread in Asia and the US.
One of Phorm’s rivals, of Redwood City, California, says it installed monitoring equipment with around 30 small ISPs late last year. That amounts to tracking the web movements of roughly 10 per cent of the US’s 100 million broadband subscribers. Meanwhile, two other US companies also claim to have deals with ISPs. One of these, of Sonora, California, claims to be tracking 8 million households in Asia too.
There is also talk of monitoring more US users in future. Although none of the major US ISPs has been publicly linked with a monitoring company, Laurence Chang of in Fairfax, Virginia, claims that his customers include some of the large providers and that they are running ad delivery trials using his firm’s Data Alchemist device. Chang wouldn’t name these ISPs, but when Âé¶ą´«Ă˝ contacted the ISPs AT&T, AOL and Verizon, they said that they were not considering using Data Alchemist. Cox, Qwest, Earthlink, Comcast and Time Warner Cable did not comment.
NebuAd and Phorm are quick to rebut allegations of Big Brother behaviour. “We have built a system that is truly ground-breaking in terms of protecting the privacy of users,” says Phorm spokeswoman Radha Burgess. She says that the computers they track are assigned a number that is not linked to personal information such as the user’s name or address. Phorm can then update someone’s preferences each time they visit a site without any reference to where their computer is or who they are.
The firms also point out that they don’t record the specific sites visited, only the categories of sites, and are selective about what categories they record. Visits to pornographic sites or those containing specific health information, are ignored, for example. “We bend over backwards not to invade privacy,” says Bob Dykes of NebuAd.
But while privacy advocates such as Simon Davies of in London welcome those measures, others warn that techniques for protecting users often have unexpected flaws. For example, in 2006, journalists managed to identify individuals from data released by AOL that had supposedly been anonymised. The release became known as a . Burgess says there is no chance of something similar occurring with the data collected by Phorm because the categories it saves on each user are too broad to identify individuals. “If we were to accidentally leak the data, there would be nothing there that would be of any use to anyone,” she says. Nevertheless, privacy expert Chris Hoofnagle of the University of California at Berkeley says he would be worried about any system claiming to distribute “anonymised” data.
Meanwhile, over the past year, some bloggers have accused ISPs of selling a different kind of data, also gleaned from their customers. People looking to buy a domain name often check to see if it is free by typing it into a browser. If the URL does not exist, an error message comes back called an NXD, for non-existent domain. The NXD data can be valuable, as anyone who has it can register the domains themselves, knowing that they are likely to be able to sell them on to the people who looked them up. Jay Westerdal, whose website, , is a community site for domain-name traders, claims to have been offered such data by ISPs. Contacted by Âé¶ą´«Ă˝, Cox, Earthlink, Comcast and Time Warner Cable would not answer a question about NXD data, while AOL, AT&T, Qwest and Verizon said they did not sell such information.
Aside from such risks, many users object on principle to having their internet browsing monitored, even by a computer (see “How to keep your clicks to yourself”). Because of this, privacy watchdogs insist that users must be made aware of the system and given a chance to opt out. Davies says Phorm is acceptable, but only if users can decide whether to join.
NebuAd, Phorm and others agree, but the trouble is that ISPs must enforce this, and they don’t have a great track record. In the UK, BT’s customers were unaware of a Phorm trial that took place last summer. In the US, although the ISP based in Denver, Colorado, now states in its terms and conditions that it works with NebuAd, some customers have complained that the provider did not notify them directly of the collaboration. Meanwhile, one US website owner said that he was not informed of monitoring carried out by his ISP , based in Glen Allen, Virginia, and only became aware of it when he examined his website’s traffic. Neither NET Telcos nor Wide Open West responded to requests for comment.
It’s not all doom and gloom. It’s possible users might even benefit from systems like Phorm and NebuAd. Better targeting would mean fewer irrelevant adverts, for a start. And if ISPs find they can generate enough revenue from advertising, they might also offer cheap or even free internet access to users who sign up for website monitoring.
The Electronic Frontier Foundation (EFF) and the in Washington DC say Phorm and NebuAd also pose long-term threats to privacy. Legal privacy decisions can hinge on whether an individual could reasonably have expected a communication to remain private. Bugging a telephone conversation using a hidden device is illegal, for example, but listening to someone calling from a busy train is OK.
In the case of internet traffic, the law is still evolving. At present, US law enforcement agencies such as the police and the FBI need a warrant to obtain browsing data from ISPs. But by allowing Phorm and others to monitor browsing, users may be unwittingly waiving this protection.
“By allowing companies to monitor browsing, users may be waiving privacy protection”
Phorm claims that its system “cannot be said to impinge on reasonable expectations of privacy”. Danny O’Brien of the EFF disagrees: “I fear a situation where law enforcement will attempt to obtain this information without a warrant as a result of this. That would mean communications on the web were stripped of their privacy.”
Read a blog post on how users are watching their ISPs.
How to Keep your clicks to yourself
If you find it unsettling to think that your every click is being tracked, here’s what you can do:
• Ask your ISP if they sell browsing data to advertising firms like Phorm or NebuAd. If they do, they should allow you to opt out of the scheme. If they don’t, find a new provider.
• Download Tor (), free software that prevents ISPs from determining which sites you are visiting. Normally data packets from a website can be traced because each one carries the IP address of the last server it passed through. Tor routes data through a server network that uses cryptography to hide the path that packets took.
• Run the online test () developed at the University of Washington, Seattle. It may detect if your ISP is trialling a device like Edge Technology’s Data Alchemist, which can be used to monitor browsing and deliver adverts. Be warned: the test only spots certain kinds of ad delivery and won’t detect techniques used by NebuAd and Phorm.