Senators question NebuAd, targeted ad privacy

NebuAd, the controversial online behavioral advertising vendor, does not collect personally identifiable information or keep the information it collects for an extended time, the company's chairman and CEO said Wednesday.

NebuAd, which has reportedly worked with more than a dozen ISPs in the United States, collects information about users' Web surfing habits, then delivers targeted advertising based on those results. Privacy critics have protested the service, saying it uses common Internet attacks to collect data and may be illegal because it does not get affirmative consent from both the ISP subscribers and the Web sites they visit.

But Robert Dykes, chairman and CEO of the California company, told a U.S. Senate committee that NebuAd collects limited data about users and it anonymizes the data it collects, including the IP numbers. In the data's aggregated forum, it would be impossible to identify a subscriber of an ISP that has a partnership with NebuAd, he told the Senate Commerce, Science and Transportation Committee.

If the U.S. government asked NebuAd to identify users, the company wouldn't be able to comply, Dykes told senators. "No one, not even the government, can determine the identity of our users," he said.

NebuAd only collects information to use to create profiles for a limited number of advertising categories, Dykes said. All other data collected is deleted, he said. In addition, users can easily opt out of NebuAd's data collection, he said.

The Senate committee scheduled the hearing after Charter Communications, one of the largest providers of cable-based broadband service in the United States, announced in May that it was testing NebuAd's service. After privacy objections, the ISP said last month it was suspending its partnership with NebuAd.

The practices of NebuAd and other behavioral advertising services have led to privacy questions, said Sen. Byron Dorgan, a North Dakota Democrat. "Many consumers express concerns about the privacy and data security implications of being targeted," he said.

On Tuesday, privacy advocacy group the Center for Democracy and Technology (CDT) released a report suggesting NebuAd's practice may be illegal under some state wiretap laws. In June, privacy advocates Public Knowledge and Free Press released their own report suggesting that NebuAd hijacks browsers, employs man-in-the-middle attacks, uses packet forgery, and installs unwanted cookies in order to track users' Internet habits.

NebuAd has disputed the information in those reports.

One NebuAd critic at the hearing said she was skeptical that the information the company collects is truly anonymous. NebuAd should be able to identify individual users based on their searches and other Web activity, said Leslie Harris, president and CEO of the Center for Democracy and Technology (CDT), a privacy and digital rights advocacy group.

"[NebuAd is] building profiles," Harris said. "I think it's pseudonymous. It can't be entirely anonymous."