[tt] NS: Ad men are homing in on your clicks

[Premise Checker]

Ad men are homing in on your clicks
http://technology.newscientist.com/article.ns?id=mg19826535.800&print=true
[Related material appended.]

24 April 2008
Jim Giles
Celeste Biever

The magazines you read. The car you would like to own. Travel plans,
favourite bands, sporting allegiances. For many of us, all this
information and more can be gleaned from a log of the websites we
visit. Until recently, the only people with access to the logs were
you and your internet service provider (ISP), but gone are the days
when ISPs simply piped the internet into your home.

They have woken up to the value of the information and started
selling it on to advertisers, who use it to individually tailor ads,
often without customers' knowledge. They have also been accused of
using the data for more insidious purposes. The result is a
gathering privacy storm.

Although search engine and webmail providers Google, Yahoo and
Microsoft already make billions of dollars annually by selling
targeted advertisements based on the search terms people type in and
the text of their emails, they are limited to data gathered on their
sites - and those of any partners. In contrast, the data gathered by
ISPs can be based on all the sites someone visits, allowing much
broader profiles to be built up. That makes advertisers all the more
excited. "There is going to be a lot more movement in this direction
- because it works," says Dave Morgan, a behavioural marketing
specialist based in New York and a former AOL employee.

Many users are likely to object to this, though, and it makes
privacy advocates queasy. Some even argue that selling the data to
advertisers is paving the way for police or intelligence agencies to
view the data without a warrant.

Just how do advertisers use the data? In most cases the ISPs sell
access to companies that have specialised software for analysing the
data. These then place ads on behalf of advertisers. The most well
known is Phorm, which has offices in London, Moscow and New York.
Its system examines internet packets as they flow from users'
computers to the ISPs and checks any URLs that they visit against a
list of advertisers' target categories - visiting the Mercedes site
indicates an interest in luxury cars, for example, a travel site
that the person is thinking of booking a holiday. Phorm uses this
data to determine which of its clients' ads to display to that
individual.

In February, Phorm announced that it had made deals with BT,
TalkTalk and Virgin Media, the three largest UK ISPs, and attracted
attention because some customers were angry they were not made aware
of these plans. New Scientist has discovered that similar tracking
activity is already fairly widespread in Asia and the US.

One of Phorm's rivals, NebuAd of Redwood City, California, says it
installed monitoring equipment with around 30 small ISPs late last
year. That amounts to tracking the web movements of roughly 10 per
cent of the US's 100 million broadband subscribers. Meanwhile, two
other US companies also claim to have deals with ISPs. One of these,
Front Porch of Sonora, California, claims to be tracking 8 million
households in Asia too.

There is also talk of monitoring more US users in future. Although
none of the major US ISPs has been publicly linked with a monitoring
company, Laurence Chang of Edge Technologies in Fairfax, Virginia,
claims that his customers include some of the large providers and
that they are running ad delivery trials using his firm's Data
Alchemist device. Chang wouldn't name these ISPs, but when New
Scientist contacted the ISPs AT&T, AOL and Verizon, they said that
they were not considering using Data Alchemist. Cox, Qwest,
Earthlink, Comcast and Time Warner Cable did not comment.

NebuAd and Phorm are quick to rebut allegations of Big Brother
behaviour. "We have built a system that is truly ground-breaking in
terms of protecting the privacy of users," says Phorm spokeswoman
Radha Burgess. She says that the computers they track are assigned a
number that is not linked to personal information such as the user's
name or address. Phorm can then update someone's preferences each
time they visit a site without any reference to where their computer
is or who they are.

The firms also point out that they don't record the specific sites
visited, only the categories of sites, and are selective about what
categories they record. Visits to pornographic sites or those
containing specific health information, are ignored, for example.
"We bend over backwards not to invade privacy," says Bob Dykes of
NebuAd.

But while privacy advocates such as Simon Davies of Privacy
International in London welcome those measures, others warn that
techniques for protecting users often have unexpected flaws. For
example, in 2006, journalists managed to identify individuals from
data released by AOL that had supposedly been anonymised. The
release became known as a "Data Valdez". Burgess says there is no
chance of something similar occurring with the data collected by
Phorm because the categories it saves on each user are too broad to
identify individuals. "If we were to accidentally leak the data,
there would be nothing there that would be of any use to anyone,"
she says. Nevertheless, privacy expert Chris Hoofnagle of the
University of California at Berkeley says he would be worried about
any system claiming to distribute "anonymised" data.

Meanwhile, over the past year, some bloggers have accused ISPs of
selling a different kind of data, also gleaned from their customers.
People looking to buy a domain name often check to see if it is free
by typing it into a browser. If the URL does not exist, an error
message comes back called an NXD, for non-existent domain. The NXD
data can be valuable, as anyone who has it can register the domains
themselves, knowing that they are likely to be able to sell them on
to the people who looked them up. Jay Westerdal, whose website,
DomainTools, is a community site for domain-name traders, claims to
have been offered such data by ISPs. Contacted by New Scientist,
Cox, Earthlink, Comcast and Time Warner Cable would not answer a
question about NXD data, while AOL, AT&T, Qwest and Verizon said
they did not sell such information.

Aside from such risks, many users object on principle to having
their internet browsing monitored, even by a computer (see "How to
keep your clicks to yourself"). Because of this, privacy watchdogs
insist that users must be made aware of the system and given a
chance to opt out. Davies says Phorm is acceptable, but only if
users can decide whether to join.

NebuAd, Phorm and others agree, but the trouble is that ISPs must
enforce this, and they don't have a great track record. In the UK,
BT's customers were unaware of a Phorm trial that took place last
summer. In the US, although the ISP Wide Open West based in Denver,
Colorado, now states in its terms and conditions that it works with
NebuAd, some customers have complained that the provider did not
notify them directly of the collaboration. Meanwhile, one US website
owner said that he was not informed of monitoring carried out by his
ISP NET Telcos, based in Glen Allen, Virginia, and only became aware
of it when he examined his website's traffic. Neither NET Telcos nor
Wide Open West responded to requests for comment.

It's not all doom and gloom. It's possible users might even benefit
from systems like Phorm and NebuAd. Better targeting would mean
fewer irrelevant adverts, for a start. And if ISPs find they can
generate enough revenue from advertising, they might also offer
cheap or even free internet access to users who sign up for website
monitoring.

The Electronic Frontier Foundation (EFF) and the Electron Privacy
Information Centre in Washington DC say Phorm and NebuAd also pose
long-term threats to privacy. Legal privacy decisions can hinge on
whether an individual could reasonably have expected a communication
to remain private. Bugging a telephone conversation using a hidden
device is illegal, for example, but listening to someone calling
from a busy train is OK.

In the case of internet traffic, the law is still evolving. At
present, US law enforcement agencies such as the police and the FBI
need a warrant to obtain browsing data from ISPs. But by allowing
Phorm and others to monitor browsing, users may be unwittingly
waiving this protection.

Phorm claims that its system "cannot be said to impinge on
reasonable expectations of privacy". Danny O'Brien of the EFF
disagrees: "I fear a situation where law enforcement will attempt to
obtain this information without a warrant as a result of this. That
would mean communications on the web were stripped of their
privacy."

Read a blog post on how users are watching their ISPs.

How to Keep your clicks to yourself

If you find it unsettling to think that your every click is being
tracked, here's what you can do:

Ask your ISP if they sell browsing data to advertising firms like
Phorm or NebuAd. If they do, they should allow you to opt out of the
scheme. If they don't, find a new provider.

Download Tor (www.torproject.com), free software that prevents ISPs
from determining which sites you are visiting. Normally data packets
from a website can be traced because each one carries the IP address
of the last server it passed through. Tor routes data through a
server network that uses cryptography to hide the path that packets
took.

Run the online test (http://vancouver.cs.washington.edu) developed
at the University of Washington, Seattle. It may detect if your ISP
is trialling a device like Edge Technology's Data Alchemist, which
can be used to monitor browsing and deliver adverts. Be warned: the
test only spots certain kinds of ad delivery and won't detect
techniques used by NebuAd and Phorm.

Related Articles

Web 3.0: Playing it safe with our data
http://technology.newscientist.com/article/mg19726471.700
14 March 2008
UK and US labelled 'endemic surveillance societies'
http://technology.newscientist.com/article/mg19726385.800
12 January 2008
Location-based phone features could aid snoops
http://technology.newscientist.com/article/mg19526116.300
04 July 2007

Weblinks

Phorm
http://www.phorm.com/
NebuAd
http://www.nebuad.com/
Front Porch
http://www.frontporch.com/html/index.html
Electronic Frontier Foundation
http://www.eff.org/
Electronic Privacy and Information Center
http://epic.org/
Privacy International
http://www.privacyinternational.org/
Edge Technologies
http://www.edge-technologies.com/
Data Valdez definition
http://www.doubletongued.org/index.php/dictionary/data_valdez/
Chris Hoofnagle, University of California
http://www.law.berkeley.edu/faculty/profiles/facultyProfile.php?facID=6494

How an email address can reveal your character
http://technology.newscientist.com/article.ns?id=mg19826535.500&print=true
26 April 2008

THINK twice about the email address you pick: it may speak volumes
about your personality.

Mitja Back and colleagues at the University of Leipzig in Germany
asked a panel of 100 students to guess the personalities of 600
teenagers simply by looking at their email addresses.

The panels' guesses agreed most with a personality survey the
teenagers had completed when it came to qualities like openness,
conscientiousness and narcissism, and diverged most on the trait of
extroversion. Addresses that gave away personality often contained
full stops, numbers or a name that was obviously not genuine
(Journal of Research in Personality, DOI:
10.1016/j.jrp.2008.02.001).

"This shows that personality seeps into almost everything we do,"
says Sam Gosling of the University of Texas.

Related Articles

See yourself as others see you online
http://technology.newscientist.com/article/mg19325975.200
31 March 2007
For a new personality, click here
http://technology.newscientist.com/article/mg18925406.700
25 February 2006

Weblinks

Mitja Back, University of Leipzig
http://www.uni-leipzig.de/~diffdiag/mitarbeiter/back_e.html
Sam Gosling, University of Texas
http://homepage.psy.utexas.edu/homepage/faculty/gosling/
How extraverted is honey.bunny77 at hotmail.de? Inferring
personality from e-mail addresses
http://dx.doi.org/10.1016/j.jrp.2008.02.001

E-mail me if you have problems getting the referenced articles.