Lawmakers question another ISP about NebuAd service

Three powerful U.S. congressmen have questioned a Kansas ISP’s apparent decision to test a controversial behavioral advertising service that tracks users’ Web activities, without notifying its customers of the test.

Representatives John Dingell, chairman of the House Energy and Commerce Committee; Edward Markey, chairman of the committee’s Subcommittee on Telecommunications and the Internet; and Joe Barton, the ranking Republican on the full committee, sent a letter to Embarq CEO Tom Gerke earlier this week.

[ Your source for the latest in government IT news and issues: Subscribe to InfoWorld’s Government IT newsletter. ]

Dingell, a Michigan Democrat; Markey, a Massachusetts Democrat; and Barton, a Texas Republican, raised concerns that Embarq has tested a targeted advertising service from NebuAd, an online ad company that has drawn repeated criticism from privacy advocates.

NebuAd’s targeted ad system tracks user behavior in order to deliver more relevant ads, and allows ISPs to profit from online advertising, but some privacy groups have accused the company of illegally wiretapping ISP subscribers’ connections and of using common Internet attacks to deliver its service.

“Surreptitiously tracking individual users’ Internet activity cuts to the heart of consumer privacy,” Markey said in a statement. “The information collected through NebuAd’s technology can be highly personal and sensitive information. Embarq’s apparent use of this technology without directly notifying affected customers that their activity was being tracked, collected, and analyzed raises serious privacy red flags.”

An Embarq spokeswoman said Wednesday the company has received the lawmakers’ letter. The company is “reviewing it for an appropriate response,” she said.

She did not answer questions about whether Embarq tested the NebuAd service without notifying customers.

Markey’s subcommittee is scheduled to examine the issue in a Thursday hearing titled, “What your broadband provider knows about your Web use: deep packet inspection and communications laws and policies.” Embarq is the second ISP to which lawmakers have sent a letter regarding its use of NebuAd.

The letter from the three legislators asks how Embarq, based in Overland Park, Kansas, conducted the test, if it provided any notification to customers and how it chose which customers to use in the test. The tests with NebuAd have raised questions about whether they comply with consumer privacy protections in several U.S. laws, the lawmakers wrote.

“We are interested in the nature of this test as well as the impact that this test, and the underlying technology it employed, could have on consumer privacy and other issues,” said the letter, sent Monday. “We are concerned that Embarq may not have directly notified the subscribers involved in the test that their Web use was being analyzed and profiled.”

Earlier this month, privacy advocacy group the Center for Democracy and Technology released a report suggesting NebuAd’s practice may be illegal under some state wiretap laws. In June, privacy advocates Public Knowledge and Free Press released their own report suggesting that NebuAd hijacks browsers, employs man-in-the-middle attacks, uses packet forgery and installs unwanted cookies in order to track users’ Internet habits.

NebuAd has disputed the information in those reports. NebuAd collects limited information about users and it anonymizes the data it collects, company CEO Robert Dykes told a U.S. Senate committee last week. “No one, not even the government, can determine the identity of our users,” he said.

Markey and Barton wrote a similar letter in May to Charter Communications, after the St. Louis cable broadband provider announced plans to test the NebuAd system. Last month, Charter announced it was suspending its plans to test the NebuAd product because of customer privacy concerns.