Updated: 06-19

Report: NebuAd Forges Packets, Violates Net Standards


An online advertising firm called NebuAd that pays ISPs to let it eavesdrop on web users doesn't just passively record traffic, but actively injects fake packets into responses from other websites in order to deliver cookies to users, according to a technical report released by the advocacy groups Free Press and Public Knowledge on Wednesday.

The report from the open net advocacy groups describes the system as a "browser hijack," comparing it with two classic hacker attacks.

NebuAd first drew widespread attention after Charter Communications, the nation's fourth largest ISP, announced it would try out the company's technology, promising that users would love having more targeted ads served to them. That announcement brought unwanted media and congressional attention to NebuAd, which had already installed monitoring boxes inside the network of at least one smaller ISP, WOW.

NebuAd has conceded that its boxes peer deep into internet packets to pull out URLs and search terms in order to classify each user's interests. That profile is then used to deliver tailored ads on various partner websites.

But Free Press and Public Knowledge found that sometimes when a WOW subscriber visited Yahoo or Google, NebuAd faked an additional packet of data that appears to be the last part of the downloaded Google webpage. The extra packet included NebuAd-written JavaScript that directs users' browsers to a NebuAd-owned domain named faireagle.com, where the company drops tracking cookies from other domains and companies on the user's computer. These can be used later to deliver customized ads based on analysis of where people have gone on the web or what search terms they have used.
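The injection the report describes leaves two marks a client-side audit can look for: the page body no longer matches what the server's own headers declared, and the page suddenly references a script hosted somewhere other than the site the user asked for. The following is an added example (not code from the report, from Free Press, or from NebuAd) that reassembles a constructed HTTP response stream and flags both signs. The origin host, the sample HTML and the `tracker.invalid` script host are all placeholders constructed for the example; the check is a heuristic on the reassembled stream and does not reproduce the exact mechanics of any vendor's device.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the response stream as the client reassembles it.
# ORIGIN_HOST is the site the user asked for (placeholder, not a real host).
ORIGIN_HOST = "www.example.com"

GENUINE_SEGMENTS = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 55\r\n\r\n",
    b"<html><body><p>search results go here</p></body></html>",
]

# Constructed stand-in for an injected trailing segment: a script tag that
# pulls code from a host the origin never referenced (placeholder domain).
INJECTED_TAIL = b'<script src="http://tracker.invalid/t.js"></script>'

SCRIPT_SRC = re.compile(rb'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def parse_response(stream: bytes):
    """Split a raw HTTP/1.x response into a header dict and the body bytes."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def audit(stream: bytes, origin_host: str):
    """Return a list of findings that suggest the stream was altered in transit.

    Two heuristics: the body length disagreeing with Content-Length (an extra
    segment appended to a response the server already sized), and script
    elements sourced from a host other than the origin the user requested.
    """
    findings = []
    headers, body = parse_response(stream)

    declared = headers.get("content-length")
    if declared is not None and len(body) != int(declared):
        findings.append(
            f"body is {len(body)} bytes but Content-Length says {declared}"
        )

    for match in SCRIPT_SRC.finditer(body):
        src = match.group(1).decode(errors="replace")
        host = urlparse(src).hostname  # None for relative URLs, which are skipped
        if host and host != origin_host:
            findings.append(f"script loaded from third-party host {host}")

    return findings


if __name__ == "__main__":
    clean = b"".join(GENUINE_SEGMENTS)
    print("clean stream:", audit(clean, ORIGIN_HOST))
    print("stream with injected tail:", audit(clean + INJECTED_TAIL, ORIGIN_HOST))
```

Run against the untouched stream the audit returns nothing; with the constructed tail appended it reports both the length mismatch and the third-party script host. A site that legitimately serves scripts from a CDN will trip the second heuristic, so in practice the host check needs an allow-list per origin.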

The report (.pdf) was written by Robb Topolski, an engineer who started consulting for Free Press after gaining fame by detecting Comcast's forgery of P2P traffic early last year. He testified about the ongoing packet forgery by Comcast at a Federal Communications Commission hearing at Stanford in April.

"NebuAd and ISPs together cooperate in this attack against the intentions of the consumers, the designers of their software and the owners of the servers that they visit," he writes.

Topolski compares the behavior of NebuAd with that of two common hacking attacks: cross-site scripting and man-in-the-middle attacks. In the former, a hacker finds a way to get his own malicious JavaScript executed on a page he does not own. In the latter, an attacker wanting to steal passwords or listen to a conversation gets access to traffic running between two parties and records it, or distorts a communication for his own benefit.

He also argues that NebuAd is violating core internet protocols, which stipulate that packets originate from devices at the edge, while devices in the middle are supposed to route the packets, not modify or initiate them.

NebuAd has been unwilling to talk about how its technology and opt-out process works, how long it stores data, whether users can see or delete their profiles, or even whether anyone at the company has any relevant privacy policy experience. The company's only publicly available patent application is for a system that forges packets and replaces a website's banner ads with its own as the data flows from a website to a user's computer. But the company says it is not replacing other sites' ads. (The company claims to have filed for a patent for its complicated opt-out system, but it has not turned up in patent searches and the company has declined to send Threat Level a copy of the application.)

NebuAd did not respond to a request for comment or clarification of the report's findings by deadline. SEE UPDATE.

The group's report raises further interesting questions about the legality of the system, including whether the company could run afoul of trademark law by making a site like Google look as if it is installing tracking cookies on a user's computer.

Charter has not yet begun the trials it announced for four cities in the U.S., but plans to very soon, according to a spokeswoman. Company executives also met with Congressman Ed Markey (D-Massachusetts) to discuss his concerns, and described the meeting as "productive," the spokeswoman said.

UPDATE Wednesday 3:45 p.m. PDT:

In response to Threat Level's questions about data access, retention and storage, NebuAd's VP of Marketing Janet McGraw writes:

NebuAd does not collect or use any personally identifiable information. Any non-personally identifiable information that is used is anonymous and cannot, by itself or in combination, identify a specific person. Since a web user (ISP customer) is always anonymous within the NebuAd system, anonymous user profiles can never be linked to an identifiable web user. Therefore, we could not provide this information to a customer. However, a web user may opt-out at any time, at which time the profile would be immediately deleted.

NebuAd also took issue with the report, but did not dispute the technical conclusions. Instead, the company says the report disregarded its policy of making sure ISP customers know the system is there and that they can opt out.

The company also defends the use of a tracking cookie, calling it standard practice for an ad network.


Photo: Herby Hönigsperger / Flickr
