NebuAd: The Snoop is Dead; Long Live the Snoop!

By Robb Topolski on May 19, 2009 - 4:07pm

About a year ago, Free Press and Public Knowledge published a report indicating that NebuAd had conspired with over a dozen US ISPs to conduct no less than Wiretapping, packet forgery, and browser highjacking.

Over the past 24 hours, there have been several reports that NebuAd -- which never was a company that was quite square with the truth -- told a court in a civil case that they were shutting down: about to shut off the lights and close the door for the final time.

Or is it? This is, after all, NebuAd.

In an article entitled, Case Closed: Nebuad Shuts Down, reporter Wendy Davis explains:

The closing came to light over the weekend, when lawyers filed a letter notifying U.S. District Court Judge Edward Chen in San Francisco about the closure. "From a company that once employed over 60 people, NebuAd now operates with a skeleton staff, and shortly, that too will disappear," wrote attorney Alan Himmelfarb.
Monday, NebuAd filed court papers confirming that it had assigned remaining assets to an entity that will pay off creditors.
Himmelfarb notified the court about the impending shutdown as part of a request to inspect NebuAd's documents and records before they are placed in storage. NebuAd's lawyer opposed that application, stating that NebuAd had moved files from its now-closed Redwood City office to another office in Foster City months before this lawsuit was filed.
Himmelfarb, of the law firm KamberEdelson, represents more than a dozen Web users who sued NebuAd in November for allegedly violating their privacy by purchasing information about their Web activity from Internet service providers and using that data to send targeted ads.

Well, wait a second.

NebuAd was the company that said that users could opt-out, but upon further investigation it became clear that you couldn't opt-out of your ISP sending your data to the snooper, you could only opt-opt out of the targetted advertising that resulted from the snooping.

These are the guys, after all, that said they required the ISPs to proactively notify their customers before eavesdropping on their 'net conversations (when, as it turns out, none of NebuAd's ISP partners actually went out and told their customers anything about it).

So, just because NebuAd says it's closing doesn't necessarily mean that it's not still in business.

Alexander Hanff of nodpi.org reports that NebuAd still up and running in the U.K., now under the moniker of "Insight Ready."

Insight... heh, good name for an DPI-in-the-ISP snooper.

Says Hanff,

Nice try NebuAd but you really made it very easy for us to uncover your plans - you should have at least had the old NebuAd phone number changed for the new company and chosen a name which you had not already promoted 8 months previously.

Great work, Alex and friends! This site or this one appear to be a bit of a placeholder, but Alex reports someone is answering the phone under the new name.

NebuAd has some interesting parallel's with the company Phorm, who wants very badly to turn their algorythms on to everything Britons have to say through their ISPs. Both are US-based companies, both had roots in Spyware, and both snooped on consumers without telling them first.

While the United States has seemed to have successfully chased its vermin out of the country, those in the U.K. haven't been so lucky... according to recent media, Phorm seems ready to commence operations Real Soon Now.

Well, lookee here!The

Submitted by Robb Topolski on May 20, 2009 - 10:48am.

Well, lookee here!

The Register dug a bit deeper and found that NebuAd has indeed pulled another morph.

Hmmm. Morph ... Phorm ... interesting.

From the ashes of Claria came NebuAd and now from the ashes of NebuAd comes InsightReady. Oh, they're not going to bug the net, they're going to bug the net's websites. Writes El Reg in their article:

According to a source close to the new firm, Goad started Insight Ready with the blessing of what remained of NebuAd US, but the two firms have no business or technical relationship beyond having some of the same personnel.

Unlike NebuAd, Insight Ready will not seek to collect data from inside ISP networks. Instead, when it launches "in several weeks", it will aim to collect behavioural data in partnership with website owners. The data will be "anonymised" and sold on to ad networks, with the cash split between websites and Insight Ready.

It will be closer to a "traditional" behavioural targeting system than to the deep packet inspection-dependent plans of NebuAd and Phorm.

The new business may still prove controversial however. It's understood behavioural data will be collected via code embedded in an "invisible pixel" on websites. European regulators have recently said that explicit, informed consent must be a part of all behavioural targeting systems.

Well, now again I don't believe anything NebuAd says, and in fact before they allegedly busted up, they signalled this particular transformation.

But I think there's a lot of competition in the pixel-tracking space, and a lot of attention needs to be paid to the particular differentiators in their service. After all, this is a company of people that has never played it clean, never.

Robb Topolski

About the Author

Robb Topolski

Robb Topolski is Chief Technologist for the Open Technology Initiative of the New America Foundation and currently consults in the same role with the organizations Public Knowledge and Free Press.

His career includes 15 years in the fields of Software Testing and Quality Assurance at Intel Corporation and Quarterdeck Office Systems, with a focus on developing networking products. His experience with digital protocols spans over 25 years. In 2004, he was awarded the Certified Software Quality Engineer (CSQE) designation by the American Society of Quality (ASQ) and in 2006, he was named one of Microsoft’s Most Valued Professionals (MS-MVP) in the field of Networking. His 2008 report, NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking, raised public awareness and helped launch congressional investigations into large-scale ISP use of DPI for commercial eavesdropping.