It's been a few weeks since our last report on NebuAd and its attempt to install Deep Packet Inspection (DPI) devices on broadband networks throughout the country for the purposes of behavioral advertising (if you're unfamiliar with NebuAd, you might want to start here). Quite a bit has happened since then: as you may have already heard, Public Knowledge, in partnership with 14 other consumer advocacy and privacy groups, urged members of Congress to open up a formal investigation into the privacy threat posed by companies like NebuAd. If such an investigation takes place, we're likely to learn a whole lot more about NebuAd and how the company does business with the ISPs. In the meantime, we decided to do a little investigating of our own. With the help of noted networking researcher Robb Topolski, Public Knowledge and Free Press conducted a technical analysis of NebuAd, in order to figure out exactly how the company's behavioral advertising technology works, and what specific risks it poses to the end user. What we found is that, in terms of actual methodology, NebuAd has more in common with hackers than it does with most web advertising companies.
In case you're not familiar with Robb, he's been credited as the first to discover that Comcast was using TCP reset packets to interrupt BitTorrent connections, back in May 2007. Additionally, Robb has over 25 years of experience in networking protocols, has worked for Intel and Quarterdeck for 15 years and has been both CSQE and MS-MVP certified. For the past few months, he's been serving as the chief technology consultant for Public Knowledge and Free Press and has been advising both organizations on a number of technological matters.
For the purposes of his test, Robb accessed a machine via Remote Desktop Protocol (RDP) which was directly connected to the WOW! (aka Wide Open West) cable Internet network (in March, WOW! was confirmed as having deployed NebuAd technology on its network). Before running the test, Robb performed a clean install of Microsoft Windows XP SP3 and then installed Wireshark, a network protocol analyzer, on the machine. Using Microsoft Internet Explorer 7, Robb navigated to www.google.com, while monitoring his Cookies directory.
Robb sums the practice up thusly: “NebuAd and ISPs together cooperate in this attack against the intentions of the consumers, the designers of their software, and the owners of the servers that they visit.” In forging TCP packets, NebuAd inserts itself between the user and the website in a manner that is appallingly similar to that employed by the common hacker. If a hacker forged TCP packets in order to steal your personal information, that would be illegal. Let's make sure that NebuAd is held to the same standard.
For more information, be sure to read Robb's paper (PDF Link).