Techs-on-Call Computer Blog Keeping you informed about the world of computer issues

Just imagine if every web page you ever visited was monitored. The monitoring program is done by a for-profit business that wants to sell user behavior to advertisers and marketing firms. Although no personal information is actively collected, the monitoring program does collect your IP address. The whole system is not actively monitored but uses a program to analyze your browsing habits in real-time. Then as you browse the internet, you will be given advertisements based on your entire browsing history. All of this is done with your internet provider at the source, so opting out is very difficult. Of course, if you just happen to give your personal information to an unsecured website, it will be in the database. Employees at the for-profit business are not likely to actively try to get your personal information. Still, the less than ethical might try and hackers would love that information. With personal information, a hacker can personalize a con or break personal passwords since people quite often use passwords that are related something personal.

This is not a what-if scenario. This is real life. The technology is called deep-packet inspection. That is just a fancy way of saying that your internet traffic is being inspected by a special machine at the internet service provider's internet backbone. The ISP gets paid to do this above and beyond money paid to run the equipment. Advertisers love it because your browsing habits cannot be erased or prevented using the traditional methods. One of the traditional ways is by tracking cookies. The cookie has a unique number that gets sent to the central database every time a page is loaded. But that can be easily blocked and deleted. Another way is unethical spyware. Some spyware does of course have full disclosure although it is always buried deep. This spyware is legal. Quite often this spyware is bundled with free programs or add-ons to the web browser, usually a toolbar. The illegal spyware is rarely used to monitor your internet behavior and it more often used to aid hacking of some kind. But legal and illegal spyware is quite often deleted by anti-spyware/anti-malware and antivirus programs. So advertisers need a reliable way to track your habits. That reliable way is deep-packet inspection.

Thankfully, such practices are illegal in the United States due to older laws. But other countries are not so blessed. Still it has been tried in the United States. The company that did try was called NebuAd. At one time, it was tracking 10% of American internet customers. Word leaked out thanks to a New York Times expose. And so some Americans do what Americans do best: sued. Then Congress became involved and this spelled doom for NebuAd.

Of course, NebuAd has a sordid history in of itself. NebuAd had people on its board of directors who worked for a company called Claria Corporation which was once called Gator Corporation which made a spyware program called Gain Gator. Gain Gator was a nefarious spyware program that people was bundled with free programs. (Of course, my #1 rule on the internet is that if it is free, it really ain't free. I know there are exceptions so always search to make sure it really is free.) Gain Corporation knew word was out about them so they changed the named to Claria Corporation which, despite what the official stance said, was an attempt to clean up its image so that it could continue to do what it wanted to do. But that didn't work and Claria eventually went belly-up. Almost at the same time it did, the domain name nebuad.com was reserved. Claria and NebuAd also had the same home city. After NebuAd went defunct in the US due to legal pressures, NebuAd changed its name again to Insight Ready and moved to the friendlier United Kingdom which already has a company doing what NebuAd wanted to do Stateside.

That company is Phorm and it operates in the United Kingdom. Phorm knows how unpopular this is and is quite dodgy and defensive and deceptive. In fact, all of these companies are dodgy and defensive because they know how unethical they really are. Phorm's public-relations staff uses specious logic to justify their actions. The UK in general is more into monitoring than the United States. There are plenty of traffic cameras in UK and it has one of the highest concentration of security cameras in the world. Thus there the legal hurdles in the UK are much less than in the US.

Although deep-packet inspection is illegal in the US, it is still being done by a company called Front Porch. For obvious reasons, Front Porch will not disclose who they are monitoring. But they are indeed doing the same thing NebuAd wanted to do, just more discreetly.

However, just because it is illegal for companies in the US to perform deep-packet inspection does not mean it is illegal for the US Government. The NSA does indeed use similar technology. This is all part of the "warrantless wiretapping" controversy which this blog will not deal with.

How do you know you are being monitored? It is not that hard actually. The first step is to read your entire terms-of-service from your internet service provider to see if it has anything relating to marketing. If it does, then you need to call your internet service provider and ask them directly: "Are you using deep-packet inspection?" "Do you contract with a 3rd party and market my browsing habits?" Remember, companies know how unpopular this really is, so they will try to dodge it as much as possible; be persistent.

You can verify what your ISP said by monitoring what cookies are being set. The first thing to do is go to a website which does not use cookies or does not have any advertisements on it. An exception would be something like Google's text ads while browsing google.com. Then clear all your cookies and temporary internet files. After you click on several links within this particular website, check your cookies again. You should only have cookies related to this website. If there are some that are not related to this website, then write down which website they came from. Then clear out your cookies and try again on this website. If you suspect you have a cookie from an advertiser even though the website does not have advertisements, use a search engine like Google or Yahoo, look up the website of each one to see what kind of information exists about the website. If one is from a web advertiser and you know for absolute certain that the website you visited at first did not have any web advertisements, then are likely being monitored.

Due diligence is required because money talks. Some company will try this again one day. Thus you need to be aware so that your habits are not secretly tracked for profit.

July 10, 2009 Update: All of Phorm's subscribers in the United Kingdom have terminated their service with Phorm in much the same manner as US internet service providers stop subscribing the NebuAd. Phorm is now relocating to South Korea and is working with Korea Telecom now.

References:

• http://en.wikipedia.org/wiki/NebuAd
• http://en.wikipedia.org/wiki/Front_Porch
• http://bits.blogs.nytimes.com/2008/04/09/how-should-isps-tell-you-if-they-want-to-track-your-surfing/
• http://bits.blogs.nytimes.com/2008/05/14/charter-will-monitor-customers-web-surfing-to-target-ads/
• http://news.cnet.com/8301-13578_3-9947499-38.html
• http://www.theregister.co.uk/2009/06/02/nebuad_and_resurrection/
• http://www.theregister.co.uk/2009/07/10/phorm/ (July 10, 2009 update)