May 21, 2024

Lessons from the Fall of NebuAd

With three Congressional hearings held within the past four months, U.S. legislators have expressed increased concern about the handling of private online information. As Paul Ohm mentioned yesterday, the recent scrutiny has focused mainly on the ability of ISPs to intercept and analyze the online traffic of its users– in a word, surveillance. One of the goals of surveillance for ISPs is to yield new sources of revenue; so when a Silicon Valley startup called NebuAd approached ISPs last spring with its behavioral advertising technology, many were quick to sign on. But by summer’s end, the company had lost all of its ISP partners, their CEO had resigned, and they announced their intention to pursue “more traditional” advertising channels.

How did this happen and what can we learn from this episode?

The trio of high-profile hearings in Congress brought the issue of ISP surveillence into the public spotlight. Despite no new privacy legislation even being proposed in the area, the firm sentiment among the Committees’ members, particularly Rep. Edward “When did you stop beating the consumer?” Markey (D-MA), was enough to spawn more negative PR than the partner ISPs could handle. The lesson here, as it often times is, is that regulation is not the only way, and rarely even the best way, of dealing with bad actors, especially in highly innovative sectors like Internet technology. Proposed regulation of third-party online advertising by the New York State Assembly last year, for example, would have placed an undue compliance burden on legitimate online businesses while providing few tangible privacy benefits. Proponents of net neutrality legislation may want to heed this episode as a cautionary tale, especially in light of Comcast’s recent shift to more reasonable traffic management techniques.

Behind the scenes, the work of investigative technologists was key in substantiating the extent of consumer harm that, I presume, caught the eye of Congress members and their staffers. A damaging report by technologist Robb Topolski, published a month before the first hearing, exposed much of NebuAd’s most egregious practices such as IP packet forgery. Such technical efforts are critical in unveiling opaque consumer harms that may be difficult for lay users to detect themselves. To return to net neutrality, ISP monitoring projects such as EFF’s Switzerland testing tool and others will be essential in keeping network management practices in check. (Incidentally and perhaps not coincidentally, Topolski was also the first to reveal Comcast’s use of TCP reset packets to kill BitTorrent connections.)

ISPs and other online service providers are pushing for industry self-regulation in behavioral advertising, but it is not at all clear whether self-regulation will be sufficient to protect consumer privacy. Indeed, even the FTC favors self-regulatory principles, but the question of what “opt-in” actually means will determine the extent of consumer protection. Self-regulation seems unlikely in any case to protect consumers from unwittingly “opting-in” to traffic monitoring. ISPs have a monetary incentive to enroll their customers into monitoring and standard tricks will probably get the job done. We all have experience signing fine-print contracts without reading them, clicking blindly through browser-based security warnings, or otherwise sacrificing our privacy for trivial rewards and discounts (or even just a bar of chocolate).

Interestingly enough, a parallel fight is being waged in Europe over the exact same issue but with starkly contrasting results. Although Phorm develops online surveillance technologies for targeted advertising similar to NebuAd’s, a UK regulator recently declared that Phorm’s technologies may be able to be introduced “in a lawful, appropriate and transparent fashion” given “the knowledge and agreement of the customer.” As a result, Phorm has continued its trials of their Internet surveillance technology on British Telecom subscribers.

Why these two storylines have diverged so significantly is not apparent to me. One thought is that Phorm got itself in front of the issue of business legitimacy– whereas U.S. regulators saw NebuAd as a rogue business from the start, Phorm has been an active participant on the IAB’s Behavioural Advertising Task Force to develop industry best practices. Another thought is that the fight over Phorm is far from over since the European Commission is continuing its own investigation under EU laws. I hope readers here, who are more informed than I am about the the regulatory landscape in the EU and UK, can provide additional hypotheses about why Phorm has, thus far, not suffered the same fate as NebuAd.


  1. Some thoughts on the current UK sitiuation. Let’s forget some of the more detailed technical and legal issues for now.

    (1) There is one ISP (British Telecommunications) to have trialed Phorm and admitted to this. That is from 2005. These early trials had no prior announcements and received little or no publicity except in some technical forums.
    (2) The latest trial was announced September 29 to start September 30. For 10000(?) users. With an opt-in(?) Again the media were, not suprisingly with that leadtime, behind the story.
    (3) The hardware is owned, run and operated by the ISP – not Phorm. This ISP controls not only a large retail market, but is a wholesale provider for many other ISP’s.
    (4) Two other ISP’s have signed provisional agreements with Phorm.
    (5) The ISP cited and Phorm have concocted a reason to opt-in. (Re-)branded Webwise or WebWise (they are not consistent) it offers to block known phising web addresses. Great marketing – and useful added value, of course.

    We must forget the Congress, the EU commission, the UK government et al. They are too slow although I do hope they catch up later. But for now, only customer power and the markets will matter. If you can find a truly independent ISP supplier then change to them – that matters. If Phorm shares drop off the radar – it matters (but not to me, thankfully.)

  2. This seems like a way to collect the same types of data that Google does, but at the ISP level. NebuAd’s system seems worse than Google’s because it is obvious what NebuAd and the ISPs are doing. Google can keep all that behavioral data, browsing history, and email text history entirely within the organization, which is not as obvious as giving that information to another company.

  3. It’s true that it’s the ISPs who are allowing the surveillance in the first place and that is where the focus should lie. But I don’t think it would behoove Phorm to assist the government in their surveillance effort since they are touting technology that supposedly protects consumer privacy.

    My best guess is that the issue of government surveillance could be keeping Phorm above troubled legal waters, even if the government has no intention of contracting with Phorm to do the actual surveillance. If the government suggests, even informally, that Phorm is illegal because it necessarily requires the interception and analysis of raw user traffic, it will be that much harder to justify their own program.

    Thanks to all the commenters for the continuing discussion.

    • Interesting read however the conclusions/conspiracy theories about the UK Government’s acquiescence to BT’s trials is a bit too far fetched.
      Ellacoya units have been utilized by hundreds of ISPs, including BT in the UK, for years now which already do all that Phormed equipment is “supposed” to do and more.

      The makers claim their systems “Based on deep packet inspection (DPI) technology…….enables carriers to analyze, identify and manage each packet of network traffic – by subscriber and application – in order to prioritize network activity, enforce policies and develop new service plans”

      Phorm is old news as far as technology goes which maybe explains the lack of concern shown by the powers that be.

  4. Phorm Must Be Stopped.


    Do Not Want It!!!!!!


  5. It’s either naive or disingenuous to suggest that UKGov would be interested in using an advertising system coded by Russians for the purposes of UKGov interception. Detica builds the interception systems for UKGov and build them to very different standards than commercial advertising systems.

    • It’s the law thats at issue here. will usi DPI kit, either their own or the stuff already installed it doesn’t matter.

      The point is is that in order for the government to be doing this they can’t break their own laws. By allowing Phorm to go through this process and ignoring and blanking protests and eventually green lighting such action, they clear the path to do this themselves without any hassle.

      By the time the big £12billion megabase is up and running, people will be used to being profiled and having all their internet traffic monitored.

  6. I think the problem is that, here in the UK, we, the end users, cannot understand why the regulatory authorities refuse to take action against a technolgy which many qualified observers believe breaks several UK laws. New of the Home Office plans to use similar DPI (Deep Packet Inspection) technology has inevitably led to suspicion of their motives, particularly in the light of the following statement in Phorm’s recent Interim results:-

    “In parallel with the current developments of OIX and Webwise, we are also looking at the strategic development of Phorm’s technology that we believe has applications beyond advertising.”

    For anyone interested, there are links to a number of relevant articles and papers on Phorm and it’s implementation by BT here:-,108.msg2896/topicseen.html#msg2896

  7. If Phorm does shift its technology toward a system for government spying, doesn’t this undermine their argument that their technology is protective of user privacy? Phorm claims that users are not personally identifiable within their system, so if their system actually “works,” the output would presumably not be very useful to the spy agencies. It seems that Phorm would essentially need to build a new system unrelated to their existing technology to help law enforcement in a meaningful way.

    Also, to what extent could the ongoing European Commission investigation affect the situation in the UK, especially if the Home Office and other regulators fail to enforce their own domestic data protection laws?

    • “If Phorm does shift its technology toward a system for government spying, doesn’t this undermine their argument that their technology is protective of user privacy?”

      But remember my original point. Phorm won’t HAVE to shift their position. The ISP are the ones who own the DPI snooping equipment in their own premises. It is THEY who will engage in mission creep if they are encouraged to do so by government. The Phorm side of the model
      (see here for an illustration of the 2 sides of the equation)
      can remain unchanged, devoted purely to targetting advertising.
      But once that DPI kit is installed in the exchange by the ISP and once it has been established that it is going to be allowed to intercept ALL data traffic on the customers connection, then who knows what it will be used for.
      Let’s swing the spotlight away from Phorm, (who are in pretty dire straits anyway judging by their share price today) and back where it belongs – on the ISP. Specifically, MY ISP, BT Retail. It was THEY who trialled this kit covertly and illegally in 2006 and 2007 and it was THEY who have had to pay affected users compensation, and it is THEY who are trialling it AGAIN in a way that invades my privacy and the privacy of all other BT customers.

      BT Retail have been and are now engaged in illegal interception of internet communications on a mind-boggling scale. Phorm are running a behavioural ad targetting system. I don’t like either of them, but it is BT Retail who are the villains of the piece and have forfeited their customer’s trust, much in the way that certain ISP’s in the States were found to have done.

      Thanks for raising this – great blog.

    • one other quick point, in terms of the privacy issue, their system intercepts and copies every page you visit, then phorm strip out the words they want to create your profile and deletes the copy. It only takes a trivial change to keep that copy of the page. They have stated that copies will be kept for up to 14 days before being deleted.

  8. The Home Office in the UK wants to implement a new suveilance system based on the Phorm model but with a few tweaks.

    “UK spy chiefs’ plan to store details of every call, email, text and web browsing session.” :

    You can imagine the delight of spy chiefs hearing Phorms proposals (ISPs are part of the UK critical national infrastructure), real time intercept of traffic through the ISP? wow that sounds great, it would be even better if we could do this without probable cause or even a warrant.

    So the Police, Home Office, government all decide to agree that the part of the law that this involves just doesn’t apply to Phorm or them. No reason given, no response to questions, just a blank, we say it’s legal and there’s nothing you can do.

  9. “Why these two storylines have diverged so significantly is not apparent to me.”

    Before I give an answer, can I correct an error? – Phorm have NOT trialled this technology in the UK. One UK ISP (BT Retail) is trialling the technology, not Phorm. And therein lies part of the problem. Phorm’s end of the equation, the conversion of user profile information into ad channels, and the delivery of ads to surfers, has impressed regulators with regard to the claims they make about privacy. While there are a number of llegislative and privacy and security problems still unresolved, with the Phorm model, it is not the Phorm end of the equation that presents the major problem.

    What our technophobe regulators here in the UK have totally FAILED to appreciate, is that there is another aspect to the model. The initial interception of communications by the ISP. This clearly breaches a number of existing UK and EU regulations but our regulators have failed to act. It is difficult to understand why until one realises that our government have an attitude to “total” surveillance of citizens, that makes the presence of Deep Packet Inspection technology within the ISP network very attractive, especially if someone else (the advertising industry) is paying for it.
    In order for the ISP to even find out whether a customer is opted in to this system, the ISP must engage in an illegal interception of communication, by means of a browser hijack, which they do not have consent for.
    We have also experienced the inability of legislators, parliamentarians, regulators, and our UK information commissioner to understand the technical aspects of the technology.

    There is another aspect of these systems which has not yet received much attention because the systems have not been rolled out in a transparent manner – and that is the one of webmaster consent to the interception of their communications with surfers, as well as the copying of their intellectual content, and the use of their intellectual property and the pattern of browsing of a visitor to profile the visitor so that they can later be targetted with advertisements for a website’s competitors..

    We in the UK have looked with envy at the vigour with which Congressional investigators have grilled NebuAd. We have so far seen a very feeble response from our own Parliament with the exception of a couple of peers in the House of Lords, our non-elected second chamber.
    More information on the UK model here

    Thank you for an excellent and thoughtful article.

  10. The reason why it unfolded so differently that the higher ups in the London Police met with Phrom’s directors and when they walked out of that meeting with an extra retirement fund as well as a promise to pass good bits of info to the police they decided not to investigate.

    NebuAd however had to deal with senators, and congress critters are expensive, minimum bidding would start at half a million or so which NebuAd couldn’t afford.

    If you think I’m being too harsh, think what the good publicity they got from being tough on NebuAd is worth to those politicians, and how much it would have cost in advertisements to get the same sort of publicity.

  11. Please do not consider the UK to be “Europe” in subjects related to surveillance and privacy regulation. While several EU countries now have their own surveillance laws, service providers in Germany, for example, would get into PR trouble at the moment for spying on their customers, thanks to a small couple of scandals around German Telecom (see for example , , etc).
    Let’s hope it stays like this.

  12. Unfortunately OUR Government no longer seems to respect the Rights of it’s Own Citizens??

    Nebuad UK have been according to 1 report talking to OUR HO & BERR 🙁 🙁 🙁