Fifteen American netizens have sued behavioral ad targeter NebuAd and several of its data pimping ISP partners, alleging wiretapping, packet forgery, and browser hijacking.
Filed Monday in a California federal court, the class action accuses NebuAd and its partners of violating the US Electronic Communications Privacy Act, the US Computer Fraud and Abuse Act, California’s Invasion of Privacy Act, and California’s Computer Crime Law. And that’s just a start.
Using deep packet inspection, NebuAd’s ISP-level hardware tracks a web surfer’s search and browsing activity and shuttles it to various advertising networks, where it’s used to target ads. If you search for, say, French vacations, you’ll soon see ads for French vacations.
By the late spring, NebuAd had deployed its hardware inside several mid-sized American ISPs. The Silicon Valley outfit claimed these partners explicitly notified customers before turning the system on, but this wasn’t always the case. NebuAd did provide a cookie-based opt-out and claimed to anonymize all user data with a one-way hash, but the law may require an opt-in.
Even if NebuAd eventually gets out from under most or all of these charges, this is the way it should be decided, with thorough discovery rather than just claims on both sides.
When you’re apparently violating the law, you don’t get to just skate by assuring people they should trust you to be doing things right. (I’m thinking of a burglar telling a cop, “Oh, sure, Fred told me it was OK to drop by tonight and pick up the TV and the computer he’s giving me.”) I’d like to know the details of the explicit notification and opt-out system. I want to know that the hashing really is secure, and not subject to obvious attacks, and that the data was kept safe before it was hashed. And the company saying so with no details isn’t enough. If they have to give up their code to prove whether they were doing right or wrong, that’s the price they pay for operating as a lawful company rather than a gang of crackers. </rant>