California online behavioural targeting business NebuAd and six ISPs face a lawsuit by 15 web users, who say that by tracking their search and browsing activity and using it to serve targeted ads, the defendants have violated their privacy and at least four statutes. Stephen Groom inspects the packets.
Topic: Online advertising
Who: NebuAd & Others and 15 web users
Where: US District Court of Northern California
Law stated as at: 25 November 2008
What happened:
NebuAd, arch US exponent of tracking web user behaviour using so-called "deep packet inspection", was hit with a lawsuit issued in the US District Court of Northern California.
The Plaintiffs (unlike the UK, the sensible Americans have not changed this to the pedestrian "Claimants") are fifteen American web users who had their web surfing habits tracked by NebuAd.
Also sued are six ISPs (Bresnan Communications, Cable One, CenturyTel, Embarq, WOW (formerly WideOpenWest) and Knology). They tried out the NebuAd technology but withdrew in the summer of 2008 following concerns expressed in Congress about the privacy violation implications.
The case is also a trifle after the event so far as NebuAd is concerned. In September 2008 its CEO departed and it announced plans to scale back its deep packet inspection tracking business and "broaden its focus."
$5 million damages claimed
But these developments won't daunt the Plaintiffs. They are looking to have the suit classified as a class action and pressing for in excess of $5 million damages. Their causes of action include violation of the Electronic Communications Privacy Act of 1986, California's Computer Crime Law and the federal Computer Fraud and Abuse Act to name but a few.
The claim documents lodged with the court go on to allege colourfully "The collection of data by the NebuAd device was wholesale and all-encompassing…like a vacuum cleaner, everything passing through the pipe of the consumer's internet connection was sucked up, copied, and forwarded to [NebuAd]."
From the moment its "deep packet technology" was first trumpeted, NebuAd assured all who would listen that no personally identifiable information was involved.
Personally identifiable information used?
In the suit, the Plaintiffs question this, arguing that any anonymising happened too late in the process. At the point of first interception, they argue, the identity of the individual was known, with "all data, whether sensitive, financial, personal, private, complete with all personally identifying information" being recorded and transmitted to the NebuAd facility in California.
The Plaintiffs also lapse into web babble, alleging that NebuAd "exploits normal browser platform security behaviours by forging IP packets, allowing their own JavaScript code to be written into source code trusted by the web browser." A technical report issued by pro-privacy action groups puts it another way, suggesting that NebuAd's technology does not just passively record traffic, but actively injects fake packets into responses from other websites in order to deliver cookies to users.
Powerful stuff, but what is "deep packet inspection" technology?
In essence it's the same tracking technology as used in the UK by organisations such as Phorm. It allows the ISP to peer deep into internet packets and pull out URLs and search terms in order to classify users' interests.
In its defence, NebuAd argues that there is an available opt-out mechanism, though some have queried its whereabouts.
The case, as they say, continues.
Why this matters:
European behavioural advertising/targeting watchers will be following this case closely. On this side of the pond, although much hot air has been expended on the data protection implications of the practice, there has as yet been no reported UK case in which web users have taken up legal cudgels against tracking technology.
At the heart of the debate in Europe, some say, is the question of whether IP addresses are "personal data." So far, opinion has been divided on the point. Two recent German cases have taken diametrically opposite views on the issue.
Then there is the "Article 29 Working Party", a supergroup of all EU state data protection authorities. Generally its opinions on what does and does not breach European data protection law have to date been read with suitable reverence by data privacy anoraks, but blithely ignored by many businesses with no apparent ill effects.
On this issue the Working Party has opined that all IP addresses should be regarded as "personal data" and that deep packet inspection requires an express prior opt-in.
UK regulator's view
The UK's Information Commissioner has taken the view that whether or not Phorm's technology uses web users' personally identifiable information, "traffic data" is arguably being used, which in any event requires prior opt-in under privacy and electronic communications regulations.
One issue on which the "is an IP address personal data?" question has often turned in Europe is whether an ISP could be called on, by court order if necessary, to disgorge the subscriber information behind an IP address and thus identify the individual web user involved. Some say that if this is possible, then QED, the IP address is "personal data." The Directive after all defines "personal data" as (the italics are ours) "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."
Others say that this takes the definition to a ridiculous extreme in which just about any piece of data could be at least capable of being linked to an individual and must therefore be classified in its own right as personal data.
Whether the same issues will be argued in the NebuAd case we will have to wait and see, but we suspect that this will not be the first "deep packet inspection" case on which marketinglaw will report.