"Transparency and consumer-privacy protection are core to our business. Reasonable review of materials that have been made available online would have educated the organization that NebuAd requires its ISP partners to provide robust notice to their subscribers prior to deployment of the service."

• NebuAd's claims of transparency are hollow. Your company will not reveal the names of the ISPs that use your service, nor will you reveal the advertising networks where your targeted ads may appear, nor do you reveal how micro-targeted your service gets.
• NebuAd's claims of privacy are dubious, since we don't know who your ad partners are, we also don't know who we are trusting with the very specific information that you are sharing about us.  We do know that your management ranks are heavy with former employees of Claria (ex Gator), a company often linked to spyware. Your site does claim that your privacy practices were reviewed by the Ponemon Institute, with a September 2007 "Privacy Review of NebuAd, Inc.'s Behavioral Advertising Solution" report that cannot be located on Ask, Google, Yahoo, or on Ponemon's own site.
  
• NebuAd's claim that I did not review the website is false.  Naturally, I completely reviewed all of the materials on your website prior to authoring the report. I also reviewed other data and public statements by your CEO.
  
• NebuAd's claim of robust notification doesn't work. While you say that your ISP partners must provide robust notice robustly notify its customers prior to deploying NebuAd, the customers remain uninformed.  I observe that most ISPs that you are known to work with only quietly altered their Terms of Service or Technical Support files prior to going online with NebuAd.  Most customers are surprised to learn that everything they see and do on the Web was already being sold to you by their ISP.

• As mentioned in my report, NebuAd injects its cookies by forging TCP packets using a hardware device in the middle of the network.  This is not something that all ad networks do.
• As detailed in my report, NebuAd's code is appended to the web page code, in an extra packet that appears to come from servers owned by Google or Yahoo (not NebuAd).  This is why you can claim any demarcation. However, there is no demarcation between the publishers code and your injected code that indicates that the code is not from the publisher and that NebuAd is the source of the injected script.  The packet is a forgery and the reason is obvious -- if the injected packet would properly identify its source in the IP header, the customer's computer would properly ignore it. This is by intentional design, and is why I characterize NebuAd's programming as usurping the intentions of the application and operating system designers.