Robb Topolski's Journal

Robb and Ann's $1 Billion Adware

Fri, 04 Jul 2008 02:21:19 GMT

Targeted and Transparent Is Right Combo for Online Ads

Posted by Ann All on July 3, 2008 at 3:30 pm

The primary pitch of companies that target online advertisements to consumers based on their Internet activities is telling us how much more we’ll appreciate — even enjoy — ads if they are relevant.

I think this oversells the idea. In a post from January, I likened targeted advertising to anesthesia during non-elective surgery. Sure, it makes the process less painful, but don’t patronize me by trying to make it sound enjoyable.

In another similarity to anesthesia, this kind of advertising makes us nervous because it’s invasive. It takes control away from us and gives it to some shadowy entity.

(read the article)

Ann,

I'm the TechnoGeek that blew the whistle on NebuAd's under-the-hood protocol-forging cookie-forcing shenanigans. I just read your suggestion that Opt-In is the way to go with something like this. Too bad they didn't listen to you. Hey let's go into business together. You rock! There is a way to do this -- one that leaves the user in complete control of all of her or his data.

Let's say that a user runs a program from Ann & Robb's SuperAdware and it monitors traffic for a while -- not all of the traffic, but just about 3-5% of it. Nothing that would slow down the system. Storing and processing a little at a time, without ever sending any of it anywhere, the results of the analysis are built and stored on the user's computer. After a week or a month (user's choice), it prompts the user "SuperAdware has detected some of your interests. Click to learn more. No data will ever be sent to us without your permission, first."

SuperAdware then waits patiently, not ratting the user out to anyone until the user approves. When the user clicks, he reads that our program has discovered that he seems very interested in Ireland Travel, Live Concerts, and Lavender Curtains. He can uncheck "Lavender Curtains" if he wants, or any or all of the marketing segments that were detected, and submit all or none of these categories. "Hmmm... yeah, I actually have thought about Lavender Curtains but I never thought to search for them." If he submits, he can see a page full of relevant ads right away, at any time later, or just as time goes on as the user encounter "our" ads that appear on web pages. (We won't even need a database to store the user's interests, because the user's program will set, modify or clear "our" cookies -- again only with the user's permission.)

It's not only opt-in, the user has total control over which of his or her most private and personal thoughts ought to be shared. Nothing other than the categories is ever sent. The program (again, with notice and explicit permission) would have to download the current category list and some analysis code so that the on-computer analysis could take place. That code, along with all of our code, will be Open Source. Why? Because we'll build consumer loyalty by trust! The best code is not important if the users won't run it.

What the heck would the Click-Through rate be then? How much could -those- ads be worth?

And let's really be different. Let's have a trusted consumer authority like the Underwriters Laboratory or the Consumers' Union choose a third lab to perform a double-blind test of all of our claims every 6 months. No shill organizations. We'll be the ad software that content sites recommend because they trust it, their advertisers trust it, and which truly returns value to the user. Our program can even let the user know which of his favorite sites he helped support. We'd have the certified ad program with no secrets and no broken promises -- the one that makes sense as it makes cents. We'd be the software that makes subscription websites turn free. The one that is actually un-installable, the one that does exactly and only what it says, the one that doesn't add its own pop-up ads nor interfere with anyone else's ads.

PS: Marketers will tell me that such intelligence doesn't count if I'm aware that it's being gathered. I call that bullpuckey -- the used car lot doesn't refuse to tell me about the great qualities of a car just because I happen to know that I'm interested in it.

PSS: No, I'm not serious. But this is an idea that anyone can steal. Please, steal it. If you make a Billion, I'd love it if you'd donate something to the Harmony Foundation.

--
Robb Topolski (robb@funchords.com)
Hillsboro, Oregon USA
http://www.funchords.com/

Behavioral Insider Interview with Bob Dykes, November 2007

Thu, 03 Jul 2008 22:07:57 GMT

Bringing ISPs Into The Behavioral Mix

Posted November 14th, 2007 - 12:45 pm by Phil Leggiere

http://blogs.mediapost.com/behavioral_insider/?p=208

Once the vital center of the Internet eco-system, Internet Service Providers are now more frequently looked at commodities, marginal if not entirely irrelevant to the emerging future of Web advertising. Yet, as Bob Dykes, CEO of NebuAds explains below, ISPs are a crucial, still largely untapped, component of a behaviorally based advertising infrastructure.

Behavioral Insider: How does NebuAds work with ISPs in behavioral targeting?

Bob Dykes: We started out with a very unique orientation. The challenge we set ourselves was to add value to ISPs and publishers of currently untargeted inventory, which includes about three-quarters of all current ad impressions. ISPs have been a neglected aspect of online's evolution over the past several years. But the fact is the depth of aggregated data they have to offer, anonymous data, is an untapped source of incredible power. In an era when cookie deletion is becoming more and more common, it's also more reliably continuous data.

BI: How does the personalization and behavioral methodology you've evolved differ from what most of us are familiar with?

Dykes: The conventional approach to behavioral targeting has been to place cookies on specific Web sites or pages. We've gone about it in a very different way. We place an appliance in the ISP itself. Therefore we're able to get a 360-degree, multidimensional view over a long period of time of all the pages users visit. So what we're really talking about for the first time is a truly user-focused, though still anonymous, targeting, taking the totality of anonymous behaviors rather than just a subset of sites on a network.

BI: It seems at first glance this could open up a Pandora 's box of privacy problems. How do you avoid that?

Dykes: We've had the advantage of coming onto the scene relatively recently when concern about privacy was growing. So we've architected our targeting platform from the ground up to addressing privacy concerns. For one thing, in addition to being committed to only using anonymous data, we have developed a privacy guidelines list which includes providing consumers with robust notice and choice such as instruments for opting-out of ads.

BI: So tracking is not by individual identifiers?

Dykes: We don't track individual consumers. We set up a taxonomy of commercial interest categories, for instance, ‘Porshe SUVs,' and simply keep track of content interests. We exclude data from sensitive areas, say sex sites or HIV Drugs. By anonymous we mean we collect no personally identifiable email addresses, last names, home addresses, social security or phone numbers, financial or health information. The kind of data we do aggregate includes Web search terms, page views, page and ad clicks, time spent on specific sites, zip code, browser info and connection speed.

BI: How does the granularity arise?

Dykes: Within this vast universe of information we create a map of interest categories, beginning with the widest definitions, auto, finance, education, what have you. But within those we can provide far greater granularity. So if you're talking about auto, we can drill down into particular interest segments, say SUVs, luxury cars, minivans, and then even to particular brands or models. Within the interest category of travel, we can identify consumers interested in learning about Martinique, the south of France or Las Vegas.

Most interest categories age fast, of course, so one very critical component of analysis is identifying optimal cycles for reaching customers in each area. For flowers, say, there's a cycle that's at most hours in which to reach an interested consumer. With auto, obviously, the cycle is far more complex and includes several phases stretching out over days or weeks. By having a far more comprehensive view, from an ISP rather than site by site vantage point, we can identify from the highest level to the minutest level where consumers are in the funnel.

BI: What's the key advantage for advertisers?

Dykes: The advantage of having a more granular picture of user interests for an advertiser is that they have the capability to adjust and vary creative to suit customer interests. That's an incredible opportunity that often takes brands and agencies some time to really wrap their heads around.

When we work with media buyers we educate them that targeting isn't only about serving your message to the most appropriate consumer prospects, but about serving those prospects the most interesting and relevant creative to get those messages across. It can be as simple as an iced-tea advertiser knowing whether and when to serve a creative using snowboarding or windsurfing.

A more complex example would be, say you're an advertiser of high-end clothing and you're serving an ad to a woman who's very interested in high-end clothing and accessories and is on MySpace. Instead of just serving the same ad for Fendi handbags several times, you can serve a series of ads with different varieties of handbags. The notion of retargeting as conventionally deployed is very limited. You need to mix up different types of creative or it gets boring.

Another advantage of having a more comprehensive set of data points is that advertisers can learn to better mix their ads in an optimal sequence to match consumer interests according to where they are in the buying cycle. They can learn to know when to serve a first impression which is very soft-sell, when to provide more detail and invite more engagement, and, finally, when to really try to drive a transaction. This not only provides more variety but integrates creative, marketing strategy, consumer interest and the product sales cycle in much stronger alignment.

Fair Use Statement: This article is copyrighted material, the use of which has not been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml. If you wish to use copyrighted material from this site for purposes of your own that go beyond fair use, you must obtain permission from the copyright owner.

Tweets for Today

Thu, 03 Jul 2008 07:16:12 GMT

18:18 @comcastcares -- this guy at tinyurl.com/3mvcty seems to be getting the runaround. :-( #
18:39 @comcastcares -- thanks frank! :-) #
18:55 Enjoying the Barbershop Harmony Society webcast! #

Automatically shipped by LoudTwitter

Thu, 03 Jul 2008 01:55:50 GMT

Enjoying the Barbershop Harmony Society webcast!

NebuAdWords!

Mon, 30 Jun 2008 23:37:49 GMT

Gotta Love Slashdot!

Mon, 30 Jun 2008 22:56:56 GMT

Originally posted by anonymous at
http://tech.slashdot.org/comments.pl?sid=599087&cid=23996987
(tune is "Heard It Through The Grapevine")

I'll bet you're wondering how I knew,
Why my packets never made it through,
With some other peer I was sharin' files,
Between the two of us Comcast was runnin' wild,
Reset me by surprise (reset by surprise),
I'm afraid, From the R-I-Double-A, Don'tcha know,

I heard it through the Sandvine.
Not much bandwidth's gonna be mine.
Oh, I heard it through the Sandvine...
Oh, I'm just about to lose my mind,
Honey, honey, yeah...

I know a geek ain't supposed to cry,
But these fears I can't hold inside,
Losin' the 'net and it's neutrality,
Yeah, it means that much to me,
You coulda told me (you coulda told) yourself,
That you're forgin' packets for someone else,

Instead I heard it through the Sandvine...
Not much bandwidth's gonna be mine.
Oh, I heard it through the Sandvine...
Oh, I'm just about to lose my mind,
Honey, honey, yeah...

People say "Believe half of what you see,
Son, and none of what you hear",
But my router's mighty confused,
So if it's true, please tell me dear,
Do you want (do you want) to make me go,
Back to the ISP (and USENET feed) I used before,

Or should I drop packets from your Sandvine...
Plenty bandwidth's gonna be mine.
Oh, I don't listen to your Sandvine...
MPAA's 'bout to lose its mind,
Honey, honey, yeah...

Why Firefox isn't really Broken but they Should Fix It Anway

Sun, 29 Jun 2008 20:21:09 GMT

prelim wrote the following on reddit:

I noticed that Thunderbird would, for no reason at all, sometimes try to contact a server over SSL. I looked up the ip address 63.245.213.32 and found it belonged to Mozilla.

On researching the problem further I found that the cause of the connection is a feature that can only be disabled from the about:config configuration page.

Look up extensions.blocklist.enabled for more information. It's present in Firefox also and is enabled even if all the options are disabled through the menus.

And that has started a riff, not over Firefox's growing list of features that phone home, but that they do so without telling the user.

To suggest that Firefox is spyware almost certainly qualifies one for admission into the Tinfoil Hat Club. The truth is that Firefox was born as a response to the excesses that other software publishers pushed upon their users. That said, the debate is a healthy one.

Firefox ought to be modeling the right behavior, not taking advantage of the trust it has gained throughout the Internetdom. Steve Gibson captured the thought in his "Code of Backchannel Conduct", when he wrote:

"You may use my Internet connection, but you must first help
me to understand why you want to use it and how you will use
it, then receive my explicit consent before using it. Then, if I
ever change my mind, you must cease such use and go away."

That many of these features will access the network automatically can be presumed from their names: Live Bookmarks, the anti-Phishing filter, the anti-Malware filter, add-on update checking are but four examples. But Mozilla Firefox should not rest on that excuse. Most users don't visit the Options panel (which is why it is called Options). Instead, when these features become enabled either through Options, an Update, or the installation of an Add-On, the user ought to be asked to give his consent "Just this time", "Every time", or "Never (Disable Feature)". In this way, Firefox trains its users on what to expect from software that treats its users well.

The current behavior is not a bug, but it's a missed opportunity. It ought to be fixed.

Tweets for Today

Sun, 29 Jun 2008 07:16:25 GMT

10:48 CenturyTel to NebuAd: We Quit ping.fm/KjKXa #

Automatically shipped by LoudTwitter

Sat, 28 Jun 2008 17:48:18 GMT

CenturyTel to NebuAd: We Quit http://ping.fm/KjKXa

CenturyTel to NebuAd: We Quit

Sat, 28 Jun 2008 17:42:40 GMT

Just a quick heads up that CenturyTel appears to have quietly quit NebuAd as of only yesterday.

I'm happy to report that CenturyTel has dropped NebuAd. In a private email to me from a CenturyTel subscriber, the company told him today that it is no longer using NebuAd or any other Behavioral Targeting service.

The subscriber also observed, and I have confirmed, that the paragraph mentioning the service and the links to Opt Out of it, have been removed from CenturyTel's Privacy Policy page.

Here is the text that they appear to be sending to people who write in to ask about NebuAd:

CenturyTel is not currently using online behavioral advertising tools in any of its markets, and we are delaying our plans to move forward with the deployment of online behavioral advertising services - either through NebuAd or any other vendor - at this time. CenturyTel is delaying its implementation plans so that Congress can spend additional time addressing the privacy issues and policies associated with online behavioral advertising.

CenturyTel highly values our customers' personal privacy, and we are committed to protecting our customers' personal information. More detailed information about CenturyTel's data collection and use practices can be obtained by reviewing our Privacy Policy at http://www.centurytel.com/Pages/PrivacyPolicy/.

I am keeping the NebuAd article on Wikipedia as up to date as possible as to which ISPs have or have dumped NebuAd. The press is not investigating this story, as most of these customers still do not know that every word they see and say is being sold by their ISP. Of the ISPs listed there, most have never been mentioned in any article regarding NebuAd.

Tweets for Today

Thu, 26 Jun 2008 07:14:19 GMT

12:02 Dodd, Feingold To Fillibuster Telecom Spying Immunity + evidence appears that Telcos bought Democrat votes ... ping.fm/MlLrF #

Automatically shipped by LoudTwitter

TV News with Video: Charter hits the backspace key on NebuAd DPI Tracking Program

Thu, 26 Jun 2008 06:29:13 GMT

Note: the video link inside the story seems to prefer Internet Explorer --Robb

Robb has sent you an item from http://www.ksby.com.

Charter hits the backspace key on its San Luis Obispo area Internet tracking program
The pilot program was originally scheduled to begin as early as this month.
http://www.ksby.com/global/story.asp?s=8555925

Find more items like this at http://www.ksby.com

Copyright 2008 KSBY

Worth a Click: The Internet is Big and Beautiful

Thu, 26 Jun 2008 05:17:27 GMT

It's been a long time since I've done a "Worth a Click" so I'll do one today.

Mapping the Internet

Routing traffic through peer-to-peer networks could stave off Internet congestion, according to a new study.

Well, "new study" isn't really true anymore. It's actually a one-year-old study and while the study is technically fascinating in light of our recent debates, it's the three pictures that are really worth a click. One of them is below...

This 2007 image, published by TechnologyReview, shows a representation of the Internet based on the connections between hosts. In the past year, the Internet has grown beyond 500,000,000 (500 million) hosts.

P2P fans should recognize that rings of hosts connected in parallel (see picture 3 in the linked article). While we enjoy the personal interconnectedness that the Internet brings, part of the 'Net's robustness against failure or congestion is that not all connections pass through the center.

Oh, wait -- too technical. Pretty picture! Pretty picture!!

Welcome dPacket.org - The Global Deep Packet Consortium

Thu, 26 Jun 2008 03:20:18 GMT

If you've been reading my journal, I've been torturing you with a lot about something called Deep Packet Inspection (DPI). People that make DPI gear are not having a great time. It seems that every network that buys DPI stuff ends up being on the losing end of a user-led hissy fit over privacy issues or another torturous subject known as Network Neutrality.

A parade of hardware manufacturers, Allot Networks, Bivio Networks, Cloudshield Technologies, Arbor Networks (Ellacoya), LSI Corp., nPulse Networks, Qosmos, Sandvine and Solera Networks have joined hands to ask "can't we all just get along?" The name of the organization is the Global Deep Packet Consortium. Funny that they dropped the word "Inspection" from their title, isn't it? Ah well, that's marketing.

Strike 1.

Their new club's website, www.dPacket.org, begins with the most ironic twist: it redirects the users' browser into a DPI-resistant encrypted session! That's right -- surf to http://www.dPacket.org and you'll see that you're connected to https://www.dPacket.org when your browser finishes. Hmmm, something that they don't want ... um ... themselves to see?

Strike 2.

Hey, but their site's content is not protected by traditional copyright but by a Creative Commons Attribution-Share Alike license. So they can't be all bad.

Ball 1.

“You can’t tell what’s running on the network without DPI,” said Kyle Rosenthal, dPacket’s Executive Director. “If you want to manage a network you need to be able to have that kind of identification.”

Now Kyle, Kyle, Kyle ... a lie is a terrible way to start a friendship. DPI is new. The Internet has grown from just over 200 hosts to over 500,000,000 without it. Was that somehow accomplished without management?

Stri... Wait a minute. This gets really old.

Let's start as friends. I am not against all DPI. Along with its considerable benefits to administrators of private workplace networks, I have advocated its optional and opt-in use on the public Internet to enable end user consumers to realize the benefits of QoS with a minimum of fuss and hardware outlay. In that way, important aspects of Network Neutrality are preserved because the users remain in control. Think about that, box makers, before poo-pooing the idea. If a user opts-in, you don't need to read a privacy-breaking 1500 bytes to figure out what to do with a packet, you only have to read about 60. With the remaining processor headroom, you can juggle a few easy user-set instructions.

0 strikes, 0 balls, 0 score.

Let's not make points off of each other, instead lets have a heads-up and intelligent discussion. We've never needed DPI to manage the Internet. But now that we have it, how can we all exploit its abilities in a way that preserves standards-based interoperability, end-user privacy, and network transparency? We promise not to mind if it saves the ISP a buck or two, just as long as they don't sell us out with it.

Wed, 25 Jun 2008 19:02:00 GMT

Dodd, Feingold To Fillibuster Telecom Spying Immunity + evidence appears that Telcos bought Democrat votes ... http://ping.fm/MlLrF

Tweets for Today

Wed, 25 Jun 2008 07:11:21 GMT

14:36 I am responding to #NebuAd Inc's disinformation campaign: ping.fm/MzNwc #privacy #phorm #
15:12 #Charter cancels #NebuAd deal!!!! ping.fm/5duGu #phorm #privacy #

Automatically shipped by LoudTwitter

Tue, 24 Jun 2008 22:12:50 GMT

#Charter cancels #NebuAd deal!!!! http://ping.fm/5duGu #phorm #privacy

Tue, 24 Jun 2008 21:36:50 GMT

I am responding to #NebuAd Inc's disinformation campaign: http://ping.fm/MzNwc #privacy #phorm

An Open Response to NebuAd

Tue, 24 Jun 2008 20:34:31 GMT

Dear NebuAd,

In your statement regarding my recent report, “NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking” you state the following:

"Transparency and consumer-privacy protection are core to our business. Reasonable review of materials that have been made available online would have educated the organization that NebuAd requires its ISP partners to provide robust notice to their subscribers prior to deployment of the service."

For the record, I would like to make it clear that:

NebuAd's claims of transparency are hollow. Your company will not reveal the names of the ISPs that use your service, nor will you reveal the advertising networks where your targeted ads may appear, nor do you reveal how micro-targeted your service gets.
NebuAd's claims of privacy are dubious, since we don't know who your ad partners are, we also don't know who we are trusting with the very specific information that you are sharing about us. We do know that your management ranks are heavy with former employees of Claria (ex Gator), a company often linked to spyware. Your site does claim that your privacy practices were reviewed by the Ponemon Institute, with a September 2007 "Privacy Review of NebuAd, Inc.'s Behavioral Advertising Solution" report that cannot be located on Ask, Google, Yahoo, or on Ponemon's own site.
NebuAd's claim that I did not review the website is false. Naturally, I completely reviewed all of the materials on your website prior to authoring the report. I also reviewed other data and public statements by your CEO.
NebuAd's claim of robust notification doesn't work. While you say that your ISP partners must provide robust notice robustly notify its customers prior to deploying NebuAd, the customers remain uninformed. I observe that most ISPs that you are known to work with only quietly altered their Terms of Service or Technical Support files prior to going online with NebuAd. Most customers are surprised to learn that everything they see and do on the Web was already being sold to you by their ISP.

"All ad networks use a small piece of code that is temporary and operates only within the security framework of the browser to invoke the placement of ad network cookies. The code NebuAd uses is no different, and is clearly demarcated outside of and does not modify any publisher code."

This, too, requires a response.

As mentioned in my report, NebuAd injects its cookies by forging TCP packets using a hardware device in the middle of the network. This is not something that all ad networks do.
As detailed in my report, NebuAd's code is appended to the web page code, in an extra packet that appears to come from servers owned by Google or Yahoo (not NebuAd). This is why you can claim any demarcation. However, there is no demarcation between the publishers code and your injected code that indicates that the code is not from the publisher and that NebuAd is the source of the injected script. The packet is a forgery and the reason is obvious -- if the injected packet would properly identify its source in the IP header, the customer's computer would properly ignore it. This is by intentional design, and is why I characterize NebuAd's programming as usurping the intentions of the application and operating system designers.

Having read this response, I expect that you will stop misinforming the public about my report. This matter deserves debate, not disinformation.

Sincerely,

/s/
Robert M. Topolski
Chief Technology Consultant
Free Press and Public Knowledge

Tweets for Today

Tue, 24 Jun 2008 07:12:16 GMT

19:55 *I* have to go to court because my 27 year old kid went through a photo radar trap & the city of Beaverton is too frackin' lazy to to pr ... #

Automatically shipped by LoudTwitter

Tue, 24 Jun 2008 02:55:59 GMT

*I* have to go to court because my 27 year old kid went through a photo radar trap & the city of Beaverton is too frackin' lazy to to properly enforce the law.

NebuAd's CEO: We Know... We Know... We Know...

Mon, 23 Jun 2008 19:56:42 GMT

Robert Dykes (CEO) presenting NebuAd at OnMediaNYC-01/28/2008

1:20 ... We know that it's the same user over and over again...

3:15 ... We see every site you go to, and what you did on those sites. ... We know you're going to Vegas

5:30 ... We not only know which of our ads you clicked on, we know every other ad you've clicked on!

Fire-Rainbow over Epcot Orlando May 10, 2008

Mon, 23 Jun 2008 05:53:33 GMT

I didn't know it at the time, but apparently this cirrus-rainbow effect is
one of the rarest weather phenomena to ever be captured on camera. I would
have thought the "green flash" was rarest, but what do I know.

I took this picture over Epcot in Orlando on May 10th, 2008.

A very good NebuAd recapper...

Mon, 23 Jun 2008 01:54:56 GMT

If you're wondering what all this fuss is about NebuAd, HERE is a good blog entry that sums it up from the author's point of view as a Charter customer...

MIT building on Vasser St in Boston

Mon, 23 Jun 2008 01:20:34 GMT

MIT building on Vasser St in Boston...

It looks like rubble ... But it was designed to look that way.

Thought: Everyone can be an outstanding example.