A story in the New York Times tells us that Charter Communications (the fourth-largest cable company in the United States) is going to start tracking user behavior and using it to sell ads. The article frames this as a privacy problem: the cable company watches your web surfing so it knows which ads to show you. Charter says the tracking will be anonymous (meaning they only know that a specific tracking cookie belongs to one user, not who that user is), but for an ISP this simply isn't true. They do know who you are, because they bill you, and if they were asked not so politely (that is, with a subpoena) they could associate your tracking cookie with you as an individual. As a matter of policy they don't link the tracking profiles to individual customers' personal information, and they don't share that link with their advertising partner; but they have the data, which means law enforcement can have the data.
However, all the discussion of privacy in the article is, in my opinion, a secondary issue. As I've discussed before, using an ad replacer has other effects that may be much more serious. It means Charter is now mounting a man-in-the-middle attack on all of its customers and editing the web pages they view. So if there is any security flaw in the NebuAd software (say, a cross-site scripting vulnerability like the one we saw with Barefruit in a previous post), that flaw is now embedded in every web site viewed by every Charter customer, in the security context of each of those sites. When the ISP is as large as Charter, this makes the system worth attacking: being able to steal the online-banking passwords of every Charter customer at a given bank is almost as good as being able to do it to all of the bank's customers. It may only be 10% of people, but 10% of everyone is still a lot of people. In addition, Charter customers no longer contribute to the revenue of the web sites they visit, which could be read as an attack by Charter on those sites, since it has just taken all of their advertising revenue. I don't much expect Charter or its customers to care, but the more ad replacers there are, the less advertising is able to support web sites.
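To make the point concrete, here is a toy version of the kind of rewrite an ad-replacing proxy performs on every unencrypted page that passes through it. This is an added illustration written for this post, not NebuAd's or Charter's code, and the page, the ad-network host `ads.example-network.test`, the `loadAds` function and the tracking-id format are all constructed for the example. The first rewriter drops the tracking id into the injected script verbatim, so whatever is in that value runs on every site the customer visits; the second validates the id as an opaque hex token and JSON-encodes it before placing it in script context. Both versions remove the publisher's own ad slot, which is the revenue point above.

```python
import json
import re

# Constructed sample page standing in for any plain-HTTP page a customer fetches.
# The iframe is the publisher's ad slot, served from a made-up ad-network host.
SAMPLE_PAGE = (
    "<html><body><h1>Account summary</h1>"
    '<iframe src="http://ads.example-network.test/slot?site=bank"></iframe>'
    "</body></html>"
)

# What the injector looks for: the publisher's ad slot on the (hypothetical) network.
AD_SLOT_RE = re.compile(
    r'<iframe src="http://ads\.example-network\.test/[^"]*"></iframe>'
)

# Hypothetical format for the injector's own tracking id: 32 lowercase hex digits.
TRACKING_ID_RE = re.compile(r"[0-9a-f]{32}")


def valid_tracking_id(tracking_id):
    """True only for an opaque hex token; anything else is rejected outright."""
    return TRACKING_ID_RE.fullmatch(tracking_id) is not None


def replace_ads_unescaped(page, tracking_id):
    """Vulnerable rewriter: swaps the publisher's ad slot for the injector's script
    and embeds the tracking id verbatim inside a JavaScript string literal.
    Any quote or script text in that value breaks out of the literal and runs
    in the origin of whatever page is being rewritten."""
    injected = '<script>trackingId="%s";loadAds(trackingId)</script>' % tracking_id
    # A lambda avoids re.sub's backslash processing of the replacement text.
    return AD_SLOT_RE.sub(lambda m: injected, page)


def replace_ads_hardened(page, tracking_id):
    """Same rewrite, but the id must match the expected token format and is
    JSON-encoded, so it can only ever be a string value inside the script."""
    if not valid_tracking_id(tracking_id):
        raise ValueError("malformed tracking id")
    injected = "<script>trackingId=%s;loadAds(trackingId)</script>" % json.dumps(
        tracking_id
    )
    return AD_SLOT_RE.sub(lambda m: injected, page)


def script_blocks(page):
    """Return the bodies of all <script> elements in the rewritten page."""
    return re.findall(r"<script>(.*?)</script>", page, flags=re.S)


if __name__ == "__main__":
    # Constructed hostile value: closes the string literal, then runs arbitrary code.
    payload = 'abc";alert(document.cookie);//'
    print(replace_ads_unescaped(SAMPLE_PAGE, payload))
    print(replace_ads_hardened(SAMPLE_PAGE, "0123456789abcdef0123456789abcdef"))
```

The hardened version only closes the one hole shown here; the structural problem the post describes remains, since the proxy is still inserting its own script into every page and any other defect in that script or its server is reachable from every site a customer views.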
So, what to do if you're a Charter customer? Well, you can opt out of the tracking system by setting a cookie, which means the ads you're served will not be targeted (bear in mind that an opt-out cookie only applies to the browser it is set in and is gone the next time you clear your cookies). However, the ads will probably still be replaced, so you're still not helping pay for the web sites you visit. And chances are Charter could still produce a record of all your web surfing if it were served a subpoena. If you want to avoid that, the only choice is an encrypted tunnel through an anonymity network like Tor, so that your ISP never sees the pages at all. Law enforcement has probably at least partially compromised Tor, but that puts them in the position of the Allies after they broke Enigma: if they use evidence from a Tor compromise to prosecute you, they give away that they've compromised the network and criminals will stop using it. So you'd need to do something pretty serious for them to be willing to admit they know about it. And what to do if you're an advertiser-supported web site? Not much. You can lobby for net neutrality laws, or ban Charter customers outright (which will hurt you more than it hurts them). However, I would expect Google, DoubleClick, and the other ad networks to start working on obfuscating their ads soon if more major ISPs embrace ad replacement.