Free Press and Public Knowledge have just released an important new report, NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking. In it, they provide strong evidence that NebuAd injects cookies into web pages without the knowledge of either the sender or the recipient of the page. Wired’s Ryan Singel has a good run-down:
NebuAd first drew widespread attention after Charter Communications, the nation’s fourth largest ISP, announced it would try out the company’s technology, promising that users would love having more targeted ads served to them. That announcement brought unwanted media and congressional attention to NebuAd, which had already installed monitoring boxes inside the network of at least one smaller ISP, WOW.
NebuAd has conceded that its boxes peer deep into internet packets to pull out URLs and search terms in order to classify each user’s interests. That profile is then used deliver tailored ads on various partner websites.
When this kind of “deep-packet injection” is done to a web page from a NebuAd partner, the level of surveillance is creepy, but the consent of the web page provider eliminates some of the legal concerns. In that scenario, NebuAd is just an ad-serving network on steroids; by sitting closer to the end-user in the network, NebuAd could dial up the quality of the ad targeting another few micro-notches. Things are much more troubling, however, when—as the report concludes—NebuAd injects its code into the web pages of unsuspecting third parties. Now, not only is the user in the dark about this skulduggery, but so its the web page owner whose consent was previously being used to legitimize the practice. And that shift could mean serious legal trouble.
It should be obvious that there may be privacy issues with this practice; in order to inject its cookies and ads, NebuAd must look very closely inside your Internet traffic to know when you’re loading a web page it could insert them into. That is, every instance of deep-packet injection must have been accompanied by an instance of deep-packet inspection. Declan McCullagh has a good discussion of whether that would violate the Electronic Communications Privacy Act, the Communications Act, and the Cable TV Privacy Act. The short answer is that a great deal depends on how meaningful the user’s consent to the practice is.
I’d like to raise another set of issues that NebuAd-style deep-packet injection raises: the threat of copyright and trademark liability for NebuAd, its advertisers, and its partner ISPs. The basic point is that almost any web page from a commercial site will contain copyrighted content and trademarks owned by the page’s provider. Take Amazon. Its layout is copyrighted (more dramatically, so are the news stories on the New York Times’s side). Its page also contains its logomark, the wordmarks AMAZON and AMAZON.COM, the trademarks associated with various Amazon products and services (e.g. KINDLE), and its distinctive layout and design, which function as identifying trade dress. Altering the page in-flight, without Amazon’s consent, could give Amazon grounds to sue.
Start with copyright. Ordinarily, the actions of any ISP in delivering web content to you are completely and utterly shielded from copyright liability by 17 USC 512(a). But one of the conditions of 512(a)’s immunity is that “the material is transmitted through the system or network without modification of its content.” Whoops. Tim Wu pointed out this one. The counterargument, I suppose, would be that the immunity still applies to every part of the page that NebuAd doesn’t change. I wouldn’t bet my ISP business on that one; the more natural reading of 512(a)(5) is that one looks at “material” as a whole to see whether its “content” has been modified, not that one slices the “material” into modified and unmodified parts. Since an ISP would be obviously and directly liable for any copyright infringement in any material it itself inserted, the ISP-friendly reading of 512(a)(5) would make that language superfluous.
The ISP’s other defense to copyright infringement would be that Amazon provided it with a license to transmit the page by responding to the user’s request for it. Just as Amazon is giving the user a license to download and view the page, the ISP would say that Amazon is giving it a license for the transmission. Perhaps. But it seems logical to say that the license Amazon gives the ISP is to transmit the page in the form Amazon provided it. By changing the page, the ISP exceeds the scope of its license. Amazon could also always be more explicit about its license, for example by sending a warning letter to the ISP.
The bottom line is that an ISP trying out this technology should be very concerned that at least one of the web sites caught up in the net will be angered enough to bring a copyright lawsuit. The lawsuit might or might not succeed, but the legal risks are serious. NebuAd, as the company supplying the ISP with the technology that makes these changes, would be at risk as well, as one or more of a direct, a contributory, a vicarious, or an inducing infringer. More strikingly, NebuAd’s advertisers might even be at risk: that would depend on how much they knew about what NebuAd was doing on their behalf and how they benefitted from its actions. It’s a longer shot, but I can’t imagine that advertisers would be happy with any legal risk from their choice of ad-serving partners.
Trademark law is, if anything, even more dangerous for NebuAd. The problem here is what trademark lawyers call “passing off.” The classic form of passing off is giving a customer who asked you for a Coke your house-brand cola instead. The harm consists in using your competitor’s trademark (and all the trust people have in it) to pass off your own goods on consumers.
When an ISP delivers a page to a user, there’s an implicit statement involved: “This is the page you asked for.” If you typed in “nytimes.com,” you don’t want to see the Fox News homepage, you want the New York Times. When your ISP delivers you a page with a NebuAd cookie injected, the statement that this is the page you asked for is false. The ISP is passing off the NebuAd cookie as being from Amazon. It’s not.
Yes, the cookie isn’t directly something you’re paying for, like the cola. But I think it’s close enough that trademark law would say, “Hey, knock it off!” The cookie is used in selling you other goods (since profiling for ad targeting is NebuAd’s business model). More importantly, when you run a web browser, you decide which cookies to allow and which ones to block. I’ll let Amazon set a cookie; I trust them enough. I won’t let malware.ru set a cookie; I don’t trust them. I express this difference in trust, in part, by pointing my browser to amazon.com but not to malware.ru. NebuAd’s packet injection blows away this safeguard. It tricks me into accepting a cookie I wouldn’t have otherwise wanted. That’s a misuse of the Amazon trademark (in particular, of the amazon.com URL).
There’s also a common-law unfair competition problem. Amazon does work in making its site attractive and useful. That work convinces consumers to visit amazon.com. Amazon then turns those site visits into money by selling things and by profiling its users. Other sites that invest in attracting users make money by showing ads. When NebuAd and its parters come along and use Amazon’s site visits to build better ad profiles, there’s a strong argument that they are “reaping where they have not sown.” That is, they’re free-riding on the relationship between Amazon and its users. This end of IP law can be a little murky, but were I NebuAd, I’d want my lawyers to look very closely at the case law.
All in all, I’d say that NebuAd opens up some unpleasant cans of worms by injecting cookies. (And I’m not even getting into the security concerns, or the privacy issues!) While I’m not entirely happy that IP law reaches as far as it does, given that it does, companies like NebuAd need to tread carefully. Injecting cookies into traffic from unsuspecting websites seems like a very risky step.