Old 19-06-2008, 16:10   #9445
pseudonym
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by Phormic Acid
It looks like I need to take that back. It seems NebuAd is not using a completely passive system as originally described. Previously, news articles had described a system where data was simply mirrored, processed and then stored against a hash value derived from the user’s IP address. A report by Robert Topolski for Free Press and Public Knowledge has found that NebuAd’s system behaves very much like Phorm’s obsolete PageSense.
Free Press/Public Knowledge Investigation Finds NebuAd Wiretaps Consumers and Hijacks Web Sites
I've been following the reports about NebuAd; there were reports early on about users acquiring cookies when visiting Google, so it was clear early on that it wasn't entirely passive.


One user mentioned acquiring cookies when he googled from:-

a.faireagle.com
ad.yieldmanager.com
ads.addynamix.com
adtrgt.com
burstnet.com
contextweb.com
doubleclick.net
fastclick.net
nebuad.adjuggler.com
network.realmedia.com
realmedia.com
trafficmp.com



Unlike PageSense, as NebuAd are less sensitive than Phorm about looking at IP addresses, it would only need to occasionally inject script tags into some requests for pages from certain sites, so that it could link the user's current IP address (and the profile built since the last injection) to their unique ID from their faireagle cookie and possibly also to transfer the profile ID to its partner ad-network's cookies.

Only modifying pages from certain sites would allow you to test for and avoid the sort of problems that affected PageSense (such as injected JavaScript appearing in posts on some forums *).

As most users use major search engines and the searches submitted to search engines provide the most valuable data, Google, Yahoo etc. are logical targets.

I'm somewhat surprised that it actually injects a JavaScript (if that is what it is doing) as I expected it to simply include multiple script tags (src= the site they want to set/read cookies for) to pass parameters and the cookies and use the response to set cookies but return no actual JavaScript - the same way as the opt-in works.


EDIT: I also wondered if they might take a temporary hash of your Google cookie, so they could identify specific users' searches where a connection is shared, and would detect if the IP address has changed hands without needing to inject script tags into every Google response.

* Actually, I'm surprised that Phorm overlooked this pitfall; the same issue affected a couple of firewall products that injected JavaScript to block certain page content and also a Proxomitron script some years before.
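
An added example, not part of the original post: one way to check a page for the kind of injected script tags discussed above is to compare the copy received over the suspect connection with a reference copy fetched over a path the ISP cannot modify (an encrypted tunnel, for instance). The function names, the sample HTML and the `placeholder.js` path are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Records the host of every <script src=...> and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.hosts = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Absolute and scheme-relative URLs carry a host; relative ones are first-party.
            self.hosts.append(urlparse(src).hostname or "(first-party)")
        else:
            self.inline += 1


def script_profile(html):
    collector = ScriptCollector()
    collector.feed(html)
    return set(collector.hosts), collector.inline


def injected_scripts(reference_html, observed_html):
    """Return (script hosts only in the observed copy, extra inline script count)."""
    ref_hosts, ref_inline = script_profile(reference_html)
    obs_hosts, obs_inline = script_profile(observed_html)
    return sorted(obs_hosts - ref_hosts), max(0, obs_inline - ref_inline)


# Constructed sample pages (not captured traffic).
REFERENCE = """<html><head><script src="/js/search.js"></script></head>
<body><p>results</p></body></html>"""
OBSERVED = """<html><head><script src="/js/search.js"></script>
<script src="http://a.faireagle.com/placeholder.js"></script></head>
<body><p>results</p></body></html>"""

if __name__ == "__main__":
    print(injected_scripts(REFERENCE, OBSERVED))
```

Pages that legitimately vary their script tags between requests will produce differences too, so a flagged host is a prompt to inspect the response, not proof of injection.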