Free Press and Public Knowledge love to lob bombshells at ISPs. Free Press was a big backer of the FCC complaint against Comcast's traffic management system for dealing with P2P uploads, and the two groups have now issued a new report (PDF) that takes aim at a new ISP practice: selling user Internet data to advertisers. The report calls out NebuAd, which recently began a high-profile partnership with cable operator Charter, and it doesn't mince words. The NebuAd system "commandeers users' Web browsers," makes use of a "browser exploit," and operates "by using what is effectively a classic man-in-the-middle attack."

Robert Topolski, a technology consultant for both groups, prepared the report. Instead of taking a wide-ranging look at the NebuAd system or digging deep into potential illegal activity under the Wiretap Act, Topolski confines himself to looking at the system by which NebuAd gear places various tracking cookies on user machines.

NebuAd works its targeted advertising magic by partnering with ISPs and installing a box in their network. The box examines inbound and outbound traffic from all users, and it builds a highly targeted profile for each Internet user by taking a look at the sites that people visit and the keywords displayed there. These profiles are then used by NebuAd to insert relevant advertising into web pages that have elected to use the NebuAd network (NebuAd does not override ads displayed on sites that are not part of its advertising network).

To do all of this, NebuAd relies on a set of tracking cookies that are placed on each machine. Such cookies are pretty standard fare in the web advertising world and aren't themselves of much note, but Topolski's report takes issue with the way that the cookies are placed onto people's machines. A subscriber to Wide Open West (WOW!) gave Topolski remote access to his machine, and Topolski then verified that WOW's NebuAd system was planting its own cookies when users visited Google and Yahoo, among other sites.

This couldn't normally happen, since neither Google nor Yahoo serves up NebuAd tracking cookies and NebuAd is not a partner to either firm. After examining the TCP/IP packet data more closely, Topolski concluded that the NebuAd box was simply appending its cookies to the HTML code served up by Google and Yahoo. To do this, the box creates a new packet and forges the IP address and port number of the Google or Yahoo server that just sent data to the user. In addition, it uses TCP's ACK and SEQ numbers to "prevent the [user's] system from rejecting the forged packet."

This extra packet carries a bit of JavaScript data not actually served up by the sites in question; the code directs the browser to visit NebuAd-related sites in order to grab a cookie. This is the basis for Topolski's statements that "NebuAd's code injected into another's page source is a cross-site exploit (XSS) and the subsequent behavior of loading cookies it normally would not load is a browser hijack. NebuAd accomplishes its XSS by using what is effectively a classic man-in-the-middle attack."
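The forged-segment technique described in the two paragraphs above leaves traces that a network defender can look for in a packet capture. The Python below is an added example, not code from the report, from Topolski, or from NebuAd; it assumes a captured server-to-client flow already split into segments with their sequence numbers and IP TTLs (the `Segment` records, the sample page and the `tracker.example` host are all constructed) and scores three signals: overlapping sequence ranges whose bytes disagree (a genuine retransmission repeats identical bytes, a forged segment racing the origin server does not), a TTL that departs from the rest of the flow, and external scripts in the reassembled page that point at a host other than the publisher's.

```python
"""Defender-side checks for forged TCP segments carrying injected script.

Evaluated over one captured server-to-client flow (segments listed in the
order they arrived). All segment data here is constructed sample input.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL observed on the wire
    payload: bytes


def overlapping_conflicts(segments):
    """Return (seq, seg_a, seg_b) for pairs whose ranges overlap but disagree."""
    conflicts = []
    ordered = sorted(segments, key=lambda s: s.seq)
    for i, a in enumerate(ordered):
        a_end = a.seq + len(a.payload)
        for b in ordered[i + 1:]:
            if b.seq >= a_end:
                break               # sorted by seq, so nothing later overlaps a
            end = min(a_end, b.seq + len(b.payload))
            a_bytes = a.payload[b.seq - a.seq:end - a.seq]
            b_bytes = b.payload[:end - b.seq]
            if a_bytes != b_bytes:
                conflicts.append((b.seq, a, b))
    return conflicts


def ttl_outliers(segments):
    """Segments whose TTL differs from the flow's most common TTL."""
    common = Counter(s.ttl for s in segments).most_common(1)[0][0]
    return [s for s in segments if s.ttl != common]


def reassemble(segments):
    """Mimic a receiver's buffer: the first byte to arrive at an offset wins."""
    base = min(s.seq for s in segments)
    end = max(s.seq + len(s.payload) for s in segments)
    buf = bytearray(end - base)
    filled = bytearray(end - base)
    for s in segments:                      # arrival order matters here
        for i, byte in enumerate(s.payload):
            off = s.seq - base + i
            if not filled[off]:
                buf[off] = byte
                filled[off] = 1
    return bytes(buf)


_SCRIPT_SRC = re.compile(rb'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)


def foreign_script_hosts(page, publisher_host):
    """Hosts of external <script src> elements not on the publisher's domain."""
    hosts = []
    for src in _SCRIPT_SRC.findall(page):
        host = urlsplit(src.decode("ascii", "replace")).hostname
        if host and host != publisher_host and host not in hosts:
            hosts.append(host)
    return hosts


# Constructed sample flow: a small search page, plus one forged segment that
# claims the sequence number of the page's closing tag, carries a script
# pointing at a third-party host, and arrives before the origin server's
# real bytes, which the receiver then discards as a duplicate.
HEADERS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
BODY = b"<html><body>results</body></html>"
BODY_SEQ = 1000 + len(HEADERS)
INJECTED = Segment(seq=BODY_SEQ + BODY.index(b"</html>"), ttl=61,
                   payload=b'<script src="http://tracker.example/c.js"></script></html>')
SAMPLE_FLOW = [
    Segment(seq=1000, ttl=52, payload=HEADERS),
    INJECTED,
    Segment(seq=BODY_SEQ, ttl=52, payload=BODY),
]


def analyze(segments, publisher_host):
    """Summarise all three signals for one flow."""
    return {
        "conflicts": [seq for seq, _, _ in overlapping_conflicts(segments)],
        "ttl_outliers": [s.seq for s in ttl_outliers(segments)],
        "foreign_script_hosts": foreign_script_hosts(reassemble(segments), publisher_host),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_FLOW, "search.example"))
```

On a real capture the TTL check alone is noisy (paths change), which is why the conflicting-overlap signal is the strongest of the three: it only fires when two different byte strings were offered for the same position in the stream, something a correctly behaving origin server never does.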

Deleting the cookies in question simply leads the system to send them again on future visits to various web sites, though NebuAd says that it respects opt-out requests.

In a statement sent to Ars Technica, NebuAd expressed disappointment with the "misleading characterization" of its system. The company stresses that it uses standard tracking cookies, but when it comes to the details of how these cookies are placed on people's machines, it says only that it uses "industry-standard techniques" and that cookie code "is clearly demarcated outside of and does not modify any publisher code." As for the question at issue, whether NebuAd uses its boxes to "fake out" users and slip third-party cookies onto their machines by forging packet information, that's not addressed.

Also not addressed is the far more important question of whether this entire system is legal. Such concerns have been raised on both sides of the Atlantic, since wiretapping rules might seem to prohibit this interception of traffic on an opt-out basis. In the US, such a system may also run afoul of the Communications Act, which generally requires that this type of data collection can only be done with "prior written or electronic assent of the subscriber." That was the basis for a bipartisan letter sent to Charter earlier this month from the two ranking members on the House Telecommunications Subcommittee. When both Ed Markey (D-MA) and Joe Barton (R-TX) think your program should be halted until Congress can take a look at it, that's a pretty good sign that the political resistance around these kinds of schemes could be stiff, at least until they are fully opt-in.