Once is not enough
Several months ago we watched a behavioral targeting software company called NebuAd go straight off a cliff, burst into flames, and crash in a truly spectacular fashion. Having watched one of its cohorts completely self-destruct, the folks at behavioral targeting software company Phorm apparently thought it would be interesting to do the exact same thing. And then, oddly enough, they did. Once word got out that Phorm relies on deep packet inspection (DPI) to track consumer behavior, just like NebuAd, the same sequence of events played out, in almost the exact same fashion. Phorm’s customers are distancing themselves just as fast as they can, the privacy advocates are hollering at the top of their lungs, legislators are starting to sit up, and Phorm has just burst into flames (crash to follow soon).
What is the lesson here? Although errors in judgment are often easy to spot in hindsight, one rarely has the opportunity to apply foresight to an error in judgment. Phorm had that opportunity, and they still managed to blow it. The painful lesson (learned twice) is that deep packet inspection as a targeting mechanism is not going to fly. The problem with DPI is not just a lack of awareness on the part of the consumer that they’re being tracked, it’s that the tracking mechanism is deeply embedded in the user experience without any contextual framework. DPI does not track explicit behavior, but implicit behavior. As an example, when I’m on line I tend to hit around 12-15 sites per any given session; I go to my bank, check my e-mail, hit Amazon, zip through Facebook, etc. In each case I am explicitly identifying myself to the site in question (usually by logging in); I announce “I am here, now cater to me!” and the site owner does (as they should).
If I’m at an e-commerce site and I click on a banner ad, it’s reasonable for that merchant to assume I’m interested in the product or service, and track my behavior accordingly. But I have made an explicit choice to go to that site, and to click on that banner (or enter a search query, etc.).
The problem with DPI is the lack of any operating context (it doesn’t matter where you are or what you’re doing, we’re going to track you). Because ISPs provide the access infrastructure, they touch everything the consumer does, and most of the time they’re invisible. They’re in an ideal position to know everything you do, and there’s been a tacit understanding that the information would be kept private. The folks at NebuAd and Phorm were smart enough to see the value of Deep Packet Inspection, and dumb enough to rush forward without gauging public reaction, resulting in two very entertaining events.