The Center for Democracy and Technology works to promote democratic values and constitutional liberties in the digital age. With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in global communications technologies. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media.

About Leslie Harris

Leslie Harris joined the Center for Democracy and Technology in the fall of 2005 and became Executive Director at the beginning of 2006. Ms. Harris brings over two decades of experience to CDT as a civil liberties lawyer, lobbyist, and public policy strategist. Her areas of expertise include free expression, privacy and intellectual property. Ms. Harris is a recognized expert on Internet and technology policy, and she writes and speaks frequently on these subjects. Ms. Harris has served in leadership positions in the American Bar Association, including as the Chairperson of the Section on Individual Rights and Responsibilities. For many years, she served as the Co-Chair of the CDT Public Interest Advisory. She currently serves on the Board of the Health Privacy Project. Ms. Harris received her law degree cum laude from the Georgetown University Law Center and her BA at the University of North Carolina at Chapel Hill, where she graduated Phi Beta Kappa.

An Ill-Conceived Harvest

Your Internet Service Provider may be offering up every click you make online and selling it to a company determined to know anything and everything about you, down to the fake name you use when logging on to the “Always ABBA” fan site.

That’s a wiretap by any other name; I apologize for the subtlety.

The technique used in this ill-conceived information harvest is called “deep packet inspection” (DPI). In practice it’s used by ad networks engaging in “behavioral tracking”; in principle it is fraught with unresolved privacy, regulatory and legal issues.

Previously, an Internet user’s online information was likely collected by a third party ad network only when visiting web sites participating in the network.  Online surfing habits were often combined into profiles to serve up targeted ads geared to a user’s interests. The privacy concerns about this so-called behavioral targeting by web operators are significant. But they pale in comparison to the “always on” collection scheme of DPI recently launched by some ISPs.

Charter Communications this week announced that it was going to start rummaging through each user’s click stream in an effort to provide its subscribers with--I’m not making this up--“[A]n enhanced online experience that is more customized to your interests and activities.”  

You’ll love this new intrusion into your life, Charter promises, because now you’ll see ads that are “more likely” in keeping with your “interests.” Browsing the web “can become more like flipping through your favorite magazine,” a promise that should bring chills to those who value the open and freewheeling Internet.

Imagine for a moment… perhaps the “magazine” you’re flipping through is a web site dedicated to supporting incest survivors or a cancer research information center or that of a fringe political group.  I don’t even want to think about what kind of “targeted ads” might be served up in one of those scenarios.  I’m more concerned about what happens to all that information if it has “nowhere to go”?  Such information, in the wrong hands, could cripple a person’s life. And while the information collected by itself may not be personally identifiable, it takes no more than a click for an ISP to combine it with billing information (at least name and address) used to set up an account.

At least Charter had the corporate decency to alert its subscribers ahead of time; other ISPs involved in DPI have been reluctant to own up to the practice or, when discovered, provide only vague explanations as to how and why it’s being used.

The ad companies on the receiving end of this information promise that they respect privacy, that no particular bit of information can actually be tied directly to any unique user. 

Charter specifically addresses this question, telling its users that the service “[S]pecifically and explicitly does not track or display ads related to confidential medical information, racial or ethnic origins, religious beliefs or content of a sexual nature.” Of course, in order to exclude this information, someone (or something) has to riffle through your searches and web browsing to make the cut as to what is over the line. Interestingly, political speech appears to be fair game.

Charter also claims that it doesn’t retain any data, such as the web sites you’ve visited. Likewise, those companies buying your information make similar claims, that they don’t retain your information, nor can it be traced back to any particular users.  In addition, those using DPI, including Charter, point to their opt-out policies.  OK, fair point.  But the existence of an opt-out policy alone, particularly one buried in fine print when you sign up for service, is unlikely to give consumers the choice they deserve.

My organization has researched “DPI-based behavioral ad networks,” for lack of a better phrase, and found that in some cases the data of users that have opted out still gets passed to the ad network before it’s discarded or ignored. The companies also appear to be using cookies – which are susceptible to deletion especially by privacy-conscious users – to store users’ opt-out status. Given the comprehensiveness of the Web data these companies can potentially collect, we question the effectiveness of these kinds of opt-out procedures in honoring consumers’ choices.

And then there’s that pesky legal issue. The Electronic Communications Privacy Act (ECPA) is intended to protect the privacy of Internet communications. With certain exceptions, ECPA and its amendments to the federal Wiretap Act prohibit ISPs from intercepting their customers' communications or disclosing the content of those communications to a third party without the customers' permission.

So, how do the ISPs working with DPI-based behavioral ad networks justify under ECPA their role in copying or disclosing the content of their customers’ communications without prior consent?  And how do the ad networks justify their obtaining customer communications?  The Federal Trade Commission should insist that the ISPs and DPI-based behavioral ad networks already engaged in these practices answer these questions on the record.

If implementations of the DPI model continue on their current path, we do not see how an opt-out requirement alone will protect consumer interests. The burden is on the ISPs and the ad networks to demonstrate that it will. And if ECPA demands it, these DPI-based behavioral ad networks should be held to an opt-in only standard, requiring an individual’s affirmative express consent prior to collecting his or her full packet stream for behavioral advertising.


Published Wednesday, May 14, 2008 10:31 AM by Leslie Harris

© Leslie Harris/Center for Democracy and Technology. All rights reserved.


Note: Justice Talking ceased production on June 30 of 2008. The Talking Justice blogs and forums are provided as a read-only resource for historical interest only. Commenting on blog posts has been suspended.

All opinions expressed are those of the author. The Annenberg Public Policy Center makes no claim as to the accuracy of claims or continued availability of any third party web links found on this site.
