ISP Behavioral Targeting Triggers State Laws, Say Activists
Though federal wiretapping law may prohibit Internet service providers’ plans to target their customers with online advertising, state laws may present a bigger hurdle, digital activist groups told reporters Tuesday. But the vague wording of some state wiretapping laws and a shortage of case law may fall short of a slam-dunk case against targeting, they conceded. The best-known targeting firm in the U.S., NebuAd, is trying to get around consent concerns by offering “direct, initial online notification and periodic reminders” to Internet users being targeted, and talking up endorsements by privacy experts.
The Senate Commerce Committee will hold a hearing Wednesday on the privacy implications of online advertising. It will feature Bob Dykes, CEO of NebuAd, whose customers recently have been fleeing its services. Charter Communications and CenturyTel are holding off on targeting trials amid customer and Hill scrutiny (WID July 1 p3). Wide Open West said it was “suspending” NebuAd services while Congress reviews the practice. Embarq also has halted the service.
ISP targeting is built “on top of a regime that we consider to be broken,” said Center for Democracy and Technology Executive Director Leslie Harris, referring to traditional online advertising networks. The self-regulatory model embodied in the Network Advertising Initiative -- through which Internet users can opt out of ad networks’ targeting -- is “largely a failure,” and activists’ privacy concerns are “amplified” when ISPs enter the picture, Harris said.
NebuAd’s system “mirrors” all traffic from participating ISPs to its California offices, said Rob Topolski, the technology consultant who first exposed Comcast’s surreptitious shaping of BitTorrent traffic. Pairing ads against traffic is possible only using the new generation of dual-core processors in deep-packet inspection hardware devices that each can handle 30,000 to 50,000 customers, he said. The NebuAd system originally injected a JavaScript packet into each Internet customer’s stream -- what’s known in spyware research as a “man in the middle attack,” using cross-site scripting to “force-load cookies” into a user’s browser with every session, Topolski said. NebuAd has since stopped injecting JavaScript into traffic, he added, citing his own tests.
ECPA Frowns on Targeting, States May Prove Insurmountable
ISPs using NebuAd seem to be violating the Electronic Communications Privacy Act, which bars interception of communications and divulging to third parties without consent, said CDT Vice President Ari Schwartz. None of ECPA’s exceptions seem to apply, he said: NebuAd services aren’t “necessary for the rendition of the [Internet] service itself,” ISPs only use NebuAd because they have a “direct financial motivation,” and ECPA’s consent provision seems to require “affirmative” opt-in, judging by court decisions. Though NebuAd lets Internet users opt out of targeting, it’s still collecting all traffic from participating ISPs, which may run afoul of ECPA, Schwartz said.
ISP targeting could also violate several states’ laws on “two-party consent,” which got Hewlett-Packard in trouble for monitoring employees’ calls with journalists, Schwartz said. Under ECPA, only one party needs to consent to the interception or recording of communications. Online that’s usually the Web site taking part in an advertising network. A dozen states have two-party consent laws, though several apply only to “oral conversations,” said a report by CDT released at the briefing. Connecticut is the only one that doesn’t cover electronic communications, Schwartz said. Florida and Illinois laws are clearer in their application to Internet communications, the report said.
NebuAd is known to have provided services in Illinois, through Wide Open West, Schwartz said. Charter’s planned tests were in Massachusetts, another two-party consent state, and staff to House Telecom Subcommittee Chairman Ed Markey, D-Mass., a vocal targeting critic (WID May 19 p5), have raised the issue, Schwartz said. Connecticut’s attorney general also told Charter to back away from its NebuAd plans. But Schwartz said it was unclear except for Massachusetts whether the two-party laws were a basis for opposition.
Though the California Supreme Court has held that state’s two-party law applies to those out of state who call into California, there’s no case law on whether the law applies to the Internet, the report said. “In a lot of cases it’s unclear” whether state two-party consent laws apply online, Alissa Cooper, chief computer scientist for CDT, told us later. If they do, that could rule out even opt-in behavioral advertising by ISPs, because of the difficulty of getting consent from every site an opt-in customer visits, the report said.
NebuAd Shifts Gears on Notice, ‘Reminders’
NebuAd said Tuesday it has developed a system to provide “direct, initial online notification and periodic reminders” to Internet users being targeted, though it’s not changing its collection practices. The system won’t be based on e-mail notice, though NebuAd said that remained “the most reliable and acceptable means of ensuring consumer awareness for many companies.” NebuAd is also developing a “network-based opt-out mechanism” that doesn’t use opt-out cookies, which privacy activists have long faulted as easily deleted through browser settings or security software. A NebuAd spokesman said the company couldn’t immediately describe how the notice and reminder system would work.
NebuAd emphasized its privacy bona fides, noting it requires ISP partners to give subscribers “advance, direct notice” to opt out before the service takes effect, and “ongoing notice and choice mechanisms” through an ISP’s privacy policy. Countering privacy activists, NebuAd said it meets “both the letter and the spirit” of ECPA and the Cable Communications Policy Act, an earlier basis for opposition to targeting. Larry Ponemon, chairman of the privacy-focused Ponemon Institute, called the company “among the most privacy conscious vendors we have worked with” in online advertising, though he didn’t make any legal claims. NebuAd will also bring in “additional privacy audit experts from a major accounting/audit firm,” CEO Dykes said.
“All the original concerns still exist” despite NebuAd’s changes, Schwartz said at the briefing -- especially its reliance on an opt-out model. NebuAd’s history is rooted in adware, he said. Several Claria employees left that company for NebuAd, which like Claria is based in Redwood City, Calif., once Claria left the adware business after tussles with the FTC and antispyware researchers (WID March 22/06 p1). NebuAd’s practices could draw opposition in particular from traditional advertising networks, whose performance would be readily discernible in data analyzed by rival NebuAd, Topolski said.
ISP targeting, net neutrality and network management fall into the same category of concern for privacy activists, said Harris. But they don’t want to see all dealt with in the same law or agency effort, which could delay action, she said.