ISP Targeting Hubbub Ignores Web Giants’ Tracking, House Telecom Hears
The extent to which Internet service providers are in a unique position to track their subscribers’ Web use was hotly disputed at the House Telecom Subcommittee Thursday. Some witnesses and lawmakers pointed to what they called nearly identical use of deep-packet inspection (DPI) by Web giants. ISPs should give users “meaningful opt-in consent” before targeting advertisements to users’ online behavior, said Chairman Ed Markey, D-Mass. Witnesses gave uniformly murky answers when asked whether they favored mandatory opt-in. Bob Dykes, CEO of targeting firm NebuAd, reprised his role from last week’s Senate Commerce Committee hearing as the only person to defend ISP targeting (CD July 10 p5).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Anticipating criticism that he would ignore longstanding targeting by ad networks, Markey noted his sponsorship of the enacted Children’s Online Privacy Protection Act and a bill to require destruction of search-engine queries. But there are “notable differences” between sites and ISPs collecting data, not to mention a more extensive legal regime for ISPs, he said. “Consumers deserve, at the least, at the minimum, one clear, conspicuous notice” of what DPI entails and “no monitoring or interception” of their traffic if they decline, Markey said.
“Why are we just focusing on broadband providers?” said Ranking Member Cliff Stearns, R-Fla., when privacy standards “should apply to everyone,” including Google, Yahoo and Microsoft. But targeting must “already be shown to harm the consumers” before Congress can regulate and risk harming small business in particular, he said. The FTC told Senate Commerce Committee that legislation isn’t “immediately necessary,” he said. Rep. Gene Green, D-Texas, said the subcommittee doesn’t have jurisdiction to review targeting by Web giants.
In a written statement, House Commerce Chairman John Dingell, D-Mich., faulted the FCC for putting Congress in the position of scrutinizing DPI. Agency Chairman Kevin Martin told Dingell that the FCC would add privacy protections for wireline broadband before this year, Dingell said. “Clearly, much work remains to be done at the FCC.” Dingell also warned that DPI can have “nefarious” purposes in slowing or blocking content.
Mimicking the Low-Value Mobile Internet Market
There are “unique risks” to ISP targeting, including tracking of political speech, said Alissa Cooper, chief computer scientist for the Center for Democracy and Technology (CDT). The Wiretap Act prohibits tracking even “completely anonymous” communication without a legal mechanism, she said. Congress should encourage the FTC to discuss DPI in its draft principles for targeting, Cooper said.
NebuAd’s Dykes compared himself to Galileo: “The science exists today and NebuAd is using it to create truly anonymous profiles.” Dykes said he met this week with CDT and found “common ground” on creating “simple but complete” prior notice and “easy and obvious means” to opt out. But U.S. privacy laws generally raise the bar for notice and consent only for sensitive information, which NebuAd doesn’t collect, he said.
David Reed, who helped create the Internet in 1976, said DPI violates core design principles of the Internet, acting as a “high-speed X-ray technology” for mail in transit. Early engineers made packet privacy “sacrosanct” because of the multiple jurisdictions that would govern the Internet, said the Massachusetts Institute of Technology adjunct professor. Venture capitalist Bijan Sabet compared DPI to the low-value mobile Internet market in the U.S., where carriers largely control where users can browse on their phones. The low U.S. ranking in broadband penetration won’t be improved with ISPs deploying DPI, he said.
Internet companies have a “perverse incentive… to push the envelope” as Congress frets over targeting by ISPs, where privacy rules are deeply ingrained, said Scott Cleland, CEO of consultancy Precursor. He rattled off a list of Google services that he said collect vastly more personal information than NebuAd, assailing the “unauthorized Web surveillance” of a company that he termed “J. Edgar Google.” Cleland noted his think tank NetCompetition.org is funded by ISPs.
Dykes: ‘We'd Be Satisfied with Any Law You Passed’
Markey sparred with NebuAd’s Dykes over his refusal to say whether he supports opt-in. “You've got to get the consumer to say ‘yes,'” Markey said, calling NebuAd “Google times a hundred.” Dykes said: “You're forcing me into a ‘have you stopped beating your wife?’ question,” to which Markey replied the actual question was “have you stopped beating your customer?” NebuAd doesn’t track users that “we are convinced don’t want to be tracked,” Dykes said. “That’s basically saying that silence is consent,” Markey said, an “incredible leap” toward saying the mailman can open any letter.
Stearns faulted Dykes for not giving straightforward answers. “You've got to make the case here strongly this morning that this is not the same analogy” -- snooping mail compared to analyzing packets. “A dialog box would come up all the time” to ask users to opt-in under Markey’s logic, Stearns said. Rep. Mike Doyle, D-Pa., disagreed: “It could be a simple one, opt in, opt out. I don’t know anybody that reads their damn privacy statements in their bills,” which are in fine print. Dykes, whose company is working on a network-based opt-out method that would provide online notice and consent, said he agreed about privacy-policy notices. “We'd be satisfied with any law you passed, sir,” even to mandate opt-in, Dykes told Rep. Bart Stupak, D-Mich. But after several comparisons to mail delivery, Dykes snapped that NebuAd wasn’t the U.S. Postal Service.
The result of widespread DPI by ISPs could be an unhealthy increase in traffic encryption as users -- and Web sites -- try to foil tracking, Reed said. Beyond the difficulty of designing an encryption system that distributes the “keys” to the right users, too much encryption online would complicate legitimate law enforcement, he said.
‘Distinctions Without Differences’
Rep. Charlie Gonzalez, D-Texas, echoed Stearns on the “overarching duty” of Congress to make privacy rules that didn’t create “distinctions without differences,” saying: “The holy grail here appears to be an opt-in,” for ISP as well as ad network. “Why does it matter whether it’s Embarq or whether it’s Google?” he said. “All these sinners are still worshiping at the commercial altar of advertising.”
Rep. Hilda Solis, D-Calif., said ISPs were unique in facing two-party surveillance consent laws in California and other states. Cooper, whose group first raised the state issue, said it’s actually less certain how those laws apply online. NebuAd lawyers said those laws weren’t a problem, Dykes said. Perhaps oddly, none of the witnesses explicitly said they supported mandatory opt-in, following Markey’s question. Consumers need “informed, meaningful control,” CDT’s Cooper said.
Markey told Dykes to hire a reputable firm to audit NebuAd’s compliance with its stated policies on information collection. “This is only going to become an escalating subject” for House Commerce, Markey said.