Web monitoring for ads? It may be illegal

Online advertising has ballooned into a roughly $45 billion-a-year business, to the benefit of Google, Yahoo, ad networks, and innumerable speciality and hobbyist Web sites.

One corner of this ecosystem that hasn't managed to cash in on advertising is, by some measurements, the largest: broadband providers. So it may have been inevitable that they would seek additional revenue by monitoring their customers' online activities and creating behavioral profiles that could yield hyper-relevant ads.

The only problem with this practice is that it may not be entirely, well, legal. The first warning sign came last week when two members of the U.S. Congress sent a letter to Charter Communications, a large cable provider, raising "substantial questions" about the legality of deep packet inspection and asking the company to hold off. (See our Q&A with a Charter executive.)

In interviews with News.com over the last few days, privacy advocates and attorneys pointed to a collection of federal laws--written in the 1980s when broadband services were merely a pipe dream--that combine to create a treacherous legal landscape for broadband providers that plan to conduct Web monitoring.

It's "a problem for cable providers because the very collection of personal information is prohibited without consent," said Al Gidari, a partner at Perkins Coie in Seattle, whose clients include Google and broadband providers. "It's plainly a problem for Charter. I'm amazed we haven't seen a class action lawsuit on this."

The problem for broadband providers is that intercepting customers' Web browsing, analyzing the protocols to see what's going on, and reviewing the packets' contents starts to look a lot like wiretapping. And there are federal and state laws, complete with civil and criminal sanctions, that broadly prohibit wiretapping.

It's unclear how many providers are performing Web monitoring for advertising, not least because all of the companies providing deep packet inspection are highly secretive.

Wide Open West is using technology from Redwood City, Calif.-based NebuAd, as it discloses in its privacy policy. Charter and (reportedly) Knology are experimenting with it, too. CenturyTel told us that "we are doing business" with NebuAd and that it did a trial of NebuAd's technology in one of its markets late last year.

Embarq talks about "preference advertising" in its privacy policy and confirmed it has tested NebuAd "in one of our markets," but added that "we are not currently using those tools and have not decided whether to move forward with them." Rivals to NebuAd include Front Porch of Sonora, Calif., and U.K.-based Phorm.

NebuAd refused to disclose what advertising networks--such as DoubleClick or Microsoft's Aquantive--it uses, or what broadband providers it counts as customers. So did Phorm and Front Porch (which said it could not arrange an interview).

When asked why it won't disclose that information, NebuAd told us in e-mail: "We would like to respect the trust and relationship that already exists between an ISP and their end customer. We want to stress that we do not publicly discuss our ISP partner relationships because of the direct relationship that already exists between an ISP and their customers. Our belief is that our ISP partners have a direct, trusted relationship with their customers; and communication, public or otherwise, should be directly from our ISP partner to their end customer." NebuAd does provide an opt-out mechanism through browser cookies.

The stakes are high. The advertising industry is moving toward behavioral targeting, meaning compiling dossiers (anonymized or not) on individuals and using those to display targeted ads. Theoretically, this benefits everyone: Internet users see ads that match their interests, and advertisers sell more products.

Because deep packet inspection can, barring the use of encryption, monitor everything that a customer does online, a broadband provider is in the enviable position of being able to know exactly what each customer is doing. The odds of successful monetization are high. But so are the legal risks.

Three federal laws, three legal hurdles

At least three wiretapping-related federal laws restrict what broadband providers can do: the Electronic Communications Privacy Act of 1986 (ECPA); the Communications Act of 1934; and the Cable TV Privacy Act of 1984. The cable privacy law is the most restrictive and applies only to cable broadband providers--meaning, thanks to a law written when the Apple Macintosh was new, they're at a competitive disadvantage to AT&T and Verizon.

The cable privacy law is unusually onerous because it requires the "prior written or electronic consent of the subscriber" before any personally identifiable information can be collected. What that means is sending a postcard or e-mail telling customers that they can opt-out (which is what cable providers are doing so far) may not be good enough.

"They have to worry about it more," said Gidari, the attorney at Perkins Coie, referring to cable operators. "Their rules are much more restrictive. They have the obligation to give notice to their customers before they disclose information. They have the obligation not to collect information without prior consent...Cable operators have the most exposure in doing this."

"Do (broadband providers) think they own that data? If they own that data, there are no limits on what can be done with it? Can they give it to an employer? Can they give it to a credit bureau? Can they give it to a potential landlord?"

--Barry Steinhardt, ACLU's Technology and Liberty Program

One irony of this situation is that broadband providers are seeking to do precisely what companies like Google and Yahoo have done for many years: monitor what users are doing and display relevant advertisements. But cultural expectations are different. And by an accident of history, or a quirk of fate, those laws don't apply to Google and Yahoo and other Web sites. They single out Internet service providers.

For their part, cable providers insist that they're following the law. Charter tells us it is "confident" that "all legal requirements" have been met. Wide Open West, a cable operator in the Midwest that's using NebuAd's hardware, said: "We feel that the service and our use of it is in compliance with current regulations."

But other laws apply to all Internet providers. ECPA says, in general, that "a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication." Two exceptions to that general rule allow monitoring that is a "necessary incident" to providing the service and monitoring with a user's "lawful consent."

Translation: Obtaining "lawful consent" may mean more than sending e-mail notifying customers that the terms of service have changed. At the least it means that an opt-in process is less risky, legally speaking, than an opt-out one.

The 2003 In Re Pharmatrak decision from the U.S. Court of Appeals for the 1st Circuit offers a glimpse of how judges view consent. The court ruled in a case involving Web tracking "that it makes more sense to place the burden of showing consent on the party seeking the benefit of the exception." The judges approvingly cited a second case, which said "consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception."

Yet another legal obstacle for Web monitoring is the Communications Act, which says companies engaged in "transmitting" communications shall not "divulge" those contents.

"The question is whether or not a third party like this can track usage for things other than for routine maintenance of a network--they are entitled to do that," said Barry Steinhardt, director of the ACLU's Technology and Liberty Program. "But where you're actually tracking the content of what users do, there are serious questions there about the Electronic Communications Privacy Act and the cable laws."

Steinhardt added: "I think Congressman (Edward) Markey is exactly right to raise this issue. The implications here are profound...Do (broadband providers) think they own that data? If they own that data, there are no limits on what can be done with it? Can they give it to an employer? Can they give it to a credit bureau? Can they give it to a potential landlord?"

Another possible threat to broadband providers is the Federal Trade Commission, which can file lawsuits alleging unfair or deceptive business practices. The FTC has posed suggested guidelines for behavioral advertising after convening a workshop last fall, and the Center for Democracy and Technology filed comments with the agency last month raising questions about NebuAd and its peers. (Disclaimer: I spoke at last fall's workshop.)

CDT's comments allege that broadband providers do "not appear to be adequately disclosing this involvement" and suggests that the Electronic Communications Privacy Act regulates the practice. They also suggest that the FTC "should address" advertising-related monitoring and require affirmative consent from customers instead of an opt-out mechanism. In its privacy principles, the FTC said "companies should obtain affirmative express consent from affected consumers" before substantially changing privacy policies.

In the past, the FTC has taken a relatively strict view of informed consent. In its lawsuit filed against Odysseus Marketing, the FTC argued that it was unlawful for a company not "to adequately disclose" to customers that it was sharing information with third parties. The case ended in a settlement.

There's one final legal twist that could imperil NebuAd and similar companies that conduct deep packet inspection. The way they work is to perform a Carnivore-like interception of all customers' Web browsing. Then Web traffic with NebuAd's opt-out cookie is discarded.

What that means in practice is that, if you've chosen to opt-out through your Internet provider, the contents of your communications are nevertheless continually disclosed to a third party--even if for a microsecond--which is exactly what federal privacy laws seem to prohibit.

News.com's Anne Broache contributed to this report

[R.Jefferson]

We have no rights only privledges. We dont own nor can we control our personal information, it is content that corporations and industry regulate and own and have sole exculsive use thereof.

Comon now, I know I want spam emails and ads for things I might buy, not just suspect pharmaceuticals or FREE* iPods.

[pgp_protector]

What about the fact that they are also modifying other pages, not giving the client what was sent from the server.

Site "A" has deal with company "B" to display ads.
Site "A" puts company "B"'s ads on the web page
Site "A" sends page with company "B"'s ads to Visitor.
Visitor sees company "C"'s ads that neither Site "A" or Company "B" approved.

[declan00]

pgp_protector: That is _not_ what they're doing, according to our Q&A with Charter:
http://www.news.com/8301-13578_3-9945309-38.html

Q: Let's say NebuAd has a relationship with DoubleClick, and let's say CNN.com uses DoubleClick for advertising. If you visit car Web sites and then visit CNN.com, you're more likely to see a car ad as a result, right?
A: Yes. If you look at the transaction flow, if CNN has a relationship with DoubleClick, we, through this anonymous model, have provided information to NebuAd. The ads that are already being served are being served on an informed basis. We're informing the model to an additional degree. There is a level of misinformation about how that works.

[Renegade Knight]

When I pay directly for a service there is no need for ads. Some pay services like to throw in ads anyway (Cable for example) but they are nothing more than an optional plan to try and make more money on the same service you are already buying. In other words, Corporate Double Dipping.

[steelhoof]

Declan, once again I think you are striking at the heart of the issue. What is, in reality, the difference between deep monitoring of packets used by a computer vs the packets used by voice communication systems? The easy difference is Voice monitoring is on a one to one basis between to endpoints, in a serial fashion. Computer connections, ie "surfing" is parallel, but not all we do on the net is performed by a browser. Also, when we go to sites with "secure" connections, the idea is to keep data secret from others, and sniffing each packet defeats that.

We talk about the lack of trust when it comes to electronic voting. Can we really trust the software or the vendor? What of this deep packet hardware? Who vets the vendor, the software or the firmware used? I use gmail, and I know it is all "sniffed" by google, but if I need to keep it secure, i will use a different resource. What is to keep someone sniffing packets with the blessing of the ISP from sorting and the selling the information like Lawanda Jackson did with the medical records of celebrities at UCLA Medical Center?

The risk of sniffing online communications for discrete data is too high, and the potential damage too great to allow.

Would you like others to know that your kids are checking out porn? Or that you are seeing a secret lover in a chatroom,? And that you have $10,238.67 in a bank account your husband knows nothing about?

The reading of packets to develop a profile is totally wrong. What if you surf porn at night, and your kids go to sesamestreet during the day? Will you trust the computer delivering content not to get confused if you 6 year old goes online at 2 am because she woke up and wanted to play?

[higginsoft]

I contacted Charter and asked them about the monitoring. This is what they sent back:

We are monitoring the site that you go to in order to have the advertising you see on website become customized to the website's you are looking at. if you wish to not take part in this you can got to www.charter.com/onlineprivacy to stop it. We are currently only doing this in 4 cities, so this may not affect you. the cities are Newtown, CT, Fort Worth, Texas, San Luis Obisop, CA, and Oxford, Massachusetts. If you wish to discuss this as it regards your particular account, you can chat in at charter.com or call us a 888-438-2427. Due to FCC regulations, we can not discuss individual accounts by email.
Thanks,
Don

When you go there, you enter you name and address. They return the following:

Opt-Out is Complete
Your opt-out request has been received and processed.
Please note that the opt-out cookie is specific to the browser and computer you are using right now. Your opt-out choice cannot be honored if you access this site using a different browser on this computer or from a different computer. Additionally, your opt-out choice cannot be honored if the cookies on your computer(s) are deleted. As a result, you should repeat this process with each browser and computer you use to access this site and whenever cookies are deleted from your computer(s).

[zeroplane]

Although currently the service is a joke, I am finding the freenet service idea more and more desirable. http://freenetproject.org/

From my observation is can easily be as lame as the normal internet, and from what I have seen it is like stepping back into the early 90es. But the advantage is providing a backbone that can not be tracked and is a virtual private network between computer on the internet.

[zeroplane]

So what is stopping someone from releasing a proxy that works with Seek and Destroy to make it permanent. http://www.safer-networking.org/en/index.html

[royc]

All the ISP really needs to do is amend the terms of use and say to use (or continue to use) our service you must agree to the new terms of use. If you do not agree your service will be terminated.

I tried to check on a new service provider based on billing trouble and there are none in my area so I'm stuck with a monthly battle over my bill or going backwards to 1998 and 33Kb/sec.

[mraardvark]

So they give a special opt out cookie. Considering I have at least three different programs deleting cookies (firefox, ccleaner, and my antivirus) keeping something like that around would end up being a royal pain in the backside. Most people wouldn't even notice it was gone let alone know all the random cache cleaners running around will delete it. Of course I'm sure these guys are counting on it .