Reps Give Thumbs Down to Sniffing Online Activity

July 17, 2008
By Chloe Albanesius -PC Mag

Should ISPs and Web site owners be banned from keeping track of your online activity just as the Post Office is banned from going through your snail mail?

Absolutely, according to several members of the House Subcommittee on Telecommunications and the Internet, who grilled the owner of a behavioral advertising company Thursday over the inability of consumers to opt out of Internet monitoring.

Specifically, the committee was concerned about a technology known as deep-packet inspection, a technique that allows for the detailed inspection of data as it travels across the Internet. ISPs can use it to filter out the illegal transfer of copyrighted material or harmful viruses and spam, but providers like Comcast have come under fire for allegedly using the technology to block certain file-sharing applications.

“As opposed to individual Web sites that know certain information about visitors to its websites and affiliates, deep packet inspection technologies can indicate every Web site a user visits and much more about a person’s web use,” said subcommittee chairman Edward Markey, a Massachusetts Democrat.

“In my view, consumers deserve, at a minimum: clear, conspicuous, and constructive notice about what the broadband provider’s use of deep packet inspection will be; meaningful, ‘opt-in’ consent for such use; and no monitoring or data interception of those consumers who do not grant consent for such use,” Markey said.

Much of the subcommittee’s fire was reserved for Bob Dykes, chief executive of NebuAd, an online advertising company that aggregates information to serve up targeted ads.

The Post Office is not allowed to go through your mail and neither should your ISP, Markey said. The idea that NebuAd might be exempt because it is a private company is not a valid argument because private companies like FedEx and UPS are also banned from going through consumers’ packages.

When asked by Markey to support to an opt-in standard for authorizing the use of consumers’ data, Dykes deferred.

“I would say to characterize opt-in or opt-out is probably not as important as saying there should be a very robust notice” of what NebuAd is doing with a persons’ data, he said.

Markey was not convinced. “No, you have to get the consumer to say yes,” he pushed. “Do you support that?”

“I think you’re forcing me into one of those ‘have you stopped beating your wife?’ questions,” Dykes responded.

“Have you stopped beating the consumer?” Markey asked.

At this point, ISPs include notices of impending deep-packet inspection as bill inserts or in e-mails to customers, Dykes said.

His company is working with the Center for Democracy and Technology (CDT) to instead have those notices pop when a user signs on to their account. That notice would tell the customer that their activity would be tracked and give them the option to opt out. If they took no action, however, their activity would be tracked by default.

That seemed to be the point of contention between Dykes and several Democratic members of the subcommittee.

“I think most Americans would believe the information they have about themselves is theirs. Just because I belong to an ISP doesn’t give me the right to be tracked,” said Rep. Bart Stupak, D-Mich. “Why should the burden be on the American consumer?”

“I think that there should be a common set of laws around privacy in this country that generally treats various techs in the same manner,” Dykes said.

“The idea that anyone can examine what you do, where you go … I think goes against everything that the country’s been founded on and that most Americans believe,” said Rep. Mike Doyle, a Pennsylvania Democrat. “And I don’t care if an ISP is doing it or Google’s doing it, it shouldn’t be happening.”

Ranking member Cliff Stearns, a Florida Republican, defended Dykes somewhat by pointing out that online notifications could be burdensome.

“If Congress mandates that, isn’t it possible that when I go on the Internet … there would be a constant dialogue box and every consumer will have to click in and click out” of every Web site, Stearns asked.

“It doesn’t have to be a box on every Web site you visit, just [one notice from] your ISP,” Doyle countered.

This has been a rough month for Dykes and NebuAd. He faced the firing squad in the Senate last week where Sen. Byron Dorgan, a North Dakota Democrat, compared NebuAd’s activities to wiretapping.

At that hearing, Dykes clashed with Leslie Harris, president and CEO of CDT. Dykes said he believed that data collection on the Internet could indeed be truly anonymous but Harris disagreed, pointing to AOL, which in 2006 mistakenly released 20 million search queries that included identifiable data.

NebuAd and CDT are now working together to reach a “common ground” on consumer notification, Dykes said. The two groups met Wednesday and came to a “high-level understanding” about how to allow Web users to opt-out of NebuAd’s targeted advertising.

Earlier this week, the House Energy and Commerce Committee penned a letter to Embarq Corporation regarding a test the company recently performed in conjunction with NebuAd to create consumer profiles based on consumers’ web browsing data.

The committee asked Tom Gerke, CEO of Embarq, to provide detailed information on when and where it conducted its test with NebuAd, whether Embarq conducted a legal analysis of the practice, and its policy on opt-in vs. opt-out.

Gerke was asked to respond by July 21.

The American Civil Liberties Union (ACLU) voiced its opposition to deep-packet inspection Thursday.

“Every time we visit the Internet, everything we read, everything we see – all of it is up for grabs with DPI,” Timothy Sparapani, ACLU senior legislative counsel, said in a statement. “If that information is obtained by the government, then you have exactly zero privacy online.”