ISPs, Behavioral Advertising, and Privacy

By Stephanie Jordan
in

This summer The Center for Democracy & Technology (CDT) put into question the legal standing of a new approach to online advertising being considered by Internet Service Providers (ISPs) and Internet advertising networks. Under the new scheme, an ISP allows an advertising network to copy the contents of the individual Web traffic streams of the ISP’s subscribers. The advertising network then creates a record of each individual’s online behavior and uses it to target ads to the consumer. “Based on what we know so far, this new advertising model appears to defy reasonable consumer expectations and may violate communications privacy laws,” comments CDT President and CEO Leslie Harris.

CDT analysis concludes that this use of Internet traffic content by ISPs may run afoul of federal and state wiretap laws. Federal law would allow the practice with the consent of the subscriber. However, CDT notes, that consent should not be obtained through a notice buried in a “terms of service” agreement or inserted in a billing statement. State law may be even more stringent, requiring consent from all parties.

In a testimony before the Senate Commerce, Science & Transpor-tation Committee, Harris notes, “In the last year, Internet Service Providers (“ISPs”) have begun to form partnerships with ad networks to mine information from individual Web data streams for behavioral advertising. Ad networks that partner with ISPs could potentially collect and record every aspect of a consumer’s Web browsing, including every Web page visited, the content of those pages, how long each page is viewed and what links are clicked. Emails, chats, file transfers and many other kinds of data could all be collected and recorded.”

Harris believes the ISP model raises some particularly serious questions, especially due to consumers not expecting their ISP to be selling the information to third parties and advocates without clear notice and consent. “The use of Internet traffic content from ISPs for behavioral advertising is different from the “cookie”-based model in significant ways and raises unique concerns. Among other differences, it copies all or substantially all Web transactions, including visits to sites that do not use cookies. Thus, it may capture not only commercial activity, but also visits to political, advocacy, or religious sites or other non-commercial sites that do not use cookies.”

Does likening the practice to wiretapping seem extreme? Not from the CDT’s perspective. In its memo, An Overview of the Federal Wiretap Act, Electronic Communications Privacy Act, and State Two-Party Consent Laws of Relevance to the NebuAd System and Other Uses of Internet Traffic Content from ISPs for Behavioral Advertising, CDT defends its position. “When an ISP copies a customer’s communications or allows them to be copied by an advertising network; those communications have undoubtedly been ‘intercept[ed].’ Therefore, unless an exception applies, it seems likely that placing a device on an ISP’s network and using it to copy communications for use in developing advertising profiles would constitute illegal interception.”

Harris notes that the Wiretap Act permits interception of electronic communications when the activity protects the rights of property of the provider of the service—for instance filtering and monitoring for spam, virus and phishing. “But this cannot be extended to advertising activities, which, while they may enhance the service provider’s revenue, do not ‘protect’ its rights.”

For Your Reference

Center for Democracy & Technology: www.cdt.org

Federal Trade Commission: www.ftc.gov

Ferris Research: www.ferris.com

Proofpoint, Inc.: www.proofpoint.com

TRUSTe: www.truste.com

Published August 1, 2008