RealTime IT News

House Panel Begins Work on Online Privacy Law

Privacy legislation

WASHINGTON -- Members of a House panel today held the first in a series of planned hearings on electronic privacy, receiving widely varying recommendations from industry executives and Internet advocates as they begin work on a bill that would set limits on how online companies collect data about their consumers.

The debate over online privacy has been simmering on Capitol Hill for more than a decade, and lawmakers continue to struggle to find a balance between protecting consumers from deceptive marketing practices and establishing an overly rigid legal framework, which many in the industry warn could choke off the advertising that has been the revenue engine of the Web. Ads, after all, are the reason that most content and services are available on the Web for free.

The nominal focus of today's hearing was ISPs' use of deep-packet inspection (DPI), a technique of examining the contents of Internet traffic passing across a network. That issue vaulted onto the congressional radar last summer, when groups began raising concerns about a startup called NebuAd that had partnered with several ISPs to use the technology to monitor people's Web browsing activities to serve more relevant ads.

NebuAd doggedly maintained that it wasn't profiling individuals, merely applying an automated technology to improve the quality of ads Web users saw. But the damage was done. NebuAd's CEO took his lumps on Capitol Hill in a well-publicized series of hearings, and ultimately left the company after its ISP customers started shelving their trials of the service. NebuAd eventually dropped its DPI-based technology.

But fast forward to today, and many of the same questions remain unanswered. How should Web firms ensure consumers are giving informed consent? How should personally identifiable information be defined? How should a legal framework distinguish between the legitimate uses of DPI, such as fighting malware and blocking spam, and what Rick Boucher, D-Va., sees as the more sinister applications of the technology.

"Its privacy intrusion potential is nothing short of frightening," said Boucher, the chairman of the Subcommittee on Communications, Technology and the Internet. Boucher said that he and Florida's Cliff Stearns, the ranking Republican on the panel, plan to work on the bill together, reprising an unsuccessful earlier effort by the pair in 2005 to advance online privacy legislation.

The NebuAd flap helped broaden the Internet privacy debate beyond the advertising practices of Web firms like Google, Microsoft and the hundreds of smaller ad-tech and network outfits that all engage in various data-collection practices. That episode highlighted the reality that ISPs are increasingly looking to grab a piece of the Internet ad revenue, a policy challenge compounded by a glut new mobile applications and efforts by cable providers to introduce sophisticated targeting technologies to television ads.

Partisan fissures emerged as the representatives discussed the scope the bill should take in their opening remarks this morning.

"Our focus should go beyond only broadband providers and look at the entire Internet universe" to include search engines, ad-tech firms and others, said Stearns. "We cannot have this discussion without addressing them as well."

But Anna Eshoo, a California Democrat who represents Silicon Valley -- home to many of the Web firms long opposed to rigorous online privacy legislation -- said that companies like Google or any online content provider should be held to looser privacy obligations than "common carriers" when it comes to privacy. ISPs, Eshoo said, have a different relationship with their consumers than those Web firms, who have already obtained a higher level of consent by virtue of the consumer selecting to use their services.

[cob:Special_Report]"A healthcare provider and a stock broker shouldn't be regulated under the same structure," Eshoo said.

In terms of network providers and DPI, today's witnesses said that, to their knowledge, no ISP is currently using the technology for the purposes of serving behaviorally targeted ads.

The representatives tried to pin down Dorothy Attwood, AT&T's chief privacy officer, about the possibility of her company using the technology for ad serving without obtaining consumer consent in the form of opting in to the data collection. The issue of opt-in consent was the subject of a testy exchange between NebuAd's then-CEO Bob Dykes and Rep. Ed Markey at a hearing on the same subject last July.

But Attwood skirted a direct answer, telling the panel that "opt-in is an old term."

Page 2: Pro-consumer purposes for DPI?