House Panel Begins Work on Online Privacy Law

WASHINGTON — Members of a House panel today held the first in a series of planned hearings on electronic privacy, receiving widely varying recommendations from industry executives and Internet advocates as they begin work on a bill that would set limits on how online companies collect data about their consumers.

The debate over online privacy has been simmering on Capitol Hill for more than a decade, and lawmakers continue to struggle to find a balance between protecting consumers from deceptive marketing practices and establishing an overly rigid legal framework, which many in the industry warn could choke off the advertising that has been the revenue engine of the Web. Ads, after all, are the reason that most content and services are available on the Web for free.

The nominal focus of today’s hearing was ISPs’ use of deep-packet inspection (DPI), a technique of examining the contents of Internet traffic passing across a network. That issue vaulted onto the congressional radar last summer, when groups began raising concerns about a startup called NebuAd that had partnered with several ISPs to use the technology to monitor people’s Web browsing activities to serve more relevant ads.

NebuAd doggedly maintained that it wasn’t profiling individuals, merely applying an automated technology to improve the quality of ads Web users saw. But the damage was done. NebuAd’s CEO took his lumps on Capitol Hill in a well-publicized series of hearings, and ultimately left the company after its ISP customers started shelving their trials of the service. NebuAd eventually dropped its DPI-based technology.

But fast forward to today, and many of the same questions remain unanswered. How should Web firms ensure consumers are giving informed consent? How should personally identifiable information be defined? How should a legal framework distinguish between the legitimate uses of DPI, such as fighting malware and blocking spam, and what Rick Boucher, D-Va., sees as the more sinister applications of the technology?

“Its privacy intrusion potential is nothing short of frightening,” said Boucher, the chairman of the Subcommittee on Communications, Technology and the Internet. Boucher said that he and Florida’s Cliff Stearns, the ranking Republican on the panel, plan to work on the bill together, reprising an unsuccessful earlier effort by the pair in 2005 to advance online privacy legislation.

The NebuAd flap helped broaden the Internet privacy debate beyond the advertising practices of Web firms like Google, Microsoft and the hundreds of smaller ad-tech and network outfits that all engage in various data-collection practices. That episode highlighted the reality that ISPs are increasingly looking to grab a piece of the Internet ad revenue, a policy challenge compounded by a glut of new mobile applications and efforts by cable providers to introduce sophisticated targeting technologies to television ads.

Partisan fissures emerged as the representatives discussed the scope the bill should take in their opening remarks this morning.

“Our focus should go beyond only broadband providers and look at the entire Internet universe” to include search engines, ad-tech firms and others, said Stearns. “We cannot have this discussion without addressing them as well.”

But Anna Eshoo, a California Democrat who represents Silicon Valley — home to many of the Web firms long opposed to rigorous online privacy legislation — said that companies like Google or any online content provider should be held to looser privacy obligations than “common carriers” when it comes to privacy. ISPs, Eshoo said, have a different relationship with their consumers than those Web firms, who have already obtained a higher level of consent by virtue of the consumer selecting to use their services.

“A healthcare provider and a stock broker shouldn’t be regulated under the same structure,” Eshoo said.

In terms of network providers and DPI, today’s witnesses said that, to their knowledge, no ISP is currently using the technology for the purposes of serving behaviorally targeted ads.

The representatives tried to pin down Dorothy Attwood, AT&T’s chief privacy officer, about the possibility of her company using the technology for ad serving without obtaining consumer consent in the form of opting in to the data collection. The issue of opt-in consent was the subject of a testy exchange between NebuAd’s then-CEO Bob Dykes and Rep. Ed Markey at a hearing on the same subject last July.

But Attwood skirted a direct answer, telling the panel that “opt-in is an old term.”

A nine-page privacy policy written in the densest of legalese does little to secure informed consumer consent, since most Web users readily admit they typically click the box marked “I agree” without reading the agreement, she said.

“The customer is not really participating in that decision,” Attwood said. “I think ‘engagement’ is actually a better to describe what we’re talking about, which is customer awareness.”

“We will in fact bring the customer into the decision about how their information is used before we use DPI for any form of advertising,” she said.

The panelists generally agreed that the debate needs to move beyond the opt-in/opt-out dichotomy to craft new methods of educating consumers about what data is being collected and how it is being used. That consensus broke down when they were asked bluntly whether they thought a baseline privacy law was necessary.

Kyle McSlarrow, president and CEO of the National Cable and Telecommunications Association (NCTA), the trade group representing the cable industry, urged the panel to forgo a law in favor of prodding the industry toward a policy of self-regulation, a position long championed by other industry groups like the Interactive Advertising Bureau.

McSlarrow also downplayed the sinister connotations associated with DPI, lamenting how the technology, despite all of its good and necessary applications, has become unfairly equated with big corporations setting up an electronic surveillance state.

“I think everyone concedes that deep-packet inspection has beneficent and pro-consumer purposes,” he said. “The only tracking that I want to do is actually track down the engineer that came up with the term ‘deep-packet inspection’ and shoot him.”

An opposing view came from the witness to McSlarrow’s immediate right in the person of Leslie Harris, president and CEO of the Center for Democracy and Technology, a digital-rights group that was among the loudest critics of NebuAd’s practices last year and is calling for a comprehensive law that would apply to all forms of electronic data collection.

“In our view, deep-packet inspection is really no different than postal operators opening letters and reading what’s inside,” Harris said. “Consumers simply do not expect to be snooped on by their ISPs or other intermediaries in the network.”

She added that “as DPI matures and becomes more widely employed, our concern is that any notion of limited use is going to give way to mission creep.” Her group has raised concerns about cybersecurity legislation currently under consideration in the Senate, which she fears could give the government sweeping control to bypass existing privacy laws and order the wholesale interception of consumers’ electronic communications.

Other groups raised concerns about ISPs using DPI to screen for copyright violations of digital content through an automated filtering mechanism they say would inevitably produce false positives that blocked legitimate traffic.

Ben Scott, policy director of the media-reform group Free Press, also warned that ISPs could be tempted to deploy DPI technology across their networks to throttle or slow transmissions from rival services, such as Internet phone providers.
