Net Privacy Could See Action in Next Congress

online privacy

The debate over online privacy may be headed for a lull in the coming weeks, but you can expect it to resume in earnest next year, when legislation is likely to appear before a new Congress calling for baseline safeguards for Internet users.

Rep. Ed Markey (D-Mass.), who chairs the Subcommittee on Telecommunications and the Internet, is planning to introduce legislation in the next session to create something like an online bill of rights.

“The general idea here is to strengthen consumer privacy protections [and] ensure that consumers are aware of who is collecting their information and when they are collecting it,” Markey’s communications director, Jessica Schafer, told InternetNews.com.

Congress, which is in recess now, is not likely to revisit the issue of online privacy in the three remaining weeks it will be in session before adjourning again Sept. 26 for the presidential election.

Nevertheless, this year has seen increasing government scrutiny into the privacy policies of online advertisers. That trend may be likely to carry over into the new Congress and administration, particularly as Internet companies develop increasingly sophisticated techniques for targeting ads.

Informing Markey’s bill will be the responses from more than 30 Internet companies — mostly ISPs — to a letter Markey and his colleagues sent out asking the companies for details about how they target advertisements online. The letters followed a hearing Markey’s committee held looking into an emerging technique that some ISPs have been experimenting with to target ads to their subscribers based their Web activities.

In addition to Markey, the signatories were Reps. John Dingell (D-Mich.), who chairs the House Energy and Commerce Committee; Joe Barton (R-Texas), the ranking GOP member on the committee; and Cliff Stearns of Florida, the ranking Republican on the Subcommittee on Telecommunications and the Internet, which Markey chairs.

Deep-packet inspection under the microscope

While privacy advocates have long warned about companies like Google (NASDAQ: GOOG) and Yahoo (NASDAQ: YHOO) developing detailed profiles about their users’ interests and preferences, the most recent dustup centered around a company called NebuAd.

NebuAd, a Redwood City, Calif.-based startup, partners with ISPs to collect the Web activities of their subscribers, and filter that information into different product categories, which then instruct the placement of an ad. The idea is to glean an inference about a person’s interests, and show an ad that matches those interests.

In that sense, NebuAd’s is allowing ISPs to do the same thing that every online advertiser is trying to do: show ads that the consumer will find more relevant and be more likely to click on.

The problem is the method. NebuAd, which did not respond to requests for comment for this story, has become a lightning rod for privacy concerns ever since it was came to light that it uses a technique called deep-packet inspection (DPI) to discern the content of Internet traffic.

The scandal became national news when Charter Communications, the nation’s fourth-largest cable provider, announced that it was abandoning its plans to trial the technology June 25. In the time since, NebuAd CEO Bob Dykes has testified before at least two congressional committees, insisting that the technology does not collect personally identifiable information, and that it ignores information on sensitive topics such as health or finance.

NebuAd’s system has an opt-out mechanism. But for Markey, who has likened what NebuAd enables an ISP to do to the U.S. Postal Service opening people’s mail instead of simply reading the address label, that’s not enough.

“He has a lot of serious concerns about DPI tracking and feels very strongly that consumer should have to opt in to that kind of tracking,” Schafer said.

Page 2: ISPs reveal behavioral tracking efforts

Page 2 of 2

ISPs reveal use of NebuAd

The letters from Markey and his fellow legislators to the tech companies were meant as a fact-finding mission, Schafer added.

“We’re trying to get a comprehensive picture of what’s happening and what’s out there,” she said. “As we do develop some kind of legislation for the next session, we want to have all the information in front of us.”

An examination of the responses from the 29 ISPs that received letters shows that five deployed NebuAd’s technology. Each has since abandoned it.

Four ISPs — Cable One, Bresnan Communications, CenturyTel and Knology — conducted limited trials in small towns or rural areas before discontinuing the experiment. Save for Cable One, each ended the trial in either June or July, after the highly publicized move by Charter to drop the service.

The fifth, Wide Open West, or WOW, had deployed NebuAd’s technology for about four months to 330,000 of its subscribers throughout the Midwest, before ending the partnership on July 8, the day before the first hearing in which Dykes testified.

In response to a question asking whether they had collected any health, financial or other sensitive information, each said it had not, and that NebuAd offered the assurance that it was only collecting anonymous data that fit into one of its innocuous ad categories.

Each also said that it had notified subscribers about the trial, and that its trial was within the boundaries of the law.

Earlier this year, the policy-reform group Center for Democracy and Technology released a legal analysis claiming that ISPs using NebuAd’s technology could run afoul of state and federal wiretapping laws.

Legislation establishing protections for handling consumer data online would be welcome to the privacy advocates who have long been frustrated with congressional inaction on the subject.

For their part, heavy hitters like Google and Microsoft have expressed support for a baseline privacy law that would apply to all industries, not just the Internet. Online advertising, they argue, is evolving so quickly that legislation wouldn’t be able to anticipate new developments, which could ultimately stifle innovation. The Internet, they argue, is best served by a policy of self-regulation, which is the approach the Federal Trade Commission has taken.

“The type of pushback we receive is going to depend on the kind of legislation we draft,” Schafer said, noting that Markey’s staff is only beginning to sort through the responses. Still, for a long-time privacy advocate such as Markey, Schafer can guess at the bill’s scope.

“It’s going to be an Internet-based piece of legislation, I expect,” she said. “It’s a concept now.”

News Around the Web