September 1, 2008
A curious, slow-motion momentum is building for new rules on online privacy. The Federal Trade Commission, after three years of inquiries, sent a report to Congress in June with sobering findings about just how thoroughly Internet companies are tracking their customers’ Web use so they can be targeted with advertising. Committees of both the Senate and the House held hearings this summer.
Meanwhile, technology is ushering a major new player into the online advertising arena, which has been confined to the huge array of content providers — search engines like Google and Yahoo and myriad Web sites. Now online advertising has drawn the Internet service providers (ISPs), the indispensable giant telecoms that control the pipelines to the vast computer farms that constitute the Internet.
Until recently, since online advertising was the exclusive preserve of content providers, they were the focus of privacy fears. They pitch advertisers on their ability to drop telltale bits of code known as cookies onto the computers of visitors to their sites. Having marked those individuals as ripe for certain ads, they can then follow them and zap them with ads elsewhere on the Web, sharing revenues with other sites.
Of 1,400 Web sites the FTC surveyed, 85 percent collect such personal information. Ninety-two percent of the 674 commercial sites gather data and only 14 percent tell people they’re doing so. Of sites for children, 89 percent compile personal information and under 10 percent let parents restrict what’s gathered.
Now, however, Deep Packet Inspection technology enables ISPs to conduct online tracking in a more comprehensive way than even Web sites can. Until now, as online pioneer David Reed of MIT told a House hearing in July, the Internet rested on a clear distinction between shipping and content. The ISPs are shippers, with no more reason to peer into the packets of text, music or video than the postal service has to read your mail.
But DPI lets the shippers see into those packets and, depending on what’s there, insert material that will flag them as signaling an advertising prospect.
The telecoms claim that in light of the sorry state of online privacy, fretting about DPI is like worrying about window blinds on a house that has no walls, as an industry consultant said at the same hearing.
But packet inspection is different. Using a Web site, even mighty Google, is free and optional. But ISPs aren’t free and they aren’t optional. You can’t access the Internet without them.
Worse, ISPs know everything — everywhere you browse, how long you stay there and, oh, who you really are. They can record the full range of your online behavior, and know enough about you to link up with innumerable conventional data sources. They can rent out a roadmap to where you’ve been and what you’ve done that reveals more than anything even you could compile.
The U.S. public has been remarkably quiescent about this. In Britain, when news leaked out that an advertising firm called Phorm had run secret DPI trials with British telecoms, consumers were furious, and the government declared companies would need to seek explicit consent from consumers.
But when Charter Communications, with 2.7 million customers one of the bigger U.S. ISPs, announced a pilot DPI program with the ad company NebuAd, coverage was sparse and public reaction muted. Although surveys consistently show consumers are uncomfortable about having their browsing histories pimped, sites that do so don’t seem to incur public wrath.
FTC staff has proposed principles intended to give Internet users details about what information is used for and by whom, and allow them to opt for privacy (albeit at the cost of access to some Web sites.) Lawmakers are talking about an online privacy bill of rights in the next Congress.
But it’s a curiously limp reform effort, less a movement than a gesture. Unlike the broad public outrage in 2003 over broadcasting ownership consolidation, online privacy, which especially in its DPI form is even more disturbing, has a thin and lonely constituency. That’s too bad. History suggests that the window for adopting sensible and fair-minded rules on a new medium opens only early in its development, and shuts quickly.
(Disclosure: Despite my sympathies, for personal reasons I put money into an online advertising startup that would probably benefit from weak privacy rules.)