anonymous final1

							                        Online Behavioral Advertising: A Suggested Solution



        The advent and proliferation of online behavioral advertising has sparked a heated

debate: Should lawmakers take action and pass legislation to regulate the online advertising

industry or should they step aside and allow for a self-regulatory framework? Both sides in this

debate have proposed legitimate reasons for either enacting or withholding governmental

legislative efforts. However, this paper proposes a bifurcated solution which will allay the

concerns of privacy advocates while allowing for the flexibility that the Internet and online

advertising industry need in order to grow.

        The current landscape in online behavioral advertising can be broken down into two

sectors: third-party behavioral targeting and internet service provider-based behavioral targeting

(“ISP-BT”). Third-party behavioral targeting entails “anonymously monitoring and tracking the

content read and sites visited by a designated unique user . . . by serving tracking codes, which

are implemented as cookies, on a user’s computer as s/he is served ads from various online

advertising networks.”1 Using the collected information, third party advertising networks build

profiles on unique users which are then used to match and deliver relevant advertisements to

them as they navigate from website to website. ISP-BT is achieved at the network level by way

of deep packet inspection (“DPI”). DPI allows ISPs to examine the data and header part of a

packet as it passes an inspection point, searching for non-protocol compliance, viruses, spam,

intrusions or predefined criteria to decide if the packet can pass or if it needs to be routed to a

different destination, or, more relevant to this paper, for behavioral targeting.2 The behavioral

1
   Loren Baker, Behavioral Targeting and Contextual Advertising, Search Engine Journal, Sept. 1, 2004,
http://www.searchenginejournal.com/behaviroal-targeting-and-contextual-advertising/836.
2
  See Wikipedia, Deep packet inspection, http://en.wikipedia.org/wiki/Deep_packet_inspection.
                                                                                                     Page 1 of 4
targeting aspect of DPI is concerning to many privacy advocates given that this technology

would allow ISPs access to the “mailing address” as well as the contents inside the “letter” for

ISPs targeted advertising efforts. I propose allowing for a self-regulatory framework to police

behavioral targeting by third-party networks and adopting light legislation to regulate the more

intrusive ISP-BT.

       The benefits of third-party behavioral advertising (i.e., allowing for free Internet content,

expanding growth opportunities for small businesses and delivering more relevant

advertisements) outweigh the current privacy concerns in this sector. Self-regulatory agencies are

enacting tough policies to police the industry and technology is available in the marketplace that

allows Internet users to take effective self-help measures. These two market forces provide a

comprehensive and flexible solution that makes privacy legislation in this sector unnecessary and

burdensome.

       The self-regulatory agencies such as the Network Advertising Initiative (“NAI”) have

garnered support from the Federal Trade Commission (“FTC”) in efforts to develop a workable

self-regulatory framework. The NAI and the FTC are working in concert to promulgate

principles of notice, consumer choice, data security, material change consent and sensitive data

consent. Given the NAI’s broad membership within the online advertising industry and the

FTC’s backing of a self-regulation, the current solution for third-party behavioral targeting

should focus on self-regulation.

       In addition, Internet users can take privacy measures into their own hands by configuring

their browsers to reject third-party cookies. Also, there are software programs available that

allow more cautious Internet users greater precision and control over the management of cookies.

The availability of these self-help technologies further makes privacy legislation and regulation

                                                                                         Page 2 of 4
in this sector superfluous given that Internet users concerned about third-party targeting can

effectively eliminate this specific threat altogether with a few simple keystrokes.

       ISP-BT and DPI present a far greater concern in the world of behavioral advertising

given the highly intrusive nature of DPI and its transparency. That said, DPI is not a technology

without merit and valuable uses. ISPs may employ DPI to manage network traffic and

congestion, filter out spam, and to combat viruses. These legitimate uses should not fall victim to

a blanket policy prohibiting ISPs from utilizing DPI technology.

       With that in mind, this paper supports a legislative framework that emphasizes consumer

control by way of opt-in consent from users before ISPs can utilize DPI for behavioral targeting

and advertising purposes. Furthermore, the pillars of transparency with full notice and security

must also be incorporated into the legislation. These three pillars are discussed briefly below:

          Consumer Control. Any legislation regulating ISP-BT and DPI must incorporate

           affirmative, opt-in consent before ISPs are allowed to use DPI for targeted online

           behavioral advertising. This measure should be simple for consumers to utilize and

           change at their own discretions and when they so choose.

          Transparency with Full Notice. The legislation must ensure that consumers are given

           full disclosure concerning what DPI technology is and how it works, the information

           collected and its intended uses as well as any changes in the intended uses, and the

           consumers freedom to partake in the ISP-BT efforts or not to. Furthermore, this

           notice should be direct and prominently displayed.

          Security. Lastly, the legislation must direct ISPs to provide for adequate means to

           safeguard personal information that is collected via DPI. It should also prevent the



                                                                                        Page 3 of 4
           ISPs from sharing the collected information with third-parties without consumers’

           affirmative consent.

Legislation addressing ISP-BT and DPI must incorporate the three pillars discussed above given

the highly intrusive and transparent nature of behavioral targeting in this sector.

       In summary, online behavioral advertising is an exciting industry growing almost

exponentially. However, privacy concerns in this arena must be addressed to ensure that

consumer confidence in the Internet remains high. Given the different technologies involved in

the online behavioral advertising industry, a best case solution should not risk stifling the

industry with a chainsaw approach when a scalpel is more than enough to address the privacy

concerns. Third-party behavioral targeting is better suited to self-regulation given the broad

participation by the online industry in this effort as well as the relative ease at which concerned

users can effectively eliminate the threat by self-help measures. ISP-BT is more of a concern

given its highly obtrusive nature and transparent implementation. Legislation in this sector

should include consumer control via opt-in consent, transparency with full notice, and adequate

security to protect the collected data.




                                                                                         Page 4 of 4