Rep Ed Markey _Democrat_ - The Peter Swire Homepage

Document Sample
Rep Ed Markey _Democrat_ - The Peter Swire Homepage Powered By Docstoc
					        Protecting Consumer Privacy in the Digital Millennium: A Legislative
        Solution to Behavioral Advertising and Deep Packet Inspection

                            Michael Duffy (as Congressman Ed Markey)

                                        I. EXECUTIVE SUMMARY

        The online advertising industry has encroached upon the privacy of Americans over the

last decade as the Internet and broadband access have grown. While most Americans are aware

of the threat that malicious hackers pose1, many are unaware that strangers are legally watching

their every move online, collecting information about them, and selling that information to third

parties. Advertising service providers are converting the personal information of consumers into

profiles for sale to advertisers. This activity falls under the umbrella of “behavioral advertising”

and has generated substantial controversy as powerful corporate entities like Google position

themselves for expansion into this market.

        The newest threat to consumer privacy, Deep Packet Inspection (DPI) technology,

exposes the need for a legislative framework that establishes basic online privacy rights for

Americans. While other behavioral advertising methods are capable of tracking a user’s activity

across multiple websites, the tracking ability was limited to websites using the same cookie

technology. DPI technology gives advertising service providers access to every communication

that users transmit to each other including emails and instant messaging. Consumers are at the

mercy of an advertising service whose only current constraints are a weak patchwork of narrow

statutes and self-regulatory privacy policies. Americans deserve greater legal safeguards against

intrusions into their privacy.

  This issue was brought to national attention most recently by the hacking of Gov. Palin’ s Yahoo account. See
Farhad Manjoo, Gov., WASH. POST, Sept 21, 2008, at B05, available at (last accessed October
10, 2008).

        Specifically, Americans need legislation that recognizes their fundamental online privacy

rights. First, those seeking to collect information about Americans by tracking their online

activities must give clear notice in plain language about what information will be collected and

how it will be used. Second, the notice should be followed by an opt-in mechanism allowing

consumers to consent to their information being collected and used in the manner outlined in the

notice. Third, information should not be collected from a consumer until the consumer has made

the decision to opt-in. This legislation will encourage more stringent self-regulation within the

industry, and such self-regulation should adequately address changes in technology and policy


                                             II. INTRODUCTION

        While online advertising has grown over the last decade to provide useful subsidization

for online services and content, it has also become increasingly invasive of individual privacy.

Older methods of advertising include renting out banner ad space on a website. Companies like

Google use "contextual advertising" to display ads relevant to the information that users

specifically request.2 For example, when a user enters a search query such as "toy boats" or

"apples" on, ads from a toy manufacturer or grocer might be displayed on the page

distinctly from the search result. This method of advertising has propelled Google to the

successful position to occupies today. Advertisers using it need not obtain any personal

information about the consumer under this system, and the privacy of the consumer is generally


  Privacy Implications of Online Advertising: Hearing Before the Senate Committee on Commerce, Science, and
Transportation, 110th Cong. 4(2008) [hereinafter Senate Hearing 1] (statement of Leslie Harris, President/CEO,
Center for Democracy and Technology), available at
LeslieHarrisCDTOnlinePrivacyTestimony.pdf; Google recently explained some of its advertising services and
information collection policies in a letter to several House Representatives. The letter is available at google_080808.pdf.

        Unfortunately, advertising service providers are moving away from these less invasive

methods in favor of highly intrusive behavioral advertising methods that capture more personal

information from Americans. Advertisers now have the ability to track Americans as they surf

the Internet in order to compile consumer interests, purchases, and personal information into

valuable consumer advertising profiles.3 The practice of collecting this information and using it

to target consumers for the delivery of ad content is known as "behavioral advertising."4 Many

consumers have no idea that they are being tracked.5 While advertisers obtain richer information

on their consumer targets, they invade the privacy of Americans who never gave their consent. If

these tracking methods are used on Americans, individuals must be informed on how their

information will be collected. Furthermore, information should not be collected from a consumer

unless the consumer gives his informed consent to the collector. Congress should pass legislation

to recognize these basic privacy rights and ensure that the advertising industry respects them.


        The focus of this paper is not on traditional, non-behavioral advertising methods such as

contextual advertising. These methods were sufficient to sustain companies like Google and do

not infringe upon the privacy of consumers. However, while a company may use contextual

advertising, it might also decide to collect some basic information on a user including his IP

address. While an IP address identifies a person's computer at a specific point in time, it may be

combined with other information to identify the person himself. Companies like Google argue

PRINCIPLES, 2 (2007),
  Id.; Press Release, FTC Staff Proposes Online Behavioral Advertising Privacy Principles, (Dec. 20, 2007),
available at
  A recent poll shows that 61% of consumers believe information on their online activities cannot be shared without
their consent. ConsumersUnion, Consumer Reports Poll: Americans Extremely Concerned About Internet Privacy
Most Consumers Want More Control Over How Their Online Information is Collected and Used, (Sept 25, 2008), (last visited October 10, 2008).

that an IP addresses is not personal information because it can't always be used to identify the

person using the computer.6 In contrast, others argue that it is personal.7 Some companies take

measures to make the address more anonymous. For example, Google ultimately shortens IP

addresses over time in order to make it harder to identify the user, and it claims that the IP

addresses are needed to maintain the quality of its service to the user.8 However, the IP address

controversy is not the only concern. Behavioral advertising methods using "cookie" or DPI

technology effectively increase the likelihood that a user may be identified and connected with

his online activity. Thus, these new advertising strategies seriously undermine any sense of

anonymity and privacy a user may have on the internet. A brief analysis of behavioral

advertising based on "cookie" and DPI technology reveals why legislation is needed:

        1. Behavioral advertising through tracking cookies is a growing threat to consumer

        The growth of behavioral advertising threatens to consolidate a mass wealth of personal

information on millions of Americans into the hands of powerful corporate entities. Currently,

behavioral advertising technology is largely cookie based. When users visit a website, a small

file called a cookie is deposited on their computers' hard drives. When users visit another website

that recognizes the cookie, that website can log the presence of the users via their IP address and

the tracking cookie. This technology enables ad networks to associate an IP address with a

cookie and trace the activity of a user across the internet. A company called DoubleClick has

implemented this technology.9 Accordingly, Google’s recent acquisition of DoubleClick places

  Aoife White, IP Addresses are Personal Data, E.U. Regulator Says, WASH. POST, Jan. 22, 2008, at D01, available
at (last accessed
October 10, 2008).
  See YouTube, Google Search Privacy: Personalized Search, v=UsUBnPRtTbI
(last visited October 19, 2008).
9, Privacy, (last visited October 18, 2008).

it in a position to track a user’s activity across the internet via third party cookie technology.10

Other powerful companies including Microsoft possess this technology as well.11 In a recent

hearing, Senator Dorgan compared this behavior to that of a marketer who stalks consumers

inside a local shopping mall while writing down everything they do.12 Currently, while these

companies can implement their own privacy policies to safeguard consumer information, there is

no baseline of statutory protection for consumers against the liberal use of tracking cookies.

        While cookie technology enables companies like Microsoft to track users as they surf the

internet, users do have some limited means of preventing such tracking. Users may delete the

cookies manually or automatically with the use of browser settings or using a third party

program called a cookie killer.13 Manual deletion can be tedious and unrealistic as a consumer

may have to delete his cookies every time he moves to a different page on the web.14 Automatic

deletion is problematic as well. This method often has the side effect of deleting or refusing

desirable cookies along with the unwanted cookies.15 Some newer browsers allow users more

control by allowing a user to manually designate some sites for cookie acceptance and others for

rejection, but this process costs the consumer an investment of his time.16 Ultimately, the

advertising industry has thrust the burden on the consumer to educate himself about cookie

technology and to take affirmative action to protect his privacy.

        If a website permits, users may opt-out of having their information collected and tracked

   See Google Press Center: Press Release, Google Closes Acquisition of DoubleClick (Mar. 11, 2008), available at (last visited October 18, 2008).
   See e.g. Microsoft Online Privacy Statement, Display of Advertising, (last visited Oct. 10, 2008).
   Senate Hearing 1, supra note 2, available at rtsp://
   See Mozilla, Cookies, (last visited October 21, 2008);,
Cookie Killer 1, (last accessed Oct. 10
   See Mozilla, Supra Note 13.
   See Id.

by accepting a proprietary opt-out cookie. This special cookie tells other websites that recognize

it not to collect information on the user. Unfortunately, users must get different opt-out cookies

for different websites and ad networks in order to ensure that they aren't being tracked. The

Network Advertising Initiative (NAI) has attempted to simply this process by providing a single

website where several opt-out cookies can be obtained simultaneously.17 Nevertheless, the

system only includes those who have agreed to be NAI participants.18 Furthermore, if consumers

choose to delete their cookies to remove unwanted tracking cookies, they lose the opt-out

cookies as well.

        Unfortunately, even a user's careful use of browser settings and opt-out cookies is not

sufficient to keep his private information from being taken and copied by advertisers. These

techniques do not prevent a user’s IP from being logged and connected with search inquiries on

sites like Google. Furthermore, new companies such as NebuAd and Phorm have utilized a new

technology that gives them total access to a user’s online activities while leaving the user without

simple technological safeguards.

        2. Consumers need clear privacy safeguards against Deep Packet Inspection

        The greatest and most recent threat to the online privacy is the emerging use of Deep

Packet Inspection technology. An advertising service company like NebuAd may partner with

Internet Service Providers (ISPs) to gain access to the basic transmissions between users across

the Internet.19 These basic transmissions are called “packets” and contain bits of information

   See Id.
   Network Advertising Initiative, Opt Out of NAI Member Networks,
managing/opt_out.asp (last visited Oct. 10, 2008).
   See What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications
Laws and Policies: Hearing Before the Subcomm. on Telecommunications and the Internet of the H. Comm. on
Energy and Commerce, 110th Cong. 10-19 (2008) [hereinafter House Hearing] (statement of Dr. David P. Reed),
available at

about the a user.20 Everything that the user sends or receives over the internet is contained in

these packets.21 Therefore, total access to these packets effectively equates to access to a user’s

entire online activity. Companies including NebuAd and Phorm have the technology to

effectively intercept packets, open them, glean their contents, and record the information for

commercial sale.22 While they claim to have implemented sufficient safeguards to delete any PII,

it is still possible for a third party to identify a person based on the aggregation of information in

the profile.23

        In July, the Subcommittee on Telecommunications and the Internet held a hearing on the

issue of DPI which shed light on why this new technology should be considered a serious

violation of consumer privacy. Dr. David P. Reed, an innovator of the internet and MIT adjunct

professor, used a post office analogy to describe the use of DPI technology on data packets.24

Users of the internet frequently send letters (data packets) to each other containing information

about the sender.25 Through DPI, the postal carrier (an ISP) or his associate (a company like

NebuAd) unnecessarily opens the letter or package that one person tries to send to another and

examines all of its contents.26 Over time, he opens hundreds or thousand's of letters and sells the

information as a commercial product to advertisers. If an American discovered that a U.S. Postal

worker or FedEx worker engaged in such a practice, he would be understandably outraged at the

invasion of his privacy. The fact that this activity takes place in a digital environment does not

make a difference to the consumer. In both cases, his privacy is violated as his personal

   See Id., available at wmedia/energycommerce/071708.ti.web.use.hrg.wvx.
   House Hearing, supra note 19 at 7, 10-15 (Statement of Dr. David P. Reed), available at

correspondence is open and read without his consent.

        Proponents of DPI have presented an unpersuasive argument that self-regulating privacy

policies alone are sufficient to safeguard the interests of the consumer. These privacy policies

often do not even require that consumers give their consent to the inspection of their

communications before their information is collected and marketed as a product.27 At a hearing

in July, NebuAd testified that it removed sensitive information and personally identifiable

information before marketing a user’s profile. Id. Unfortunately, as NebuAd has admitted, the

technology is not perfect as a user may still be identified as his information is aggregated.28

Even if anonymity was perfectly maintained, the policy still does not respect the need for

consumer consent. Consumers would still be angry at the postman for opening their mail even if

he promised them that he didn’t copy any of their personal information as he defined it. The

existence of companies like NebuAd has increased the need for basic statutory mandate on the

industry to establish meaningful opt-in consent policies that respect consumer privacy rights.

                                     IV: A LEGISLATIVE SOLUTION

        The emergence of behavioral advertising and DPI heightens the need for a basic online

privacy bill of rights for consumers to protect them from inadequate self-regulation.29 This

legislation would not attempt to solve every problem in the online advertising industry. It merely

establishes the groundwork for a self-regulatory system that respects the fundamental right of a

consumer to make an informed choice on whether to allow others access to his information. It

recognizes that consumers should have a legal recourse against those would clandestinely

   See e.g. House Hearing, supra note 19, at 4-5 (Summary of Testimony of Bob Dykes, CEO NebuAd, Inc.),
available at
   Senate Hearing 1, supra note 2, available at rtsp://
   See House Hearing, supra note 19, at 4 (Statement of Alissa Cooper, Chief Computer Scientist, Center for
Democracy and Technology), available at

monitor them and record their activities without informing them of their actions or asking for

consent. Appropriate legislation should include the following provisions:

        1. Consumers must be given clear, unambiguous notice detailing any collection or
        use of their information.

        While many websites contain privacy notices that give consumers a rough idea of

whether or not their information will be collected, consumers often neither understand nor see

these notices. Unfortunately, the advertising service providers often rely on consumer ignorance

to turn a profit. They don’t expect consumers to click on obscure privacy notice links and wade

through all of the legal jargon on every website they access.30 Consequently, many consumers

are never meaningfully informed before their personal information is copied and archived.31

Furthermore, in the case of behavioral advertising, consumers have no knowledge that their

information is being shared among ad network participants to track their activity across many

unrelated sites.32

        Consumers deserve clear notice in plain language detailing the intentions and privacy

policies of all who wish to monitor consumers and retain information about their online

activities. The notice should explain how the information may be used and how long it will be

retained. It should detail how the information might be modified, manipulated, and sold to third

parties. If the information collected from the consumer will be modified to ensure the consumer's

anonymity, the notice to the consumer should explain how the information is made anonymous

and the likelihood that anonymity might be compromised. It should also direct the consumer to

plain language sources explaining the significance of IP addresses and other potential source

identifiers that could be used to identify the consumer.

   See J. Howard Beales, III & Timothy J. Muris, Choices or Consequences: Protecting Privacy in Commercial
Information, 75 U. CHI. L. REV. 109, 113-115.

        Appropriate legislation should contain a safe-harbor provision that allows self-regulatory

bodies to determine more specific standards for appropriate notice. This legislation cannot hope

to contemplate how technology will change over the course of time. The industry is in a better

position to adapt to these changes. Ultimately, this legislation should encourage the advertising

industry to strive towards higher standards in order to ensure that they comply with this act.

Self-regulatory bodies may offer guidance on what constitutes appropriate notice. Accordingly,

those who act according to these standards in good faith compliance with this legislation should

have safe harbor.

        2. Consumers must be given a meaningful opt-in mechanism for consenting to the use
        of their information.

        An effective opt-in mechanism is an essential safeguard for the online privacy of

Americans. A meaningful opt-in mechanism would ensure that consumers have the ability to

make an informed choice to participate a program that collects their personal information. In the

case of Deep Packet Inspection, an opt-in system would ensure that packet inspection does not

violate the principles of the Wiretap Act.33 It would give consumers greater bargaining power to

determine what benefits they will receive in exchange for their personal information. Currently,

consumers bear the unfair burden of opting out from every attempt to collect their information

online. This practice is wrong because it allows strangers the authority to decide what

information a consumer should give up in exchange for any benefits from online advertising.

        An opt-in system should accompany the clear and thorough notice of an advertising

service’s collection policies. The opt-in system serves to protect both the consumer and the

advertising service. If the opt-in mechanism follows a clear notice of the policies that the

  ConsumersUnion, Supra Note 5.
  See House Hearing, supra note 19, at 22-32 (Statement of Alissa Cooper, Chief Computer Scientist, Center for
Democracy and Technology).

consumer is being asked to agree to, the opt-in mechanism can act as proof that the consumer

received the notice. The entity collecting the information could use the opt-in selection in

connection with the notice in order to prove that it complied with the law. Furthermore, the

collector may implement additional safeguards. For instance, it could require the consumer to

answer a brief questionnaire to ensure he understands and complies with individual points in the

privacy policy. The opt-in agreement ultimately strikes a balance between each party's interests.

          3. Consumers should not be monitored or subject to data collection without their
          express consent.

          Advertisers should not be allowed to collect information on consumers by default. Prior

to delivering notice and receiving consent through an opt-in mechanism, an advertising service

should not collect information on a consumer. In the case of sensitive data including an

individual's health information, an opt-in system is an essential privacy safeguard. Sensitive

information should never be collected without the consumer's express consent. NebuAd

proposed a system under which it would attempt to guess whether a user would want to agree to

its data collection efforts initially based on the consumer's browser settings.34 The purpose of

notice and opt-in requirements is to ensure that consumers are the ones who make the initial


          While this legislation is primarily concerned with addressing the threat of emerging

behavioral advertising techniques, it applies broadly to include all attempts to collect a

consumer’s personal information. For example, Google may collect and store the IP addresses of

users of its site for many legitimate purposes that are not directly tied to advertising. While

Google’s use of IP addresses in this fashion serves a legitimate purpose in the consumer’s

interest, the consumer should still be the one to decide whether the benefits outweigh the privacy

     House Hearing, supra note 19 (Testimony of Bob Dykes, CEO NebuAd, Inc).

risks. Therefore, Congress should implement this legislation to encourage Google and other

companies to private adequate notice to consumers with an opt-in consent system to ensure

consumers receive and understand the notice before they collect any information.

                                         V: SELF-REGULATION

        This legislation would not take the place of self-regulation in the advertising service

industry. It merely establishes a baseline of rights that any set of regulatory rules should include

at a minimum. The provisions above will allow consumers to make informed decisions on

whether they should allow others to track their online activities and use that information for

commercial or non-commercial purposes. Accordingly, the FTC should promulgate regulations

on the industry to ensure that consumer privacy is respected in accordance with the statutory

provisions. Additionally, the industry itself could adopt self-regulatory measures to address

other, more specific issues not addressed by the proposed bill.

        There are many privacy policy principles that ISPs and advertising service providers can

agree upon and adapt to technological change. For example, the issue of security is one that is fit

for self-regulation. AT&T, Microsoft, and Verizon all expressed a desire to work together on

some key privacy issues including transparency, control, and security.35 As technological

standards change, cooperation of the various players in the advertising business through a

self-regulatory mediator like the Network Advertising Initiative may prevent the need for further

statutory regulation.

        Once consumers have made the fundamental privacy decision to opt-in, self-regulatory

   Senate Hearing 1, supra note 2, at 3 (Statement of Mike Hintz, Associate General Counsel, Microsoft
Corporation), available at
Testimony.pdf; Broadband Providers and Consumer Privacy: Hearing Before the Senate Committee on Commerce,
Science, and Transportation, 110th Cong. 7 (2008) (Statement of Dorothy Attwood, Senior Vice President, Public
Policy & Chief Privacy Officer, AT&T, Inc.), available at
AttwoodTestimony.pdf; Broadband Providers and Consumer Privacy: Hearing Before the Senate Committee on
Commerce, Science, and Transportation, 110th Cong. 4-5 (2008) (Testimony of Thomas J. Tauke, Verizon

principles may govern the range of acceptable policy terms. For example, self-regulation may be

an appropriate way of setting limits on information retention and anonymity. Ultimately, if the

terms of evidence collection are disagreeable to the consumer, he may choose not to opt-in.

Similarly, if a competitor offers a better policy, the consumer may decide to opt-in to another

policy instead. Therefore, this legislation compels the industry to adopt standards that are fair

and appealing to the consumer.

        Self-regulatory principles should also govern the specific technological methods by

which advertisers conform to the proposed legislation. For example, consumers would likely be

annoyed by a barrage of pop-up notice dialogue boxes asking them to opt-in every time they

click on a link. Accordingly, this legislation encourages greater and more meaningful

self-regulation by compelling the industry to operate under a common set of technical and policy

guidelines that satisfy the consumer and industry.

         Several majors corporations have expressed a willingness to work together and operate

under a common set of rules. Those at the recent senate hearing stressed that appropriate

legislation should apply across the board so that no one has a competitive advantage.36

Currently, cable ISPs face more stringent legal restraints than other ISPs as they must conform to

the privacy provisions of the Cable Act.37 This legislation will place all ISPs and advertisers on a

more equal footing as they work together to ensure that consumer privacy and choice are


Executive Vice President), available at
   See Broadband Providers and Consumer Privacy: Hearing Before the Senate Committee on Commerce, Science,
and Transportation, 110th Cong. (2008), available at

                                            IV: CONCLUSION

        The expansion of traditional online advertising models into behavioral advertising models

including DPI threatens to place every online activity of a consumer under an uncomfortable

microscope. This country is founded on a tradition of respect the individual privacy and liberty.

Accordingly, Americans need legislation from Congress that recognizes and respects their

privacy expectations in a digital environment. They need a standard of meaningful notice and

informed, opt-in consent. This legislation will prompt more players in the advertising industry to

come together and engage in self-regulation to address privacy concerns as they emerge and

prevent the need for further legislation.

        While the pressure on the industry to respect privacy has already led NebuAd to suspend

its DPI activities38, other companies like Phorm continue along this controversial path.39

Recently, the CEO of a behavioral advertising company called Front Porch suggested that an

opt-in policy with consumer incentives is the only feasible model as opt-out systems tarnish the

reputation of companies like NebuAd.40 This path could ultimately rescue the reputation of

behavioral advertising by promoting a system in which advertisers bargain fairly with consumers

for commercially useful data. Therefore, Congress should adopt the measures outlined in this

paper to ensure that advertising service companies seek and obtain consumer consent before

spying on them.

   See 18 U.S.C.A. § 2702.
   Ellen Nakashima, NebuAd Halts Plans for Web Trafficing, WASH. POST, Sept 4, 2008, at D02, available at (last
accessed October 19th, 2008).
   While Phorm claims to ensure that the anonymity of a consumer is maintained under its system, it collects
information from consumers without their consent. Phorm, How Form Technology Works: A Privacy Revolution, (last accessed October 19, 2008).
   See Laurie Sullivan, BT Crash Takes Adzilla Down With It, (last accessed October
19, 2008).


Shared By: