Panelists at a conference Dec. 5 at University of Colorado Law School agreed that technology allows many ways for Internet service providers (ISPs) to track and record the behavior of private users on their networks. The trick, they said, is balancing legitimate needs for network management with privacy laws and an ethical sense of where to draw the line between using technology for good and evil.
Panelists at a conference Dec. 5 at University of Colorado Law School agreed that technology allows many ways for Internet service providers (ISPs) to track and record the behavior of private users on their networks. The trick, they said, is balancing legitimate needs for network management with privacy laws and an ethical sense of where to draw the line between using technology for good and evil. (An article by CU Law Professor Paul Ohm that helped set the agenda for the event, “The Rise and Fall of Invasive ISP Surveillance,” is available here.)
A panel on the changing climate of network monitoring included Dr. Elan Amir, president and CEO of Bivio Networks; Dirk Grunwald, professor of computer science at CU; David Reed, executive vice president and chief strategy officer at Cablelabs; and Steven Worona, director of policy and networking programs for Educause. The group began by defining the term “monitoring,” which might range from simple caching and Spam filtering to targeting advertisements based on a user’s browsing history. “Network monitoring” carries negative connotations, panelist Reed said, but basic network management requires administrators to take some interest in the information flowing through their systems. Amir noted that every piece of electronic communication can be – and probably is – stored, redirected, tracked or manipulated in some way by ISPs, meaning that the real question is not so much what the technology can do, but whether it is deployed to do something useful or malicious. Thus, without a regulatory framework that focuses on acceptable use of technology, Amir suggested, society risks “throwing the baby out with the bathwater” by presuming all technology capable of network monitoring is inherently evil.
A critical point emphasized by the panelists is that ISPs must be honest and transparent about how they use information obtained through monitoring, panelists agreed. They said backlash against services such as NebuAd – which targets advertisements based on browsing history – shows that consumers resent being surprised at how their information is used. At the same time, Grunwald pointed to a British study that found people were willing to trade their work computer passwords for a chocolate bar, suggesting that ISP subscribers might similarly agree to sell their browsing history to advertisers for a discounted fee, he said, but they should be able to choose with full knowledge of the implications. Thus, Grunwald concluded, “people may be willing to sell their privacy, but they get frustrated if it is sold for them.”
A second panel discussed network monitoring from a legal perspective, particularly under the Electronic Communications Privacy Act of 1986 (ECPA). Panelists included Mark Eckenwiler, associate director for the Office of Enforcement Operations, U.S. Department of Justice; Terence Gill, a partner at Sherman & Howard; Phil Gordon, a partner at Littler Mendelson; and Gerry Stegmaier of Wilson Sosini Goodrich & Rosati. ECPA amended the Federal Wiretap Act of 1968 with expanded prohibitions on the interception of computer communications. The law provides for penalties up to five years in prison but makes exceptions for user consent and protection of “rights and property.” The “rights and property” exception traces back to a desire to protect telecommunications companies from people stealing phone service by tapping telephone wires, so it may not be as relevant to ISPs, panelists said. Stegmaier said an ISP could argue in good faith that some monitoring is required to protect its network from hackers, but that goes only so far. The consent exception is a stronger argument for ISPs that include disclosure of monitoring in their terms of use, although companies are still concerned that a “click to accept” agreement may be insufficient protection against litigation, he said.
Overall, ECPA deals with outdated technology and is too vague about modern privacy issues to be much help in the debate over network monitoring by ISPs, the panel agreed. “It is drafted such that it is almost impossible to convict anyone or advise a client about its implications,” Gill said.
The last panel discussed the potential for the industry to self-regulate through ethical norms rather than expanded law enforcement. The group included Kevin Bankston, senior staff attorney for the Electronic Frontier Foundation; Wendy Bohling, vice president of sales and marketing for Magpie Telecom; Kyle Dixon, a partner at Kamlet Shepherd & Reichert, LLP and former media bureau deputy chief for the Federal Communications Commission; and Wendy Seltzer, a fellow at the Berkman Center for Internet and Society at Harvard University.
The Internet has evolved from a small, academic network with a uniform audience to a worldwide presence where there are many different uses and community standards, Seltzer said. Any concept of ethical norms should center on an average user’s expectations of privacy – for example what a typical AOL subscriber would know about search tracking and behavioral advertising, Bankston added. The panel proceeded to consider whether users concerned about their privacy should take responsibility for protecting it by installing encryption software or other “self help” measures, but they agreed that would place an unfair burden on the average user. “I don’t think we can make the general public’s expectation of privacy dependent on technology, even if the technology improves,” Seltzer said.
Notwithstanding license agreements that give ISPs a legal right to monitor, panelists said there should be an ethical norm in the industry that click-through consent does not amount to a broad license to intercept any personal communication for any reason. After all, Americans cannot consent to sell organs or sell themselves into slavery because society has decided those activities are harmful even among willing parties, Bankston said. Along the same lines, he said, it’s not enough to merely give Internet users the ability to opt out of violations of their basic civil rights. “That is a very slippery slope, and it is going to hurt all of us,” he said.
A video of this conference is available here.