Verizon draws fire for monitoring app usage, browsing habits

"We're able to view just everything that they do," Verizon Wireless exec has boasted. Privacy groups say initiative -- including linking databases showing whether customers own pets -- may violate wiretap law.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
5 min read

Verizon Wireless has begun selling information about its customers' geographical locations, app usage, and Web browsing activities, a move that raises privacy questions and could brush up against federal wiretapping law.

The company this month began offering reports to marketers showing what Verizon subscribers are doing on their phones and other mobile devices, including what iOS and Android apps are in use in which locations. Verizon says it may link the data to third-party databases with information about customers' gender, age, and even details such as "sports enthusiast, frequent diner or pet owner."

"We're able to view just everything that they do," Bill Diggins, U.S. chief for the Verizon Wireless marketing initiative, told an industry conference earlier this year. "And that's really where data is going today. Data is the new oil."

Verizon logo

Verizon Wireless says that its initiative, called Precision Market Insights, is legal because the information is aggregated and doesn't reveal customers' identities. Also, the company says, its customers can opt out at any time.

But hyper-detailed monitoring of customers' activity looks a lot like the deep packet inspection techniques that landed NebuAd in hot water -- including a congressional investigation -- four years ago. NebuAd's chief executive, Robert Dykes, claimed he had created "anonymous profiles that cannot be hacked or reverse-engineered," but the controversy led to the company's demise.

Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation in San Francisco, said a wireless carrier that discloses information about which URLs a customer visits could run afoul of the Wiretap Act. In general, the law says, carriers may not "divulge the contents of any communication."

"I don't see any substantive difference between collecting content from one person and turning it over to someone, and collecting it from multiple people, aggregating that information and then turning the aggregated data over to someone else," Fakhoury says. "In the end, there is still a capturing of content from the user at some point -- and that's what the potential (Wiretap Act) problem is."

Paul Ohm, a professor at the University of Colorado Law School currently working at the Federal Trade Commission, concluded in a law review article that federal privacy law "likely forbids many invasive forms of ISP monitoring."

In a video that was posted of the industry event sponsored by PricewaterhouseCoopers in Los Angeles, Verizon's Diggins touted the carrier's extensive monitoring abilities: "We're able to analyze what people are viewing on their handsets. If you're at an MLB game, we can tell if you're viewing ESPN, we can tell if you're viewing MLB, we can tell what social networking sites you're activating, if you're sending out mobile usage content that's user-generated on video."

Verizon Wireless declined to answer questions that CNET posed last week about how its technology works, but it did provide this statement:

Verizon is committed to customer privacy and takes the issue seriously. The Precision program complies with the law and protects the privacy of our customers. The reports available through the program will not disclose the content of specific customer communications because each report will contain aggregate data from a large number of customers to protect privacy. Customers who do not want their data used as part of the program can opt-out at any time.

"Deep" vs. "shallow" packet inspection

It's true, of course, that any company selling Internet connectivity needs to know the destination of packets so it can route them properly, a practice sometimes referred to as shallow packet inspection.

But monitoring which mobile apps customers are using and which URLs are visited typically means engaging in deep packet inspection, which is controversial because it's more intrusive.

Verizon Wireless' marketing literature acknowledges that it sells "mobile-usage data that offers insights on the mobile-device habits of an audience, including URL visits, app downloads and usage." (Not all carriers do: Google guarantees that its proof-of-concept Google Fiber project "will not engage in deep packet inspection" except when necessary to fend off network attacks.)

Ryan Radia, associate director of technology studies at the Competitive Enterprise Institute think tank, agrees with the EFF's Fakhoury that disclosing aggregated URLs visited can be legally risky. "If Verizon Wireless discloses the URLs you've accessed without your consent, it has violated (the Wiretap Act) -- even if Verizon Wireless doesn't disclose any other identifying information," Radia said.

But, Radia argues, Verizon has obtained consent for its Precision Market Insights program by updating its privacy policy and allowing customers to opt out. That's sufficient to satisfy the Wiretap Act by putting the company's subscribers on notice, he says, and notes that a lawsuit that arose out of NebuAd's monitoring was dismissed last year (PDF).

The 2003 In Re Pharmatrak decision from the U.S. Court of Appeals for the 1st Circuit offers a glimpse of how judges view whether customers truly consented. The court ruled in a case involving Web tracking "that it makes more sense to place the burden of showing consent on the party seeking the benefit of the exception." The judges approvingly cited a second case, which said "consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception."

In addition, a Florida appeals court has ruled that a state law closely resembling the Wiretap Act is violated when information about "websites visited by the user" is intercepted without consent. Wiretap Act violations can be punished by damages of $100 per victim per day or $10,000 per victim, whichever is greater.

Verizon's Diggins said the carrier had created "a very sophisticated system" so advanced it can predict what customers will want: "We're able to identify what that customer likes not by filling out a form, but by analyzing what they do on a day-to-day basis. We're able to serve them products that we know they like because we've seen that they've gone through and downloaded products like it." One potential customer for the Precision program, he said, is a sports arena that wants to know more about who's attending a game.

There is an irony here: as the online advertising market is shifting toward behavioral targeting, sometimes called interest-based ads, companies like Facebook, Yahoo, Google, and Microsoft are able to compile detailed profiles on their users. But because of legal twists -- and, perhaps, an old-fashioned cultural norm skeptical of the telephone company listening in on calls -- broadband and wireless providers are being left behind.

However, ads make Facebook and Google free to use. Says Christopher Soghoian, principal technologist with the ACLU's Speech, Privacy and Technology Project: "When you pay a company $80 a month, they have no business monetizing the data they're collecting."