Web monitoring for ads? It may be illegal

NebuAd and other companies have been offering broadband providers a way to monitor customers and display relevant ads. But the legality of it is anything but settled.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

Online advertising has ballooned into a roughly $45 billion-a-year business, to the benefit of Google, Yahoo, ad networks, and innumerable specialty and hobbyist Web sites.

One corner of this ecosystem that hasn't managed to cash in on advertising is, by some measurements, the largest: broadband providers. So it may have been inevitable that they would seek additional revenue by monitoring their customers' online activities and creating behavioral profiles that could yield hyper-relevant ads.

The only problem with this practice is that it may not be entirely, well, legal. The first warning sign came last week when two members of the U.S. Congress sent a letter to Charter Communications, a large cable provider, raising "substantial questions" about the legality of deep packet inspection and asking the company to hold off. (See our Q&A with a Charter executive.)

In interviews with News.com over the last few days, privacy advocates and attorneys pointed to a collection of federal laws--written in the 1980s when broadband services were merely a pipe dream--that combine to create a treacherous legal landscape for broadband providers that plan to conduct Web monitoring.

It's "a problem for cable providers because the very collection of personal information is prohibited without consent," said Al Gidari, a partner at Perkins Coie in Seattle, whose clients include Google and broadband providers. "It's plainly a problem for Charter. I'm amazed we haven't seen a class action lawsuit on this."

The problem for broadband providers is that intercepting customers' Web browsing, analyzing the protocols to see what's going on, and reviewing the packets' contents starts to look a lot like wiretapping. And there are federal and state laws, complete with civil and criminal sanctions, that broadly prohibit wiretapping.

It's unclear how many providers are performing Web monitoring for advertising, not least because all of the companies providing deep packet inspection are highly secretive.

Wide Open West is using technology from Redwood City, Calif.-based NebuAd, as it discloses in its privacy policy. Charter and (reportedly) Knology are experimenting with it, too. CenturyTel told us that "we are doing business" with NebuAd and that it did a trial of NebuAd's technology in one of its markets late last year.

Embarq talks about "preference advertising" in its privacy policy and confirmed it has tested NebuAd "in one of our markets," but added that "we are not currently using those tools and have not decided whether to move forward with them." Rivals to NebuAd include Front Porch of Sonora, Calif., and U.K.-based Phorm.

NebuAd refused to disclose what advertising networks--such as DoubleClick or Microsoft's Aquantive--it uses, or what broadband providers it counts as customers. So did Phorm and Front Porch (which said it could not arrange an interview).

When asked why it won't disclose that information, NebuAd told us in e-mail: "We would like to respect the trust and relationship that already exists between an ISP and their end customer. We want to stress that we do not publicly discuss our ISP partner relationships because of the direct relationship that already exists between an ISP and their customers. Our belief is that our ISP partners have a direct, trusted relationship with their customers; and communication, public or otherwise, should be directly from our ISP partner to their end customer." NebuAd does provide an opt-out mechanism through browser cookies.

The stakes are high. The advertising industry is moving toward behavioral targeting, meaning compiling dossiers (anonymized or not) on individuals and using those to display targeted ads. Theoretically, this benefits everyone: Internet users see ads that match their interests, and advertisers sell more products.

Because deep packet inspection can read the contents of everything a customer sends and receives in the clear--encrypted traffic, such as an SSL-protected session, reveals only its endpoints and timing--a broadband provider is in the enviable position of being able to know what each customer is doing online. The odds of successful monetization are high. But so are the legal risks.

Three federal laws, three legal hurdles

At least three wiretapping-related federal laws restrict what broadband providers can do: the Electronic Communications Privacy Act of 1986 (ECPA); the Communications Act of 1934; and the Cable TV Privacy Act of 1984. The cable privacy law is the most restrictive and applies only to cable broadband providers--meaning, thanks to a law written when the Apple Macintosh was new, they're at a competitive disadvantage to telephone companies such as AT&T and Verizon, whose DSL lines it does not cover.

The cable privacy law is unusually onerous because it requires the "prior written or electronic consent of the subscriber" before any personally identifiable information can be collected. What that means is that sending a postcard or e-mail telling customers that they can opt out (which is what cable providers are doing so far) may not be good enough.

"They have to worry about it more," said Gidari, the attorney at Perkins Coie, referring to cable operators. "Their rules are much more restrictive. They have the obligation to give notice to their customers before they disclose information. They have the obligation not to collect information without prior consent...Cable operators have the most exposure in doing this."


One irony of this situation is that broadband providers are seeking to do precisely what companies like Google and Yahoo have done for many years: monitor what users are doing and display relevant advertisements. But cultural expectations are different. And by an accident of history, or a quirk of fate, those laws don't apply to Google and Yahoo and other Web sites. They single out Internet service providers.

For their part, cable providers insist that they're following the law. Charter tells us it is "confident" that "all legal requirements" have been met. Wide Open West, a cable operator in the Midwest that's using NebuAd's hardware, said: "We feel that the service and our use of it is in compliance with current regulations."

But other laws apply to all Internet providers. ECPA says, in general, that "a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication." Two exceptions to that general rule allow monitoring that is a "necessary incident" to providing the service and monitoring with a user's "lawful consent."

Translation: Obtaining "lawful consent" may mean more than sending e-mail notifying customers that the terms of service have changed. At the least it means that an opt-in process is less risky, legally speaking, than an opt-out one.

The 2003 In re Pharmatrak decision from the U.S. Court of Appeals for the 1st Circuit offers a glimpse of how judges view consent. The court ruled in a case involving Web tracking "that it makes more sense to place the burden of showing consent on the party seeking the benefit of the exception." The judges approvingly cited a second case, which said "consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception."

Yet another legal obstacle for Web monitoring is the Communications Act, which says companies engaged in "transmitting" communications shall not "divulge" those contents.

"The question is whether or not a third party like this can track usage for things other than for routine maintenance of a network--they are entitled to do that," said Barry Steinhardt, director of the ACLU's Technology and Liberty Program. "But where you're actually tracking the content of what users do, there are serious questions there about the Electronic Communications Privacy Act and the cable laws."

Steinhardt added: "I think Congressman (Edward) Markey is exactly right to raise this issue. The implications here are profound...Do (broadband providers) think they own that data? If they own that data, there are no limits on what can be done with it? Can they give it to an employer? Can they give it to a credit bureau? Can they give it to a potential landlord?"

Another possible threat to broadband providers is the Federal Trade Commission, which can file lawsuits alleging unfair or deceptive business practices. The FTC proposed guidelines for behavioral advertising after convening a workshop last fall, and the Center for Democracy and Technology filed comments with the agency last month raising questions about NebuAd and its peers. (Disclaimer: I spoke at last fall's workshop.)

CDT's comments allege that broadband providers do "not appear to be adequately disclosing this involvement" and suggest that the Electronic Communications Privacy Act regulates the practice. They also suggest that the FTC "should address" advertising-related monitoring and require affirmative consent from customers instead of an opt-out mechanism. In its privacy principles, the FTC said "companies should obtain affirmative express consent from affected consumers" before substantially changing privacy policies.

In the past, the FTC has taken a relatively strict view of informed consent. In its lawsuit filed against Odysseus Marketing, the FTC argued that it was unlawful for a company not "to adequately disclose" to customers that it was sharing information with third parties. The case ended in a settlement.

There's one final legal twist that could imperil NebuAd and similar companies that conduct deep packet inspection. The way they work is to perform a Carnivore-like interception of all customers' Web browsing; only afterward is the traffic of users whose browser presents NebuAd's opt-out cookie discarded. The device has to read the request before it can find the cookie at all.

What that means in practice is that, if you've opted out through your Internet provider, the contents of your communications are nevertheless disclosed to a third party--even if only for a microsecond--before they are thrown away, which is exactly what federal privacy laws seem to prohibit. And because the opt-out is recorded in a browser cookie, it covers only the browser holding that cookie and lapses when the cookie is deleted.
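To make that ordering concrete, here is an added Python simulation of the two steps as the article describes them. It is not NebuAd's, Phorm's or any provider's code: every request is copied to the inspector in full, and only then is the opt-out cookie checked. It also models an alternative the page does not describe, filtering by subscriber identity at the edge before anything is mirrored. The cookie name `optout`, the subscriber IDs, the sample HTTP requests and the TLS fragment are all constructed for the example.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

# Assumed cookie name; the page does not give the real one.
OPT_OUT_COOKIE = "optout"

# Constructed sample traffic: (subscriber_id, bytes as seen on the wire).
# sub-001 has opted out via cookie in one browser; its second flow is a
# constructed TLS ClientHello fragment, i.e. ciphertext the inspector cannot read.
SAMPLE_FLOWS = [
    ("sub-001", b"GET /search?q=mortgage+refinance HTTP/1.1\r\n"
                b"Host: www.example.com\r\nCookie: session=abc; optout=1\r\n\r\n"),
    ("sub-002", b"GET /forums/health/diabetes HTTP/1.1\r\n"
                b"Host: www.example.org\r\nCookie: uid=42\r\n\r\n"),
    ("sub-001", b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(range(0xa0, 0xc0))),
]


@dataclass
class InspectorLedger:
    """What the third-party inspector actually received, per subscriber."""
    bytes_disclosed: dict = field(default_factory=dict)  # subscriber -> byte count
    profile: dict = field(default_factory=dict)          # subscriber -> [(host, path)]
    unreadable: dict = field(default_factory=dict)       # subscriber -> non-HTTP flows

    def add(self, table, sub, n=1):
        table[sub] = table.get(sub, 0) + n


def parse_http_request(raw):
    """Return (host, path, cookies) for a plaintext HTTP/1.x request head,
    or None when the bytes are not a readable request (e.g. TLS records)."""
    head = raw.partition(b"\r\n\r\n")[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        _method, path, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = SimpleCookie()
    if "cookie" in headers:
        cookies.load(headers["cookie"])
    return headers.get("host", ""), path, cookies


def opted_out_by_cookie(cookies):
    return OPT_OUT_COOKIE in cookies and cookies[OPT_OUT_COOKIE].value == "1"


def cookie_opt_out_pipeline(flows):
    """Order of operations the article describes: intercept everything first,
    then discard the flows that carry the opt-out cookie."""
    ledger = InspectorLedger()
    for sub, raw in flows:
        # Step 1: the full payload is copied to the inspector. This is the disclosure,
        # and it happens before anyone knows whether the user opted out.
        ledger.add(ledger.bytes_disclosed, sub, len(raw))
        parsed = parse_http_request(raw)
        if parsed is None:
            # Ciphertext: nothing to profile, but the bytes were still copied, and the
            # opt-out cookie is invisible, so the opt-out cannot even be applied here.
            ledger.add(ledger.unreadable, sub)
            continue
        host, path, cookies = parsed
        # Step 2: the opt-out check can only run after the request has been read.
        if opted_out_by_cookie(cookies):
            continue
        ledger.profile.setdefault(sub, []).append((host, path))
    return ledger


def subscriber_prefilter_pipeline(flows, opted_out_subscribers):
    """Alternative design, not described on the page: the provider decides by
    subscriber identity at the network edge and never mirrors opted-out traffic."""
    ledger = InspectorLedger()
    for sub, raw in flows:
        if sub in opted_out_subscribers:
            continue  # never copied, so nothing is disclosed
        ledger.add(ledger.bytes_disclosed, sub, len(raw))
        parsed = parse_http_request(raw)
        if parsed is None:
            ledger.add(ledger.unreadable, sub)
            continue
        host, path, _cookies = parsed
        ledger.profile.setdefault(sub, []).append((host, path))
    return ledger


if __name__ == "__main__":
    runs = (("cookie opt-out", cookie_opt_out_pipeline(SAMPLE_FLOWS)),
            ("subscriber pre-filter", subscriber_prefilter_pipeline(SAMPLE_FLOWS, {"sub-001"})))
    for name, ledger in runs:
        print(name, "disclosed:", ledger.bytes_disclosed, "profiled:", ledger.profile)
```

Running it shows the difference the paragraph above is about: in the cookie-based design sub-001's bytes are disclosed and its encrypted flow is counted as unreadable even though it never appears in a profile, while in the pre-filter design the inspector has no record of sub-001 at all.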

News.com's Anne Broache contributed to this report