Online Behavioral Advertising: Discussing the ISP-Ad Network Model
1) Using ISP Data for Behavioral Advertising Raises Critical Privacy and Internet Functionality Concerns
The practice of "behavioral advertising" involves the compilation of detailed information about an Internet user’s online activities for the purpose of sending them targeted online advertisements. In the traditional behavioral advertising model, online ad networks contract with many different Web site publishers on one side and many different advertisers on the other, placing ads online according to the context of the Web page content and expected audience. However, as behavioral advertising networks seek to create increasingly detailed consumer profiles, companies have begun to form partnerships with Internet Service Providers (ISPs) to mine information from the entire stream of an individual customer’s Web use for behavioral advertising purposes.
This new ISP model amplifies the privacy implications of behavioral advertising at large, defies reasonable user expectations, and can be disruptive to Internet and Web functionality. Despite these concerns, several ad network companies seem to be moving forward with plans to use ISP data for behavioral advertising. The major U.S. company in this market, NebuAd, has scaled back some of its efforts in the face of congressional inquiry and the withdrawal of several major clients; the company continues to wait as ISPs undertake further efforts to gauge the marketplace. Meanwhile, the most prominent ad network in the U.K., Phorm, has switched to an opt-in model and has received preliminary approval from the U.K.’s Business, Enterprise and Regulatory Reform agency to proceed with its plans.
Here is how the basic ISP model works: ad networks that partner with ISPs potentially gain access to all or substantially all of an individual’s Web traffic as it travels through the ISP’s infrastructure, including traffic to all political, religious, and other non-commercial sites. While traditional ad networks may be large, few (if any) provide the opportunity to collect information about an individual’s online activities as comprehensively as in the ISP model, particularly with respect to activities involving non-commercial content. These companies use what is known as "deep packet inspection" technology to collect information as consumers surf the Web. (Bits of data that consumers send back and forth on the Internet are known as "packets.") Although we have yet to see it in action, these new ad networks also have the potential to mine emails, chats, file transfers, financial information, and many other kinds of data for targeting purposes.
While the creators of these systems have taken steps to disassociate data from the individual as it is captured, the use of Internet traffic content for behavioral advertising still defies expectations about what happens when a person uses the Web and communicates online. Absent unmistakable notice, consumers simply do not expect their ISP or its partners to be looking into the content of their Internet communications.
Additionally, independent analyses of existing systems have revealed that these systems engage in an array of practices that are inconsistent with the usual flow of Internet traffic, by virtue of their ability to intercept traffic in the middle of the network and track individual Internet users. This kind of conduct has the potential to create serious security vulnerabilities in the network, hamper the speed of users’ Internet connections, and interfere with ordinary Web functionality.
A Primer on Behavioral Advertising (July 31, 2008)
Privacy Implications of Online Advertising (July 8, 2008)
NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking (June 18, 2008)
2) Behavioral Advertising Implementations May Violate Federal Law Without Express Consent of Subscribers
The ISP behavioral advertising models that have been deployed thus far have failed to obtain affirmative, express opt-in consent. Several companies have neither notified consumers nor obtained consent for tests of the NebuAd system. Others have buried vague information about their deals with NebuAd in the ISP’s terms of service. Charter Communications, the largest U.S. ISP that had planned to partner with NebuAd, notified its subscribers that they would be receiving more relevant ads, but did not explain its plans to intercept subscribers’ traffic data, and did not provide a way for subscribers to give or withhold consent. Charter has since suspended its plans; as mentioned earlier, NebuAd has abandoned its plans to deploy this ISP model for behavioral advertising.
CDT’s analysis of federal laws concluded that the use of Internet traffic content from ISPs for the purpose of behavioral advertising might run afoul of federal wiretap laws, unless the activity is conducted with the consent of the subscriber. Such consent should not be buried in terms of service, or inferred from a mailed notice.
Wiretap Act/ECPA
Depending on how an ISP behavioral advertising model is implemented, it may run afoul of existing communications privacy laws. The federal Wiretap Act, as amended by the Electronic Communications Privacy Act (ECPA), prohibits the interception and disclosure of electronic communications – including Internet traffic content – without consent. Although exceptions to this rule permit some interception and disclosure without consent, it is unlikely that any of these apply to the interception or disclosure of Internet traffic content for behavioral advertising purposes.
We believe that the Wiretap Act requires unavoidable notice and affirmative opt-in consent before Internet traffic content may be used from ISPs for behavioral advertising purposes. Certain state laws may take this one step further, requiring consent from both the consumer and the Web site he or she is visiting.
Cable Communications Policy Act
Some experts have suggested that the Cable Communications Policy Act may also apply to this business model. The law prohibits cable operators from collecting or disclosing personally identifiable information without prior consent. While the term "personally identifiable information" (PII) in the law is defined by what it does not include – "any record of aggregate data which does not identify particular persons" – it is unlikely that a user’s entire Web traffic stream, unique to that individual, often containing both PII and non-PII, would be considered aggregate data as that term is commonly understood. Shoehorning the collection and disclosure of a subscriber’s entire browsing history for advertising purposes into the statute’s exception for collection or disclosure of information that is necessary to render service does not seem workable. Thus, cable-based ISPs that wish to disclose customer information to advertising networks would also have to meet the consent requirements of the Cable Communications Policy Act.
ECPA Memo (July 8, 2008)
3) House Investigation Reveals Problematic Behavioral Advertising Practices
Members of Congress have recently joined consumers and privacy advocates in their concern over behavioral advertising practices. In early August, the House Energy and Commerce Committee, led by Subcommittee Chairman Ed Markey (D-MA) and Ranking Member Joe Barton (R-TX), launched an inquiry into the current advertising practices with a hearing and then a direct inquiry to 33 ISPs and Web companies. More hearings, and possibly an online consumer privacy law, are in the works.
The Committee’s letters asked whether the companies are using targeted advertising based on data collected about consumers’ online activities. The Committee wanted specifics about each company’s behavioral advertising systems: how many customers are affected, how consumers are notified, whether consumers are provided with choice, whether legal analyses of these systems were conducted, and what has happened to the data collected by these systems. The companies were also asked whether they treat sensitive information differently than other kinds of consumer information, and whether they can correlate information about a single consumer collected across multiple sites or services.
In many cases, the companies’ responses were quite revealing. Two small ISPs, Knology and CableOne, confirmed that they had conducted tests using deep packet inspection technology for behavioral advertising without providing notice to consumers. Although Knology cited an opt-out mechanism located in its customer service agreement, CableOne indicated that its customers were provided with no means whatsoever of opting out of the trial. Several other ISPs described their trials of behavioral advertising technology, many of which involved notice to consumers that likely falls short of the "unavoidable" standard described in the previous section.
The largest ISPs to respond – AT&T, Comcast, and Verizon – all indicated that they have not used their ISP facilities for behavioral advertising purposes.
Several of the Web companies that received letters used their responses as opportunities to announce new practices. In a move that has been anticipated since Google acquired DoubleClick last year, Google announced that it would begin using a single DoubleClick cookie to identify a user across the network of sites where Google and DoubleClick serve third-party ads. Although Google emphasized that this change is primarily to allow Google to track the frequency with which a single user sees the same ad, it may also facilitate increased tracking of consumer behavior across a broader range of sites.
Yahoo indicated that it would be providing consumers with the opportunity to opt out of behavioral advertising on Yahoo sites themselves (in addition to pre-existing opt-out choices for advertising served by Yahoo on other Web sites). Microsoft began offering a similar option earlier this year.
Because behavioral advertising takes place largely without user involvement or knowledge, the details of how it works are not always immediately evident. As the companies’ responses indicate, in the absence of a baseline federal privacy law, online tracking and targeting practices are all over the map.
Inquiries like the one conducted by the House Energy and Commerce Committee are critical to the public’s ability to assess the privacy impact of online tracking and targeting. With this new information as its launching pad, Congress is continuing to pursue answers through its power to call hearings. Chairman Markey has suggested that this inquiry will continue, and an online consumer privacy law may be introduced. Congressional involvement, and hopefully a comprehensive federal standard, are important parts of clarifying these practices and working towards protecting consumer privacy online.
Committee Letters (Aug. 1, 2008)
List of responses to Committee letter (Aug. 8, 2008)