Do ISPs pose a bigger online privacy threat than Google?

Law professor warns of "a coming storm of unprecedented and invasive" surveillance of users by ISPs

The increased monitoring and profiling of Internet users by companies such as Google and its DoubleClick online advertising subsidiary is widely seen as one of the biggest threats to online privacy. But in reality, said university professor Paul Ohm, the potential for the same kind of activities by ISPs poses a much greater privacy risk.

Ohm, an associate professor of law at the University of Colorado Law School in Boulder, published a research paper titled "The Rise and Fall of Invasive ISP Surveillance" late last month. The 77-page document chronicles the different market pressures and technology advances that are shaping the behavior of ISPs and warns of "a coming storm of unprecedented and invasive" surveillance of users by such companies.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and , both from InfoWorld. ]

It isn't an opinion that is shared by everyone, but the issue has been getting an increasing amount of attention from privacy advocates and lawmakers.

Much of Ohm's concern has to do with the vantage point that ISPs have on the Web and their ability to take advantage of it in a hitherto unprecedented manner. In many ways, ISPs are far more able to track, monitor, and profile user behavior than Google and other online advertising vendors are, he said in an interview.

"I'm not saying that they are invading your privacy right now," Ohm said. "What the paper does is to play out the possibilities. ISPs have the power to obliterate privacy."

According to Ohm, ISPs have been fairly good custodians of online privacy -- until recently, at least. But a couple of factors are driving a change in the status quo, he claimed. One of them is the growing availability of sophisticated deep-packet inspection technologies that enable companies to collect and mine huge amounts of very granular information about Internet usage. ISPs looking to broaden their revenue sources could increasingly look to monetize this data -- for instance, by selling it to behavioral advertising firms, Ohm said.

Google's enormous success in the online advertising market has "redefined expectations for both profitability and privacy online," Ohm wrote in his report. He predicted that ISPs will attempt to replicate Google's success by trying to monetize user data at the expense of privacy protections. Offering them potential help are advertising firms such as NebuAd Inc. and Phorm, which are looking to partner with ISPs to access, analyze, and categorize the behavior of users for targeted advertising purposes.

Another incentive for ISPs to be more intrusive about gathering usage information comes from copyright owners that are offering service providers "great sums for their users' secrets," Ohm said in his report. As an example, he noted that the recording and movie industries "view ISP monitoring as an avenue for controlling what they see as rampant infringing activity, particularly on P2P networks."

In addition, ISPs, which already are saddled with a requirement that they comply with a 1994 federal wiretapping law called the Communications Assistance for Law Enforcement Act, or CALEA, are feeling increased pressure from the federal government to configure their networks so they are able to quickly assist monitoring activities by law enforcement agencies, Ohm said.

Several existing laws, including the Federal Wiretap Act and the Pen Register Act, would appear to address many of the potential monitoring activities that concern Ohm. But the laws "are full of confusing ambiguities," he said. "I think the ISPs are interpreting these laws not to apply" -- at least to some of the monitoring plans that companies have proposed.

One area in which those laws could be misinterpreted to the advantage of ISPs involves the issue of user consent, said Alissa Cooper, chief computer scientist at the Center for Democracy and Technology in Washington.

According to Cooper, communications privacy laws prevent ISPs from engaging in many kinds of user monitoring except under certain situations, such as for network security purposes or when they have gotten explicit consent from users to do monitoring. In general, the Federal Wiretap Act would apply to behavioral advertising programs and require ISPs to get the "express informed consent" of users for monitoring activities, she said.

But, Cooper added, what hasn't been tested in court yet is whether the implied consent that a user might give to such monitoring when agreeing to a privacy statement is the same thing as clear and informed consent on the user's part -- or whether it could be interpreted that way.

The problem is compounded by the fact that user expectations are much different when dealing with ISPs than they are when dealing with companies such as Google, Cooper said. Many users might assume that they're being given a greater degree of privacy protections by ISPs than is actually the case, she noted.

John Pescatore, an analyst at Gartner, said that in at least some cases, ISPs potentially have more visibility into user activities on the Internet than companies such as Google do.

Pescatore added, though, that communications laws aren't the only thing that ISPs interested in doing more monitoring would need to contend with. In many cases, he said, companies would have to invest substantial amounts of money to install the kind of deep-packet inspection, filtering and analysis technologies that are needed to monitor user activity on a scale that makes commercial sense.

And just because ISPs could do monitoring doesn't mean it would always make financial sense for them to actually do so, especially in light of the potential legal issues they could find themselves mired in, Pescatore said. In contrast, Google and other online advertising vendors have no such legal constraints in place yet -- and, as such, have been operating in a manner that poses a far greater risk to online privacy, he said.

"The much bigger privacy threat continues to be Google," agreed Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. "Google's business model -- its primary source of revenue -- is based on building detailed profiles of Internet users for advertising purposes. This is simply not the case for ISPs, who are primarily in the business of selling access to the Internet."

Bashing ISPs on privacy "has become very popular," Rotenberg said. He added that existing laws clearly prohibit ISPs from intercepting communications for advertising purposes. As a result, recent proposals to capture network traffic for advertising purposes "would be unlawful," and therefore don't pose a long-term threat to online privacy, Rotenberg said.

Lawmakers also are paying attention to the issue. In August, for instance, the U.S. House Committee on Energy and Commerce sent a letter (download PDF) to 33 phone, cable, and Internet companies inquiring about their data collection practices.

The letter was prompted by what committee members said was the growing trend among companies to deliver targeted online advertisements based on data collected about a user's Web surfing habits. One of the goals was to find out whether existing communications privacy laws applied to ISP monitoring activities and whether those laws needed to be amended to address that issue, the letter said.

ISPs themselves are downplaying the privacy concerns and have sought to assure legislators that any monitoring activities they may be planning are innocuous compared to what companies like Google are doing.

For instance, in a response to the House committee's letter, Dorothy Attwood, a privacy executives at AT&T, said that the company doesn't track the "overall" Web browsing or search habits of users for behavioral advertising purposes. Attwood's response (download PDF) drew attention to what she claimed was Google's ability to observe a user's "entire Web browsing experience at a granular level," including the URLs that he enters and the searches that are conducted, and then said that AT&T hasn't installed such capabilities.

Attwood added that if done right, behavioral advertising holds lots of potential benefits for Internet users. But she said that if AT&T ever embarked on such an effort, it would do so only with the full, informed consent of customers.

More than two dozen other companies also responded to the House committee's letter. In its response (download PDF), Phoenix-based Cable One Inc. acknowledged that it had engaged in a "small-scale test" of technology that would have enabled the company to deliver targeted ads to its users.

The test involved 14,000 customers over a 180-day period, but Cable One ultimately decided not to implement the technology, according to the response. Cable One added that if it had decided to go ahead with the project, it would have done so only with the full consent of users and in full compliance with applicable laws.

Computerworld is an InfoWorld affiliate.

This story, "Do ISPs pose a bigger online privacy threat than Google?" was originally published by Computerworld.

Copyright © 2008 IDG Communications, Inc.