Messaging News - August 2008 - (Page 13) This summer The Center for Democracy & Technology (CDT) put into question the legal standing of a new approach to online advertising being considered by Internet Service Providers (ISPs) and Internet advertising networks. Under the new scheme, an ISP allows an advertising network to copy the contents of the individual Web traffic streams of the ISP’s subscribers. The advertising network then creates a record of each individual’s online behavior and uses it to target ads to the consumer. “Based on what we know so far, this new advertising model appears to defy reasonable consumer expectations and may violate communications privacy laws,” comments CDT President and CEO Leslie Harris. CDT analysis concludes that this use of Internet traffic content by ISPs may run afoul of federal and state wiretap laws. Federal law would allow the practice with the consent of especially due to consumers not expecting their ISP to be selling the information to third parties and advocates without clear notice and consent. “The use of Internet traffic content from ISPs for behavioral advertising is different from the “cookie”-based model in significant ways and raises unique concerns. Among other differences, it copies all or substantially all Web transactions, including visits to sites that do not use cookies. Thus, it may capture not only commercial activity, but also visits to political, advocacy, or religious sites or other non-commercial sites that do not use cookies.” Does likening the practice to wiretapping seem extreme? Not from the CDT’s perspective. In its memo, An Overview of the Federal Wiretap Act, Electronic Communications Privacy Act, and State Two-Party Consent Laws of Relevance to the NebuAd System and Other Uses of Leslie Harris, President and CEO Center for Democracy & Technology ISPs, Behavioral Advertising, and Privacy How much is being monitored by enterprises today? “When Proofpoint first started surveying enterprises about their use of monitoring techniques and technologies, more than four years ago, we found that about one third of companies performed regular audits of outbound email content and (to our surprise at the time) that about 40 percent of large companies employed staff to read/ monitor the content of outbound email,” reveals Crosley. “These numbers have stayed relatively constant over time. For example, our 2008 research showed that 38 percent of surveyed companies performed regular audits of outbound email content and that 41 percent of large companies employ staff to read/ analyze outbound email content.” David Ferris, president and senior analyst of Ferris Research, thinks that certain aspects of email monitoring have been going on for a very long time, but it is our awareness that is growing. “I recall in 1991 talking with Exxon. The company the subscriber. However, CDT notes, that consent should not be obtained through a notice buried in a “terms of service” agreement or inserted in a billing statement. State law may be even more stringent, requiring consent from all parties. In a testimony before the Senate Commerce, Science & Transportation Committee, Harris notes, “In the last year, Internet Service Providers (“ISPs”) have begun to form partnerships with ad networks to mine information from individual Web data streams for behavioral advertising. Ad networks that partner with ISPs could potentially collect and record every aspect of a consumer’s Web browsing, including every Web page visited, the content of those pages, how long each page is viewed and what links are clicked. Emails, chats, file transfers and many other kinds of data could all be collected and recorded.” Harris believes the ISP model raises some particularly serious questions, Internet Traffic Content from ISPs for Behavioral Advertising, CDT defends its position. “When an ISP copies a customer’s communications or allows them to be copied by an advertising network; those communications have undoubtedly been ‘intercept[ed].’ Therefore, unless an exception applies, it seems likely that placing a device on an ISP’s network and using it to copy communications for use in developing advertising profiles would constitute illegal interception.” Harris notes that the Wiretap Act permits interception of electronic communications when the activity protects the rights of property of the provider of the service – for instance filtering and monitoring for spam, virus and phishing. “But this cannot be extended to advertising activities, which, while they may enhance the service provider’s revenue, do not ‘protect’ its rights.” SJ/TMP messagingnews.com 13
For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.