Tuesday, August 12, 2008

New Revelations in DC ISP-Based "Deep Packet" BT Scrutiny

Early emanations from the House Energy and Commerce Committee's examination of privacy issues primarily related to ISP based BT are pretty interesting and revealing. Here are some highlights:

30 companies were asked about their Deep Packet BT and other tracking practices. Based upon the information provided to the committee, Chairman Markey has stated his intention to introduce opt-in privacy legislation next year. Reports WaPo:

Markey said he and his colleagues plan to introduce legislation next year, a sort of online-privacy Bill of Rights, that would require that consumers must opt in to the tracking of their online behavior and the collection and sharing of their personal data.

But some committee leaders cautioned that such legislation could damage the economy by preventing small companies from reaching customers. Rep. Cliff Stearns (R-Fla.) said self-regulation that focuses on transparency and choice might be the best approach.

But let's not get ahead of ourselves in this post. Here are some of the things that the inquiry uncovered.

On August 1, the committee wrote to a long list of companies (ISPs mostly) asking them to detail their "deep packet" and other tracking programs and policies. The list reads like a who's who of connectivity:

AOL LLC (ISP and Content Provider)
Bresnan Communications (ISP)
Cable One, Inc. (ISP)
Cablevision Systems Corporation (ISP_
CBeyond (ISP)
CenturyTel (ISP)
Charter Communications (ISP)
Comcast Cable (ISP)
Covad Communications Company (ISP)
Cox Communications, Inc. (ISP)
Earthlink (ISP)
Frontier Communications Corporation (ISP)
Google (Nuff said)
Insight Communications Inc. (ISP)
Knology, Inc. (ISP)
Mediacom Communications Corporation (ISP)
PAETEC Holding Corp. (ISP)
Qwest Communications (ISP)
Suddenlink Communications (ISP)
TDS Telecom (ISP)
Time Warner Cable (ISP)
TW Telecom, Inc. (ISP)
United Online, Inc. (ISP, among other things)
Verizon (ISP)
Windstream Corporation (ISP)
XO Communications (ISP)
Yahoo (Nuff Said)

All of their responses are available in pdf form here.

Check out a copy of the request here.

The 11 questions they asked each company to respond to were (paraphrased):

1. Do you or have you tailored ads to user web surfing patterns?
2. If so, how did you address sensitive health, financial, PII, and how were those policies developed?
3. In what communities have you engaged in these practices?
4. How many consumers were affected?
5. Did you do an analysis of privacy laws as you developed your programs?
6. Did you notify consumers? How? Provide a copy of the notification.
7. Did you do opt in or opt out, and if opt out, why?
8. If opt out, how many did so?
9. If opt out, did you do a legal analysis of the opt out procedure and notification?
10. What is the status of the data collected? Has it been destroyed? Is it periodically destroyed?
11. Do your systems and process allow for the tailoring of ads based upon behaviors?

If you read my recent post on Embarq and NebuAd, you will see a high degree of similarity between this list and the list Embarq was asked to complete a few weeks ago.

Here are my response summaries (I read each doc carefully but I am not a lawyer, so if in doubt click on over and read it yourself.):

AOL: Nothing surprising here. They do BT, privacy policy notification, opt out. Estimate that "tens of thousands" have opted out.

Bresnan: NebuAd Test 4/1-6/26, in Billings MT, 6000 customers, users notified by email and a web site page in addition to privacy policy. Opt out, 18 opted out (3/10ths of one percent.)

Cable One: Small test, beginning last year, undisclosed vendor. Based upon the description of the vendor, it is likely NebuAd. Tested in Anniston, AL for 180 days beginning 11/20/2007. 14,000 customers. Notification via inclusion in acceptable use and privacy policies. Opt out, no indication of the number of people who opted out. Says they would do opt-in if they we're going to deploy network wide.

Cablevision: Hasn't done it.

CBeyond: Hasn't done it.

CenturyTel: Small test in Kalispell MT - small numbers of people in Idaho and Wyoming, NebuAd, 20,000 person test. Sent email notification to users affected in the test. Email said changes were made to the privacy policy but did not specify what they were -- invited the user to click and read policy to figure it out. Says they also sent email notification and bill stuffer to people noting the change in policy. Opt out. 82 persons opted out (4 tenths of one percent.)

Charter: Cancelled plans for a test.

Comcast: Hasn't done it.

Covad: Hasn't done it.

Cox: Hasn't done it.

EarthLink: Hasn't done it.

Frontier: Hasn't done it.

Insight: Hasn't done it.

Knology: Tested via NebuAd in parts of Panama City FL, Columbus GA, Knoxville TN, Huntsville AL, and Augusta GA. Stopped test as a result of Congress raising concerns. Opt out, notification via customer service agreement change. Change unannounced. No info on number of households affected or opt outs/opt out rates.

Mediacom: Hasn't done it.

PAETEC: Hasn't done it.

QWEST: Hasn't done it.

Suddenlink: Hasn't done it.

TDS: Hasn't done it.

TimeWarner: Hasn't done it.

TW Telecom: Hasn't done it.

United Online: Has considered deep packet inspection based BT, but has not implemented.

Verizon: Hasn't done it.

Windstream: Hasn't done it.

XO: Hasn't done it.

Yahoo: Does use BT but not deep packet, over 75,000 opt outs in July 2008 (still a fairly low number given that Yahoo reaches several hundred million users a month.)

Of all the responses, Google's have so far received the msost attention, chiefly because of the tremendous reach and market power of the giant. Here is what WaPo had to say on the topic in a recent article:

Alan Davidson, Google's director of public policy and government affairs, stated in the letter that users could opt out of a single cookie for both DoubleClick and the Google content network. He also said that Google was not yet focusing on "behavioral" advertising, which depends on Web site tracking.

But on its official blog last week, Google touted how its recent $3.1 billion merger with DoubleClick provides advertisers "insight into the number of people who have seen an ad campaign," as well as "how many users visited their sites after seeing an ad."

"Google is slowly embracing a full-blown behavioral targeting over its vast network of services and sites," said Jeffrey Chester, executive director of the Center for Digital Democracy. He said that Google, through its vast data collection and sophisticated data analysis tools, "knows more about consumers than practically anyone."

Microsoft and Yahoo have disclosed that they engage in some form of behavioral targeting. Yahoo has said it will allow users to turn off targeted advertising on its Web sites; Microsoft has yet to respond to the committee.

Said Markey:

Increasingly, there are no limits technologically as to what a company can do in terms of collecting information . . . and then selling it as a commodity to other providers," said committee member Edward J. Markey (D-Mass.), who created the Privacy Caucus 12 years ago. "Our responsibility is to make sure that we create a law that, regardless of the technology, includes a set of legal guarantees that consumers have with respect to their information."

I am sure there'll be more to come, and the oldest living gumshoe reporter will be there to parse it all for ya. ;-)

Thanks for reading, and don't forget to write.

1 comment:

Because people have been abusing the comment platform to place phony links to deceptive sites, I am now moderating all comments. If your comment is legit and contains a relevant link, it will be published.