This week broadband provider Charter Communications revealed its plans to begin sharing its customers’ Web traffic with NebuAd, an advertising network. NebuAd’s service works by monitoring individuals’ online activities and creating profiles of those individuals’ interests. NebuAd then uses the profiles to serve targeted advertisements on the Web. Charter, with over 5 million subscribers, is the largest U.S. ISP to announce a deal with NebuAd thus far.

As we discussed in our comments to the FTC last month, this model – where an ad network strikes a deal with an ISP that allows the network to conduct “deep packet inspection” (or “DPI”) of individual Web traffic streams – raises numerous privacy questions. The main difference between these new ad networks and other kinds of online ad networks is that DPI-based ad networks may potentially gain access to all or substantially all of an individual’s Web traffic as it traverses the ISP’s infrastructure, including traffic to all political, religious, and other non-commercial sites (even those that do not use cookies and those that do not deliver ads). The prospect of having a third party handling all of this data likely defies most users’ expectations that the entire body of their Web surfing habits is not generally monitored by anyone, much less a third-party ad network they’ve never heard of.

One of the biggest outstanding questions about DPI-based ad networks is the legal basis that ISPs are using to justify the transfer of their subscribers’ data to a third-party ad network. In a letter addressed to Charter’s CEO, Rep. Ed Markey and Rep. Joe Barton have inquired about how the NebuAd deal can be reconciled with the Cable Act of 1984, which allows cable operators to share subscriber data with third parties only when subscribers give their prior approval. We are anxious to see Charter’s response.
(more…)

Proving again the adage that “bad cases make bad law,” the federal U.S. Attorney in Los Angeles today obtained an indictment of a woman named Lori Drew, a mother in Missouri who is alleged to have created a false profile on MySpace (posing as a teenage boy) that led a neighboring girl to commit suicide. Background on the case can be found in the Washington Post.

The incident is a horrible and tragic one, and if the allegations are true, Ms. Drew could certainly face civil liability for her actions, and – at least under some states’ laws – she could face state criminal liability as well. But just because a grievous wrong may have been committed does not mean under our system that there should be a federal case to address the wrong.

If the theory of today’s indictment is allowed to stand, it would represent a gross and inappropriate expansion of federal power to regulate speech and communications over the Internet. It is important to understand the underlying “crime” here. The indictment does not really have anything to do with the alleged mistreatment of the girl in this case – the alleged crime is the asserted fact that Ms. Drew did not follow MySpace’s “terms of service.” The charges are based on an anti-hacker statute, and in this indictment, the “victim” is MySpace, not the girl. (more…)

Earlier this month Yahoo! launched a new Business & Human Rights Program, intended to formalize its commitment to human rights, starting with full-fledged support at the highest levels of the company. The program also aims to build a culture within the company to identify and manage human rights risk associated with delivery of its services in difficult markets.

Yahoo! learned the hard way that inattention to human rights can have devasting consequences. While some may see the new program as no more than an effort to restore the company’s reputation, we strongly applaud this new effort. Companies have an obligation to respect human rights and rigorous due diligence and risk assessment are the right place to start. Recently, John Ruggie, the U.N. Special Reporter on Business and Human Rights released a proposed framework for Business and Human Rights which strongly endorses this approach.
(more…)

Back in April, I blogged about how Department of Homeland Security Secretary Michael Chertoff was “dead wrong” when he testified before the Senate that personal information can’t be “skimmed” from an unencrypted barcode, which all driver’s licenses will have under the REAL ID program. Chertoff completely denied that there are any privacy risks associated with the REAL ID card’s “machine-readable zone.”

Sen. Feingold, D-WI, was right to question Chertoff’s testimony that day and followed up with a letter asking the Secretary to further explain why he thought citizens’ personal information wasn’t at risk or why they couldn’t be tracked by scanning REAL ID cards during a multitude of transactions. Just this week, DHS responded to Sen. Feingold via letter. The Department again shirked responsibility for ensuring that Americans’ personal information stored on REAL ID cards is protected and not accessible by unauthorized parties – businesses and government agencies alike.

As with virtually all REAL ID privacy issues, DHS has punted the security of the machine-readable zone (i.e., barcode) to the states. CDT has consistently highlighted this as a key privacy issue (among many), arguing that the REAL ID program in total should be scrapped. Or, at the very least, the privacy and security shortfalls should be addressed by new legislation. Congress must act soon because DHS clearly can’t be trusted to meaningfully protect personal privacy.

Chertoff did not sign the DHS response letter. This saved the Secretary the embarrassment of admitting that he was the one who was wrong on this matter and not the privacy advocates seeking to protect the security of Americans from identity theft and other threats by raising the issue.

There’s an appealing simplicity to “all-you-can-eat” service plans. But at the buffet, there’s a natural limit to how much any individual can consume. Just think what would happen if a few large-volume eaters with virtually limitless appetites started slurping up virtually all the food at the buffet as fast as the restaurant could put it out. The rest of the diners either would face slim pickings, or would have to pay a lot more for the ticket to the buffet line, essentially subsidizing the mega-eaters, so the restaurant could afford to put out a lot more food. All of a sudden, “all-you-can-eat” wouldn’t seem like such an appealing arrangement.

Broadband Internet service in the United States has been sold as an all-you-can-eat offering, but that pricing system is showing some cracks. Time Warner Cable in January announced a trial of usage-based pricing, albeit in just one town. This week BroadbandReports.com was reported that Comcast is considering implementing a monthly usage cap, with overage charges for those who exceed the cap more than once. Usage caps are common in other countries.
(more…)

Earlier this week, I had the pleasure of participating on a panel about location-based services at the FTC’s town hall meeting, Beyond Voice: Mapping the Mobile Marketplace. Now that the number of U.S. consumers who own a mobile device has outpaced the number of U.S. Internet users, the policy issues in the mobile space are taking on increased importance. And with numerous new technologies that can determine the location of a mobile device – not to mention a government mandate that mobile phones should be locatable for 911 emergency purposes – location privacy issues are sure to be front and center.

In a separate proceeding at the FTC, the Commission recently asked for input about what kinds of data should be considered “sensitive” in the behavioral advertising context, where consumers’ online activities are tracked for the purposes of displaying relevant advertisements to them. CDT suggested that geographic location information should be considered as a sensitive data category that deserves special protections, in part because of the unique privacy challenges that location information presents.
(more…)

Today, CDT posted an updated memorandum on the most recent version of the Global Online Freedom Act (”GOFA”). GOFA was first introduced by Rep. Christopher Smith (R-NJ) several years ago in response to troubling reports of company complicity in Internet censorship and cooperation in prosecutions of dissidents who posted political material online. The late Rep. Tom P. Lantos, (D-Ca) took up the cause last year and the bill was reported out of the Committee on Foreign Affairs late last year. Industry opposition to the bill has been fierce and efforts to bring the bill to the floor on suspension have thus far been thwarted.

CDT strongly believes that technology companies doing business in countries that broadly surveil and censor the Internet must take serious steps to identify and minimize the human rights risks associated with providing services and technology solutions in those countries. For several years, we have been co-facilitating a multi-stakeholder initiative aimed at developing global principles to guide ICT companies facing free expression and privacy challenges. We remain hopefully that these principles will grow into a global industry standard that will give the industry a road map for collective action in this area.

We also believe that companies must not hide from these challenges. They should advocate for changes in public policy that protect the rights of their users, challenge laws where possible and collaborate with human rights groups and other stakeholders to build support for an open Internet that supports human rights. (more…)

A federal appellate court ruled that the government can freely search and save the files travelers maintain on their laptops when coming back to the U.S. from an out of country trip. The case, United States v. Arnold, No. 06-50581, 2008 U.S. App. LEXIS 8590 (9th Cir., April 21, 2008) has put business travelers in a tizzy and may pique the attention of members of Congress.

The case turns on the travails of Michael Arnold. As Arnold was re-entering the U.S. from a trip to the Philippines, he was pulled out of line at the checkpoint, questioned about his travels, and directed by an official of U.S. Customs and Border Patrol (CBP) to turn on his computer so they could verify that it was functioning. CBP officials opened files that appeared on the computer’s desktop screen, discovered that they contained pictures of nude women, then opened other files and found images depicting what they believed to be child pornography. Arnold was arrested and his computer was seized.
(more…)