As we discussed in our comments to the FTC last month, this model – where an ad network strikes a deal with an ISP that allows the network to conduct “deep packet inspection” (or “DPI”) of individual Web traffic streams – raises numerous privacy questions. The main difference between these new ad networks and other kinds of online ad networks is that DPI-based ad networks may potentially gain access to all or substantially all of an individual’s Web traffic as it traverses the ISP’s infrastructure, including traffic to all political, religious, and other non-commercial sites (even those that do not use cookies and those that do not deliver ads). The prospect of having a third party handling all of this data likely defies most users’ expectations that the entire body of their Web surfing habits is not generally monitored by anyone, much less a third-party ad network they’ve never heard of.

One of the biggest outstanding questions about DPI-based ad networks is the legal basis that ISPs are using to justify the transfer of their subscribers’ data to a third-party ad network. In a letter addressed to Charter’s CEO, Rep. Ed Markey and Rep. Joe Barton have inquired about how the NebuAd deal can be reconciled with the Cable Act of 1984, which allows cable operators to share subscriber data with third parties only when subscribers give their prior approval. We are anxious to see Charter’s response.

While the Cable Act applies only to cable operators, there are also questions about how the Electronic Communications Privacy Act (ECPA) — which covers all kinds of electronic communications — can be applied to DPI-based ad networks. With certain exceptions, ECPA and its amendments to the federal Wiretap Act prohibit ISPs from intercepting their customers’ communications or disclosing the content of those communications to a third party without the customers’ permission. Again, this doesn’t seem to square with Charter’s recent announcement.

There are also many unresolved questions about how users can opt out of the Charter/NebuAd system. In order to opt out, Charter subscribers are required to input their names and addresses into a Web form. However, the opt out choice is stored in a regular browser cookie, which does not need and does not contain the user’s name and address. Why, then, is Charter requiring users to fork over their personal information just to opt out? (And why are they using opt-out cookies, a mechanism that has major drawbacks?)

Another concern: As we understand it, even if you opt-out, your entire communications stream is still copied and delivered to NebuAd.  NebuAd says it won’t read or store the data of those who have opted-out, but isn’t there a way to implement user choice that does not involve delivering your entire data stream to a third party when you have expressly opted out of the service?

Answers to all of these questions are necessary before consumers can understand the implications of DPI-based ad networks.

The incident is a horrible and tragic one, and if the allegations are true, Ms. Drew could certainly face civil liability for her actions, and – at least under some states’ laws – she could face state criminal liability as well. But just because a grievous wrong may have been committed does not mean under our system that there should be a federal case to address the wrong.

If the theory of today’s indictment is allowed to stand, it would represent a gross and inappropriate expansion of federal power to regulate speech and communications over the Internet. It is important to understand the underlying “crime” here. The indictment does not really have anything to do with the alleged mistreatment of the girl in this case – the alleged crime is the asserted fact that Ms. Drew did not follow MySpace’s “terms of service.” The charges are based on an anti-hacker statute, and in this indictment, the “victim” is MySpace, not the girl.

The government’s theory is that if someone signs up for an online service and then does not follow the rules of that service, the use of the service is “unauthorized” and thus (according to this indictment) a federal crime. The underlying statute, 18 U.S.C. § 1030, is appropriately used to prosecute people who hack into a computer system. The federal government in this case is stretching this statute far beyond that scenario by saying that it is now a federal crime to use a public website if you do not follow every rule set by the website.

This indictment should make all Internet users wary of signing up for any online service without reading each and every “term of service” – because if you violate any term, you are committing a federal crime. This could seriously chill the robust interactivity of the Internet.

The inappropriateness of this federal indictment is made plain by where it was brought – in Los Angeles. Both the alleged perpetrator and the true victim – the young girl – are in Missouri, but the indictment was brought in Los Angeles, because that is where MySpace is based. At the end of the day, this tragic – but decidedly local – situation is one that is appropriately dealt with in Missouri, under the laws of Missouri, and not in a federal courthouse a thousand miles away.

Yahoo! learned the hard way that inattention to human rights can have devasting consequences. While some may see the new program as no more than an effort to restore the company’s reputation, we strongly applaud this new effort. Companies have an obligation to respect human rights and rigorous due diligence and risk assessment are the right place to start. Recently, John Ruggie, the U.N. Special Reporter on Business and Human Rights released a proposed framework for Business and Human Rights which strongly endorses this approach.

The report notes “[t]o discharge the responsibility to respect requires due diligence. This step describes the steps a company must take to become aware of, prevent and address adverse human rights impacts.” It is not enough, the report notes, to do good deeds to compensate for human rights harms elsewhere. “Companies must take proactive steps to understand how existing and proposed activities may affect human rights… and should refine their plans to address and avoid potential negative human rights impacts on an ongoing basis,” the report says.

With a Senate hearing coming up next week on the Internet and Human rights that will put the Internet industry in the spotlight once again, the report provides a sensible path forward for policymakers and companies.

As it’s described, the new Yahoo! program seems spot on with Ruggie’s recommendations, and while it is hard not to think about what might have been if such a program were in place several years ago, the company is clearly on the right path now. We hope that other companies in the technology sector see fit to follow Yahoo!’s lead.

Yahoo has been an active participant in the multi-stakeholder process that CDT has been co-facilitating with Business for Social Responsibility to develop a set of principles and supporting processes to guide the ICT sector facing privacy and free expression challenges in a growing number of countries. While that process–which includes our colleagues at the Berkman Center and a diverse group of human rights groups, academic institutions and social investment funds–is not yet complete, Yahoo! has clearly integrated what it has learned in that process into the design of its Business and Human Rights Program.

Sen. Feingold, D-WI, was right to question Chertoff’s testimony that day and followed up with a letter asking the Secretary to further explain why he thought citizens’ personal information wasn’t at risk or why they couldn’t be tracked by scanning REAL ID cards during a multitude of transactions. Just this week, DHS responded to Sen. Feingold via letter. The Department again shirked responsibility for ensuring that Americans’ personal information stored on REAL ID cards is protected and not accessible by unauthorized parties – businesses and government agencies alike.

As with virtually all REAL ID privacy issues, DHS has punted the security of the machine-readable zone (i.e., barcode) to the states. CDT has consistently highlighted this as a key privacy issue (among many), arguing that the REAL ID program in total should be scrapped. Or, at the very least, the privacy and security shortfalls should be addressed by new legislation. Congress must act soon because DHS clearly can’t be trusted to meaningfully protect personal privacy.

Chertoff did not sign the DHS response letter. This saved the Secretary the embarrassment of admitting that he was the one who was wrong on this matter and not the privacy advocates seeking to protect the security of Americans from identity theft and other threats by raising the issue.

Broadband Internet service in the United States has been sold as an all-you-can-eat offering, but that pricing system is showing some cracks. Time Warner Cable in January announced a trial of usage-based pricing, albeit in just one town. This week BroadbandReports.com was reported that Comcast is considering implementing a monthly usage cap, with overage charges for those who exceed the cap more than once. Usage caps are common in other countries.

Some say that users in the United States are accustomed to all-you-can-eat and will reject these new pricing models. But as in the buffet analogy, it depends what the alternative is. Flat-rate service for “unlimited” use sounds like a good deal, other things being equal It might not turn out to be such a good deal if the result is congestion due to a small percentage of users who engage in constant, high-volume file sharing or other high-volume activities. More modest users could suffer slower service due to congestion; could find their traffic subject to a new level of gatekeeper control and interference as the ISP responds to congestion by throttling back selected traffic, a la Comcast’s throttling of BitTorrent, or could end up paying higher prices to subsidize network expansion.

In the end, wouldn’t it just be more fair to put the burden on those users who are causing the congestion?

In saying this, I don’t mean to suggest that the high-volume users are necessarily doing anything inappropriate. While large-scale copyright infringement and spamming can drive volume, there also may be perfectly legitimate reasons for high-volume usage, whether file sharing or other applications. The problem really isn’t high-volume users per se — it’s the wide disparity in usage volumes among different users. When the disparities are that large, the all-you-can-eat model has major drawbacks. Asking the high-volume users to bear the costs of their usage doesn’t seem like a radical concept for avoiding those drawbacks. And it carries far less risk to the openness of the Internet than having ISPs pick and choose whose traffic will get dropped or bogged down and whose traffic will sail through.

As for consumer acceptance, it may be that nobody wants to have the sense that “the meter is running” with every second spent online. But it should be easily possible to design pricing plans in which only a tiny percentage of users has to worry about surcharges or volume caps. This week’s report about the plan Comcast may be considering offers a case in point. According to the article, only the top 0.1% of all subscribers would hit the usage cap and owe surcharges. For everyone else, the service would feel the same way it does today — essentially unlimited.

Of course, the service today isn’t entirely unlimited. Most carriers have vague restrictions against excessive usage, which they reportedly sometimes enforce. Now, maybe making the bandwidth limitations clear and explicit would change the way some consumers feel about their broadband service. But letting them know that their bandwidth allotment isn’t infinite wouldn’t be a bad thing. Today, users have no reason to inquire about the bandwidth usage of applications they use, much less to steer clear of ones that are inefficient bandwidth guzzlers. Encouraging users to place some value on bandwidth efficiency, the same way they may with energy efficiency, could help address congestion issues in a way that doesn’t raise a whole host of Internet neutrality concerns .

Two final points. First, any move to capped or usage-sensitive subscription plans should be accompanied by the provision of easy-to-use tools so subscribers can see how much bandwidth they are using and where they stand vis-a-vis any applicable caps or surcharge thresholds. Greater consumer awareness of bandwidth usage requires . . . (drumroll) . . . greater consumer ability to see what bandwidth they’re using. Even if the caps or surcharges are only going to affect a tiny percentage of users, anyone should be able to check their status. And providing such tools should not be difficult.

Second, any usage caps or thresholds will need to rise over time, if the idea is to target only the most active users. A cap that affects only 0.1% of users today could in the future start affecting a large proportion of average users once (for example) high-definition video becomes commonly available over the Internet. But this is something that network operators could monitor and adjust over time. Pricing plans can be usage-sensitive and still impose negligible additional complication or hassle on average users.

In a separate proceeding at the FTC, the Commission recently asked for input about what kinds of data should be considered “sensitive” in the behavioral advertising context, where consumers’ online activities are tracked for the purposes of displaying relevant advertisements to them. CDT suggested that geographic location information should be considered as a sensitive data category that deserves special protections, in part because of the unique privacy challenges that location information presents.

Unlike clickstream data, location information can be collected all the time and everywhere. Although many consumers may not realize this – 35% of respondents in a recent study did not believe law enforcement had the ability to track the location of their cell phones – mobile devices are constantly making location information available, even when they’re not in active use. Location information can also reveal potentially sensitive destinations, like government buildings and medical clinics, and it has the potential to be abused for physical stalking or domestic violence. All of these qualities differentiate location information from other kinds of data.

What location privacy does have in common with other kinds of privacy issues is the lack of a uniform set of rules governing the use and disclosure of the information. Telecommunications carriers are held to one set of standards for commercial use and disclosure of location information, while VoIP providers are held to a slightly different set, and third-party applications providers are covered under neither. The standards for government access to location information are also unclear; the case law in this area has not fully coalesced around what is required of government investigators before they can request real-time or historical location information from companies that have it.

Clearing up some of these uncertainties will help to foster consumer trust in the burgeoning location-based environment. On the FTC panel we heard about both the wide array of services that may be able to leverage location and about the kinds of self-regulatory and internal company policies that are helping to shape the creation of location-based initiatives. If these are developed with privacy in mind from the beginning, consumers may soon realize, in a new mobile way, the promise of the age-old saying: location, location, location.

CDT strongly believes that technology companies doing business in countries that broadly surveil and censor the Internet must take serious steps to identify and minimize the human rights risks associated with providing services and technology solutions in those countries. For several years, we have been co-facilitating a multi-stakeholder initiative aimed at developing global principles to guide ICT companies facing free expression and privacy challenges. We remain hopefully that these principles will grow into a global industry standard that will give the industry a road map for collective action in this area.

We also believe that companies must not hide from these challenges. They should advocate for changes in public policy that protect the rights of their users, challenge laws where possible and collaborate with human rights groups and other stakeholders to build support for an open Internet that supports human rights. In most cases, we believe the presence of U.S. ICT companies and the services they offer provide a powerful platform for political discourse and democracy building. Thus we do not believe that the withdrawal of U.S. companies from Internet-restricting countries would serve the aims of Internet freedom. To be sure, there may be times that the restrictions imposed by such countries are so extreme that a company cannot be a positive actor for human rights and may need to abandon the market. And there are certainly instances where a U.S. company should not sell software and consulting services to a repressive regime for a purpose that is plainly inconsistent with the protection of human rights. The recent reports of U.S. companies lining up to sell technologies to the Chinese police to improve surveillance capabilities strikes us as precisely the kind of activity the U.S. government should closely scrutinize.

But as we set out in the memorandum, we do not think that GOFA provides a workable approach to this problem. We welcome GOFA’s mandate that all appropriate instruments of United States influence, including diplomacy, trade policy, and export controls” be used to promote global Internet freedom, but question how the U.S. government which itself has not tied trade with countries like China to human rights improvements nor challenged the blocking of U.S. Internet content as a trade barrier (and in fact has strongly encouraged the ICT sector to enter these markets) can now place these companies in severe legal jeopardy for complying with the law in those countries.

The problem with GOFA is that it treats the Internet sector as adversaries rather than allies in the fight for global Internet freedom. If the ultimate goal is to change the behavior of Internet-restricting countries, the U.S. government must work collaboratively with U.S. companies to help them navigate these difficult legal environments, better assess and respond to human rights risk and to put pressure on these regimes to change their censorship laws.

The case turns on the travails of Michael Arnold. As Arnold was re-entering the U.S. from a trip to the Philippines, he was pulled out of line at the checkpoint, questioned about his travels, and directed by an official of U.S. Customs and Border Patrol (CBP) to turn on his computer so they could verify that it was functioning. CBP officials opened files that appeared on the computer’s desktop screen, discovered that they contained pictures of nude women, then opened other files and found images depicting what they believed to be child pornography. Arnold was arrested and his computer was seized.

Nobody has a right to bring child pornography into the country.

When CBP officials have a reasonable suspicion that a traveler is doing that, they should search the person’s papers and digital papers to see if the crime of transporting child pornography is being committed.

The case wasn’t about that.

Arnold’s case was about what officials can do at the border when they have no reasonable suspicion. Should they be able to download everything on a computer hard drive? The court reasoned that because the search of the computer’s contents occurred at the border, the same doctrine that permits CBP to search your suitcase permits its agents to cull through your computer or go trolling on your Treo or iPhone or whatever handheld electronic device you may be carrying.

But computers are not like suitcases or cars. They often contain a person’s most confidential communications, or a business’s most closely held secrets. They contain information about what websites a person visited, with whom they communicated, and sometimes, the person’s most confidential thoughts. There has to be at least some suspicion of illegal activity in the air before having our digital lives are laid bare. That’s why CDT joined with civil liberties and civil rights groups, with organizations representing business travelers, and others, asking Congress to hold hearings on CPB policies about seizing digital information and electronic devices at the border.

Capital One, the credit card company, asks: “What’s in your wallet?” Now, before they leave the country on a business trip, some companies are asking their employees, “What’s in your computer?” In effect, this court case tells travelers to leave their laptop behind if it contains something they don’t want to share with the government.

It looks like a great conference — John Morris and I are speaking from CDT. Here are all the details:

COMPUTERS, FREEDOM, AND PRIVACY: TECHNOLOGY POLICY ‘08
http://cfp2008.org/
18th Annual CFP conference
May 20-23, 2008
Omni Hotel
New Haven, CT

Conference Blog
Facebook Group
Conference Wiki
LinkedIn Group

Hotel Conference Discount Deadline: May 1, 2008
Early Bird Registration: Fri., May 2, 2008
Yale Journal of Law and Technology Tech Policy Essay Contest: Mon., May 5, 2008

ABOUT CFP: TECHNOLOGY POLICY `08

What should the technology policy priorities of the next administration be?

As the choice of presidential candidates becomes clearer and election year moves towards a comparison of the candidates’ platforms on the issues, technology policy is increasingly relevant to the forefront of public debate. In the areas of privacy, intellectual property, cybersecurity, telecommunications, and freedom of speech, topics that were once confined to experts now appear in the mainstream of political issues. We now know that our decisions about technology policy are being made at a time as the architectures of our information and communication technologies are still being built.

This year, the 18th annual Computers, Freedom, and Privacy conference is focusing on those issues at the forefront of technology policy this election year. With plenary panels on the “National Security State and the Next Administration” and “The 21st Century Panopticon?” the discussions taking place look towards our present and future priorities.

CFP: Technology Policy ‘08 is an opportunity to participate in shaping those issues being made into laws and regulations and those technological infrastructures being developed. Policies ranging from spyware and national security, to ISP filtering and patent reform, e-voting to electronic medical records, and more will be addressed by expert panels of technologists, policymakers, business leaders, and activists. The panel topics are listed below and full panel descriptions are available on the conference website.

The CFP: Technology Policy `08 conversation has already begun in the virtual spaces connected to the conference. Even if you are unable to attend the conference this year, there are several opportunities to participate remotely. The guiding principles that ought to guide our policies are being debated on the conference blog. Social networking groups on Facebook and LinkedIn are providing new spaces for the CFP community to meet and discuss. The Yale Journal of Law and Technology is hosting a call for essays, on the priorities of the next administration, with more details below.

We look forward to seeing you in New Haven on May 20-23.

First, Comcast and Pando hope to lead an “industry-wide effort” to create a “P2P Bill of Rights and Responsibilities” for P2P users and ISPs. We’ll have to see how this evolves, but establishing a set of best practices in this area could well be useful. It is important, for example, to ensure that users have control over how their P2P applications work, as in what files get shared, how and when the P2P application uses computer resources, etc.; the press release suggests that the question of “what choices and controls” consumers should have will be a central focus. So if Comcast and Pando succeed in getting broad buy-in to their ideas, this could be a productive discussion.

Second, the announcement says that Comcast and Pando will collaborate to run tests of Pando’s technology on Comcast’s network. If collaborating on tests can help Pando optimize its bandwidth efficiency and help Comcast work towards its promised protocol-agnostic approach to congestion management , that’s all welcome. It’s also a positive development if other ISPs and P2P providers can learn from the tests, as yesterday’s announcement suggests is intended.

At the same time, it is important to remember that the Internet has thrived as a platform for innovation in large part because it offers an open set of protocols that allows applications developers to roll out new products without seeking any kind of permission or cooperation from network operators. Voluntary collaboration is all well and good, but it would be a very different — and less innovative — Internet if collaboration with ISPs were to become a de facto expectation or necessity for anyone seeking to create and deploy new applications.

Individual deals between ISPs and applications providers are no substitute for open, generally applicable technical standards. Open technical standards are what enable independent software developers to innovate from a basement or garage, without the kind of corporate backing that would be needed to negotiate with ISPs. In the end, any “best practices” effort should steer clear of establishing any norm in favor of negotiated deals, and should keep in mind that not all applications developers will be companies with substantial resources. Likewise, technical efforts to address network congestion should look for system-wide approaches that are consistent with and reflected in open technical standards. An intricate web of individual, ad hoc arrangements and technical measures is not the Web, much less the Internet, that we’ve come to know and love.