With three Congressional hearings held within the past four months, U.S. legislators have expressed increased concern about the handling of private online information. As Paul Ohm mentioned yesterday, the recent scrutiny has focused mainly on the ability of ISPs to intercept and analyze the online traffic of its users– in a word, surveillance. One of the goals of surveillance for ISPs is to yield new sources of revenue; so when a Silicon Valley startup called NebuAd approached ISPs last spring with its behavioral advertising technology, many were quick to sign on. But by summer’s end, the company had lost all of its ISP partners, their CEO had resigned, and they announced their intention to pursue “more traditional” advertising channels.

How did this happen and what can we learn from this episode?

The trio of high-profile hearings in Congress brought the issue of ISP surveillence into the public spotlight. Despite no new privacy legislation even being proposed in the area, the firm sentiment among the Committees’ members, particularly Rep. Edward “When did you stop beating the consumer?” Markey (D-MA), was enough to spawn more negative PR than the partner ISPs could handle. The lesson here, as it often times is, is that regulation is not the only way, and rarely even the best way, of dealing with bad actors, especially in highly innovative sectors like Internet technology. Proposed regulation of third-party online advertising by the New York State Assembly last year, for example, would have placed an undue compliance burden on legitimate online businesses while providing few tangible privacy benefits. Proponents of net neutrality legislation may want to heed this episode as a cautionary tale, especially in light of Comcast’s recent shift to more reasonable traffic management techniques.

Behind the scenes, the work of investigative technologists was key in substantiating the extent of consumer harm that, I presume, caught the eye of Congress members and their staffers. A damaging report by technologist Robb Topolski, published a month before the first hearing, exposed much of NebuAd’s most egregious practices such as IP packet forgery. Such technical efforts are critical in unveiling opaque consumer harms that may be difficult for lay users to detect themselves. To return to net neutrality, ISP monitoring projects such as EFF’s Switzerland testing tool and others will be essential in keeping network management practices in check. (Incidentally and perhaps not coincidentally, Topolski was also the first to reveal Comcast’s use of TCP reset packets to kill BitTorrent connections.)

ISPs and other online service providers are pushing for industry self-regulation in behavioral advertising, but it is not at all clear whether self-regulation will be sufficient to protect consumer privacy. Indeed, even the FTC favors self-regulatory principles, but the question of what “opt-in” actually means will determine the extent of consumer protection. Self-regulation seems unlikely in any case to protect consumers from unwittingly “opting-in” to traffic monitoring. ISPs have a monetary incentive to enroll their customers into monitoring and standard tricks will probably get the job done. We all have experience signing fine-print contracts without reading them, clicking blindly through browser-based security warnings, or otherwise sacrificing our privacy for trivial rewards and discounts (or even just a bar of chocolate).

Interestingly enough, a parallel fight is being waged in Europe over the exact same issue but with starkly contrasting results. Although Phorm develops online surveillance technologies for targeted advertising similar to NebuAd’s, a UK regulator recently declared that Phorm’s technologies may be able to be introduced “in a lawful, appropriate and transparent fashion” given “the knowledge and agreement of the customer.” As a result, Phorm has continued its trials of their Internet surveillance technology on British Telecom subscribers.

Why these two storylines have diverged so significantly is not apparent to me. One thought is that Phorm got itself in front of the issue of business legitimacy– whereas U.S. regulators saw NebuAd as a rogue business from the start, Phorm has been an active participant on the IAB’s Behavioural Advertising Task Force to develop industry best practices. Another thought is that the fight over Phorm is far from over since the European Commission is continuing its own investigation under EU laws. I hope readers here, who are more informed than I am about the the regulatory landscape in the EU and UK, can provide additional hypotheses about why Phorm has, thus far, not suffered the same fate as NebuAd.

Thanks to Ed and his fellow bloggers for welcoming me to the blog. I’m thrilled to have this opportunity, because as a law professor who writes about software as a regulator of behavior (most often through the substantive lenses of information privacy, computer crime, and criminal procedure), I often need to vet my theories and test my technical understanding with computer scientists and other techies, and this will be a great place to do it.

This past summer, I wrote an article (available for download online) about ISP surveillance, arguing that recent moves by NebuAd/Charter, Phorm, AT&T, and Comcast augur a coming wave of unprecedented, invasive deep-packet inspection. I won’t reargue the entire paper here (the thesis is no doubt much less surprising to the average Freedom to Tinker reader than to the average lawyer) but you can read two bloggy summaries I wrote here and here or listen to a summary I gave in a radio interview. (For summaries by others, see [1] [2] [3] [4]).

Two weeks ago, Verizon and AT&T told Congress that they would monitor for marketing purposes only users who had opted in. According to Verizon VP Tom Tauke, “[B]efore a company captures certain Internet-usage data for targeted or customized advertising purposes, it should obtain meaningful, affirmative consent from consumers.”

I applaud this announcement, but I’m curious how the ISPs will implement this promise. It seems like there are two architectural puzzles here: how does the user convey consent, and how does the provider distinguish between the packets of consenting and nonconsenting users? For an ISP, neither step is nearly as straightforward as it is for a web provider like Google, which can simply set and check cookies. For the first piece, I suppose a user can click a check box on a web-based form or respond to an e-mail, letting the ISP know he would like to opt in. These solutions seem clumsy, however, and ISPs probably want a system that is as seamless and easy to use as possible, to maximize the number of people opting in.

Once ISPs have a “white list” of users who have opted in, how do they turn this into on-the-fly discretionary packet sniffing? Do they map white-listed users to IP addresses and add these to a filter, or is there a risk that things will get out of sync during dhcp lease renewals? Can they use cookies, perhaps redirecting every http session to an ISP-run web server first using 301 http status codes? (This seems to be the way Phorm implements opt-out, according to Richard Clayton’s illuminating analysis.) Do any of these solutions scale for an ISP with hundreds of thousands of users?

And are things any easier if the ISP adopts an opt-out system instead?

Tom Lee makes an interesting point about the satellite case I wrote about on Saturday: the problem facing EchoStar and other satellite manufacturers is strikingly similar to the challenges that have been faced for many years by video game console manufacturers. There’s a grey market in “mod chips” for video game consoles. Typically, they’re sold in a form that only allows them to be used for legitimate purposes. But many users purchase the mod chips and then immediately download new software that allows them to play illicit copies of copyrighted video games. It’s unclear exactly how the DMCA applies in this kind of case.

But as Tom notes, this dilemma is likely to get more common over time. As hardware gets cheaper and more powerful, companies are increasingly going to build their products using off-the-shelf hardware and custom software. And that will mean that increasingly, the hardware needed to do legitimate reverse engineering will be identical to the hardware needed to circumvent copy protection. The only way to prevent people from getting their hands on “circumvention devices” will be to prevent them from purchasing any hardware capable of interoperating with a manufacturer’s product without its permission.

Policymakers, then, face a fundamental choice. We can have a society in which reverse engineering for legitimate purposes is permitted, at the cost of some amount of illicit circumvention of copy protection schemes. Or it can have a society in which any unauthorized tinkering with copy-protected technologies is presumptively illegal. This latter position has the consequence of making copy protection more than just a copyright enforcement device (and a lousy one at that). It gives platform designers de facto control over who may build hardware devices that interoperable with their own. Thus far, Congress and the courts have chosen this latter option. You can probably infer from this blog’s title where many of its contributors stand.

My friend Julian Sanchez reports on a September 29 ruling by a federal magistrate judge that retailers will not be required to disclose the names of customers who purchased open satellite hardware that is currently the subject of a copyright lawsuit. The Plaintiff, Echostar, sought the records as part of its discovery procedures in a lawsuit against Freetech, a firm that manufacturers consumer equipment capable of receiving free satellite content. The equipment attracted Echostar’s attention because it’s also the case that with minor modifications Freetech’s devices can be used to illicitly receive Echostar’s proprietary video content. Echostar contends that satellite piracy—not the interception of legitimate free content—is the primary purpose of Freetech’s boxes. And it argues that this makes them illegal circumvention devices under the Digital Millennium Copyright Act.

The ruling is a small victory for customer privacy. But as Julian notes, the case still has some troubling implications. Echostar claims it can demonstrate that Freetech has been colluding with satellite pirates to ensure its boxes can be used to illegally intercept Echostar content. But it is a long way from proving that allegation in court. Unfortunately, the very existence of the lawsuit has had a devastating impact on its business. Freetech’s sales have dropped about 90 percent in recent years. In other words, Echostar has nearly destroyed Freetech’s business long before it has actually proved that Freetech had done anything wrong.

Second, and more fundamentally, it appears that Freetech’s liability may turn on whether there is a “commercially significant” use of Freetech’s products other than satellite piracy. As Fred von Lohmann points out, that has the troubling implication that Freetech’s liability under copyright law is dependent on the actions of customers over whom it has no control. As Fred puts it, this means that under the DMCA, a manufacturer could “go to bed selling a legitimate product and wake up liable.” It’s a basic principle of law that people should be liable for what they do, not for what third parties do without their knowledge or consent.

None of this is to condone satellite piracy. I have little sympathy for people who face legal penalties for obtaining proprietary satellite content without paying for it. But there are legal principles that are even more important than enforcing copyright. The progress of the Echostar case so far suggests that in its zeal to protect the rights of content owners, copyright law is trampling on those principles. Which is one more reason to think that the DMCA’s anti-circumvention provisions needs to be reformed or repealed.