NebuAd Lawsuit

-

There needs to be a distinction between a computer monitoring someone's communications and a human monitoring someone's communications. With NebuAd's system, it's a computer doing the monitoring. And the logged information, even if read by a human, probably wouldn't be that useful. (I’m assuming that the categories used are fairly broad, e.g. "interested in cars"). Actual law enforcement monitoring systems (e.g. <a href=” http://en.wikipedia.org/wiki/ECHELON”>ECHELON</a>) are designed to alert their human operators when any suspicious activity is noticed (based on the same sorts of triggers that 4th-party ad networks like NebuAd and Phorm use) and then allow those operators to monitor all of a user's activity. Although it takes some getting used to and some trust, I think people will eventually come to accept computer monitoring, but they should be rightly suspicious of human monitoring.

The history of surveillance cameras informs what’s happening with deep packet inspection. When first introduced, people railed against surveillance cameras. But when the only footage the public saw from those cameras was of actual crimes taking place and/or the faces of the perpetrators of those crimes in an attempt to locate them and bring them to justice, people became less suspicious of the cameras and began to see them as beneficial. Although there have been instances of security personnel using surveillance cameras to ogle women, we've stopped consciously noticing the cameras and worrying about what they're recording.

With time, what has happened with security cameras will happen with DPI. But what will be interesting is what will happen when the information gathered from DPI can be used without disclosure to humans. Right now, DPI data is used to serve up ads. Soon (if not already) it will be used to serve up custom coupons. But what will people think if, when they apply for a job, in additional to a financial credit check, the employer does a ‘Internet surfing history’ check. The result could be just a numerical score of the "wholesomeness" of their Internet surfing habits, so that no actual data is disclosed, but if a low score looses them the job, the damage is still done. Would this be a privacy violation if their ISP's terms of service clearly stated that this type of monitoring could be done?

Current privacy laws focus primarily on the collection of data. Maybe the focus should instead be on how that data is used and disclosed to humans.

--Adam

Adam,

Under the law, it makes no difference whether it is a human or a machine that is monitoring your communications and information. It is the disclosure that it critical, not by whom or by what it is read or even if it is read at all. You have no reasonable expectations of privacy in the phone numbers you dial (Smith v. Maryland) and in your bank records (U.S. v. Miller), even though, generally, no other human actually ever sees this information. There is no privacy in this information because you have disclosed it to a third party.

By using a network that you know to be inspected by DPI, for purposes such as NebuAd, you have made a similar knowing disclosure and you have no expectations of privacy. Without expectations of privacy, there is no confidentiality and, thus, privacy rights cannot be maintained in your Internet communicatiosn. This is the Third Party Doctrine and it is black letter law.

You should check your ISP's ToS and privacy policy because they very clearly authorize monitoring and inspection. Under your ToS, I would argue that you have no expectations of privacy (see Heckenkamp and Angevine) and that DPI is, thus, not a violation of any privacy rights. I would also say that these ToS are unconscionable and unenforceable should they ever be challenged in court.

And what if all ISPs do the same thing? Then, there's no choice. An individual should not be forced to decide between internet access and giving away the property that is his/her privacy.

Matthew,

I agree that most ISP ToSes eliminate any expectations of privacy on the part of users (though I'm not saying I agree with those practices). If "disclosure" can only be disclosure to a human being, then electronic eavesdropping laws (both Federal and state) that focus on disclosure instead of interception are exactly what I'm suggesting. Similarly, I think there needs to be a distinction between "third parties" that are corporations with human employees and "third parties" that are simply machines.

When I dial a phone number, there are lots of machines that "know" what number I've dialed--they need to know this to be able to connect me to the person I'm trying to call. But it's a different matter when that number is disclosed to a person.

If ISPs wanted to, they could write ToSes that clearly explain that communications will not be disclosed to humans unless necessary to investigate problems with the service, and even then the disclosures will be only to the extent necessary and no disclosed information will be used for other purposes. E.g. if a phone technician needs to listen to a line to confirm that it's working, and they happen to listen in on a guy having a steamy conversation with his girlfriend, the technician should not have the right to record the conversation and share it with others just because he initially had the right to momentarily listen to the conversation. This is similar to the notion of someone exceeding the explicit or implicit security level they've been granted on a computer system. Just because you *can* access certain areas of a computer system, doesn't mean that you're *supposed* to access those areas, and doing so could be a violation of computer crime laws.

For over a century, privacy law has been based on a secrecy paradigm, and i think it has worked fairly well. I don't think it would be wise to abandon the Third Party Doctrine and its knowing disclosure analysis. Making determinations on expectations of privacy based on who or what sees the information would become an ad hoc process that would remove the certainty of the law that we now enjoy.

For me, a solution that would protect users' privacy rights would be a determination that abusive subscriber contracts are either unconscionable or against public policy, which would be enforceable in state court. ISPs should not force their users to waive privacy as a mandatory condition of service. Now if users voluntarily and knowingly waived these rights and submitted to DPI for some sort of tangible benefit (e.g. reduced prices), then things like NebuAd would be fine. But I find it abhorrent that users are required to forfeit their expectations of privacy (and associated rights) merely to connect to the Internet.

Internet access is supposed to be a deregulated market, which would make it subject to standard state contract laws, like all other deregulated industries. Users should be able to hold their ISPs accountable in court and not get lost in a jurisdictional purgatory.