ISPs and the Power Bestowed Upon Them
A series of laws aimed at preventing such crimes as child pornography has the unintended consequence of placing a great deal of power in the hands of Internet service providers. Are they using this power responsibly? Episodes such as the NebuAd incident indicate they aren't.
"With great power comes great responsibility" is an oft-quoted line from the first "Spider-Man" film. Without torturing the "web" metaphor beyond its breaking point, it also applies to your friendly neighborhood Internet service provider.
A maze of legislation, regulations and business practices dating back to the 1930s has given ISPs the power to find out if you are downloading child pornography and turn you in to law enforcement officials, to snitch on you to the Recording Industry Association of America if you have pirated media on your computer, and to regulate the amount of data coming into your neighborhood nodes under the guise of "network management." They know where you Web surf, what you do while there and how long you do it. They hang on to that data for a minimum of three months, although proposed legislation in both houses of Congress would mandate an extension of that time period to 2 years. And one of them had a deal in place to divert that data for behavioral advertising, although public outcry scuttled that idea.
So are ISPs taking this great responsibility seriously? Are they erring on the side of consumer privacy, the fear of liability or the threat of law enforcement/Congressional fiat?
"You have to start with the proposition that the law actually gives network operators a lot of freedom for accessing and reviewing the information going over their networks," Albert Gidari, partner at the Seattle office of the Perkins Coie law firm, told the E-Commerce Times. "We don't regulate here like the Europeans. We don't start with the basic premise that information about me is mine and you can't use it."
ISPs (Barely) Tell Their Side
Service providers like Comcast and Verizon may tout the blazing capabilities of their broadband offerings, but they tend not to break any land-speed records when asked for responses about proposed data retention legislation, such as the bills introduced by two Texas Republicans, Sen. John Cornyn and Rep. Lamar Smith. The Internet Safety Acts would require ISPs to hang on to IP addresses for up to two years to assist with law enforcement prosecution of child exploitation on the Web.
A week after receiving an email seeking comment, Comcast spokesperson Sena Fitzmaurice told the E-Commerce Times that her company was not talking about the proposed legislation, leaving that to the U.S. Internet Service Provider Association; Comcast holds membership in the association. "We currently retain IP address assignment information and do not retain any other information unless required to do so by a valid legal process," Fitzmaurice said.
The USISPA did not respond to a request for comment by press time.
"We are watching closely to see what measures gain traction in Congress," Verizon spokesperson David W. Fish told the E-Commerce Times after several days of voicemail and email requests. "The committees may consider a variety of proposals." Like Fitzmaurice, Fish did not respond to questions about cooperating with the RIAA or how Verizon viewed its data monitoring powers. Fish did, however, send along a transcript of Verizon general counsel Thomas Dailey's June 2006 testimony before the House Energy & Commerce Subcommittee on Oversight & Investigations. The testimony included this passage regarding a previous attempt to mandate a 2-year data retention period:
"While the debate over data retention is still forming, Verizon's general view is that IP address assignment and customer record information collected in the normal course of business could be retained by network providers for a reasonable period of time, and if retention is required, that the period of retention should be long enough reasonably to enable law enforcement to conduct their investigations. Whether this obligation should extend to others in the Internet community is still open to debate, as is whether the period of retention should be 24 months (as has been proposed) or a shorter period more in line with the retention policies of businesses in effect today."
A Brief History of Communications Laws
Gidardi, who has studied privacy law for 20 years and chairs the privacy committee for his law firm, says the first time Congress took a look at protecting the sanctity of data was in 1934, and the technology involved was what Samuel Morse and Alexander Graham Bell hath wrought. The Communications Act passed that year held that no one could intercept telegraph and telephone communications. "The FBI ignored that, and in a series of cases that went to the Supreme Court, it upheld the lower courts decision that no person meant no person, including the FBI. Law enforcement wasn't exempt," Gidari said. "But at the same time, in similar cases, they upheld the carriers' right to monitor their system to prevent fraud."
The Crime Control and Safe Streets Act of 1968 codified some of the precedents from the 1930s by maintaining the need for warrants if wiretapping was involved and granting national security exemptions for the executive branch.
The powers that exist today for ISPs are largely the result of the Electronic Communications Act of 1986. "That especially gave access providers the right to randomly monitor and observe the traffic going over their networks. They can't do that with telephone calls, but Congress saw a difference with the nascent networks and the dawn of the Internet, and said 'We're just going to restrict you from disclosing electronic communications, but we'll give you the right to look at whatever you want to over your networks,'" Gidari said.
Those rights have expanded to include seeking customer consent to do more with that information "We wouldn't have much of an Internet or a software business if we didn't have click-through agreements, uniform licensing agreements. ISPs rely on the consent of customers to do more," Gidari said.
The law also permits ISPs to disclose information without permission if it relates to crimes that could endanger life, cause physical harm or threaten property rights. Hence, handing over IP addresses to the RIAA. "If they're sued by the RIAA for activities that are alleged to have infringed (on copyrights), they actually have the right to defend those lawsuits by disclosing information claiming they have no knowledge, and if a court orders them, to go ahead and disclose who is infringing," Gidari said.
Privacy Advocates Have Their Say
The law of unintended consequences is helping to write the 21st century chapters of Internet and privacy law as it relates to ISPs, Gidari said. "These well-meaning efforts on one side to help law enforcement to monitor communications of the bad guys provide them (ISPs) the capability to do the same thing for the RIAA. These three-letter agencies and four-letter agencies are darn interested in what you got," he said.
Yet there are other three-letter agencies and organizations that exist to make sure ISPs exercise their powers wisely. It was the FCC that punished Comcast for what it said was an irresponsible use of traffic management techniques last summer when it slowed down data for some customers because it claimed they were hogging bandwidth with their movie and music downloads. And the CDT, Center for Democracy and Technology, is one example of a privacy advocate that keeps an eye on service provider use of customer data, as in the NebuAd controversy. In May 2008, Charter announced its partnership with the online advertising company would allow for targeted Web ads from NebuAd based on which Web sites customers like to visit. An outcry from privacy groups and customers prompted Charter to pull back on its plans.
"Those approaches have raised a lot of red flags and caused concerns," CDT general counsel John Morris told the E-Commerce Times. "While there are not a lot of clear laws that delineate an ISP's tracking your Web surfing, there certainly is a lot of consumer pushback.
"On the one hand there's not a good, broad legal protection for privacy, as we think there should be. But on the other hand there is a lot of concern about tracking of information for ad purposes and the like."
Concern can be extended to laws like the Internet Safety Acts, Morris said. "They always name these bills some name that makes it very, very hard to vote against," he said. He has problems with the proposed laws that can be traced back to the unintended consequences category. "Law enforcement right now has the ability to get ISPs to preserve data -- they don't need any more authority there. What this bill would do is dramatically lead to a significant increase in the number of civil litigations against ISPs, with people trying to find out information in a divorce case or in a civil lawsuit. It opens up a whole range of possibilities."