Tuesday, September 9, 2008

Dealing With I.S.P. Snooping - "The Rise and Fall of Invasive ISP Surveillance"

One of the hot privacy topics of the day - which directly ties to the debate over Net Neutrality - is the danger ISP filtering poses regular old consumers like you and I because of the staggering amount of personal and private information they routinely have access to.

What seems to be generating a lot of buzz right now on this topic is a new paper by Paul Ohm - a former Justice Department official who now is a professor of law at the University of Colorado - entitled “The Rise and Fall of Invasive ISP Surveillance”.

I call it buzz because I found some pretty comprehensive write ups on the paper in both the New York Times and Arstechnica.com.

I'll primarily focus on the New York Times piece, but before I get to that, let me allow Professor Ohm to lay out the crux of his case:

"In modern connected life almost no other entity poses a greater threat to privacy than the ISP. ISPs pose a much greater threat to privacy than other online entities and they even pose a greater threat than offline institutions as well, including doctors, psychiatrists, and lawyers."


Because ISPs pose such a high risk of terrible harm to so many people, and because of the unmistakable signs that things are getting worse, they must be regulated.

Yes, he's saying the threat is greater even than Google.

So what's the big deal you ask? And why has this suddenly become a bigger threat than before? For that answer, let me first quote a clip from Arstechnica before I get to the Times piece:

Internet-savvy users are fully aware of this, of course, but most haven't had major concerns about all that sensitive data they're pushing through the tubes. ISPs have generally been solid on privacy, as Ohm concedes, and they've lacked the technical means to really invade that privacy, anyway. So why all this talk of a privacy apocalypse that will see blood raining from the skies and screams of the damned outside making it tough to keep concentrating on that World of Warcraft session?

The two bulldozers, in Ohm's view, that are remaking the ISP landscape are "deep packet inspection gear" and "tremendous commercial pressures." ISPs at last have the technical capacity to monitor huge amounts of user web traffic in realtime, and advertisers like NebuAd and Phorm are (or were) simultaneously offering large cash payments for access to Internet traffic.

Apart from these two major commercial forces, government mandates also lurk in the background. CALEA rules have forced ISPs to install this sort of gear in order to provide full wiretap access to a user's Internet data stream when required by law.

And content owners have been leaning on governments around the world, which in turn are leaning on ISPs to do something about the illicit P2P problem. Filtering has been one solution beloved of copyright owners, and ISPs like AT&T have even publicly committed to doing so. And then, of course, there's Comcast.

The New York Times elaborates:

Even though Congress has growled loudly enough to get Internet service providers to back off their plans to sell information about their customers’ Web surfing to advertising companies, one prominent legal expert argues that the law governing the issue should still be made tougher.


Mr. Ohm argues that the regulatory issues are still relevant because the Internet providers still have a strong incentive to seek money from advertisers to supplement their monthly fees.

The Electronic Communication Privacy Act, a 1986 law originally meant to keep telephone companies from listening to the calls of their customers, probably applies to some of these Internet monitoring schemes, Mr. Ohm writes. If a court determined that the browsing history of an Internet user represents the “contents of communication,” it could be construed as wiretapping, he wrote. Wiretapping, under the law, is a felony and also is a cause for civil action.


(Ohm) said he was surprised that Internet providers had proceeded as far as they have with plans for these advertising systems...Nonetheless, Mr. Ohm argues that the law is overly complex and ambiguous, and should be clarified. His article proposes simplifying the overall structure:

The new unified law should regulate all monitoring — without distinguishing between whether the monitoring is of content or not — provided it is monitoring of data “of or pertaining to a user, customer, or subscriber.”

He wants to make clear that Internet providers would be allowed to monitor customers to protect themselves, such as to track down a hacker. But that exception would need to be related to a specific incident. Routine and automated monitoring of customers, beyond the minimum needed to operate a network, would be banned.

Finally Mr. Ohm wants to make it much harder for customers to waive their protections by consenting to some boilerplate agreement. Internet users would need to authorize the monitoring of their surfing each time they use the Internet, under the standard he proposes.

Mr. Ohm said he is much more concerned with Internet service providers than with other Web companies, such as Google. Web sites, he said, have the ability to describe what they are doing with customer data on every page, although they may object to doing so. Consumers don’t really interact explicitly with their Internet providers once they set up a connection. Moreover, Internet providers have an unusually broad view of what customers read, buy, watch and listen to.

“Google doesn’t know what I do when I’m on MSN,” he said. “But your I.S.P. does. There is no hiding from your I.S.P.”

I think it goes without saying this is an incredibly important paper to the future of Internet privacy and how we proceed with protecting all users from invasive and intrusive monitoring.

Ohm's paper also seems to dovetail quite nicely with the concept of "network neutrality", because if the power of existing privacy and wiretap laws, as he asserts, can prevent providers from scrutinizing user communications closely, then neither could they discriminate between different types of traffic...which is the gravest of concerns within the Net Neutrality movement.

If the goals of net neutrality can be won through the use of existing "highways" as Ohm believes, rather than building new ones, we might have just gotten a lot closer to the grail: a free, private (relatively) and open Internet for all.

No comments: