Committees in both Houses of Congress held hearings in July to examine the privacy implications of online behavioral advertising technology. In the July issue of Privacy In Focus®, we noted that broadband Internet service providers (ISPs) potentially could use technology known as deep packet inspection (DPI) to monitor their subscribers' online activities, such as the websites they visit and the search terms they use. Such information would generate a user profile, which in turn could guide the placement of online ads as a subscriber surfs the Web. An ISP would receive a fee when an ad is placed or clicked on, tapping into the existing billion-dollar online advertising market.

Publicly available information concerning DPI tools stresses that the information collected—standing alone without cross-referencing an ISP's subscriber records—does not personally identify an individual. In addition, plans to deploy DPI tools usually include an opportunity for subscribers to "opt-out" in some way. Some in Congress, however, remain skeptical.

Into the Limelight

Targeted online advertising has operated, in many respects, in a legal vacuum, where old regulation had not been shown to apply, and new regulation had not been adopted. Yet, powerful DPI tools could prompt lawmakers to fill the void.

DPI technology hit center stage on July 9, when the Senate Committee on Commerce, Science and Transportation held a full committee hearing on the privacy implications of online advertising. ISPs had declined the committee's invitation, but providers of DPI tools participated. While Senator Byron Dorgan (D-ND), who chaired the hearing, acknowledged that Internet advertisements support free online services, he voiced concerns about the invisibility of data collection, whether data would be secure, and how it would be used. He also emphasized the importance of consumer choice.

Whether DPI collections should occur without a consumer's express approval was a flash point in the July 17 hearing of the House of Representatives Subcommittee on Telecommunications and the Internet of the House Commerce Committee. Rep. Edward Markey (D-MA) asserted that existing federal law requires opt-in consent, comparing DPI tools to the post office opening personal mail. Before such an intrusion, he asserted, consumers must receive meaningful notice, and no data collection may occur without their express consent. In a heated exchange with Rep. Markey, Robert Dykes, Chairman and Chief Executive Officer of NebuAD Incorporated, a DPI tool vendor, asserted the legal sufficiency of "robust notice," informed subscriber choice (apparently, an "opt-out" choice), and a policy against linking collected data to personally identifiable information.

Whether existing law requires an "opt-in" choice is subject to debate. But this view underpins a July 14 letter to ISP Embarq from Rep. Markey and his colleagues, John Dingell (D-MI), the Chairman of the House Commerce Committee, and Joe Barton (R-TX), the Ranking Member. This bipartisan group demanded information about a DPI test Embarq allegedly conducted using real subscriber information, including the notice that was given, the choices offered, and the legal justifications for the test. Embarq subsequently has responded.

Confluence of Interests for Federal Legislation?

July's Congressional hearings are the latest in a long history of challenges to online advertising brought by privacy advocates and privacy hawks in Congress. So far, their efforts have not yielded much federal legislation. But the prospect of DPI-driven advertising may change this dynamic.

Large search engine companies, the dominant actors in today's online advertising market, could potentially support the enactment of federal law. Indeed, during the Senate hearing, representatives of Google Inc. and Microsoft Corporation both called for the passage of baseline federal privacy legislation to prevent a state law patchwork. These companies may also have larger strategic interests in privacy legislation. By applying to all online advertising, a privacy law could curb any relative advantage that might run to ISPs providing richer, DPI-generated subscriber profiles. Thus, a market-wide privacy burden could prevent ISPs—the potential new entrants—from eroding the search engines' existing large market share.