Jane E. Kirtley (University of Minnesota) reviews recent efforts in Congress to develop national privacy legislation and explains the implications (pro and con) of "deep packet inspection"

Jane E. Kirtley (University of Minnesota) assesses the potential nationwide impact of new encryption laws in Massachusetts and Nevada

Jane E. Kirtley: While Congress toils on privacy legislation, technology continues its march for good and (potential) assault on privacy rights

PLI: It has long been apparent that technology is outpacing our ability to define and thus implement viable privacy protections, particularly in the area of data collection and behavioral advertising. Where is Congress on this?

JANE E. KIRTLEY: House lawmakers have announced plans to develop national privacy legislation designed to provide Internet users more control over the information that is being collected about their online activity.¹ Rep. Rick Boucher (D-Va.), chairman of the House Internet subcommittee, the entity leading the legislative effort, believes "consumers are entitled to some baseline protections" from behavioral advertising.²

Toward this end, a Senate committee and two House subcommittees have held hearings to learn about the benefits, potential abuses, and privacy concerns arising from Internet use.³ Representatives of Internet service providers (ISPs), online advertisers and consumer groups are among those who have provided insight on the current state of private sector monitoring of Internet use. These individuals and groups have also offered suggestions on what the proposed legislation should include.

The reality that consumers' online activity can be tracked and fed back to them as targeted advertisements raises privacy concerns, but lawmakers have been urged to take into consideration the benefits consumers, ISPs and online retailers receive from the technology, particularly in a depressed economy. Boucher has tentatively proposed some "baseline" measures. These include an easy-to-find privacy policy alerting consumers to what information is collected about them, how it is used, stored and whether it is sold to third parties, as well as the ability to opt-out, or prevent parties from using the information.⁴

What is deep packet inspection, or DPI? Deep packet inspection (DPI) is a developing technology that enables ISPs to open every packet of information sent over the Internet, read its entire contents and treat it differently based on what it includes. This treatment could include adding advertising information, collecting data about users or blocking the content altogether. A common analogy used to describe DPI is to think of the United States Postal Service starting a side business to open every letter, read its contents, and sell the information inside without the consent of the sender or recipient. Without the use of DPI, Internet service providers simply read the top level of routing information as it passes through the network, similar to how postal employees read the address on an envelope to ensure it reaches its correct destination.⁵

Aside from the privacy implications of DPI, some worry that the technology will enable an ISP to block, or at least slow, the transmission of content that does not help its bottom line finances while letting other traffic take priority. "The thought that a network operator could track a user's every move on the Internet, record the details of every search and read every e-mail or attached document is alarming," Boucher said at the outset of a subcommittee hearing on April 23, 2009, on recent developments in consumer privacy. Consumers often do not know information is being collected about them online, and if they do, they often do not know who is collecting it or how it will be used. "In the absence of legal rules, companies that are gathering this data will be free to use it for whatever purpose they wish — the data for a targeted ad today could become a detailed personal profile sold to a prospective employer or government agency tomorrow," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a non-partisan research organization.⁶

Opt-in or opt-out? A contentious point as Congress drafts Internet privacy legislation is whether to mandate an opt-in or opt-out policy. In general, consumer groups favor a ban against the collection of data on consumers' online habits unless they explicitly agree to its collection, while Internet companies generally favor opt-out policies.⁷ Anne Toth, head of privacy for Yahoo! Inc., argued against drawing a bright line between the two options. "The answer is that it's not one or the other — it's both. Some services and models should require an opt-in approach, while, for other models, an opt-out is a more appropriate default," Toth said. She contended that the decision between whether to use an opt-in or opt-out approach for a particular service requires considering "whether everything a user does online is collected through the service."⁸

Benefits of DPI: In addressing the privacy concerns raised by deep packet inspection, Congress must also balance the benefits the technology provides. These benefits go beyond the targeted advertisements that are likely to increase revenues for advertisers and retailers. Kyle McSlarrow, president and CEO of the National Cable and Telecommunications Association, identified several pro-consumer purposes of the technology. First, it can be used to detect viruses and prevent spam to guard against invasions of subscribers' home computers. Second, it can allow cable operators to plan for network growth by anticipating the needs of their subscribers. Third, it enables network operators to accurately respond to requests from law enforcement to intercept communication. McSlarrow also touted packet inspection as a tool in providing more choices and controls as Internet technology evolves, such as advanced parental controls over the streaming videos watched by children.⁹

Use of Behavioral Advertising: Companies that employ DPI for targeted advertising often stress that the information intercepted is anonymous in nature and that they only use a limited amount of the available data. "However, the privacy concerns that arise from the use of DPI begin with the interception, diversion, or copying of substantially all of the Internet traffic of all subscribers. Just because ISPs or advertising networks may use only a small portion of what is captured and do not retain other information does not diminish the breadth and intrusiveness of the initial data capture," said Leslie Harris, president and CEO of the Center for Democracy and Technology.¹⁰

Internet companies take varying approaches to collecting and using data for targeted advertising. Facebook claims its use of targeted advertising enables the company to offer the social networking site free of charge. Chris Kelly, Facebook's privacy officer, explained to lawmakers that Facebook uses information in individual profiles, such as someone's favorite movies, but that this is transmitted to third parties in non-personally identifying form. For example, Kelly said users may see an advertisement for a film screening based on what they list as their favorite movies, but personally identifying information (name, e-mail address and other contact information) will not be given to advertisers. Kelly acknowledged the company may have previously been "inartful in communicating with our users and the general public about our advertising products," but that "users should choose what information they share with advertisers."¹¹

In March 2009, Google announced it would move toward interest-based advertising in which advertisements would be shown to consumers based on the Web pages they visit and the YouTube videos they watch online. Users have the ability to view, add and remove the categories (sports, travel, cooking, etc.) used to show them interest-based ads when they visit Web sites. Users can also opt-out of interest-based ads altogether.¹² AT&T Inc. says it is committed to developing an opt-in policy that will require affirmative, advance action by the consumer before his online practices will be tracked for behavioral advertising.¹³

Safeguards in Place: Self-regulation may already prevent some abuses of DPI. "Good privacy protection is also good business," said McSlarrow, who added that cable ISPs have used DPI legitimately "for many years now — and for many good reasons."¹⁴ Some specific uses of DPI may already be prohibited under the federal Wiretap Act, 18 U.S.C. §§ 2510-2522, and Cable Act, 47 U.S.C. § 553. However, the boundaries of the Wiretap Act as it applies to DPI are not clear in all contexts. "Moreover, the Act was last modified more than 20 years ago and has not kept pace with technology. It simply does not provide sufficient protection to consumers against DPI's risks," Harris said. She cautioned that there are difficulties in providing adequate notice and consent between consumers and Internet service providers, particularly in instances when more than one person uses a single Internet connection.¹⁵

Download Footnotes

Save 40% on PLI course handbooks. This week use the link to order Communications Law in the Digital Age 2009.

CLE for $99! More from Jane E. Kirtley — order the 90-minute CLE On-Demand presentation Privacy Protection, Safety and Security (from the PLI program Communications Law in the Digital Age 2009).

Get 20% off the entire PLI program when you order Communications Law in the Digital Age 2009, available in Audio-CD, DVD and On-Demand formats.

Jane E. Kirtley: Massachusetts and Nevada put personal information of consumers first — nation may follow

PLI: Massachusetts and Nevada have taken the lead in identity theft and data protection with encryption laws. What are the substance of them and what do they bode for the future?

JANE E. KIRTLEY: Massachusetts and Nevada have taken the lead in mandating safeguards for consumers' personal information by requiring companies that store or transmit personal information to encrypt the data.¹ The regulations formulated by the Massachusetts Office of Consumer Affairs and Business Regulation under the state's data protection law, M.G.L. c. 93H, were intended to take effect Jan. 1, 2009, but enforcement for most of the law has been extended until Jan. 1, 2010.² A similar law in Nevada went into effect on Oct. 1, 2008,³ and was later amended to closely align with the Massachusetts standard by requiring encryption of information in data storage devices. These data protection standards [were] scheduled to go into effect in Nevada on Jan. 1, 2010.⁴ Michigan and Washington have also considered similar legislation and the list of states mulling a similar law will continue to grow.

Under both laws, "Personal information" is essentially a combination of a person's name and one or more of the following: social security number, driver's license number, credit or debit card account number or another financial account number. "Personal information" does not include what is lawfully obtained through publicly available data.

Massachusetts Law: To Whom Does it Apply? The regulations apply to all persons, businesses and legal entities that "own, license, store or maintain personal information about a resident of the Commonwealth."

Encryption Standard: The regulations define encryption generally without referring to a particular strength or technology, other than a form "in which meaning cannot be assigned without the use of a confidential process or key." The regulations also require businesses that allow access to or share personal information with third parties to take "reasonable steps" to make sure those entities comply with the law.

The state plans to judge compliance on a case-by-case basis according to the size of a business, its available resources, the amount of data stored, and the need for confidentiality. State officials warned that unless a business has its own in-house IT staff, it will probably need to consult an outsider to determine if its computer system meets the encryption requirements.⁵

Potential Penalties⁶: Penalties for failing to abide by the regulations could result in enforcement actions by the state Attorney General and may expose a business to damages in a private negligence claim or under another legal theory.

Nevada Law: To Whom Does it Apply? The statute applies to data collectors who do business in the state. A "data collector" means government agencies, colleges, universities, corporations, financial institutions and retail operators.

Encryption Standard: Nevada law requires the use of encryption software "that has been adopted by an established standards setting body," such as the National Institute of Standards and Technology. The law requires technology that "renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data."

Potential Penalties: Data collectors that comply with the law but suffer a security breach would have their liability for damages capped at $1,000 per customer for each occurrence. Companies that do not comply would face unlimited civil penalties, according to James Earl, executive director of the state's task force for technological crimes.⁷

Ramifications across state lines: The two state laws will inevitably have an impact on businesses and residents throughout the country and could soon lead to a de facto national standard. The Massachusetts law applies to any entity that stores personal information "about a resident of the Commonwealth," meaning all companies that have a national customer or employee base must meet the requirements. The Nevada law applies to data collectors "doing business in this State" so that the information of some residents outside of Nevada is also protected.

Many businesses already have encryption requirements that would meet or come close to meeting the new state laws. However, many attorneys are advising clients to err on the side of caution and address the encryption issue now rather than later. Doing so, they urge, will not only expedite compliance with any future laws, but also help ease fears of events such as stolen laptops that often lead to security breaches.

Download Footnotes

More from Professor Jane E. Kirtley — Download Privacy Protection, Safety and Security

40% off PLI course handbooks — Save when you order Tenth Annual Privacy and Data Security Law Institute.

Save 20% when you order the entire PLI program order Tenth Annual Privacy and Data Security Law Institute, available in Audio-CD, DVD and On-Demand formats.

Use the links below to get information on or to register for any of the following:

Broadband and Cable Industry Law 2010
January 25-26
New York City
March 1-2
San Francisco, San Francisco

Green Technology Law and Business 2010: Legislation, Financing, Carbon Trading and Sustainability
February 5
New York City
February 22
San Francisco, Live Webcast

Live Program Pick Save 25% when you register for the brand new PLI program Presentation Skills for Attorneys 2010, being held January 15 in New York City.

Reader's Corner Save 25% on a must-have for every professional — order Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age (4th Ed.), by Proskauer Rose LLP (Kristen J. Mathews, Ed.).

Let us know.
Contact All-Star Briefing

Click the links to subscribe to our fantastic free newsletters.

• IN-HOUSE INSIGHTS
• LAWYER'S TOOLBOX
• COMPLIANCE COUNSELOR
• POCKET MBA
• ALL-STAR BRIEFING