ISPs to Congress: Let us regulate our own privacy practices

Time Warner's Peter Stern added that he doesn't believe the consumer actually cares who is doing the targeting, but may simply prefer that it not be done -- a sentiment echoed later by Verizon's Tauke and AT&T's Attwood. That may not exactly coincide with their promises to give customers a way to opt out, or whatever they want to call it, especially because not only would customers need to know what to opt out of or from, but from whose page they would be doing it. Verizon's? Google's? Platform-A's?

That disparity did enable ISPs' representatives to point the finger elsewhere, at content providers and ad platforms that are conducting targeting operations, and that are out of these ISPs' control. None of them named names, though "Google" was certainly on the edge of their lips, as was a certain "C" word.

The designated name-namer at this morning's hearing was D. G. Sohn, vice president and founder of Public Knowledge. Sohn used the dreaded term deep packet inspection (DPI) to refer to the tool recently used -- and mis-used -- by ISPs to determine the online behavior of their customers. However, she wasn't afraid to use the "C" word.

"Simply put, DPI is the Internet equivalent of the Postal Service reading your mail," remarked Sohn. "While a postal worker might read your mail for any number of reasons, the fact remains that your letter is being read by the very person whose job it is to deliver it."

Usually, the packetization of Internet data enables routers to access just the information necessary to forward those packets in the direction they need to go, Sohn reminded senators, without peering into packets' contents. Those headers are essentially packets' "envelopes."

"Until recently, when you handed that envelope to your ISP, the ISP simply read the address, figured out where to send the envelope, and handed it off to the proper mail carrier," she continued. "Now, we understand that some ISPs are opening these envelopes, reading their contents, and keeping varying amounts of information about the communications inside for their own purposes. In many cases, ISPs are actually passing copies of the envelopes onto third parties, who in turn read and make use of that information. For the most part, customers are not aware that their ISPs are engaging in this behavior. The end result is much like if the postal service were to open your letter, photocopy it, hand that copy to a third party, and then reseal the letter."

Who's the guilty parties in this case? D. G. Sohn: "So far, we've seen ISPs like Comcast use DPI as a means to identify and block certain types of Internet traffic, in violation of the FCC's Internet policy statement. We've also seen advertising companies like NebuAd use DPI to collect browsing histories, online habits, and other potentially personal information about users, in order to display advertisements targeted to a specific user's interests. The very nature of DPI raises grave privacy concerns. As a result, when evaluating an implementation of DPI, there are three basic questions that must be answered in order to assess both the impact on the user's privacy, and the acceptability of the use of the technology in question: First, what purpose is the collected data being used for? Second, how is that data collected and utilized? Third, how is affirmative, informed consent obtained?"

In previous Congressional hearings which involved such notables as NebuAd and Comcast, senators and representatives were more than happy to turn up the heat. This morning, the room was already hot enough from the residual heat going on down the hallway. It's fair to say there was no "grilling" taking place today.

And that enabled witnesses to point the finger of blame to sources unseen or unknown, without any challenge. "Right now, there is behavioral targeting in the online environment," said AT&T's Dorothy Attwood at one point, "and it is by Web actors who don't have direct customers to answer to. But the beauty of an advertising-supported model is that it's free; the disadvantage is that your customer is your advertising industry. It's not your retail, it's not our customers. So while I think there is a direct advantage that we have to our customers, I think we would, at AT&T, say, another key element to any legislative proposal would be that it apply to all actors, because that's really the only way."

How would that happen? Verizon's Tom Tauke suggested that Congress apply itself to a re-examination of the entire Communications Act, which he blamed for creating a system whereby one set of actors (telecom companies, like his) are governed by one set of laws, and another set (like Time Warner and Comcast) are governed by a different set. That's at the center of the debate over whether the FCC even has the authority to mandate Comcast's practices in the broadband field.

Sen. Byron Dorgan (D - N.D.), who chaired today's hearing in place of Committee Chairman Inouye, responded to that by implying that an overhaul of that magnitude would be...perhaps impossible at this point; and Tauke threw up his hands as if to say, "Exactly."

One small point of contention occurred when Sen. John Thune (R - S. D.) noticed the extreme similarity between the three ISPs positions and frameworks -- besides a shuffling of the order of the bullet points, they were essentially the same. So were they already working together...without Congress knowing about it?

Verizon's Tauke stopped short of pleading the Fifth: "First, we have signed some non-disclosure agreements with some other companies that wouldn't permit me today to publicly disclose who all the players are. But I think it is fair to say that there are ISPs, there are representatives of other online types of activities, and so I think we're seeing people from all parts of the online sector -- the search engines, the browsers, and so on -- who are interested in participating in this kind of thing," he responded, once again dancing concentric circles around the word "Google."

Sen. Dorgan did find an opportunity to infuse the discussion with an analogy he'd used before: "If somebody followed you into a mall with a clipboard and traced everything you -- not just bought, or store you visited, but every single item you looked at, you'd have great angst about that. Who on Earth is doing this? And yet that potential exists, so that's why we have to try to deal with this tension between the constructive advertising models on the Internet, and the right to privacy."

What did Dorgan mean by "deal with?" In closing today's hearing -- somewhat abruptly, given the circumstances -- he conceded that he wasn't sure at this point legislation was the answer. So early this afternoon, witnesses emerged into a world that was basically unchanged from the one they inhabited before the proceedings began.