Computers, Privacy & the Constitution

Online Behavioral Advertising

-- By JonathanBonilla - 26 Apr 2009

As seen in O’Harrow’s No Place to Hide, online data aggregation can pose a real problem to consumers. One pervasive form of data aggregation occurs as a result of “online behavioral advertising” (OBA). Any time a user visits a site, performs a search, purchases a product online, or otherwise submits personal information to a site that participates in such advertising, this information is stored to track the user’s “behavior” and tailor future online advertisements to fit the user’s predicted desires.

FTC Regulatory System

Under the current system of US regulation, OBA is monitored by the Federal Trade Commission (FTC). 15 U.S.C. 45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts … in or affecting commerce”. This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as a deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has been following the development of OBA.

Unfortunately, FTC’s role in regulating OBA is largely passive. Compliance with the “deceptive acts” mandate is fairly simple for online publishers, merely requiring advertisers to inform a user exactly how they will make commercial use of the information. The self-regulatory scheme which emerged is equally ineffective, evinced by the fact that the advertisers’ policing body, Network Advertising Initiative (NAI), does not represent the entire industry. As well, FTC calls for congressional legislation to act as a backstop for NAI have gone unanswered.

Deep Packet Inspection

One of the more recent developments in OBA is the ability of advertisers to use Deep Packet Inspection (DPI) to monitor all traffic going through a particular Internet Service Provider’s (ISP) network. Compared to the traditional “cookie-based” model of web-behavior tracking, which could only monitor a user’s movements within the advertiser’s created network of sites (and only so long as the cookies were not blocked), DPI allows for inspection of all web traffic from a user, resulting in more closely tailored advertisements – as well as more information stored by the advertiser. Fortunately for consumers, DPI advertising is only possible through an agreement with ISP’s; unfortunately for consumers, ISP’s so far have been eager to explore this new profit source.

Not surprisingly, the FTC has failed to address DPI-based advertising any differently from previous OBA, despite the increased potential for privacy concerns. Taking matters into their own hands, a class action was filed by internet users against NebuAd? and ISP’s who allowed NebuAd? to install the DPI hardware on their networks, alleging violations of various federal and state statutes, including the Wiretap Act and Computer Fraud and Abuse Act. While this lawsuit will likely fail for similar reasons that previous cookie-based advertising litigation failed, Congress has already shown an interest in the DPI advertising process, and could potentially find DPI-based advertising to be serious enough to warrant legislation.

With potential legislation-based restrictions to DPI advertising in mind, the focus turns to whether such legislation would be able to withstand judicial scrutiny based on the 1st Amendment. This, in turn, could be viewed as having two components: the right to use DPI to inspect packets in the first place and the right to advertise based on obtained information. For the first aspect, it could be said that there is a right for the ISP to be informed; however, this seems distinguishable from the traditional right to education, as it does not directly relate to the ability of one to be informed in the democratic process, which is highly protected free speech. As well, any sort of right to inspect packets on the internet must be weighed against the right to privacy of network users. It would seem that any restrictive legislation on this topic would merely need to be justified in terms of a rational relation towards a goal of preserving the right to privacy. For the second aspect, the right to advertise falls under a form of commercial speech, which is protected unless intermediate scrutiny can be overcome. Again, such speech must be weighed against the counter-point of privacy concerns, but since the “speech” in advertising involves sending tailored information back to the person the information came from, the privacy concern for transmitting OBA is reduced. The result is that restrictive legislation would have to be careful not to overstep “excessive restrictions” imposed by Central Hudson.

Possible Tech Solution

One counter argument to the basis of this paper is that given technology available today, namely, Firefox, AdBlock? , and TrackMeNot? , the issue of OBA should not be a concern, since online ads can be blocked prior to ever being seen by the user. While the point is valid that some users are capable of blocking ads through this technology, it is a stretch to assume that use of this technology is significant enough to render advertising unprofitable, either now or in the near future.

Estimates of Firefox usage range anywhere from 10% - 20% of the browsing population; of those, only a small fraction have downloaded AdBlock? Plus, with the percent using TrackMeNot being negligible. Even if vastly more users were to switch over to Firefox and install AdBlock? , which seems unlikely especially when reports raise security concerns (and in light of Google’s Chrome browser), the whole efficiency of OBA is that it is extremely cheap to tailor ads to a large number of individuals. Chances are that any person who would use AdBlock? and TrackMeNot? were probably not clicking on the advertisements anyways, thus already not contributing to the profits these companies earn, which is based on advertisement success.

It would seem for this situation that technology is not a current realistic solution. With the FTC regulatory scheme providing little protection, a solution would have to come from Congress, either in the form of establishing restrictions to DPI, or perhaps creating a private cause of action based on weak privacy policies.

(Word Count: 993)

  • What's the point of footnotes in a wiki? Why not just link directly from the text?

  • It doesn't seem to me that you've ever addressed first principles:
    1. A packet moving on the public internet: who should be allowed to study it? Do I have a first amendment interest in my ability to learn from the traffic on the net?
    2. Given that I have some knowledge about someone, without regard to how I gained that knowledge, do I have a First Amendment right to advertise to them on the basis of what I know about them?

  • Then it seems to me there are some practical questions:
    1. If a behavioral advertiser is studying my behavior on the net in order to serve me ads that I am automatically removing from my web content before I see them: (a) am I harmed? (b) will he keep spending money to serve ads I will never see? (c) does this cycle when repeated ever end with the advertiser better off? (d) if not, why not just teach your friends how to install AdBlock Plus and stop worrying about the problem?
    2. If a behavioral advertiser is studying my behavior on the net in order to serve me ads that I am automatically removing, but in fact he's not studying my behavior because I am automatically also sending out a large number of automatically-generated random net behavior, designed to confuse onlooking analyzers without making my life harder in any way: [repeat all subparts of question 2, substituting TrackMeNot for AdBlock Plus.]
    3. In light of numbers 1 and 2 above, what is this all about, again?

# * Set ALLOWTOPICVIEW = TWikiAdminGroup, JonathanBonilla



Webs Webs

r8 - 05 Jan 2010 - 22:30:31 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM