FC: FCC's Farber warns of regulation if ISPs do discount tracking plan

[Declan McCullagh <declan () well com>]

Lauren Weinstein's latest privacy digest includes a lengthy warning by the 
author about potential industry practices. Seems as though a company called 
Predictive Networks hopes to partner with ISPs: They can then provide 
cheaper monthly dialup accounts through assembling demographic information 
about what web sites customers visit. There's no coercion involved; if you 
don't like it, you can use another ISP (albeit one, perhaps, that charges 
$25/month instead of $5/month).

Dave Farber, FCC chief technologist, forwarded Lauren's writeup to a 
mailing list he runs. The Subject: line was: "VERY IMPORTANT ISSUE -- 
Massive Tracking of Web Users Planned -- Via ISPs!" Dave warned that if the 
industry moves toward such a system, "adult supervision" will be imposed by 
the federal government through FCC regulation:

> I think the issues are a lot bigger than just how to get around such 
> behavior. as i have said often in the past, if this industry can not 
> behave itself and act like a rational self regulating , adult supervision 
> will be imposed -- that is called government regulation. (I have made that 
> a theme of talks I have given in my CT role at the FCC).
> If a similar idea was tried on the telephone infrastructure, I believe you 
> would get hauled off to jail for illegal wiretap. Lets get adult as a 
> business and realize that sometimes it is necessary to "just say no" to 
> ideas which are on the slippery slope toward regulation. No responsible 
> data carrier or isp should even think of getting involved in such a 
> "business opportunity" without carefully understanding the long term costs.
> Dave

Lauren's original note is below. Responses are welcome.

-Declan

************

PRIVACY Forum Digest      Thursday, 20 April 2000      Volume 09 : Issue 13

                (http://www.vortex.com/privacy/priv.09.13)

[...]

----------------------------------------------------------------------

Date:    Thu, 20 Apr 2000 18:04:08 -0700 (PDT)
From:    lauren () vortex com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Massive Tracking of Web Users Planned -- Via ISPs!

Greetings.

This is not a delayed April Fools' Day joke.  It's all too real,
and I assume that you're already sitting down.

Picture a world where information about your every move on the Web,
including the sites that you visit, the keywords that you enter into search
engines, and so on, are all shipped off to a third party, with the willing
cooperation of your Internet Service Provider (ISP).  None of those pesky
cookies to disable, no outside Web sites to put on block lists--just a direct
flow of data from your ISP to the unseen folks with the dollar signs (or
pound, yen, euro, or whatever signs) gleaming brightly in their eyes behind
the scenes.  You'll of course be told that your information is "anonymous"
and that you can trust everyone involved, that you'll derive immense benefits
from such tracking, and that you have an (at least theoretical) opt-in or
opt-out choice.

But just for some frosting on the cake, also picture that if you avail
yourself of the opportunity not to participate in such tracking (via opt-out
or opt-in choices), that you either cannot use the associated ISPs at all, or
will be faced with paying significantly higher fees than persons who are
willing to play along with tracking.

As you have no doubt guessed by now, this is not a theoretical scenario.
We're on the verge of starting down the slippery slope to this end right
now, with the imminent operations of Predictive Networks
(http://www.predictivenetworks.com) and other similar businesses also in the
works.

When I recently learned about Predictive (which has apparently been
established for some time and seems to be well funded), I naturally visited
their Web site, which was sadly lacking in obvious specifics such as an
actual posted privacy policy.  (I've since been told that this is a temporary
condition which will shortly be remedied.)  I spoke briefly with the firm's
president and had a much more detailed chat with his V.P. for Business
Development, and received an e-mailed copy of their privacy privacy.  Both
of these fellows were polite, cordial, and willing to provide me with the
information I desired about their plans.

Unfortunately, the more that I learned from these sources, the
increasingly concerned I became.

In brief, Predictive's business is to engage ISPs (not just "free" ISPs
where usage tracking has become typical, but conventional fee-based ISPs as
well) in arrangements where the ISP will directly feed Web usage data to
Predictive.  The firm also claims to be working with Internet backbone
providers.  To quote from Predictive's privacy policy:

    "Predictive Networks uses Digital Silhouettes to match Internet content
     and advertising with appropriate subscriber recipients.  As a result,
     subscribers receive information that appeals to their current needs and
     interests.  To develop a Digital Silhouette, The Predictive Network
     analyzes URL click-stream data, such as web pages visited, and date and
     time of visit.  URLs are then evaluated against more than 120 affinity
     and demographic categories, and assigned a score between zero and one.
     The resulting Digital Silhouette is simply an anonymous set of numerical
     probabilities inferred from subscriber behavior.  URL histories are not
     permanently stored and the data in the Digital Silhouette is not
     personally identifiable."

and:

    "To provide subscribers with content most relevant to their current
     interests, The Predictive Network may retain key words from Internet
     searches.  These key words are attached to the subscriber's anonymous
     Digital Silhouette and, like the Digital Silhouette itself, are not
     personally identifiable.  The Predictive Network also gathers data about
     a subscribers' response to messages and content, which is used to
     fine-tune future messages and message format."

It is Predictive's contention that they do not maintain an ongoing history
of sites visited (URLs), and that the Digital Silhouettes are maintained in
an "anonymous" fashion--so they feel that there is no violation of users'
privacy.

But outside of the fact that keyword search terms *themselves* can often
contain personally-identifiable or other sensitive data, also note from the
Predictive privacy policy that:

    "To optimize the format of the content delivered to subscribers, the
     anonymous Digital Silhouette may include specifications about the
     subscriber's computer, such as processor type, browser plug-ins and
     available memory.  For some of our ISP partners, Predictive Networks
     may provide a built-in dialer system.  Should an ISP select this
     option, The Predictive Network may require subscribers to furnish their
     ISP user name and password.  This information will be used strictly for
     account authentication purposes and will not be associated with the
     subscriber's anonymous Digital Silhouette.  Our ISP partners can also
     the leverage the power of The Predictive Network for customer service
     purposes.  Should a subscriber's ISP select this option, the ISP user
     name may be matched with the Digital Silhouette ID number.  This will
     allow The Predictive Network to send specific individuals important
     customer service information.  In addition, some subscribers may elect
     to have email service from their ISP.  Subscribers on The Predictive
     Network that choose this option may be required to supply Predictive
     Networks with their email address.  This information is used for email
     notification only."

In other words, there is a variety of personally-identifiable information
that you may need to provide to Predictive at various times, and you are
expected to trust Predictive not to purposely or accidentally misuse this
data.  You also must trust that Predictive will not associate this
information with your "Digital Silhouette" in any manner--nor let anyone
else make such an association.  One wonders what would happen in the face of
a court order to provide associated data for a civil or criminal proceeding
or investigation.

Most of the familiar problems we've seen in the past with so-called
"anonymous" tracking systems are present in this case.  Privacy policies can
be changed at any time (e.g., the recent DoubleClick fiasco).  Detailed data
that is theoretically discarded in the process of building "anonymous"
profiles could be preserved at any time, simply through software
alterations.  The very *existence* of these sorts of data collection and
tracking infrastructures is of great concern.  Even with the best of
intentions, the possibility for abuse is impossible to ignore--and as we
know there is a vacuum of laws to provide consumers with useful protections
in these areas.

Predictive claims that all of this effort is to bring better services to
Web users.  Their apparent view is that tracking people's usage to figure
out what sorts of ads to send them is far better than simply *asking* people
to select the sorts of materials that they might wish to receive.

Of course, whenever you use automated techniques to try figure out what
people want based on the Web sites they happen to visit, there is the
possibility of embarrassing errors.  For example, people may be suckered into
pornography sites by misleading banner ads, and not be at all interested in
receiving adult-oriented advertising.  Similar errors relating to other
topic areas can occur from any number of the inadvertent Web sites that all
of us hit in the process of typical Web browsing.  Predictive will let
people see the profiles that have been built about them--but sometimes you'll
have to *pay* for the privilege!  There are other interesting catches
as well:

    "In developing our anonymous subscriber Digital Silhouettes, Predictive
     Networks captures, analyzes and then discards URL click-stream data.
     While we do not permanently retain a record of each subscriber's usage,
     we can, upon request, make their Digital Silhouette available to them
     for review.  Any subscriber on The Predictive Network has the right to
     view their Digital Silhouette free of charge twice during the calendar
     year.  Subscribers will be charged $50.00 per request thereafter.
     Subscribers can obtain a copy of their Digital Silhouette by emailing
     Predictive Networks at silhouette () predictivenetworks com.  The email
     request must contain the subscriber's anonymous ID number, which can be
     found on their computer by holding down the shift key and
     right-clicking on about.  The corresponding Digital Silhouette will be
     emailed back to the subscriber within approximately ten business days.
     Subscriber should note that by emailing Predictive Networks, they may
     be "identifying" themselves to the Company.  While we do not
     incorporate this information into our Digital Silhouettes, we do
     maintain a separate record of Digital Silhouette requests for
     accounting and billing purposes.  Should a subscriber object to any or
     all of the information contained in their Digital Silhouette, they can
     opt-out of The Predictive Network permanently, or opt-out and
     re-register, which will erase the existing Digital Silhouette and begin
     a new one.  Again, Predictive Networks urges subscribers to consult
     their Internet service provider before opting-out as doing so may
     affect their Internet service and/or their Internet service rate."

The last sentence above is of *special* interest to the question of how
"optional" this tracking really would be.  It is apparently Predictive's
intention to encourage ISPs, both free and the conventional fee-based types,
to partner with them to create new revenue streams for the ISPs (and for
Predictive, of course).  It would appear to be the plan that in most cases
any use of free ISPs who have associated themselves with Predictive would be
predicated on your acceptance of the tracking.  You can opt-out, or refuse to
opt-in, but then you can't use the ISP.  Not much of an option!  The details
about the tracking may also be buried within an ISP's own privacy or other
policy statements, making it even less likely that most people will ever
bother reading or understanding all of the detailed ramifications of their
using these systems.

It also appears to be Predictive's intention to encourage fee-based ISPs to
offer lower rates to users willing to be tracked.  This can rapidly degrade
into a coercive situation where users who do not wish to participate in such
tracking will be forced to pay ever higher rates simply to maintain the same
level of privacy and non-tracking that they had in the first place (as the
immortal Alice learned, "running faster and faster to stay in the same
place"...)  Can ISPs resist this temptation?  If not, the *fundamental*
structure of the Internet and Web will be permanently changed in a manner
that could make reasonably-priced, non-tracked Internet access a rapidly
fading memory, and make all of the abuse potentials of these tracking
technologies the status quo engrained within the Internet infrastructure.

After Predictive gets their privacy policy online at their Web site, I urge
everyone interested in these issues to read the entire text.  There are many
other interesting sections, such as how they're dealing with the issue of
tracking children under the age of 13 (vis-a-vis the new Federal Trade
Commission regulations on this topic).  Basically, Predictive says that you
either must keep such children away from the computer, or must agree that
it's OK for the children to be tracked.  It's all or nothing.

Predictive of course says that they are very concerned about privacy.
They told me that they're forming a "privacy advisory board"--and so on.

I have a different suggestion.  How about if the users of the Internet and
World Wide Web, the millions and soon billions of individuals, take a stand
while we still have the opportunity?  We still have the chance to say that
our personal information is our own and that our Web browsing behavior is
private.  We may yet be able to successfully assert that we won't be
manipulated, coerced, or otherwise "bribed" into allowing our Web activities
to (as "The Prisoner" put it) be "pushed, filed, stamped, indexed, briefed,
debriefed, or numbered!"

The Internet and Web have tremendous commercial potential.  But it can be
achieved ethically and without the use of obnoxious technologies that are
being shoved down our throats like feed for animals destined for the dinner
table.  The firms who view the Internet as little more than a "cash cow" are
already placing the software rings in our noses in an effort to see us made
easier to manipulate and control.

The stink of the slaughterhouse may not be far away.

--Lauren--
Lauren Weinstein
lauren () pfir org or lauren () vortex com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy


--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
--------------------------------------------------------------------------