A Clear Case for ISP Regulation: IP Address Logging

[David Farber <dave () farber net>]

           A Clear Case for ISP Regulation: IP Address Logging

                http://lauren.vortex.com/archive/000577.html


Greetings.  Over on the Network Neutrality Squad
( http://www.nnsquad.org ) yesterday, I noted, without comment, the
following quote from the new Time Warner Cable privacy policy bill
insert:

  "Operator's system, in delivering and routing the ISP Services, and
   the systems of Operator's Affiliated ISPs, may automatically log
   information concerning Internet addresses you contact, and the
   duration of your visits to such addresses."

Today I will comment, and explain why such logging by ISPs creates a
clear case for regulatory intervention, on both privacy and
competition grounds.

ISPs -- the providers of "last mile" Internet access -- are in a
unique position vis-a-vis any other provider of Internet-based
services.  While any individual Internet service -- e.g., a Web
site -- can log a variety of information about their individual users,
ISPs have the ability to log access information relating to virtually
*all* internal and external services that their subscribers visit.

There are some technical limitations.  Without using Deep Packet
Inspection (DPI), an ISP would normally be unable to differentiate
which external virtual server a user was accessing on a single shared
IP address, and technologies such as proxies and VPNs also can obscure
addressing info.

But from an ISP standpoint, IP address usage information alone could
be a veritable treasure trove, particularly from a competitive
standpoint.

In the case of Time Warner, their statement regarding IP address
logging is buried in a very long privacy policy comprised of very tiny
print.  It is confusing in some ways.  It appears to conflate IP
address logging with gathering of personally-identifiable information,
and doesn't seem to explicitly address how long logged IP address
data, per se, will be retained.  However, it does state that
personally-identifiable data will be retained for "as long as it is
necessary for business purposes" ("as long as you are a subscriber and
up to 15 additional years").

The privacy concerns related to one entity having a log of virtually
*every* site that you visit on the Internet, and how long you visit
those sites, are fairly obvious.  As I noted, this capability goes
far, far beyond the IP address logging possible by any given non-ISP
Internet service.

But perhaps much less obvious is the manner in which such ISP IP
address logging capabilities could be abused in anticompetitive
manners of direct concern to us all.

If ISPs were just providers of "dumb Internet pipes" -- as most were
until fairly recently -- related anticompetitive concerns would be
largely moot.  But for many ISPs these days, especially all of the
vastly dominant U.S. ISPs, the big money isn't in providing Internet
access, it's in providing content -- especially video content.

The inexorable move of video to the Internet is now driving many of
the most contentious Internet-related issues, including battles over
pricing and bandwidth caps.  In such an environment, knowing as much
as possible about how your users partake of the competition is
invaluable.

Logged IP address data could provide ISPs with a window directly into
how their Internet video competitors and other competitors operate, in
a manner only possible by virtue of being ISPs with direct access to
the virtually complete data flow of subscribers to and from all sites.

ISPs have access to information in a comprehensive manner unlike any
of their competitors: How often are subscribers visiting Google?  How
much time are they spending on YouTube, and during what parts of the
day?  Are subscribers sometimes using Hulu more, as opposed to
YouTube?  How about visits to government sites?  Or pay movie sites?
Porn sites?  What sorts of usage patterns can be derived from all of
this accessible usage data?  How can we use this information to our
competitive advantage as a content-providing ISP who wants to
encourage the uptake of our content vs. that of outside services?

In the case of Time Warner, their privacy policy notes that logged IP
address data will not be disclosed or used for "marketing,
advertising, or similar purposes."  It says nothing about competitive
product development and deployment.

To be clear, I'm not accusing Time Warner -- or any other ISP -- of
abusing IP address data in these ways.  Frankly, given the current
lack of a mandated regulatory disclosure framework, there's no formal,
systematic mechanism to keep the public informed about the presence or
absence such activities, now or in the future.

Nor does the capability to collect and log IP address data (functions
present in much pro-grade networking hardware for engineering
purposes) necessarily indicate that this is actually being done in
manners that would negatively impact on privacy and competitive
concerns (but the associated lack of clarity on these issues and in
regards to data retention policies are discouraging in any case).

Still, it's readily apparent that ISPs' unique abilities to
comprehensively log IP addresses associated with virtually the entire
scope of their subscribers' external Internet activities, easily
triggers significant concerns relating to potential anticompetitive
behaviors and potential privacy abuses.

I would assert that regulations prohibiting the use of IP address
logging by ISPs in such manners, and mandating routine public
disclosures to help ensure that such abuses are not taking place, are
immediately called for at the national level.

--Lauren--
Lauren Weinstein
lauren () vortex com
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
  - People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
  - Network Neutrality Squad - http://www.nnsquad.org
Founder, GCTIP - Global Coalition
  for Transparent Internet Performance - http://www.gctip.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com