Let's make this really simple: You have a phone, and I want to tap it without your knowledge to find out what your buying habits are and sell the information to advertisers. That's not legal, period.
Suppose you say, "OK, you can tap my phone." You "opt in." Does that make it legal?
That’s the question we're really asking when we talk about ISPs using deep packet inspection (DPI). We know the answer for telephones, and I think we know the answer for the Internet.
The obvious problem with opt-in is that there are two parties on the phone call. You may not have a problem with my gathering intelligence about you, but your partner on the call might feel very differently.
I've asked a few regulatory specialists about this, and they all say the same thing, which is that tapping a phone line with just the permission of the owner of the line is not going to keep you out of court -- and probably not out of jail (or at least out of paying a fat fine).
Multi-party communications can't be tapped without consent in telephony, and logically that's true for Internet communications, too. In the U.S., the FCC has taken a general position that the technology of a service doesn't make it subject to or immune from regulation. So person-to-person communications are protected, whether they take place on the phone or via email.
Perhaps regulators and ISPs could say that person-to-person communication is immune from DPI, but not person-to-Web. That's like saying that I can tap your phone if I promise to listen only to conversations you have with merchants. Would you believe it? More to the point, could we really say that somebody opting into such a scheme was exercising "informed consent?"
The person-to-Web application that's the ostensible goal of the DPI fans has another major pitfall. Online retailers have every reason to expect that the intelligence they gather from their relationships with their users or customers is for their benefit. Why should somebody else be able to tap into the browser connection and gain insight about their customers, or even about the portal or merchant providers they use?
I tap your phone and listen to all your calls to malls and stores, and then I sell statistics on what I hear so others can sell to you more effectively. Even if you're OK with this, your retailers might feel they’re being robbed, and perhaps they are.
The argument for opting in to DPI is the most slippery of all the regulatory or ethical slopes we've encountered in the whole debate on the Internet, regulations, and privacy rights. Proponents would like us to believe that somehow packet inspection is harmless, that DPI brings real benefits -- better targeted advertising so you don't waste your time with irrelevant ads is an example. Well, one good application doesn't mean the concept is good.
Once someone looks into your traffic beyond the addresses and service indicators, they're looking into your personal world -- and the world of every partner you have on the Internet. Once you let ISPs snoop, you will never be sure just how far it goes. Wiretap is wiretap, and in a truly free society that empowers personal choice, you cannot opt in to being a victim.
— Tom Nolle, software engineer and founder of CIMI Corp.
There's an enforcement issue here, too. There may be an opt-in law but it may not apply to the jurisdiction where the data is being stored, and so it won't be of any value in protecting the consumer. It may be that issues like privacy rights will have to be addressed in an international treaty so that spammers and scammers can't simply set up in some exotic location with no extradition or enforcement and then do what they like.
Will they honor that? Can they be held responsible if they don't?
Most users don't do any Opting out. I've asked users and friends and family. What do most of them say? It takes too much time, it's too hard to even find the Opt Out form on their sites.
I tell them, that's what they want! They want you to give up.
Do they screen the buyers of our data to make sure they have no evil intent? They could be selling the info to scammers who will then email us a nastie that will then harvest our Hard Drive and steal our ID, or set up a nice BotNet.
I think you've captured the issue here, Paul. The opt-in is a one-way license applied to a two-way conversation. In the real world it will not be possible to insure that only players who have opted in are snooped because the other party's opt-in status can't be reliably determined.
Another question is what happens when you are using multiple systems or multiple IP addresses or mobile versus fixed devices. How does your permission follow you? Would you give your permission to snoop to every access provider you use, or only to your "home" provider?
I think even the opt-in mode is also a bit risky because you may have also endangered the personal information of other persons who are not in that mode. Since communication is a 'two-way street' as you've rightly mentioned, it will be even difficult to implement this opt-in mode without getting the consensus of all those using that 'pipeline'.
I know there are others who don't mind being tapped and they can readily accept this opt-in policy, but what about those you come in contact with daily who are opposed to such stuff? Should they make it mandatory for a person opting-in to be tapped to disclose his/her status to the other parties at the other end?
I think we're in general agreement on the approach, which is to hold information in some place for others to get according to permissions/policies, and we're really only debating the question of where the place is and how it would be controlled.
My credit bureau analogy is intended to show that we already store our most sensitive information with third parties, so we should be able to figure out a way to store demographics (to the extent we want to). Everyone, including some who have posted here, will have a different notion of how to trade info for goodies. I think it's clear that we need to control the information explicitly and to set policies on when and how it is revealed.
I've personally been fiddling with an open-source demographic coding system that attempts to categorize users without explicitly coding things like age, sex, etc. It's gotten some attention from startups, vendors, and operators so far. It's not a perfect solution but it would make the use of demographics less a collision with privacy rights by decoupling the coding from personal details.
the parallel you make to phone-tapping is very revealing, but takes you only part of the way of realizing the full scope of the problem.
Establishing a data bank with secure and journaled access and with specific opt-in and user verification, as you suggest in answer to one of the comments, also stems from a basic assumption that it's a necessary evil to "need to have demographic and behavioral data in detail".
Should prevailing paradigms just be improved? why not challenge them with an "outside the box" thinking on how to change the game so everybody wins but no one is abused?
so we wrote a piece titled "cat on hot isp roof" you can find in our I TINE blog at http://i4c-corp.com/
in it you can find (short excerpts)
as we see it, isps will start with very strong privacy words, but as we get used to this back-door intrusion, and as it spreads, the terms will start eroding, allowing isps to harvest deeper and sell new "products" to their ever hungry information guzzlers friends...
on the jurisdiction front, an extreme example, just to make the point very clear, a via-satellite isp falls under the jurisdiction of which country?
the entire problem arises from the top-down, site-centric approach we analyze things through. by changing the point of view into an icentered one, we can nullify the problem...
the prevailing paradigm of an industry controlled by providers, geared for their own profit making, with their lip service to the benefits for their consumers, sells us short.
the industry will not fight our war. why would they?
It is up to us, users, to claim our rightful place by changing the prevailing paradigm to an icentered world. the way to do it is to reverse the paradigm to an icentered world ( http://www.icentered.org/) where we users are the center - in our rightful place, with the reins in our hands, and create a new pact of engagement terms between interacting entities.
In the icentered paradigm I assume active responsibility for my privacy management. my proactive privacy and sharing management replaces corporate' vague privacy assurance policies, and I become free from reliance on the good intentions and capabilities of providers, to properly treat my personal information. I define to what extent it suits me to unlock any info i choose.
Furthermore, I the user, am an integral part of the food chain. My data are value creating currency, but first and foremost for me, and therefore I should transparently become part of any food chain built around my data and purchasing habits.
Icentered is an alternative to the top-down patronizing formalism of providing organizations, it is our time to collaboratively pave the way and draw the blueprint to enable it. more in http://www.icentered.org/
Privacy is becoming a thing of the past, unfortunately, but there is still a difference between a situation where you MIGHT be a victim of snooping and one where it's almost certain that you will be. It's also true that many people are very willing to trade facts about themselves in return for some kind of premium, and as long as they're able to form legal consent, that's fine too. Legal consent, though, means that you understand what you're giving up, and the basic problem with tapping for commercial gain is that you can never know.
If we really need to have demographic and behavioral data in detail, we should establish a bank of it with secure and journaled access and with specific opt-in and user verification. If you want to be a part of this in return for some benefits, then you elect membership, check your data regularly, and it becomes something like a credit report. We have financial institutions collecting stuff on all of us and reporting it to a central point, but while they can get records of our purchases, they can't open our mail. I'd sure like to keep it that way!
I think the bottom line is that we don't live in Mayberry any longer. We need to begin to assume that someone is always monitoring our communications and we must do whatever is necessary to protect/encrypt it.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.