December 07, 2007

ISPs Spying On and Modifying Web Traffic -- With Patent Application

Greetings. Over on the NNSquad (Network Neutrality Squad) mailing list, the topic has arisen of ISPs spying on Web traffic and using the derived data to insert their own ads into the user data stream.

In my view, such behavior by any conventional general-purpose ISP toward its paid subscribers is unacceptable, even when opt-outs of some sort are supposedly available (from the spying or just from the ads? -- Not clear!). This appears to represent a clear violation of basic network neutrality principles.

A fairly new patent application demonstrates the depth of intrusion that has been contemplated for the associated enabling devices [emphasis added]:

United States Patent 20070233857 (Application)
Abstract:
A network device for monitoring and modifying data traffic between a client device and a server device is disclosed. The network device is configured to provide targeted advertisements to a user based on some or all of the data traffics generated the user. Different from a proxy server, the network device operates transparently from both perspectives of a computer being used by the user and a website being visited by the user. The network device is disposed in line between the computer and the network so that all data traffics are examined. The data packets exchanged between a computer and a website being visited are altered or modified in such a way that the head of the packets remains largely intact while the payloads of the packets are changed to suit the need of delivering transparently the targeted commercial information.

It's important to note the vast difference between this sort of activity by a primary ISP, vs. ad insertions at Web sites that occur with the cooperation or at least the assent of the Web site operators.

The latter category only affects users who choose to visit particular Web sites or use specific services (e.g. Gmail) as an affirmative (essentially, an opt-in) choice. While it's possible in some cases to argue the fine points of privacy issues related to ad serving systems in this class of environments, it's generally the case that these services are chosen voluntarily by users on a case-by-case basis.

However, since ordinary "last mile" ISP circuits represent the only means of accessing the Internet for the vast majority of consumers and businesses, ISPs drafting their conventional paying customers on a default basis into pervasive traffic monitoring and modification regimes are taking improper and unacceptable advantage of their gateway roles and are obviously behaving in a non-neutral and potentially highly abusive fashion.

This sort of ISP behavior may arguably be more acceptable in some very specialized situations -- such as with WiFi access services provided without charge, for example -- but even then only with full and complete disclosure and ironclad privacy protections, with appropriate data destruction, expiration, and anonymization guidelines for the collected transactional data.

For ISPs providing conventional paid Internet access services -- even where such protections and guidelines are present -- these monitoring and traffic modification systems deployed in any form other than with affirmative customer "opt-in" cannot be condoned and should not be accepted by any Internet users.

--Lauren--

Posted by Lauren at December 7, 2007 05:35 PM