June 02, 2009

A Clear Case for ISP Regulation: IP Address Logging

Greetings. Over on the Network Neutrality Squad yesterday, I noted, without comment, the following quote from the new Time Warner Cable privacy policy bill insert:

"Operator's system, in delivering and routing the ISP Services, and the systems of Operator's Affiliated ISPs, may automatically log information concerning Internet addresses you contact, and the duration of your visits to such addresses."

Today I will comment, and explain why such logging by ISPs creates a clear case for regulatory intervention, on both privacy and competition grounds.

ISPs -- the providers of "last mile" Internet access -- are in a unique position vis-a-vis any other provider of Internet-based services. While any individual Internet service -- e.g., a Web site -- can log a variety of information about their individual users, ISPs have the ability to log access information relating to virtually all internal and external services that their subscribers visit.

There are some technical limitations. Without using Deep Packet Inspection (DPI), an ISP would normally be unable to differentiate which external virtual server a user was accessing on a single shared IP address, and technologies such as proxies and VPNs also can obscure addressing info.

But from an ISP standpoint, IP address usage information alone could be a veritable treasure trove, particularly from a competitive standpoint.

In the case of Time Warner, their statement regarding IP address logging is buried in a very long privacy policy comprised of very tiny print. It is confusing in some ways. It appears to conflate IP address logging with gathering of personally-identifiable information, and doesn't seem to explicitly address how long logged IP address data, per se, will be retained. However, it does state that personally-identifiable data will be retained for "as long as it is necessary for business purposes" ("as long as you are a subscriber and up to 15 additional years").

The privacy concerns related to one entity having a log of virtually every
site that you visit on the Internet, and how long you visit those sites, are fairly obvious. As I noted, this capability goes far, far beyond the IP address logging possible by any given non-ISP Internet service.

But perhaps much less obvious is the manner in which such ISP IP address logging capabilities could be abused in anticompetitive manners of direct concern to us all.

If ISPs were just providers of "dumb Internet pipes" -- as most were until fairly recently -- related anticompetitive concerns would be largely moot. But for many ISPs these days, especially all of the vastly dominant U.S. ISPs, the big money isn't in providing Internet access, it's in providing content -- especially video content.

The inexorable move of video to the Internet is now driving many of the most contentious Internet-related issues, including battles over pricing and bandwidth caps. In such an environment, knowing as much as possible about how your users partake of the competition is invaluable.

Logged IP address data could provide ISPs with a window directly into how their Internet video competitors and other competitors operate, in a manner only possible by virtue of being ISPs with direct access to the virtually complete data flow of subscribers to and from all sites.

ISPs have access to information in a comprehensive manner unlike any of their competitors: How often are subscribers visiting Google? How much time are they spending on YouTube, and during what parts of the day? Are subscribers sometimes using Hulu more, as opposed to YouTube? How about visits to government sites? Or pay movie sites? Porn sites? What sorts of usage patterns can be derived from all of this accessible usage data? How can we use this information to our competitive advantage as a content-providing ISP who wants to encourage the uptake of our content vs. that of outside services?

In the case of Time Warner, their privacy policy notes that logged IP address data will not be disclosed or used for "marketing, advertising, or similar purposes." It says nothing about competitive product development and deployment.

To be clear, I'm not accusing Time Warner -- or any other ISP -- of abusing IP address data in these ways. Frankly, given the current lack of a mandated regulatory disclosure framework, there's no formal, systematic mechanism to keep the public informed about the presence or absence such activities, now or in the future.

Nor does the capability to collect and log IP address data (functions present in much pro-grade networking hardware for engineering purposes) necessarily indicate that this is actually being done in manners that would negatively impact on privacy and competitive concerns (but the associated lack of clarity on these issues and in regards to data retention policies are discouraging in any case).

Still, it's readily apparent that ISPs' unique abilities to comprehensively log IP addresses associated with virtually the entire scope of their subscribers' external Internet activities, easily triggers significant concerns relating to potential anticompetitive behaviors and potential privacy abuses.

I would assert that regulations prohibiting the use of IP address logging by ISPs in such manners, and mandating routine public disclosures to help ensure that such abuses are not taking place, are immediately called for at the national level.


Posted by Lauren at June 2, 2009 11:46 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein