"Deep-packet" snooping by American and European ISPs may present a more serious threat to democracy and freedom of expression than most realize. A Washington Post story over the weekend detailed how Americans are increasingly subjected to intense spying by the ISPs who are using their ability to "sniff" customers' Internet activity to collect data for profit.
In the UK, similar activity by British ISPs and the spyware firm Phorm is generating a great deal of controversy. Phorm is infamous for downloading spyware onto the computers of people who are directed to its websites, and its deal with three major UK ISPs for a joint data-gathering enterprise has enraged Internet privacy advocates and even Web "inventor" Sir Tim Berners-Lee. Adding to the concern is yesterday's story that one of the firms, BT, has been conducting "tests" of Phorm's software on its subscribers without their knowledge since last summer.
Part of the concern is over the detailed kinds of data collected by such "deep-packet" surveillance. Browsing history, email content and form completion are all collected along with the user's IP address, which, of course, connects all that data to a particular household in many cases. The ISPs and ad agencies like Phorm swear that they hash out all identifying information, including ISP, but many are skeptical given the complete lack of regulation in the area and the industry's history of deceptive and over-reaching practices.
What's the harm if all this data can help advertisers better use behavioral techniques to sell you diet pills and shoes?
One problem is the ease with which governments can get this information from ISPs and those to whom they sell their data. In the United States, the tool of choice is the National Security Letter. Issued to private companies like telecoms and ISPs without the need for a warrant, National Security Letters can demand information about customers while prohibiting the company from even telling the subject of the investigation that his data has been requested and released.
Federal District Judge Victor Marrero has ruled the gag provisions of the National Security Letter statute an unconstitutional prior restraint on speech, but the case was appealed by the government and there has been no successful challenge to the ability of the government to demand the data itself.
The case in which Marrero issued his ruling was brought by an objecting (and necessarily anonymous) ISP, but not all Internet providers are so concerned about their customers' constitutional rights. Shortly after 9/11, AOL and Earthlink bragged about their cooperation with federal authorities, and their tone had changed little five years later. And the ability of the courts to restrain the corporate/government snooping partnership is limited, as demonstrated by the FBI's own admitted skirting of judicial rulings.
Democrats have promised action on National Security Letters. Sen. Patrick Leahy and Rep. John Conyers have promised hearings, and there are two bills in the House (Harman ?!? and Nadler) and one in the Senate (Feingold) that seek to put some limits on NSLs. But no one is seriously talking about limits on the data-gathering activities of ISPs and search engines, the two treasure troves of information about Web users and their activities.
For now, Internet surfers will have to beware and do the best they can to find ways to protect their own privacy.