Until recently, Internet service providers (ISPs) were just that: a bare-bones channel through which the Web flowed to customers.
They were stuck manning the Internet spigot as Google and Microsoft lapped up the profits from incredibly successful targeted ads. Every time users type in search terms or read letters in Gmail, the company learns a little more about what ads might appeal to them. Online social networks such as Facebook have also cashed in on direct marketing by picking up keywords in user profiles.
But now, many ISPs want in on targeted advertisements. From their perspective, they are the best source for user data. Google can only track what users do on its sites. But since ISPs control the flow, they can monitor everything a customer does online.
It’s the marketing mother lode, but this shift in business practices worries some privacy advocates.
“There is a definite push for more data collection,” says Alissa Cooper, chief computer scientist at the Center for Democracy and Technology. “[ISPs can also] collect your search terms. They claim they limit that. We haven’t done independent research, but if you look at the capabilities of their devices, they’re certainly capable of looking at other types of traffic.”
Ms. Cooper’s colleagues take up this issue in a Senate Commerce Committee hearing this week. After a recent scandal where British Telecom reportedly tracked user data without alerting its customers, Congress wants to iron out what American ISPs are allowed to monitor and how much they need to disclose.
Already, 70 percent of Web users are aware that their Internet footsteps may be tracked for advertising, according to a TrustE survey cited by CNET. Yet just 23 percent are comfortable with such online tracking, even if companies agree not to share the information.
“There is a difference between going to a site that you know will be including advertising and going to an ISP who you expect to be a simple carrier,” she says. People can easily choose whether or not to use Google sites, but it’s much more difficult to switch ISPs.
In many cases, these ISP targeted ad initiatives are “opt-out,” meaning that the company automatically enrolls users. If people want out, they have to ask to be removed.
While European activists and legislators are up in arms about British Telecom’s questionable definition of user rights, legal professionals say laws in the United States are much less restrictive.
The European Union explicitly requires an “opt-in” on the part of users, so British Telecom likely will have to change their policy. Not so for American ISPs.
The US has “a very market-driven, capitalistic approach,” says Leslie Reis of the Center for Internet Technology and Privacy Law at the John Marshal Law School in Chicago. “The US takes a mishmash approach to privacy. There are a lot of interests and a lot of lobbyists on the commercial side involved.”
Part of the reason the rules are so murky is that the Privacy Act of 1984, the go-to law for Internet users’ privacy, has not adapted to the rapidly changing face of the Internet, according to Professor Reis.
“Other than one amendment that dealt with data mining, there have been no changes to this law,” she says. “This is a huge problem. The legislation was created when the Internet was a gleam in certain scientists’ eyes.”
One solution: Companies can explain their privacy policies, usually as part of an “end user license agreement,” which are those long blocks of text that people often see when they install a new computer program. While this is legally kosher, few actually read the fine print. That’s not always a good thing for companies. In some circumstances, websites have found it to be in their own interests to be transparent.
Last year, Facebook created a stir with Beacon, the part of its ad system that delivered social-network features to nonsocial sites. This allows a user to share her Web activity with friends across the Internet – and possibly with advertisers as well.
In November, several online privacy groups banded together to demand that Facebook not share any Beacon information without the user’s explicit consent. The company quickly reached out, explained how the new feature works, and retooled Beacon to ease privacy concerns.
Unfortunately, ISPs don’t necessarily have the same incentive to educate their customers. There’s far more competition between social-network sites than there is in the ISP market, says Ms. Seltzer. Signing up for a new service provider can take days, and some communities only have one ISP.
While the disincentive of restricting the market for targeted ads is present, Seltzer argues that regulation and the strength of the market are not diametrically opposed.
“Regulation creates a framework for the targeted advertising business model to operate in,” she says. “Regulation that preserves the Internet’s openness allows the many Web markets to flourish. It’s not regulation versus market, it’s regulation for the market.”