EDUCAUSE | Federal Privacy Law

When the ISP Tracks Your Every Move: The Power (and Abuse) of Deep Packet Inspection

agould — Fri, 18 Jul 2008 15:55:23 -0500

As the temperatures rise in a typical Washington summer, so grows the pressure on some online advertising firms.

Yesterday the House Energy and Commerce Committee’s Telecommunications and the Internet Subcommittee held a hearing on the questionable methods for advertising currently being used by some Internet service providers (ISPs). The hearing was entitled, “What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies.” Panelists included: Bob Dykes, the CEO for NebuAd, David Reed, an early Internet pioneer and professor at MIT, Alissa Cooper, the Chief Computer Scientist for the Center for Democracy and Technology, Scott Cleland, President of Precursor, LLC, and Bijan Sabet, a General Partner at Spark Capital.

Committee members expressed concerns about ISPs working with third party advertising firms that monitor their customers’ web habits for advertising purposes. Several people compared deep packet inspection techniques on the Internet with the United States Postal Service opening people’s packages. They said a basic level of privacy is violated when an ISP employs DPI for the sake of increasing revenue, especially when unwitting customers are not aware their web browsing is being monitored.

DPI is a computer network packet filtering that allows for the inspection of data for viruses, spam, or other content. In other words, this inspection process would provide an ISP or other entity with the power of conducting data mining, eavesdropping or even censorship. While DPI has benefits, panelist Bijan Sabet said the Comcast/BitTorrent debacle demonstrates that is also has its drawbacks. A few weeks ago, it was revealed that Comcast was blocking BitTorrent on its network through the use of DPI technology.

This marks the second week that advertising firm, NebuAd, has testified before Congress on its “robust” security practices. Last week, NebuAd faced questioning by the Senate Commerce Committee. The firm says targeted advertising “provides consumers with significant benefits, serving them with more relevant ads, which they want, while ensuring they have robust privacy protections and control over their online experience.”

Taking NebuAd to task, Chairman Ed Markey said DPI “can indicate every site a user visits and much more.” He said he would not expect the postal service or UPS to open up his packages, and believes tactics used by firms like NebuAd are subjecting Americans to unwarranted invasions of privacy. Furthermore, he said the notices that are provided to users are lost in the fine print or ignored.

“When people use the world wide web, they don’t want it to turn into the wild, wild west when it comes to their personal information,” said Markey.

Ranking Member Cliff Stearns, on the other hand, urged Members to use caution when approaching this issue, saying the FTC testified last week that no new regulations were needed for the online advertising arena.

“As the overall economy continues to take a downturn, the government shouldn’t be contemplating how to make it harder for small businesses to succeed. Targeted advertising may be essential for small businesses to compete with larger ones,” said Stearns. “Let’s look very closely at these issues before we leap to legislative proposals that even the FTC is not calling for at this time.”

Other Members said a policy of opt-in should be the norm, rather than the current opt-out choice.

“Why is the burden [of opting out] on me?” asked Representative Greg Walden. “I think for the Internet to succeed as an instrument of commerce,” people need to opt-in to the system.

Citing another issue, Representative Hilda Solis said she was concerned that vulnerable populations, like the elderly or those who cannot speak English, may be targets for predatory advertising tactics.

WHAT THEY SAID: Here is a brief summary of the panelists’ testimonies.

Bob Dykes (NebuAd)- Dykes said his company, which he says does not use personally identifiable information, has designed a service “so that no one- not even the government- can determine the identity of our users.” Dykes said they do not store raw data that can be linked to individuals. He also said they provide users “with prior, robust notice.” Dykes, who faced tough questioning from Chairman Markey and others, said they continue to innovate on privacy controls, including the development of better notices. He said the Internet “is more than 50% supported by advertising,” so it is imperative that firms like his have access.

David Reed (Professor, MIT)- Reed, who began working on the Internet in the late seventies, said he believes DPI is “not at all necessary” for operating the Internet. He said DPI technologies “actually violate long-agreed standards and principles that have been part of the Internet’s design from the beginning.” Furthermore, Reed said they “pose major risks to the economic successes of the Internet … by normalizing non-standard and risky technical activity on the part of telecom operators who may choose to exploit captive customers.” He said DPI is particularly harmful for unwitting customers, especially when they do not know how their information is being tracked (or even that it is tracked in the first place). Reed said users must have informed consent and know exactly how their data is being used.

Alissa Cooper (Chief Computer Scientist, CDT)- Cooper said that while DPI is benign and even beneficial at times, it “runs the risk of violating the trust of consumers for the Internet.” She said this technology allows networks to see the political or religious sites a user may visit, while providing little notice they are doing so. Cooper suggested that current online advertising techniques may violate federal wiretapping laws and might also interfere with normal Internet use. She urged Congress to seek more information from ISPs and other companies about how they are using DPI, and asked that they consider a larger, comprehensive privacy bill to protect consumers.

Scott Cleland (President, Precursor, LLC)- Cleland said the hearing should have focused on the search engines like Google and Yahoo, which he says have a double standard when it comes to consumer privacy. He said the committee should focus on “a comprehensive approach to Internet privacy,” rather than attacking the ISPs alone. He said firms like Google are truly “Orwellian” in that they have access to a full spectrum of people’s information through Google searches, Gmail, Picasa pictures, Google health, Google calendars, etc… Cleland said, “We are worried about perfect blinds on the windows when there are no walls on the house.” For full disclosure purposes, he noted that his business involves working for ISPs, but said he was speaking on his own behalf.

Bijan Sabet (General Partner, Spark Capital)- Sabet said DPI is a significant technology breakthrough, which provides consumer and economic benefits. But he said DPI could be used to thwart net neutrality, since it allows ISPs to slow down or turn off third party services or applications. Sabet warned that a closed Internet will not thrive as incentives for innovation decrease.

In a press release, the American Civil Liberties Union (ACLU) warned consumers about the “privacy landmines inherent in DPI.”

“The expanding use of DPI is increasingly sophisticated, complicated and lacking in transparency. The risk to Americans’ privacy is massive,” said Timothy Sparapani of the ACLU. “Every time we visit the Internet, everything we read, everything we see- all of it is up for grabs with DPI. … Congress must be Americans’ firewall on this issue.”

Are Online Targeted Advertising Practices Violating Wiretap Laws?

agould — Thu, 10 Jul 2008 15:08:12 -0500

Released one day before the Senate Commerce Committee held its hearing on the privacy implications of online advertising, a new report says targeted ads may involve practices that violate state and federal wiretap laws.

On Tuesday, the Center for Democracy and Technology (CDT) issued a memo, saying Internet service providers (ISPs) that allow an advertising network to copy [their] customers' Web traffic contents are defying "reasonable consumer expectations and may [be violating] communications privacy laws."

Currently, some ISPs are working with third party advertising agencies, which are copying consumer data in order to target specific ads at users. One such firm, NebuAD, testifed before the Senate Commerce Committee yesterday. NebuAd claims it does not violate any laws because they do not collect personally identifiable information. Some, though, argue that any collection of data can ultimately be tied to an individual and disagree with NebuAd's assertion that privacy is completely protected. CDT's memo says the practice most likely violates legal protections provided in the Electronic Communications Privacy Act.

"Consumers do not expect their ISP to be copying their Internet communications and selling them to third parties," said CDT Vice President Ari Schwartz. He stressed that consumers need to be aware that their information is being sold to outside groups, and there should be "clear notice and prior consent."

CDT acknowledges that federal laws may allow these practices with the consent of subscribers, but they say they fear consumers are "ill-equipped" to know how or even if their information is being tracked.

And while CDT President Leslie Harris said the larger ISPs have shied away from using firms like NebuAd, she says this model is not going away anytime soon. Harris says they want to see the Federal Trade Commission adopt enforceable guidelines and a sensible privacy regime for handling these evolving challenges to Internet privacy.

Security Task Force Submits Comments on Proposed FERPA Rules

vvogel — Thu, 29 May 2008 17:38:33 -0500

The EDUCAUSE/Internet2 Security Task Force recently commented on the "Recommendations for Safeguarding Education Records". The Family Educational Rights and Privacy Act (FERPA) has never contained regulations related to the security of student education records, although it is implied as a necessary safeguard to help keep student education records private. The department chose to include in this Notice some recommendations that included references to guidance issued by the National Institute of Standards in Technology (NIST) and the Office of Management and Budget (OMB). While the Security Task Force shared the department's concerns about cybersecurity, it was concerned that focus on government approaches may be misinformed and encouraged the department to consider resources developed by the task force (e.g., see Effective IT Security Practice Guide). The task force further cautioned the department that "the inclusion of recommended safeguards causes considerable confusion about the department's intentions and future plans."

See Rodney Petersen's blog for additional details. To review the full comments of ACE and the Security Task Force, see:

EDUCAUSE and Security Task Force Comment on Proposed FERPA Rules

Rodney — Mon, 12 May 2008 20:38:32 -0500

EDUCAUSE joined the American Council on Education (ACE) in comments to respond to a Notice of Proposed Rulemaking regarding the Family Educational Rights and Privacy Act (FERPA). The EDUCAUSE contribution addressed the proposed rules treatment of Social Security Numbers (SSN's), Student ID Numbers, and Student User ID's in the context of "directory information." The comments state:

According to the discussion [in the proposed rules], "student ID numbers (SID) can be used to impersonate the owner of the number and obtain information or services by fraud." We understand that this is widespread practice with respect to how the private sector uses the SSN for obtaining a variety of products and services. We do not believe, however, that unique student ID numbers created for internal educational uses typically are used in the same way or are subject to the same abuses. More often than not, such numbers are treated as identifiers only; they normally cannot be used to obtain access to education records by themselves, without a further act of authentication, nor can they normally be used in combination with other commonly available information to establish accounts or impersonate people. Moreover, on many campuses, the general "student ID number" and the "user ID" used to log in to electronic systems are in fact one and the same. As a result, many campuses may believe that they cannot designate these various kinds of identifiers as directory information even when doing so would yield clear benefits and could cause no harm.

The comments support the U.S. Department of Education's position that SSN's should never be considered "directory information". However, the comments provide alternative language for the treatment of SID and User ID's, essentially suggesting that they could be treated as "directory information" if there is an additional act of authentication and that the identifier itself does not provide an individual with access to student education records. The entire comments related to "directory information" are available on pages 1-2 of the ACE letter. There is also a discussion of "outsourcing" on pages 4-5.

The EDUCAUSE/Internet2 Computer and Network Security Task Force also commented on the department's "Recommendations for Safeguarding Education Records". FERPA has never contained regulations related to the security of student education records, although it is implied as a necessary safeguard to help keep student education records private. The department chose to include in this Notice some recommendations that included references to guidance issued by the National Institute of Standards in Technology (NIST) and the Office of Management and Budget (OMB). While the Security Task Force shared the department's concerns about cybersecurity, it was concerned that focus on government approaches may be misinformed and encouraged the department to consider resources developed by the task force (e.g., see Effective IT Security Practice Guide). The task force further cautioned the department that "the inclusion of recommended safeguards causes considerable confusion about the department's intentions and future plans."

Podcast: Identity Crisis: How Identification Is Overused and Misunderstood

gbayne — Thu, 28 Jun 2007 17:17:09 -0500

This 41 minute podcast features a speech from the EDUCAUSE 2007 Policy Conference. The speech is by Jim Harper, Director of Information Policy Studies at The Cato Institute, and is titled, "Identity Crisis: How Identification Is Overused and Misunderstood".

The advance of identification technology—biometrics, identity cards, surveillance, databases, dossiers—threatens privacy, civil liberties, and related human interests. In the wake of the terrorist attacks of 9/11 demands for identification in the name of security have increased. A national identification card, created by Congress in the REAL ID Act, is an example of a poor way to secure the country or its citizens. Instead of a uniform, government-controlled identification system, we need a competitive, responsive identification and credentialing industry that meets the mix of consumer demands for privacy, security, anonymity, and accountability. This session will explore the policy issues associated with identity and the implications for colleges and universities.

This podcast was edited and hosted by Carie Windham.

Podcast:: Security Breaches and Identity Theft

gbayne — Tue, 26 Jun 2007 15:05:47 -0500

In this 55 minute podcast, we present a general session from the EDUCAUSE 2007 Policy Conference entitled, “Security Breaches and Identity Theft”. This is a panel discussion moderated by EDUCAUSE Government Relations Officer and Security Task Force Coordinator, Rodney Peterson. The discussion features:

Michael Atleson, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission

Liz Gasster, General Counsel and Acting Executive Director of the Cyber Security Industry Alliance

As Congress strives to pass legislation that would provide a uniform federal law for security breach notifications, a number of related privacy and security policy proposals are under consideration in the Congress and executive branch agencies. This panel will address topics such as preventing misuse of Social Security numbers, requirements for a personal data privacy and security programs, and measures to prevent identity theft.

Balancing “Safety” with “Freedom” in Aftermath of Virginia Tech Tragedy

Rodney — Tue, 19 Jun 2007 10:24:56 -0500

In response to the tragic shootings at Virginia Tech, President George W. Bush directed the secretaries of the Department of Health and Human Services and Department of Education along with the Attorney General to meet with educators, mental health experts, law enforcement and state and local officials to discus the broader issues raised by this tragedy. In their “Report to the President,” they conclude, “The Virginia Tech tragedy and similar violent events that have occurred in recent years . . . make us ask whether the complex balancing of fundamental interest in our communities – interests of protecting privacy and civil liberties, ensuring that our communities are safe, and helping people get the care they need – is appropriately calibrated.” The report contained several recommendations relevant to emergency planning, preparedness, and notifications:

States and localities should integrate comprehensive all-hazards emergency management planning for schools into overall local and state emergency planning.
The U.S. Department of Education should review its information regarding emergency management planning to ensure it addresses the needs of institutions of higher education and then disseminate it widely.
States and localities should develop a clear communication plan and tools to communicate rapidly with students and parents to alert them when an emergency occurs and utilize technology to improve notification, communication, and security systems.

According to the report, the meetings resulted in “a consistent theme and broad perception” of “confusion and differing interpretations about state and federal privacy laws and regulations [that] impede appropriate information sharing”. Therefore, the report also recommends:

Along with reviewing federal laws that may apply, clarify and promote wider understanding about how state law limits or allows the sharing of information about individuals who may pose a danger to themselves or others, and examine state law to determine if legislative or regulatory changes are needed to achieve the appropriate balance of privacy and security.
The U.S. Departments of Health and Human Services and Education should develop additional guidance that clarifies how information can be shared legally under HIPAA and FERPA and disseminate it widely to the mental health, education, and law enforcement communities.
The U.S. Departments of Health and Human Services and Education should consider whether further actions are needed to balance more appropriately the interests of safety, privacy, and treatment implicated by FERPA and HIPAA.

“We must not miss the opportunity to learn from this event and do what we can to make our communities safer” was the shared sense of people everywhere according to the report. The full report is available at http://www.hhs.gov/vtreport.html

EDUCAUSE to Co-Sponsor Data Retention Seminar in Washington, D.C.

cluckett — Tue, 08 Aug 2006 17:46:59 -0500

EDUCAUSE will co-sponsor an Information Technology Association of America event, “Defining the Acceptable Balance: A Reasoned Approach to Data Retention,” on September 27, 2006, inWashington, D.C. This seminar will assemble subject matter experts from Congress, law enforcement agencies, the privacy community, and high tech companies to answer such questions as: What data needs to be collected? How long should data be stored? How can data searches be conducted in a manner that does not risk wholesale sacrifice of customer privacy? Learn more about the event and register.

US gov't buys info from ChoicePoint

blaha — Mon, 21 Nov 2005 09:23:38 -0600

An interesting way for the FBI and Defense Department to get around laws that limit their surveillance powers, hire someone else to do it. Remeber Chlicepoint? NPR story on their security breach: http://www.npr.org/templates/story/story.php?storyId=4507687

US gov't buys info from ChoicePoint

http://govexec.com/story_page.cfm?articleid=32802&printerfriendlyVers=1"To help the government track suspected terrorists and spies who may be visiting or residing in this country, the FBI and the Defense Department for the past three years have been paying a Georgia-based company for access to its vast databases that contain billions of personal records about nearly every person -- citizens and noncitizens alike -- in the United States.According to federal documents obtained by National Journal and Government Executive, among the services that ChoicePoint provides to the government is access to a previously undisclosed, and vaguely described, "exclusive" data-searching system. This system in effect gives law enforcement and intelligence agents the ability to use the private data broker to do something that they legally can't -- keep tabs on nearly every American citizen and foreigner in the United States."