Congress to Reexamine Consumer Privacy on Broadband Networks

WASHINGTON, April 23, 2009 – Congressional scrutiny of consumer privacy on broadband networks, especially uses of so-called “deep packet inspection” technology, ramped up Thursday as industry representatives and consumer advocates testified before the House Energy and Commerce Subcommittee on Commun

WASHINGTON, April 23, 2009 – Congressional scrutiny of consumer privacy on broadband networks, especially uses of so-called “deep packet inspection” technology, ramped up Thursday as industry representatives and consumer advocates testified before the House Energy and Commerce Subcommittee on Communications, Technology and the Internet.

“Broadband networks are a primary driver of the national economy,” said subcommittee chairman Rick Boucher, D-Va. It is “fundamentally in the nation’s interest to promote their expanded use,” he said.

Boucher acknowledged that technologies like DPI have beneficial uses for network management and law enforcement. But DPI’s potential for invading consumer privacy is “nothing short of frightening,” he said.

Boucher, who has previously stated his commitment to passing comprehensive privacy legislation during the 111th Congress, announced that his subcommittee would hold a joint hearing with the Commerce, Trade and Consumer Protection subcommittee early this summer which would focus privacy and Internet-based companies like Google.

Boucher hinted that the privacy bill, which he wants to develop on a bipartisan basis, would be based largely on the Consumer Privacy Protection Act introduced in the 109th Congress by then-Chairman Cliff Stearns, R-Fla.

Stearns, now the ranking member of the subcommittee, cautioned against acting too swiftly against new technologies before their effects on consumers could be documented. “It’s imperative that there be some evidence of harm if we are going to regulate [DPI],” he said. “Overreaching privacy regulation – particularly in the absence of consumer harm – could have a significant negative economic impact.”

Privacy legislation should go beyond broadband and apply to all Internet-based companies equally, said Stearns, now the subcommittee’s ranking member. “Consumers don’t care if you are a search engine or a broadband provider,” he said. “They just want to ensure that their privacy is protected.”

Rep. Mary Bono Mack, R-Calif., agreed with Stearns call for a unitary regulatory structure. “I don’t think we should be out to get one particular industry,” she said.

Rep. Anna Eshoo, D-Calif., said the “growing tide of critics” supporting a single regime “do not understand the purpose of our privacy laws.”

Holding web-based services and telecommunications carriers to the same set of regulations is “neither practical, nor prudent,” Eshoo said. Different industries should be governed fairly, she said – but not under the same regulatory structure.

“It’s time to modernize our telecommunications policies,” said Rep. Bart Stupak, D-Mich. Consumers often have no idea what information is being collected about them, he said, much less the opportunity to give consent.

Stupak said current law does not give a clear definition of when affirmative consent is required to collect information.”Without clear direction from Congress…information will continue to go unprotected,” he said.

Center for Democracy and Technology President Leslie Harris said the use of DPI on broadband networks “raises profound questions about the future of privacy, openness and innovation online.” Even legitimate uses of the technology could fall victim to “mission creep” and be misused by government or broadband providers, Harris said. Network Neutrality legislation would be a good complement to privacy legislation, she suggested.

Free Press Policy Director Ben Scott noted that scenarios that were only hypothetical during past network neutrality debates were now becoming proposed business models thanks to DPI technologies being marketed by several vendors. And DPI technology “has evolved from innocuous…to potentially insidious,” he said, calling for a “bright line rule” on consumer protection.

NCTA CEO Kyle McSlarrow said that no cable internet service provider is currently using DPI for behavioral targeting. “Good privacy protection is also good business,” he said. DPI has been used legitimately by cable ISPs “for many years now — and for many good reasons,” including spam deterrence, McSlarrow said.

Cable ISPs are not doing any tracking, he said, objecting to the term “Deep Packet Inspection” and the alarm that often accompanies it. “The only tracking I want to do is to track down the engineer who came up with the term ‘deep packet inspection’…and shoot him.”

As the FCC develops a national broadband strategy, how its four principles of network neutrality are incorporated into any regulatory will come down to behavior, Scott said in an interview.

The FCC’s principles are a good starting point, but they aren’t enough when companies violate consumer privacy for commercial purposes, he said. Applying common carrier principles to broadband providers through privacy law would provide a critical fifth point, he said.

But in a separate interview, Boucher disagreed with Scott’s analogy. Boucher said as he moves forward with privacy legislation and oversight of telecommunications regulation – including the $7.25 billion broadband stimulus, network openness and consumer privacy will be treated as “separate and distinct issues.”