During Monday night’s ATLAS seminar, “Wiretapping the Internet.” CU LAW Professor Paul Ohm made a case to an audience of about fifty that Internet Service Providers (ISPs) like Comcast, AT&T, and Verizon represent the greatest modern threat to personal privacy. Ohm began by offering a brief tutorial in how the Internet functions, which might be thought of in the following manner:
Imagine you’re a trapeze artist, with your computer being the initial starting platform. In connecting to the Internet you are leaping from that platform into the hands of your ISP, who we’ll call Alvin. Alvin swings you through the air and launches you into space, at which point you’re caught by a second ISP named Barry. Barry then delivers you to an opposite platform, or the web site you sought to visit. Ohm’s central argument focuses on Alvin because, depending on your intended destination, the second platform and its attendant ISP will likely change (ISP Gary at Google or Yavonne at Yahoo or Rick at RockyRadar.com). But no matter what platform you land on, ISP Alvin will always be in the chain linking you to the Web, and that puts ISP Alvin in an enormously powerful position from which to collect data about you.
Ohm proceeded to demonstrate the ease of collecting user data when serving as an internet portal by wirelessly wiretapping the collected audience after scrupulously gaining their consent. The former programmer, network administrator, and Federal Prosecutor of Internet Crimes launched a program called EtherPEG that transferred the images displayed on the computers of his web-surfing audience and splashed them up on a movie screen. Ohm advised that his program was hugely crude in comparison to what the ISPs are capable of, with their ability to observe every email you send, every internet call you dial, every article you read or pornography site you (accidentally!) visit. But more troubling is the ISP’s ability to record, copy and remember this information, tying it to you for all time.
Like any good prosecutor, Ohm laid out his case against the ISPs in terms of means, motive and opportunity. After diligently explaining how your ISP is the choke point of one’s information flow and therefore possessing the opportunity to monitor, Ohm then focused on the means of an ISP to intercept, capture and analyze a user’s data. He argued that in the last decade computing power has advanced at a greater clip than networking speed, allowing software programs to digest all the information pouring through an ISP as if it were a light lunch. Ohm spent the rest of the presentation discussing motive, and this is where the situation becomes a little complicated.
The 1968 Wiretap Act and the more recent 1986 Electronic Communication Privacy Act outlaw data monitoring, yet offer two considerable exceptions for the ISP. The first exception – the Rights and Property exception – allows the ISP to monitor traffic for the purposes of protecting and maintaining the integrity of the network. These activities might include, but are not limited too, monitoring traffic for the purposes of spam filtering, virus protection, network security, and efficiently regulating congestion. The second exception orbits the subject of consent, whereby an ISP can monitor your traffic if you have consented for it to do so. But it’s the question of what constitutes consent where Ohm raises some interesting questions:
Do you regularly read the back of your cable bill where your provider legalistically spells out consent? When the cableperson installs your service, do you read all the documentation she asks you to sign or merely scratch your name and date so you can hurry her out the door? And even if you perform this diligence and reject the terms, what are your choices when the ISP subsequently refuses you service? Is there another ISP who can service your house in your area, and what are their policies?
Ohm believes ISPs are in the business to make money and the greatest potential for future windfall lies in their ability to collect more specific data about their users and offer this to advertisers or third party marketers. The consent exception will likely be the loophole they employ to this end, and lobbyists have already been hired by the ISPs to bring this grey-to-charcoal area of the law into sharper, ISP-friendly focus.
Ohm sees it only a matter of time before an ISP substantially abuses its ability to monitor an individual’s data traffic because the means are already in place to do so. The government requires that all ISPs develop mechanisms through which law enforcement can eavesdrop on both your data transmission and Internet telephone conversations, and with such capability in place – along with an environment of murky legislation – Ohm predicts it’s less a question of ‘Will it happen?’ than when.
Professor Ohm’s paper on this subject can be found here.
The ATLAS Institute Speaker Series is supported by a generous gift from Dr. Idit Caperton and daughter Anat Harel. Additional support is provided by The Van Heyst Group and Silicon Flatirons Center for Law, Technology, and Entrepreneurship. A calendar of future ATLAS events can be found here.
