Deep Packet Inspection and Communications Laws and Policies"

CENTER FOR DEMOCRACY & TECHNOLOGY

Statement of Alissa Cooper Chief Computer Scientist, Center for Democracy & Technology

Before the House Committee on Energy and Commerce, Subcommittee on Telecommunications and the Internet

" What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies"

July 17, 2008

I. Summary

!"#$%&#'()#%*+,(#'-()+&.+%/(01(2"+(34.50&&$22++6(

7'(.+"#81(01(2"+(!+'2+%(10%(9+&05%#5,(:(;+5"'080<,(=!9;>?(@(2"#'*(,04(10%(2"+( 0AA0%24'$2,( 20( 2+/2$1,( 20-#,B( C+( #AA8#4-( 2"+( 34.50&&$22++D/( 8+#-+%/"$A( #'-( 10%+/$<"2( $'( +E#&$'$'<( 2"+( +&+%<$'<( A08$5,( #'-( 8+<#8( $&A8$5#2$0'/( 01( 2"+( 2+5"'$F4+(*'0G'(#/(H-++A(A#5*+2($'/A+52$0'BI(

J%+/+%K$'<(2"+(@'2+%'+2(#/(#(2%4/2+-(0A+'(A8#210%&(10%(/A++5"(#'-($''0K#2$0'?( G$2"042(<#2+*++A+%/(0%(5+'2%#8(50'2%08?("#/(.++'(#(-+1$'$'<($//4+(10%(!9;(/$'5+( $2/( $'5+A2$0'B( ;"+( @'2+%'+2( G#/( .4$82( #%04'-( 2"+( H+'-L20L+'-I( A%$'5$A8+6( 2"+( '02$0'( 2"#2( #AA8$5#2$0'/( #%+( .+22+%( 8+12( 20( .+( $&A8+&+'2+-( #2( 2"+( @'2+%'+2D/( +'-A0$'2/( %#2"+%( 2"#'( $2/( 50%+?( 8+#K$'<( 2"+( '+2G0%*( $2/+81( 4'1+22+%+-( .,( #',( A#%2$548#%( A#%2,D/( $'2+%+/2/BM( J4%/4#'2( 20( 2"$/( +'-L20L+'-( -+/$<'?( -#2#( "#/( 2%#-$2$0'#88,( 2%#K+%/+-( 2"+( @'2+%'+2( G$2"042( $'2+%1+%+'5+( 1%0&( $'2+%&+-$#%$+/B( N+<$/8#2$K+( #'-( 8+<#8( -+5$/$0'/( A%02+52$'<( @'2+%'+2( /+%K$5+( A%0K$-+%/( 1%0&( $'2+%&+-$#%,(8$#.$8$2,(=!"#"?(8$#.$8$2,(10%(50'2+'2(2"#2(0%$<$'#2+/(G$2"(4/+%/>("#K+( .++'(104'-+-(0'(2"+(A%$'5$A8+(2"#2(2"+('+2G0%*(0A+%#20%($/('02(&#'$A48#2$'<(2"+( 50'2+'2(2"#2(A#//+/(2"%04<"($2/('+2G0%*B(O0%(-+5#-+/?(#-"+%+'5+(20(2"+(+'-L20L +'-( A%$'5$A8+( "#/( A%+/+%K+-( 2"+( @'2+%'+2( #/( #( 2%4/2+-( A8#210%&( #'-("#/( /4AA0%2+-( #/204'-$'<( 8+K+8/( 01( $''0K#2$0'?( +50'0&$5( #52$K$2,?( #'-( $'-$K$-4#8( +EA%+//$0'B(( (((((((((((((((((((((((((((((((((((((((((((((((((((((((( 1 J.H. Saltzer, D.P. Reed & D.D. Clark, End-to-End Arguments in System Design, 2 ACM Transactions on Computer Sys. 277 (1984).

1634 I St., NW, Suite 1100, Washington, DC 20006 • v. +1.202.637.9800. • f. +1.202.637.0968 • http://www.cdt.org CENTER FOR DEMOCRACY & TECHNOLOGY

@'(%+5+'2(,+#%/?("0G+K+%?(&#//$K+(<%0G2"($'(-#2#(A%05+//$'<(A0G+%("#/(/A4%%+-( 2"+( -+K+80A&+'2( 01( '+G( H-++A( A#5*+2( $'/A+52$0'I( =9J@>( +F4$A&+'2( 2"#2( A02+'2$#88,(#880G/(@3J/(#'-(02"+%($'2+%&+-$#%$+/(20(5088+52(#'-(#'#8,P+(#88(01(2"+( @'2+%'+2( 2%#'/&$//$0'/( 01( &$88$0'/( 01( 4/+%/( /$&482#'+04/8,B( ;"+( 4/+( 01( 9J@( 2+5"'080<,?( 2"04<"( /2$88( $'( /0&+G"#2( 8$&$2+-( -+A80,&+'2?( %#$/+/( /+%$04/( F4+/2$0'/(#.042(2"+(1424%+(01(2%4/2?(0A+''+//?(#'-($''0K#2$0'(0'8$'+BQ((

;"+(482$+($&A8$5#2$0'/(01(9J@(-+A+'-(8#%<+8,(0'(.02"("0G($2($/($&A8+&+'2+-( #'-(2"+(A4%A0/+/(10%(G"$5"($2($/(4/+-B(9J@(#AA8$5#2$0'/(%#'<+(1%0&(&#'#<$'<( '+2G0%*( 50'<+/2$0'( 20( -+2+52$'<( '+2G0%*( 2"%+#2/( 20( &0'+2$P$'<( $'-$K$-4#8( @'2+%'+2(-#2#(/2%+#&/(2"%04<"(2#%<+2+-(#-K+%2$/$'

@'(A#%2(.+5#4/+(01(2"+(@'2+%'+2D/("$/20%,(01(-+5+'2%#8$P+-(50'2%08(#'-(4'1+22+%+-( 50&&4'$5#2$0'/?( 50'/4&+%/( #%+( '02( #554/20&+-( 20( "#K$'<( 2"+$%( @'2+%'+2( 2%#'/&$//$0'/($'2+%5+A2+-(0%(#'#8,P+-(+'(%042+(.,(#'($'2+%&+-$#%,B(9+A+'-$'<( 0'("0G(2"+,(#%+(-+A80,+-?(9J@(/,/2+&/(5#'(-+1,(2"$/(+EA+52#2$0'?(2"%+#2+'$'<( 2"+(.#/$/(10%(50'/4&+%(2%4/2(0'8$'+B(!+%2#$'(#/A+52/(01(9J@(#%+(#8/0(#2(0--/(G$2"( G+88( #55+A2+-( H1#$%( $'10%$0'( A%#52$5+/?I( 5#'( .+( -$/%4A2$K+( 20( @'2+%'+2( #'-( C+.(14'52$0'#8$2,?(#'-(&#,(%4'(#1048(01(50&&4'$5#2$0'/(A%$K#5,(8#G/B((

;"0/+(G"0(4/+(9J@(10%(2"+(A4%A0/+(01(2%#5*$'<(50'/4&+%/D(0'8$'+(#52$K$2$+/(20( /+%K+(2#%<+2+-(#-K+%2$/+&+'2/(/2%+//(2"+(#'0',&04/(#'-(8$&$2+-('#24%+(01(2"+( A%01$8+/(2"+,(50&A$8+B(U0G+K+%?(2"+(&#$'(1054/(01(04%(A%$K#5,(50'5+%'(G$2"(2"$/( (((((((((((((((((((((((((((((((((((((((((((((((((((((((( 2 Packet inspection or data analysis that a user conducts on his or her own data stream is a different matter and does not raise the same questions. There are many reasons why a user may want to conduct such analysis, and the ability to do so empowers users to better understand their own Internet service plans. This testimony focuses exclusively on packet inspection and analysis by intermediaries at the middle of the network rather than at the endpoints.

3 CDT has a long history of opposing government mandates that require ISPs to filter content at the middle of the network, which is certainly one potential use of DPI. See, e.g., CDT, Summary and Highlights of the Philadelphia District Court’s Decision in Center for Democracy & Technology v. Pappert (Case No. 03-5051 (E.D. Pa. Sept. 10 2004) (Sept. 15, 2004), http://www.cdt.org/speech/pennwebblock/20040915highlights.pdf. CDT has also been an active participant in policy debates surrounding Internet neutrality and network congestion management, both of which potentially implicate DPI as a tool that can be used to distinguish certain Internet data streams from others. We have called for focused Internet neutrality legislation that, if enacted, would likely have the effect of restricting certain uses of DPI that facilitate discrimination between Internet data streams. See CDT, PRESERVING THE ESSENTIAL INTERNET (2006), http://cdt.org/speech/20060620neutrality.pdf. More recently, we recommended to the Federal Communications Commission that ISPs’ endeavors to manage congestion on their networks – which may include the use of DPI – be transparent, evenly applied to all services and applications, and consistent with core internetworking standards. See Comments of CDT, In the Matter of Broadband Industry Practices, WC Docket No. 07-52 (Feb. 13, 2008), http://cdt.org/speech/20080213_FCC_comments.pdf.

2( CENTER FOR DEMOCRACY & TECHNOLOGY

&0-+8(#/($2(+E$/2/(20-#,($/('02(0'(2"+(A%01$8+/(2"+&/+8K+/(.42(%#2"+%(0'(G"#2($/( %+F4$%+-( 20( 50&A$8+( 2"0/+( A%01$8+/?( '#&+8,( 2"+( -$K+%/$0'( 0%( 50A,$'<( 01( /4./2#'2$#88,(#88(01(2"+(C+.(2%#11$5(01(#88(/4./5%$.+%/B(;"+(1#52(2"#2(#/(01('0G(2"+( #-K+%2$/$'<('+2G0%*/(4/+(0'8,(#(/X(A0%2$0'(01(G"#2($/(5#A24%+-(#'-(-0('02( /20%+(02"+%($'10%$0'(-0+/('02(-$&$'$/"(2"+($'2%4/$K+'+//(01(2"+($'$2$#8(-#2#( 5#A24%+B(C+(#%+(50'5+%'+-(G$2"(2"+($'2+%5+A2$0'(#'-(#'#8,/$/(01(-#2#($'(2%#'/$2( 10%(A4%A0/+/("#K$'<('02"$'<(20(-0(G$2"(2"+(-+8$K+%,(01(2"#2(-#2#(0%(2"+(/+54%$2,( 0%($'2+<%$2,(01(2"+(@'2+%'+2(/+%K$5+B()0%+0K+%?(#/(2"+(+E$/2$'<(&0-+8/(#%+('0G( 50'1$<4%+-?( '0( 0'+( 5#'( 0A2L042( 01( 2"#2( -$K+%/$0'( 0%( 50A,$'<( 01( 2"+$%( @'2+%'+2( 2%#11$5V(+E$/2$'<( 0A2L042/(&+%+8,(-$/50'2$'4+(2"+(5%+#2$0'(01(.+"#K$0%#8(A%01$8+/( 10%(4/+($'(-+8$K+%$'<(#-/B(

9J@(/,/2+&/(/"048-('02(.+(K$+G+-($'($/08#2$0'B((;"+,(#%+(.+$'<(-+A80,+-(G$2"$'( 2"+(50'2+E2(01(#'(0'8$'+(+'K$%0'&+'2(G"+%+(&0%+(-#2#($/(.+$'<(5088+52+-(W(#'-( %+2#$'+-(10%(80'<+%(A+%$0-/(W(2"#'(+K+%(.+10%+B(X+2(04%('#2$0'(/2$88("#/('0(.#/$5( 50'/4&+%(A%$K#5,(8#G(#'-(+E$/2$'<(/+520%#8(A%$K#5,(A%02+52$0'/("#K+(.++'(1#%( 042A#5+-(.,(2+5"'080<$5#8($''0K#2$0'B((

Y+5+'28,?( 2"+( O;!( "#/( .+<4'( 5%#12$'<( /+81L%+<48#20%,( A%$'5$A8+/( 10%( A%$K#5,( A%02+52$0'($'(0'8$'+(#-K+%2$/$'

! ;"+( 34.50&&$22++( /"048-( /++*( #--$2$0'#8( $'10%$0'( -$%+528,( 1%0&( @3J/( #'-(2"+$%(A#%2'+%/(#.042("0G(2"+,(#%+(4/$'<(9J@B( ! ;"+(34.50&&$22++(/"048-(/+2(#(<0#8(01(+'#52$'<($'(2"+('+E2(,+#%(#(/$&A8+?( 18+E$.8+(.#/+8$'+(50'/4&+%(A%$K#5,(8#G(2"#2(G048-(A%02+52(50'/4&+%/(1%0&( $'#AA%0A%$#2+( 5088+52$0'( #'-( &$/4/+( 01( 2"+$%( A+%/0'#8( $'10%$0'?( .02"( 0'8$'+(#'-(0118$'+B( ! ;"+( !0&&$22++( /"048-( /2%0'<8,( 4%<+( 2"+( O+-+%#8( ;%#-+( !0&&$//$0'( 20( #--%+//( 9J@( $'( $2/( A%0A0/+-( <4$-+8$'+/( #'-( +E+%5$/+( $2/( 1488( +'10%5+&+'2( #42"0%$2,(0K+%(0'8$'+(#-K+%2$/$'<(A%#52$5+/B((

(((((((((((((((((((((((((((((((((((((((((((((((((((((((( 4 See FTC, Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles (Dec. 20, 2007), http://ftc.gov/os/2007/12/P859900stmt.pdf (proposal). 5 See Center for Democracy & Technology et al., Comments of the Center for Democracy & Technology, Consumer Action, and Privacy Activism In Regards to the FTC Staff Statement, “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles” (Apr. 11, 2008), http://www.cdt.org/privacy/20080411bt_comments.pdf at 18.

3( CENTER FOR DEMOCRACY & TECHNOLOGY

! !0'<%+//(/"048-(+E#&$'+(#'-(/2%+'<2"+'(+E$/2$'<(50&&4'$5#2$0'/(A%$K#5,( 8#G/( 20( 50K+%( '+G( /+%K$5+/?( 2+5"'080<$+/( #'-( .4/$'+//( &0-+8/( G$2"( 50'/$/2+'2(%48+/B((

II. Understanding Deep Packet Inspection

"#!! "$!"$%&'()!*'!*+,!-'.*%&!/).*,0!

;"+(+#/$+/2(G#,(20(4'-+%/2#'-(-++A(A#5*+2($'/A+52$0'($/(20(50'/$-+%(#'(#'#80<,( 20(2"+(A0/2#8(&#$8(/,/2+&B(@'(2"+(A0/2#8(/,/2+&?(8+22+%/(2%#K+8(2"%04<"(2"+(/,/2+&( $'( +'K+80A+/?( +#5"( 01( G"$5"( $/( #--%+//+-( 20( $2/( #AA%0A%$#2+( %+5$A$+'2( #'-( 50'2#$'/(2"+(%+24%'(#--%+//($'10%$0'(01(2"+(/+'-+%B(7'(2"+(@'2+%'+2?(-#2#($/( .%0*+'( $'20( HA#5*+2/BI( ;"$/( $/( 2%4+( 10%( #88( *$'-/( 01( @'2+%'+2( 50&&4'$5#2$0'/6( C+.(.%0G/$'(A"0'+(5#88/?(A++%L20LA++%(=AQA>(1$8+( 2%#'/1+%/?( 0'8$'+( <#&$'<( #'-( /0( 0'B( S( /$'<8+( A#5*+2( 50'/$/2( 01( 2G0( A#%2/6( #( HA#,80#-?I(G"$5"($/(2"+(#524#8(-#2#($'/$-+(2"+(A#5*+2?(8$*+(2"+(8+22+%($'/$-+(#'( +'K+80A+V(#'-(#(H"+#-+%?I(G"$5"(50'2#$'/(2"+(%042$'<($'10%$0'(2"#2(-$%+52/( 2"+( A#5*+2(20($2/(-+/2$'#2$0'(=0%(.#5*(20(2"+(/+'-+%($'(5#/+(01(+%%0%/>?(8$*+(2"+( #--%+//( #'-( %+24%'( #--%+//( 0'( 2"+( 042/$-+( 01( #'( +'K+80A+B( O0%( #'( @'2+%'+2( A#5*+2?(2"+(@J(#--%+//+/(01(2"+(%+5$A$+'2(#'-(/+'-+%?(%+/A+52$K+8,?(#%+(+F4$K#8+'2( 20(2"+(#--%+//(#'-(%+24%'(#--%+//(0'(#'(+'K+80A+($'(2"+(&#$8B((

S/( A0/2#8( +&A80,++/( #'-( +F4$A&+'2( &0K+( &#$8( 2"%04<"( 2"+( /,/2+&?( 2"+,( $'/A+52(2"+(#--%+//$'<($'10%$0'(0'(2"+(042/$-+(01(+#5"(+'K+80A+(20(-+2+%&$'+( 2"+('+E2(/2+A($'(-$%+52$'<(2"+(&#$8(20($2/(1$'#8(-+/2$'#2$0'B(;"+(/#&+($/(2%4+(10%(2"+( @'2+%'+2(W(2"+(-+K$5+/($'(2"+(&$--8+(01(2"+('+2G0%*(%+/A0'/$.8+(10%(%042$'<(-#2#( =*'0G'(#/(H%042+%/I>($'/A+52(A#5*+2("+#-+%/(20(-+5$-+(G"+%+(+#5"(A#5*+2(/"048-( <0( '+E2B( ;"$/( $/( 5#88+-( H/"#880G( A#5*+2( $'/A+52$0'I( .+5#4/+( 2"+( #'#8,/$/( $/( 8$&$2+-(20(2"+("+#-+%($'10%$0'(2"#2($/(#420$5#88,(+EA0/+-(=.,('+5+//$2,>(20( +K+%,(%042+%(0'(2"+(@'2+%'+2B(]4/2(#/(2"+(A0/2#8(&#$8(/$&A8,(5#''02(.+(-+8$K+%+-( G$2"042( A0/2#8( +&A80,++/( #'-( +F4$A&+'2( $'/A+52$'<( #--%+//+/?( '+$2"+%( 5#'( @'2+%'+2( 50&&4'$5#2$0'/( .+( -+8$K+%+-( G$2"042( %042+%/( $'/A+52$'<( A#5*+2( "+#-+%/B(^42(2"$/(/"#880G(/0%2(01($'/A+52$0'(-0+/('02(%+K+#8(2"+(#524#8(50'2+'2(01( 2"+( C+.( .%0G/$'<( /+//$0'?( +&#$8?( 0%( \0@J( 5#88( 2"#2( #( A#%2$548#%( A#5*+2( &#,( 50'2#$'?(R4/2(#/(800*$'<(#2(#'(#--%+//(0'(#'(+'K+80A+(%+K+#8/('02"$'<(#.042(2"+( 50'2+'2(01(2"+(8+22+%($'/$-+B(

9++A(A#5*+2($'/A+52$0'($/(2"+(+F4$K#8+'2(01(A0/2#8(+&A80,++/(0A+'$'<(+'K+80A+/( #'-(%+#-$'<(2"+(8+22+%/($'/$-+B(;0(-0(9J@?('+2G0%*(-+K$5+/(+E#&$'+(2"+(A#,80#-( 01(#(A#5*+2(W(2"+(#524#8(-#2#(2"+(A#5*+2(5#%%$+/(W($'(#--$2$0'(20(2"+(A#5*+2("+#-+%B( ;0($'/A+52(#(A#5*+2(-++A8,(&+#'/(20(+E#&$'+(2"+(50'2+'2/(01(2"+(C+.(.%0G/$'<( /+//$0'?( +&#$8?( $'/2#'2( &+//#<+?( 0%( G"#2+K+%( 02"+%( -#2#( 2"+( A#5*+2( 50'2#$'/B(

4( CENTER FOR DEMOCRACY & TECHNOLOGY

_'8+//(2"+(50'2+'2(01(2"+(A#5*+2($/(+'5%,A2+-(=#/(G$2"(&0/2(0'8$'+(A4%5"#/+/(#'-( .#'*(2%#'/#52$0'/>?(2"+(+'2$%+2,(01(2"+(A#5*+2(5#'(.+(#'#8,P+-(G$2"(9J@B((

7'+( /8$<"2( 50&A8+E$2,( 01( @'2+%'+2( A#5*+2/( $/( 2"#2( #( A#5*+2( A#,80#-( $2/+81( &#,( 50'2#$'(/0&+(#--$2$0'#8(#--%+//$'<($'10%$0'(2"#2($/(/4AA8+&+'2#8(20(2"+(@J( #--%+//+/(#K#$8#.8+($'(2"+(A#5*+2("+#-+%B(C"+'(/+'-$'<(#'(+&#$8?(10%(+E#&A8+?( 2"+( +&#$8( #--%+//( 01( 2"+( %+5$A$+'2( #AA+#%/( $'( 2"+( A#5*+2( A#,80#-?( '02( $'( 2"+( A#5*+2("+#-+%B(N$*+G$/+(10%(C+.(.%0G/$'B((

S82"04<"( /0&+( &#,( 58#$&( 2"#2( +E#&$'$'<( /45"( #AA8$5#2$0'( "+#-+%/( -0+/( '02( 50'/2$242+(-++A(A#5*+2($'/A+52$0'?`(!9;(-$/#<%++/B(SAA8$5#2$0'("+#-+%/("#K+(2"+( A02+'2$#8(20(%+K+#8(&45"(&0%+(#.042(#(50&&4'$5#2$0'(2"#'(A#5*+2("+#-+%/?(#'-( 2"+( 2#/*( 01( -+2+%&$'$'<( G"+%+( #'( #AA8$5#2$0'( "+#-+%( /20A/( #'-( #524#8( -#2#( 50'2+'2( .+<$'/( 012+'( '+5+//$2#2+/( 2"+( $'/A+52$0'( 01( 2"+( -#2#( 50'2+'2( $2/+81B( ;"+%+10%+?(G+(.+8$+K+(2"+(8$'+(.+2G++'(/"#880G(#'-(-++A($'/A+52$0'(8$+/(.+2G++'( 2"+(A#5*+2("+#-+%(#'-(2"+(A#5*+2(A#,80#-?(%+<#%-8+//(01(G"+2"+%(2"+(A#,80#-( 50'2#$'/(2"+/+(#--$2$0'#8(H#AA8$5#2$0'("+#-+%/BI((

9J@(&#,(.+(-0'+($'(%+#8L2$&+(#/(2"+(-#2#($/($'(2%#'/&$//$0'?(0%($2(&#,(.+(-0'+( #12+%G#%-($1(2"+(-#2#($/(%+2#$'+-B(@3J/(&#,("04/+(9J@(+F4$A&+'2(#'-(50'-452( 2"+(A#5*+2($'/A+52$0'(2"+&/+8K+/?(0%(2"+,(&#,(#880G(#(2"$%-(A#%2,($'2+%&+-$#%,( 20( #22#5"( +F4$A&+'2( 20( 5088+52( #'-( $'/A+52( 2"+( @'2+%'+2( 2%#'/&$//$0'/( 01( 2"+$%( /4./5%$.+%/B(

1#!! 2.,.!'3!4,,5!-%67,*!8$.5,6*9'$!

9++A(A#5*+2($'/A+52$0'($/(#(<+'+%$5(2+5"'$F4+(2"#2(5#'(.+(4/+-(10%(#(G$-+(K#%$+2,( 01(A4%A0/+/B(aE#&A8+/($'584-+6(

! $#%&'!()&*+ &,'#)-!.!/0( W( S/( G+( -$/54//( $'( <%+#2( -+2#$8( $'( 3+52$0'( @\?( 9J@( $/( 54%%+'28,(.+$'<(4/+-(.,(#-K+%2$/$'<(50&A#'$+/(20(#'#8,P+($'-$K$-4#8/D(C+.( .%0G/$'<( "#.$2/?( 5%+#2+( A%01$8+/( 01( 2"+$%( $'2+%+/2/( #'-( .+"#K$0%/?( #'-( 4/+( 2"0/+(A%01$8+/(20(/+%K+(2"+&(2#%<+2+-(#-K+%2$/+&+'2/B( ! 1#-#2-!(/+ (3+ /#-4()5+ &--&25.( W( @3J/( #'-( 02"+%( '+2G0%*( 0A+%#20%/( 5#'( /0&+2$&+/(4/+(9J@(20(-+2+52('+2G0%*(2"%+#2/(8$*+(/A#&(#'-(K$%4/+/?(/$'5+(

(((((((((((((((((((((((((((((((((((((((((((((((((((((((( 6 See, e.g., Declan McCullagh, Q&A with Charter VP: Your Web activity, logged and loaded, C|Net, May 15, 2008, http://news.cnet.com/8301-13578_3-9945309-38.html.

5( CENTER FOR DEMOCRACY & TECHNOLOGY

2"+/+(*$'-/(01(#22#5*/(&#,(+E"$.$2(G+88(*'0G'(-#2#(H/$<'#24%+/I(2"#2( @3J/( 5#'(%+50<'$P+(.,($'/A+52$'<(A#5*+2(A#,80#-/Bb(( ! 6#-4()5+ 2(/0#.-!(/+ 7&/&0#7#/-( W(9J@(5#'("+8A(@3J/(&#'#<+(2"+(K084&+(01( -#2#(0'(2"+$%('+2G0%*/B(O0%(+E#&A8+?($'/A+52$'<(A#5*+2/(&#,(#880G(#'(@3J(20( $-+'2$1,( 5+%2#$'( *$'-/( 01( 50&&4'$5#2$0'/( =AQA( 1$8+( 2%#'/1+%/?( 10%( +E#&A8+>( 2"#2($2(&#,(-+5$-+(20(H2"%0228+I(0%(A%05+//(&0%+(/80G8,(#2(2$&+/(G"+'(2"+( '+2G0%*($/(50'<+/2+-Bc( ! 8#)'!2#+-!#)!/0( W(S'(@3J(2"#2(G#'2/(20(5"#%<+(-$11+%+'2(A%$5+/(10%(2"+(4/+(01( -$11+%+'2(@'2+%'+2(/+%K$5+/(W(/#,(C+.(.%0G/$'

III. The Privacy Risks of Deep Packet Inspection

@'( A#%2( .+5#4/+( 2"+( @'2+%'+2( G#/( -+K+80A+-( #%04'-( 2"+( +'-L20L+'-( A%$'5$A8+?( 50'/4&+%/("#K+(50&+(20(+EA+52(2"#2(2"+$%(@'2+%'+2(50&&4'$5#2$0'/(A#//(2"%04<"(

(((((((((((((((((((((((((((((((((((((((((((((((((((((((( 7 See, e.g., Sandvine DPI-Based Policy Solutions, http://sandvine.com/general/getfile.asp?FILEID=17 at 6 (last visited July 14, 2008); Thomas Porter, The Perils of Deep Packet Inspection, SecurityFocus, Jan. 1, 2005, http://securityfocus.com/infocus/1817.

8 See, e.g., Nate Anderson, New Filings Reveal Extent, Damage of Bell Canada Throttling, Ars Technica, June 2, 2008, http://arstechnica.com/news.ars/post/20080602-new-filings-reveal-extent-damage-of-bell-canada-throttling.html.

9 See Nate Anderson, Deep Packet Inspection Meets 'Net Neutrality, CALEA, Ars Technica, July 24, 2007, http://arstechnica.com/articles/culture/Deep-packet-inspection-meets-net-neutrality.ars.

10 See, e.g., Audible Magic CopySense Appliance, http://audiblemagic.com/products-services/copysense/ (last visited July 14, 2008); see also Rob Frieden, Internet Packet Sniffing and Its Impact on the Network Neutrality Debate and the Balance of Power Between Intellectual Property Creators and Consumers, 18 Fordham Intell. Prop. Media & Ent. L.J. 633 (2008).

6( CENTER FOR DEMOCRACY & TECHNOLOGY

2"+( '+2G0%*( G$2"042( .+$'<( /'00A+-( 0'( 2"+( G#,B( 9J@( -%#$5#88,( #82+%/( 2"$/( 8#'-/5#A+( .,( A%0K$-$'<( #'( @3J( 0%( $2/( A#%2'+%/( G$2"( 2"+( #.$8$2,( 20( $'/A+52( 50'/4&+%(50&&4'$5#2$0'/(+'(%042+B(;"4/?(-+A80,$'<(#(9J@(/,/2+&(8$*+8,(-+1$+/( 2"+( +EA+52#2$0'/( 50'/4&+%/( "#K+( .4$82( 4A( 0K+%( 2$&+B( S./+'2( 4'&$/2#*#.8+( '02$5+?(50'/4&+%/(/$&A8,(-0('02(+EA+52( 2"+$%(@3J(0%($2/(A#%2'+%/(20(.+(800*$'<( $'20(2"+(50'2+'2(01(2"+$%(@'2+%'+2(50&&4'$5#2$0'/B((

)#',(50&A#'$+/(#2(+K+%,(8+K+8(01(2"+(@'2+%'+2(K#84+(5"#$'("#K+(G0%*+-(20(.4$8-( 2%4/2($'(2"+(&+-$4&(20(2"+(A0$'2(G"+%+(&$88$0'/(01(50'/4&+%/(1++8(50&10%2#.8+( +'<#<$'<( $'( #( G$-+( %#'<+( 01( A+%/0'#8( #'-( 50&&+%5$#8( 50&&4'$5#2$0'/( #'-( 2%#'/#52$0'/(0'8$'+B(@3J/(#%+(#(5%$2$5#8(A#%2(01(2"#2(5"#$'(01(2%4/2B(@1(50'/4&+%/( 1$'-(%+#/0'/(20(F4+/2$0'(G"#2(2"+$%(@3J/(#%+(-0$'<(G$2"(2"+$%(@'2+%'+2(-#2#?(2"+,( &#,(.+50&+(%+8452#'2(20(4/+(2"+(@'2+%'+2(#/(0A+'8,(#'-(1%+F4+'28,(#/(2"+,(-0( 20-#,B(_'8+//($2($/(5#%+1488,(-+A80,+-?(9J@(%4'/(2"+(%$/*(01(-#&#<$'<(50'/4&+%( 50'1$-+'5+($'(2"+(&+-$4&B(

!+%2#$'(5"#%#52+%$/2$5/(01(9J@(#8/0(/+%$04/8,(5"#88+'<+(2%#-$2$0'#8('02$0'/(01(H1#$%( $'10%$0'( A%#52$5+/?I( #( <+'+%#88,( #55+A2+-( /+2( 01( A%$'5$A8+/( 10%( A%02+52$'<( A%$K#5,BMM(!0'/$-+%(2"+(1#$%($'10%$0'(A%$'5$A8+(01(8$&$2$'<(-#2#(5088+52$0'(20( G"#2($/('+5+//#%,(20(50&A8+2+(2"+(2#/*(#2("#'-B(U0G(5#'(2"$/($-+#(.+(/F4#%+-( G$2"(+E$/2$'<(9J@(+F4$A&+'2(2"#2("#/(2"+(5#A#.$8$2,(20(5088+52(#'-(#'#8,P+(+K+%,( /$'<8+(@'2+%'+2(A#5*+2(10%(&$88$0'/(01(@'2+%'+2(4/+%/(#2(0'5+fMQ(S82"04<"(9J@(5#'( .+($&A8+&+'2+-(G$2"(8$&$2/(0'(2"+(2,A+/(01(-#2#(5088+52+-?(2"+(2%+'-($/(20G#%-( &0%+(-#2#(5088+52$0'(#'-(A%05+//$'<(A0G+%?('02(8+//B(

;%#'/A#%+'5,($/(#'02"+%(50%+(1#$%($'10%$0'(A%$'5$A8+(2"#2(9J@(G048-(#AA+#%( 20(5"#88+'<+B(9J@(+F4$A&+'2(K+'-0%/(50&A+2+(0'("0G(/X(01(#'($&A#52(2"+,( 5#'( "#K+( 0'( 0K+%#88( '+2G0%*( 0A+%#2$0'/BMT( \+'-0%/( /++*( 20( +'/4%+( 2"#2( 9J@( +F4$A&+'2?( +K+'( #/( $2( A%05+//+/( &#//+/( 01( @'2+%'+2( -#2#( 1%0&( &$88$0'/( 01( /4./5%$.+%/?( G$88( '02( /80G( -0G'( '+2G0%*( 0A+%#2$0'/( #'-( G$88( $'( 1#52( .+( #/( $'K$/$.8+(#/(A0//$.8+(0'(2"+('+2G0%*B(;"$/(&+#'/(@3J/(#'-(02"+%/(&#,(.+(#.8+(20( -+A80,(9J@(/,/2+&/(2"#2("#K+(1+G('02$5+#.8+(+11+52/(0'(50'/4&+%/B( C$2"( 9J@(

((((((((((((((((((((((((((((((((((((((((((((((((((((((((

11 See, e.g., Organisation for Economic Co-operation and Development, OECD GUIDELINES ON THE PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA (Sept. 23, 1980), http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.

12 See Procera PacketLogic PL10000 Datasheet, http://www.proceranetworks.com/images/documents/ds-pl10000-05-21- 08_4p_web.pdf (last visited July 14, 2008).

13 See, e.g., The Tolly Group, Procera PacketLogic 7600 Evaluation of Accuracy and Scalability of Network Traffic and Service Management System (May 2007), http://www.proceranetworks.com/images/documents/tolly207173procerapacketlogic7600may2007.pdf (highlighting the fact that the Procera DPI device “generates less than 1 millisecond of one-way average latency”).

7( CENTER FOR DEMOCRACY & TECHNOLOGY

"$--+'(1%0&(K$+G?(2"0/+(-0$'<(2"+(A#5*+2($'/A+52$0'(&#,("#K+(8$228+($'5+'2$K+(20( 1488,(-$/580/+(2"+$%(A%#52$5+/B(

@'(&#',(5#/+/?(9J@(+F4$A&+'2(G$88(#420$5#88,(5088+52(A+%/0'#88,($-+'2$1$#.8+( $'10%$0'(=J@@>?(+K+'($1(2"+(@3J(0%($2/(A#%2'+%/("#K+('0($'2+'2$0'/(01(4/$'<(/45"( -#2#B( !0'/$-+%( #( 2"$%-LA#%2,( K+'-0%( 4/$'<( #( 9J@( /,/2+&( 20( #'#8,P+( 2"+( C+.( .%0G/$'<(#52$K$2$+/(01(#'(@3JD/(/4./5%$.+%/B(S82"04<"(2"+(K+'-0%(&#,('02(5#%+(20( *'0G(2"+("0&+(#--%+//(01(#(/4./5%$.+%?(2"+(9J@(+F4$A&+'2(/4%+8,(5088+52/(J@@( G"+'(2"#2(/4./5%$.+%(50'-452/(C+.(/+#%5"+/(20(0.2#$'(0'8$'+(-%$K$'<(-$%+52$0'/( 1%0&( "$/( 0%( "+%( 0G'( "0&+( #--%+//B( O4%2"+%&0%+?( 9J@( /,/2+&/( #420$5#88,( 5088+52( @J( #--%+//+/?( G"$5"( 5#'( /0&+2$&+/( .+( 4/+-( 20( %+L$-+'2$1,( $'-$K$-4#8/( G"+'( 50&.$'+-( G$2"( 02"+%( $'10%$0'B( @'( 2"$/( G#,?( 9J@( 2+'-/( 20( /G++A( $'( A+%/0'#8( $'10%$0'( +K+'( G"+'( /45"( $'10%$0'( $/( '02( /04<"2( .,( 2"+( A#%2,( -0$'<(2"+(A#5*+2($'/A+52$0'B(

3$&$8#%8,?( /+'/$2$K+( $'10%$0'( &#,( .+( 4'$'2+'2$0'#88,( 5088+52+-( $'( #( 9J@( /,/2+&B(J+%/0'#8("+#82"(-#2#?(10%(+E#&A8+?($/(&$<%#2$'<(0'8$'+(2"%04<"(#'(+K+%L +EA#'-$'<(#%%#,(01("+#82"($'10%$0'(#'-(/+#%5"(/$2+/?(0'8$'+(/4AA0%2(<%04A/?( #'-(A+%/0'#8("+#82"(%+50%-(/$2+/B(S82"04<"(2"+(0A+%#20%(01(#(9J@(/,/2+&(&#,('02( 5#%+( 20( /20%+( 0%( #'#8,P+( /45"( $'10%$0'?( #( A#5*+2( 50'2#$'$'<( /+'/$2$K+( -#2#( &4/2(1$%/2(.+($'/A+52+-(20(-+2+%&$'+($2/(50'2+'2/(.+10%+(2"+(9J@(/,/2+&(0A+%#20%( 5#'( -+5$-+( G"#2( 20( -0( G$2"( $2B( @'( /"0%2?( 9J@( 2+5"'080<,( &#,( 800*( #2( #88( $'10%$0'?( $'584-$'<( /+'/$2$K+( $'10%$0'V( G"#2( $/( 2"+'( -0'+( G$2"( 2"#2( $'10%$0'( 5#'( K#%,( G$-+8,( #'-( $/( 4'8$*+8,( 20( .+( -$%+528,( 0./+%K#.8+( .,( 50'/4&+%/B(

O0%( 9J@( 20( 0A+%#2+( $'( #( 2%48,( A%$K#5,LA%02+52$K+( G#,?( -#2#( 5088+52$0'( #'-( %+2+'2$0'( '++-( 20( .+( 8$&$2+-( #'-( 2"0/+( 8$&$2/( /"048-( .+( 2$+-( 20( 2"+( 0%$<$'#8( A4%A0/+/(10%(5088+52$'<(2"+(-#2#B(!0'/4&+%/('++-(20(.+($'10%&+-(#.042(G"#2( -#2#($/(.+$'<(5088+52+-(#.042(2"+$%(@'2+%'+2(#52$K$2$+/?("0G(2"+($'10%$0'(G$88( .+(4/+-?(G"+2"+%(2"+($'10%$0'(G$88(.+(/"#%+-(G$2"(02"+%/?(#'-(G"#2(&+#/4%+/( #%+(.+$'<(2#*+'(20(+'/4%+(2"#2(#',(2%#'/1+%(01(-#2#(%+&#$'/(/+54%+B(;"+,(/"048-( .+(A%+/+'2+-(G$2"(2"$/($'10%$0'($'(#(&#''+%(2"#2(/4AA0%2/($'10%&+-(5"0$5+( 50'5+%'$'<(2"+$%($'10%$0'(#'-(2"#2(5"0$5+(/"048-("0'0%+-(A+%/$/2+'28,(0K+%( 2$&+B(!0'/4&+%/(&4/2(#8/0("#K+(0AA0%24'$2$+/(10%(8+<#8(%+-%+//(10%(&$/4/+(01(2"+( -#2#B(S/(#(%+5+'2(9B!B(9$/2%$52(!04%2(0A$'$0'(+/2#.8$/"+-?(-#2#(8+#*#<+(#'-(2"+( 50'5+%'(10%(A02+'2$#8(#.4/+/(01(2"#2(-#2#(#%+(%+50<'$P#.8+("#%&/(/2#'-$'<(#80'+?(

8( CENTER FOR DEMOCRACY & TECHNOLOGY

G$2"042( #',( '++-( 20( /"0G( &$/4/+( 01( 2"+( -#2#BMZ( !0'/4&+%/( -0( '02( '++-( 20( .+50&+(K$52$&/(01($-+'2$2,(2"+12(20(/411+%(1%0&(#'($'K#/$0'(01(A%$K#5,B((

S82"04<"(9J@($'(#(<+'+%$5(/+'/+(%#$/+/(2"+(A%$K#5,(50'5+%'/(-+/5%$.+-(#.0K+?( 2"+( 4/+( 01( 9J@( 10%( .+"#K$0%#8( #-K+%2$/$'<( "#/( $2/( 0G'( 4'$F4+( A%$K#5,( $&A8$5#2$0'/B(;"+/+(#%+(+EA80%+-($'(2"+('+E2(/+52$0'B(

IV. The Emerging Use of Deep Packet Inspection for Behavioral Advertising

^+"#K$0%#8( #-K+%2$/$'

7K+%( 2"+( A#/2( ,+#%?( #( '+G( *$'-( 01( #-( '+2G0%*( 2"#2( &#*+/( 4/+( 01( 9J@( 10%( .+"#K$0%#8(#-K+%2$/$'<("#/(+&+%<+-B(@'(2"$/(&0-+8?(2"+(#-('+2G0%*(A#%2'+%/(G$2"( #'(@3J(20(-0($2/(-#2#(5088+52$0'?(%#2"+%(2"#'(G$2"(#('+2G0%*(01(A#%2$5$A#2$'<(C+.( /$2+/B( ;"+( @3J( #880G/( 2"+( #-( '+2G0%*( 20( 50'-452( 9J@( 0'( 2"+( $'-$K$-4#8( C+.( .%0G/$'<( #52$K$2$+/( 01( +#5"( 01( 2"+( @3JD/( 54/20&+%/B( ;"$/( &+#'/( 2"#2( 2"+( #-( '+2G0%*( %+5+$K+/( #'( $'-$K$-4#8D/( C+.( .%0G/$'<( /2%+#&( -$%+528,( 1%0&( 2"+( @3J( #'-(#'#8,P+/(2"+(50'2+'2(01(2"#2(A#5*+2(/2%+#&($'(0%-+%(20(5%+#2+(#(A%01$8+(01(2"+( $'-$K$-4#8D/( 0'8$'+( .+"#K$0%/( #'-( $'2+%+/2/B( S/( 54/20&+%/( 01( 2"+( @3J( /4%1( 2"+( C+.(#'-(K$/$2(02"+%(C+.(/$2+/?(2"+(#-('+2G0%*(/+%K+/(2"+&(#-/(2#%<+2+-(.#/+-( 0'(2"+$%(.+"#K$0%#8(A%01$8+/B(

(((((((((((((((((((((((((((((((((((((((((((((((((((((((( 14 Am. Fed'n of Gov't Employees v. Hawley, 543 F. Supp. 2d 44, 50–51 (D.D.C. 2008) (ruling, inter alia, that concerns about identity theft, embarrassment, inconvenience, and damage to financial suitability requirements after an apparent data breach constituted a recognizable "adverse effect" under the Privacy Act, 5 U.S.C. § 552a (citing Kreiger v. Dep't of Justice, 529 F. Supp. 2d 29, 53 (D.D.C. 2008)).

9( CENTER FOR DEMOCRACY & TECHNOLOGY

;"+(4/+(01(9J@(10%(.+"#K$0%#8(#-K+%2$/$'<($/(0'+(#%+#(2"#2(G+(.+8$+K+(%+F4$%+/( 580/+(/5%42$',(1%0&(8#G&#*+%/B(S/($2("#/(.++'($&A8+&+'2+-(2"4/(1#%?(2"+(4/+(01( 9J@( 10%( .+"#K$0%#8( #-K+%2$/$'<( A0/+/( %$/*/( 20( 50'/4&+%( A%$K#5,?( -+1$+/( %+#/0'#.8+( 4/+%( +EA+52#2$0'/?( 5#'( .+( -$/%4A2$K+( 20( @'2+%'+2( #'-( C+.( 14'52$0'#8$2,?(#'-(&#,(%4'(#1048(01(50&&4'$5#2$0'/(A%$K#5,(8#G/B(

"#! -:9;%6)!805&96%*9'$.!'3!*+,!2.,!'3!4-8!3':!1,+%;9':%&!"<;,:*9.9$(!

<"+ =)!'&2;+>7:*!2&-!(/.+(3+$#%&'!()&*+?,'#)-!.!/0+&-+@&)0#+

aK+'(G"+'($2(-0+/('02($'K08K+(9J@?(.+"#K$0%#8(#-K+%2$/$'<(A0/+/(#(<%0G$'<(%$/*( 20( 50'/4&+%( A%$K#5,B(!0'/4&+%/( #%+( 8#%<+8,( 4'#G#%+( 01( 2"+( A%#52$5+( #'-( #%+( 2"4/($88(+F4$AA+-(20(2#*+(A%02+52$K+(#52$0'B(;"+,("#K+('0(+EA+52#2$0'(2"#2(2"+$%( .%0G/$'<( $'10%$0'(&#,(.+(2%#5*+-(#'-(/08-?(#'-(2"+,(#%+(%#%+8,(A%0K$-+-( /411$5$+'2( $'10%$0'( #.042( 2"+( A%#52$5+/( 01( #-K+%2$/+%/( 0%( 02"+%/( $'( 2"+( #-K+%2$/$'<( K#84+( 5"#$'( 20( <#4<+( 2"+( A%$K#5,( %$/*/( #'-( &#*+( &+#'$'<148( -+5$/$0'/(#.042(G"+2"+%(#'-("0G(2"+$%($'10%$0'(&#,(.+(4/+-B(@'(#(%+5+'28,( %+8+#/+-(U#%%$/(@'2+%#52$K+gS8#'(OB(C+/2$'(/24-,?([dh(01(%+/A0'-+'2/(/#$-(2"+,( G+%+('02(50&10%2#.8+(G$2"(0'8$'+(50&A#'$+/(4/$'<(2"+$%(.%0G/$'<(.+"#K$0%(20( 2#$80%( #-/( #'-( 50'2+'2( 20( 2"+$%( $'2+%+/2/( +K+'( G"+'( 2"+,( G+%+( 208-( 2"#2( /45"( #-K+%2$/$'<(/4AA0%2/(1%++(/+%K$5+/BM[(S(%+5+'2(;Y_3;+(/4%K+,(A%0-45+-(/$&$8#%( %+/482/BM`(@2($/("$<"8,(4'8$*+8,(2"#2(2"+/+(%+/A0'-+'2/(4'-+%/200-(2"#2(2"$/(2,A+(01( #-(2#%<+2$'<($/(#8%+#-,(2#*$'<(A8#5+(0'8$'+(+K+%,(-#,B((

@'(&0/2(5#/+/?(-#2#(5088+52$0'(10%(.+"#K$0%#8(#-K+%2$/$'<(0A+%#2+/(0'(#'(0A2L042( .#/$/B(7A2L042(&+5"#'$/&/(10%(0'8$'+(#-K+%2$/$'<(#%+(012+'(.4%$+-($'(1$'+(A%$'2?( -$11$5482( 20( 4'-+%/2#'-?( "#%-( 20( +E+542+( #'-( 2+5"'$5#88,( $'#-+F4#2+B( 7'8,( 2"+( &0/2( /0A"$/2$5#2+-( #'-( 2+5"'$5#88,( /#KK,( 50'/4&+%/( #%+( 8$*+8,( 20( .+( #.8+( 20( /455+//1488,('+<02$#2+(/45"(0A2L042(A%05+//+/B()0%+0K+%?($'(&0/2(5#/+/?(0A2L042( &+5"#'$/&/(011+%+-(10%(.+"#K$0%#8(#-K+%2$/$'<(0'8,(0A2(2"+(4/+%(042(01(%+5+$K$'<( 2#%<+2+-( #-/?( .42( -0( '02( 0A2( 2"+( 4/+%( 042( 01( -#2#( 5088+52$0'( #.042( "$/( 0%( "+%( @'2+%'+2(4/#<+B((

(((((((((((((((((((((((((((((((((((((((((((((((((((((((( 15 Alan F. Westin, How Online Users Feel About Behavioral Marketing and How Adoption of Privacy and Security Policies Could Affect Their Feelings (Mar. 2008).

16 TRUSTe, “TRUSTe Report Reveals Consumer Awareness and Attitudes About Behavioral Targeting” (Mar. 28, 2008), http://marketwire.com/press-release/Truste-837437.html (“71 percent of online consumers are aware that their browsing information may be collected by a third party for advertising purposes . . .. 57 percent of respondents say they are not comfortable with advertisers using that browsing history to serve relevant ads, even when that information cannot be tied to their names or any other personal information.”).

10( CENTER FOR DEMOCRACY & TECHNOLOGY

;"+%+( $/( #8/0( #( %$/*( 2"#2( A%01$8+/( 10%( .+"#K$0%#8( #-K+%2$/$'<( &#,( .+( 4/+-( 10%( A4%A0/+/(02"+%(2"#'(#-K+%2$/$'

O$'#88,?( .+5#4/+( 2"+( 8+<#8( /2#'-#%-/( 10%( <0K+%'&+'2( #55+//( 20( A+%/0'#8( $'10%$0'("+8-(.,(2"$%-(A#%2$+/(#%+(+E2%#0%-$'#%$8,(80G?(2"+/+(50&A%+"+'/$K+( 50'/4&+%( A%01$8+/( #%+( #K#$8#.8+( 20( <0K+%'&+'2( 011$5$#8/( .,( &+%+( /4.A0+'#?( G$2"042('02$5+(20(2"+($'-$K$-4#8(0%(#'(0AA0%24'$2,(10%(2"+($'-$K$-4#8(20(0.R+52BMc(

A"+ 1##:+=&25#-+>/.:#2-!(/+BC&2#)D&-#.+&/,+>/-)(,92#.+>-.+E4/+=)!'&2;+F(/2#)/.+

;"+(A%$K#5,($&A8$5#2$0'/(01(.+"#K$0%#8(#-K+%2$/$'<(#2(8#%<+(#%+(#&A8$1$+-(G"+'( 9J@($/(2"+(-#2#(5088+52$0'(&+5"#'$/&B(S-('+2G0%*/(2"#2(A#%2'+%(G$2"(@3J/(#'-( 4/+(9J@(&#,(A02+'2$#88,(<#$'(#55+//(20(/4./2#'2$#88,(#88(01(#'($'-$K$-4#8D/(C+.( .%0G/$'<( -#2#( #/( $2( 2%#K+%/+/( 2"+( @3JD/( $'1%#/2%4524%+?( $'584-$'<( 2%#11$5( 20( #88( A08$2$5#8?( %+8$<$04/?( #'-( 02"+%( '0'L50&&+%5$#8( /$2+/B( C"$8+( 2%#-$2$0'#8( #-( '+2G0%*/( &#,( .+( 8#%<+?( 1+G( $1( #',( A%0K$-+( 2"+( 0AA0%24'$2,( 20( 5088+52( $'10%$0'(#.042(#'($'-$K$-4#8D/(0'8$'+(#52$K$2$+/(#/(50&A%+"+'/$K+8,(#/($'(2"+( 9J@( &0-+8?( A#%2$548#%8,( G$2"( %+/A+52( 20( #52$K$2$+/( $'K08K$'<( '0'L50&&+%5$#8( 50'2+'2B(S'-(#82"04<"(2"+/+(#-('+2G0%*/(54%%+'28,($'/A+52(A%+-0&$'#'28,(C+.( 2%#11$5?(@3J/(5#%%,(+&#$8/?(5"#2/?(1$8+(2%#'/1+%/(#'-(&#',(02"+%(*$'-/(01(-#2#(2"#2( 2"+,( 5048-( -+5$-+( 20( A#//( 0'( 20( .+"#K$0%#8( #-( '+2G0%*/( 10%( $'/A+52$0'( $'( 2"+( 1424%+B(

)0%+0K+%?( 2"+( 4/+( 01( 9J@( 10%( .+"#K$0%#8( #-K+%2$/$'<( -+1$+/( 4/+%( +EA+52#2$0'/( #.042( G"#2( "#AA+'/( G"+'( 2"+,( /4%1( 2"+( C+.( #'-( 50&&4'$5#2+( 0'8$'+B( )0/2( @'2+%'+2(4/+%/(G048-(.+(/4%A%$/+-(20(1$'-(#(&$--8+&#'(84%*$'<(.+2G++'(2"+&( #'-(2"+(C+.(/$2+/(2"+,(K$/$2B(i$K$'<(#'(4'*'0G'(2"$%-(A#%2,(.%0#-(#55+//(20(

((((((((((((((((((((((((((((((((((((((((((((((((((((((((

17 See Louise Story, Online Pitches Made Just for You, N.Y. TIMES, Mar. 6, 2008, http://nytimes.com/2008/03/06/business/media/06adco.html.

18 See CDT, Digital Search and Seizure: Updating Privacy Protections to Keep Pace with Technology (Mar. 2006), http://cdt.org/publications/digital-search-and-seizure.pdf at 7-9; Deirdre K. Mulligan, Reasonable Expectations in Electronic Communications: A Critical Perspective on the Electronic Communications Privacy Act, 72 GEO. WASH. L. REV. 1557 (2004); Daniel J. Solove, Digital Dossiers and the Dissipation of Fourth Amendment Privacy, 75 S. CAL. L. REV. 1083, 1135 (2002).

11( CENTER FOR DEMOCRACY & TECHNOLOGY

&0/2(50'/4&+%(C+.(50&&4'$5#2$0'/(&#,(4'-+%&$'+(2"+(2%4/2(2"#2(50'/4&+%/( "#K+($'(2"+$%(@3J/B(

1#! =>::,$*!805&,0,$*%*9'$.!?%)!8$*,:3,:,!@9*+!A':0%&!8$*,:$,*!2.,!

9+/A$2+(2"+/+(50'5+%'/?(/+K+%#8(#-('+2G0%*(50&A#'$+/(#%+(&0K$'<(10%G#%-(G$2"( A8#'/( 20( 4/+( 9J@( 10%( .+"#K$0%#8( #-K+%2$/$'?( !+'24%,;+8?(a&.#%F(#'-(k'080<,(#8/0(#''04'5+-(A8#'/(G$2"(j+.4S-(20(2%$#8(0%( -+A80,($2/(.+"#K$0%#8(#-K+%2$/$'<(2+5"'080<,B(S82"04<"(#('4&.+%(01(2"+/+(@3J/( "#K+(A42(2"+$%(A8#'/(0'("08-($'(2"+(G#*+(01(#(1$%+/20%&(01(5%$2$5$/&?(j+.4S-( 50'2$'4+/( 20( G0%*( G$2"( _B3B( @3J/( #'-( /++*( '+G( @3J( A#%2'+%/B( J"0%&?( G"$5"( 0%$<$'#88,(#''04'5+-(-+#8/(G$2"(2"%++(01(2"+(_kD/(8#%<+/2(@3J/(#'-("#/(/04<"2( A#%2'+%/"$A/(G$2"(_B3B(@3J/?($/(#8/0('0G(+'504'2+%$'<("+/$2#2$0'(1%0&(/0&+(01($2/( _k(A#%2'+%/BQe(

@'-+A+'-+'2(#'#8,/+/(01(.02"(50&A#'$+/D(/,/2+&/("#K+(%+K+#8+-(2"#2(.,(K$%24+( 01(2"+$%(#.$8$2,(20($'2+%5+A2(@'2+%'+2(2%#11$5(+'(%042+(W(#'-(.#/+-(0'(2"+$%(-+/$%+(20( 2%#5*( $'-$K$-4#8( @'2+%'+2( 4/+%/( W(2"+,(+'<#<+($'(#'(#%%#,( 01(A%#52$5+/(2"#2(#%+( $'50'/$/2+'2(G$2"(2"+(4/4#8(180G(01(@'2+%'+2(2%#11$5B(j+.4S-(%+A0%2+-8,($'R+52/( 50&A42+%( 50-+( $'20( C+.( 2%#11$5( /2%+#&/( 2"#2( 5#4/+/( '4&+%04/( 500*$+/( 20( .+( A8#5+-(0'(4/+%/D(50&A42+%/(10%(.+"#K$0%#8(2%#5*$'

((((((((((((((((((((((((((((((((((((((((((((((((((((((((

19 Saul Hansell, Charter Suspends Plan to Sell Customer Data to Advertisers, N.Y. TIMES: BITS BLOG, Jun. 24, 2008, http://bits.blogs.nytimes.com/2008/06/24/charter-suspends-plan-to-sell-customer-data-to-advertisers.

20 Chris Williams, CPW builds wall between customers and Phorm, REGISTER, Mar. 11, 2008, http://theregister.co.uk/2008/03/11/phorm_shares_plummet.

21 Robert M. Topolski, NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking (June 2008), http://publicknowledge.org/pdf/nebuad-report-20080618.pdf.

22 Richard Clayton, The Phorm “Webwise” System (May 18, 2008), http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf.

12( CENTER FOR DEMOCRACY & TECHNOLOGY

K48'+%#.$8$2$+/($'(2"+('+2G0%*?QT("#&A+%(2"+(/A++-(01(4/+%/D(@'2+%'+2(50''+52$0'/?( #'-($'2+%1+%+(G$2"(0%-$'#%,(C+.(14'52$0'#8$2,B(S2(#(2$&+(G"+'(&#',(-$11+%+'2( *$'-/(01(50&A#'$+/(#%+(G0%*$'<(20(.4$8-(#(2%4/2+-(50&A42$'<(A8#210%&(10%(2"+( @'2+%'+2?("#K$'<(@3J/(G0%*(G$2"(A#%2'+%/(G"0/+(A%#52$5+/(4'-+%&$'+(2%4/2(%#$/+/( 1424%+(5,.+%L/+54%$2,(50'5+%'/B(

=#! =>::,$*!805&,0,$*%*9'$.!?%)!B9'&%*,!C,<,:%&!D%E! ( ^+"#K$0%#8(#-K+%2$/$'<('+2G0%*/(4/$'<(9J@(/2%+//(2"#2(2"+(A%01$8+/(2"+,(50&A$8+( #%+( #'0',&04/( #'-( 50'2#$'( 0'8,( <+'+%$5( &#%*+2$'<( 58#//$1$5#2$0'/B( ;"#2( &#,( G+88( .+( 2%4+?( #'-( /45"( A%01$8+/( G048-( '02( .+( 2"+( 1054/( 01( /+%$04/( A%$K#5,( 50'5+%'/B(Y#2"+%?(04%(50'5+%'($/(G$2"(G"#2($2(2#*+/(20(50&A$8+(/45"(A%01$8+/6(2"+( -$/580/4%+?(50A,$'<(#'-(#'#8,/$/(01(/4./2#'2$#88,(#88(01(#'(@'2+%'+2(4/+%D/(C+.( 2%#11$5B(;"#2(#-K+%2$/$'<('+2G0%*/(20-#,(4/+(0'8,(#(A0%2$0'(01(G"#2(2"+,(5088+52( #'-(-$/5#%-(2"+(%#G(-#2#(#12+%(#'#8,P$'<($2(011+%/(/X(50&10%2(20(G"#2(2"+,(0%( 2"+$%(A02+'2$#8(50&A+2$20%/(&$<"2(-0(G$2"(2"+(-#2#($'(2"+(1424%+B(j0%(-0(54%%+'2( 58#$&/(#.042(2"+(#'0',&$2,(01(/20%+-(A%01$8+/(0K+%50&+(2"+(1#52(2"#2(2"+($'$2$#8( 5#A24%+( #'-( -$/580/4%+( 01( /4./2#'2$#88,( #88( 01( #( A+%/0'D/( C+.( 2%#11$5( -+1$+/( %+#/0'#.8+(+EA+52#2$0'/(#'-(&#,(K$08#2+(G$%+2#AA$'<(8#G/B(

;"+(1+-+%#8(C$%+2#A(S52?(#/(#&+'-+-(.,(2"+(a8+52%0'$5(!0&&4'$5#2$0'/(J%$K#5,( S52(=a!JS>?(A%0"$.$2/(2"+($'2+%5+A2$0'(#'-(-$/580/4%+(01(+8+52%0'$5( 50&&4'$5#2$0'/(W($'584-$'<(2"+(50'2+'2(01(@'2+%'+2(A#5*+2/(W(G$2"042(50'/+'2BQZ( S82"04<"(+E5+A2$0'/(20(2"$/(%48+(A+%&$2($'2+%5+A2$0'(#'-(-$/580/4%+(G$2"042( 50'/+'2?(G+(/+%$04/8,(-04.2(2"#2(#',(01(2"+&(#AA8,(20(2"+(4/+(01(9J@(10%( .+"#K$0%#8(#-K+%2$/$'<(A4%A0/+/B(S550%-$'<8,?(G+(.+8$+K+(2"#2(2"+(C$%+2#A(S52( %+F4$%+/(50'/+'2(.+10%+(2"+(50'2+'2(01(@'2+%'+2(A#5*+2/(&#,(.+(4/+-(10%( .+"#K$0%#8(#-K+%2$/$'<(A4%A0/+/?(#'-(14%2"+%&0%+(2"#2(/45"(50'/+'2(/"048-(.+( 0.2#$'+-(0'(#'(0A2L$'(.#/$/(#12+%(4'#K0$-#.8+('02$5+B(!+%2#$'(/2#2+(8#G/(&#,(2#*+( 2"$/(0'+(/2+A(14%2"+%?(%+F4$%$'<(50'/+'2(1%0&(.02"(A#%2$+/(20(2"+(50&&4'$5#2$0'6( 2"+(50'/4&+%(#'-(2"+(C+.(/$2+("+(0%(/"+($/(K$/$2$'

(((((((((((((((((((((((((((((((((((((((((((((((((((((((( 23 These types of behaviors have much in common with well-understood online security threats, and parts of the Internet security community are already investigating how to respond. See Anti-Spyware Coalition, Anti-Spyware Coalition Aims to Address Behavioral Targeting (Apr. 2008), http://antispywarecoalition.org/newsroom/20080425press.htm.

24 18 U.S.C. § 2511.

13( CENTER FOR DEMOCRACY & TECHNOLOGY

@&A0%2#'28,?(1+-+%#8(#'-(/2#2+(G$%+2#A(8#G/(&#*+('0(-$/2$'52$0'(.+2G++'(J@@(#'-( '0'LJ@@?(#'-(%$<"28,(/06(+#K+/-%0AA$'<(0'(A"0'+(5#88/?(10%(+E#&A8+?($/(#'( 0.K$04/(A%$K#5,(K$08#2$0'(+K+'(G"+'(2"+(+#K+/-%0AA+%(-0+/('02(*'0G(2"+( $-+'2$2,(01(2"+(5#88+%B(aE$/2$'<(8+<#8(A%0"$.$2$0'/(#<#$'/2($'2+%5+A2$0'(#'-( -$/580/4%+(01(+8+52%0'$5(50&&4'$5#2$0'/(#AA8,(G"+2"+%(0%('02(2"0/+( 50&&4'$5#2$0'/(50'2#$'(J@@B(( ( S/( !0'<%+//&+'( )#%*+,?( ^#%20'( #'-( 9$'<+88( "#K+( '02+-?( 2"+( !#.8+( !0&&4'$5#2$0'/(J08$5,(S52(#8/0(#AA8$+/("+%+BQ[(;"+(8#G(A%0"$.$2/(5#.8+( 0A+%#20%/( 1%0&( 5088+52$'<( 0%( -$/580/$'<( A+%/0'#88,( $-+'2$1$#.8+( $'10%$0'( G$2"042( A%$0%( 50'/+'2BQ`( C"$8+( 2"+( 2+%&( HA+%/0'#88,( $-+'2$1$#.8+( $'10%$0'I( $'( 2"+( 8#G( $/( -+1$'+-( .,( G"#2( $2( -0+/( '02( $'584-+( W( H#',( %+50%-( 01( #<<%+<#2+( -#2#( G"$5"( -0+/( '02( $-+'2$1,( A#%2$548#%(A+%/0'/IQb(W(G+(-04.2(2"#2(#(4/+%D/(+'2$%+(C+.(.%0G/$'<(-#2#( /2%+#&?(4'$F4+(20(2"#2($'-$K$-4#8?(012+'(50'2#$'$'<(.02"(J@@(#'-('0'LJ@@?( G048-( .+( 50'/$-+%+-( #<<%+<#2+( -#2#( #/( 2"#2( 2+%&( $/( 50&&0'8,( 4'-+%/200-B((

(

C+( -0( '02( .+8$+K+( 2"#2( $2( $/( A0//$.8+( 20( /"0+"0%'( 2"+( 5088+52$0'( #'-( -$/580/4%+( 01( #( /4./5%$.+%D/( +'2$%+( .%0G/$'<( "$/20%,( 10%( #-K+%2$/$'<( A4%A0/+/( $'20( 2"+( /2#242+D/( +E5+A2$0'( 10%( 5088+52$0'( 0%( -$/580/4%+( 01( $'10%$0'(2"#2($/('+5+//#%,(20(%+'-+%(/+%K$5+BQc(;"4/?(G+(50'584-+(2"#2( 5#.8+L.#/+-(@3J/(2"#2(G$/"(20(-$/580/+(2"+(50'2+'2(01(@'2+%'+2(A#5*+2/(20( #-K+%2$/$'<('+2G0%*/(G048-(#8/0("#K+(20(&++2(2"+(50'/+'2(%+F4$%+&+'2/( 01(2"+(!#.8+(!0&&4'$5#2$0'/(J08$5,(S52B(

;"+(9J@(&0-+8/(2"#2("#K+(.++'(-+A80,+-(2"4/(1#%("#K+(1#$8+-(20(0.2#$'( #11$%$K+?(+EA%+//(0A2L$'(50'/+'2(%+F4$%+-(.,(8#GB(@'(1#52?(2"+,("#K+(1#$8+-(20( &++2(+K+'(%+8#2$K+8,(8#E(/2#'-#%-/(01($&A8$+-(50'/+'2B(3+K+%#8(/X(_B3B(@3J/?( (((((((((((((((((((((((((((((((((((((((((((((((((((((((( 25 Reps. Edward Markey and Joe Barton, Letter to Charter Communications CEO in Regards to the Charter-NebuAd Data Collection Scheme (May 2008), http://markey.house.gov/docs/telecomm/letter_charter_comm_privacy.pdf; Reps. Edward Markey, John Dingell, and Joe Barton, Letter to Embarq CEO (July 2008), http://markey.house.gov/index.php?option=content&task=view&id=3410&Itemid=125.

26 47 U.S.C. § 551(b)-(c). A 1992 amendment adding the phrase “other services” to the Cable Act’s privacy provision made it clear that the law covers Internet services provided by cable operators.

27 Id. § 551(a)(2)(A).

28 Id. § 551(a)(2)(B).

14( CENTER FOR DEMOCRACY & TECHNOLOGY

10%(+E#&A8+?("#K+(.4%$+-(K#<4+($'10%$0'(#.042(2"+$%(-+#8/(G$2"(j+.4S-($'( 2"+(@3J/D(2+%&/(01(/+%K$5+BQd(!"#%2+%(!0&&4'$5#2$0'/?(2"+(8#%<+/2(_B3B(@3J(2"#2( "#-(A8#''+-(20(A#%2'+%(G$2"(j+.4S-?('02$1$+-($2/(/4./5%$.+%/(2"#2(2"+,(G048-( .+(%+5+$K$'<(&0%+(%+8+K#'2(#-/?(.42(-$-('02(+EA8#$'($2/(A8#'/(20($'2+%5+A2( /4./5%$.+%/D(2%#11$5(-#2#(#'-(-$-('02(A%0K$-+(#(G#,(10%(/4./5%$.+%/(20(<$K+(0%( G$2""08-(50'/+'2(20("#K$'<(2"+$%(50&&4'$5#2$0'/($'2+%5+A2+-(#'-(-$/580/+-B( !"#%2+%("#/(/$'5+(/4/A+'-+-($2/(A8#'/B( ( 9+/$<'$'<(#(%0.4/2(0A2L$'(50'/+'2(/,/2+&(10%(9J@L.#/+-(.+"#K$0%#8(#-K+%2$/$'<( A%+/+'2/(#(10%&$-#.8+(5"#88+'<+B(C+(#%+(8+//(2"#'(/#'<4$'+(2"#2(/45"(#(/,/2+&( 5#'(.+(+#/$8,(-+/$<'+-?(A#%2$548#%8,(/$'5+($2(&4/2('02(0'8,(A%0K$-+(#(G#,(10%( 50'/4&+%/(20(<$K+(#11$%$K+(50'/+'2?(.42($2(&4/2(#8/0(A%0K$-+(#(&+2"0-(10%( 2"+&(20(%+K0*+(2"#2(50'/+'2B(;"+(.4%-+'($/(0'(2"0/+(G"0(G$/"(20(&0K+(10%G#%-( G$2"(2"+(&0-+8(20(-+&0'/2%#2+(2"#2(#'(+EA%+//('02$5+(#'-(50'/+'2(%+<$&+(5#'( G0%*($'(2"$/(50'2+E2B((

V. The Role of Congress

!0'<%+//(/"048-(2#*+(#52$0'(20(#--%+//(2"+(/$<'$1$5#'2(A%$K#5,(50'5+%'/(%#$/+-( .,(9J@(#'-(.%0#-+%(0'8$'+(A%$K#5,($//4+/6(

! S/( #( 1$%/2( /2+A?( G+( 4%<+( 2"+( 34.50&&$22++( 20( /++*( #--$2$0'#8( $'10%$0'( -$%+528,(1%0&(@3J/(#'-(02"+%(50&A#'$+/(#.042(2"+$%(4/+(01(9J@(2+5"'080<,($'( 0%-+%( 20( .+22+%( #//+//( 2"+( #//05$#2+-( 2+5"'080<$5#8?( 8+<#8( #'-( A08$5,( $&A8$5#2$0'/B(

! ;"$/( 34.50&&$22++( /"048-( /+2( #( <0#8( 01( +'#52$'<( $'( 2"+( '+E2( ,+#%( <+'+%#8( A%$K#5,( 8+<$/8#2$0'( 50K+%$'<( .02"( 2"+( 0'8$'+( #'-( 0118$'+( G0%8-/B( !9;( "#/( 80'<( #%<4+-(10%(/$&A8+?(18+E$.8+(.#/+8$'+(50'/4&+%(A%$K#5,(8+<$/8#2$0'(2"#2( G048-(A%02+52(50'/4&+%/(1%0&($'#AA%0A%$#2+(5088+52$0'(#'-(&$/4/+(01(2"+$%( A+%/0'#8( $'10%$0'( G"$8+( +'#.8$'<( 8+<$2$+( .4/$'+//( 4/+( 20( A%0&02+( +50'0&$5( #'-( /05$#8( K#84+B( @'( A%$'5$A8+?( /45"( 8+<$/8#2$0'( G048-( 50-$1,( 2"+( 14'-#&+'2#8/( 01( H1#$%( $'10%$0'( A%#52$5+/6I( %+F4$%$'<( 2%#'/A#%+'5,( #'-( '02$5+( 01( -#2#( 5088+52$0'( A%#52$5+/?( A%0K$-$'<( 50'/4&+%/( G$2"( &+#'$'<148( 5"0$5+( %+<#%-$'<( 2"+( 4/+( #'-( -$/580/4%+( 01( 2"#2( $'10%$0'?( #880G$'<( 50'/4&+%/( %+#/0'#.8+( #55+//( 20( A+%/0'#8( $'10%$0'( 2"+,( "#K+( A%0K$-+-?( A%0K$-$'<( %+&+-$+/( 10%( &$/4/+( 0%( 4'#42"0%$P+-( #55+//?( #'-( /+22$'<( ((((((((((((((((((((((((((((((((((((((((((((((((((((((((

29 See Mike Masnick, Where's The Line Between Personalized Advertising And Creeping People Out?, TECHDIRT, Mar. 11, 2008, http://techdirt.com/articles/20080311/121305499.shtml; Peter Whoriskey, Every Click You Make, WASH. POST, Apr. 3, 2008, http://washingtonpost.com/wp-dyn/content/article/2008/04/03/AR2008040304052.html.

15( CENTER FOR DEMOCRACY & TECHNOLOGY

/2#'-#%-/( 20( 8$&$2( -#2#( 5088+52$0'( #'-( +'/4%+( -#2#( /+54%$2,B( S82"04<"( G+( .+8$+K+(50&&4'$5#2$0'/(A%$K#5,(8#G/(#8%+#-,(#AA8,(20(/0&+(#AA8$5#2$0'/(01( 9J@?(+'#52$'<(.#/+8$'+(A%$K#5,(8+<$/8#2$0'(G048-(14%2"+%(58#%$1,(50'/4&+%/D( A%$K#5,(%$<"2/(#'-(5%+#2+(A%02+52$0'/(10%(02"+%(10%&/(01(-#2#(5088+52$0'('02( 50K+%+-(4'-+%(54%%+'2(8#GB(

! ;"+( O;!D/( -%#12( A%0A0/+-( A%$'5$A8+/( 10%( 0'8$'+( #-K+%2$/$'<( 1#$8( 20( #--%+//( $//4+/(/A+5$1$5(20(2"+(9J@L.#/+-(#-K+%2$/$'<(&0-+8B(@2($/(#8/0(4'58+#%(G"+2"+%( 2"+( O;!( G$88( 10%X,( #-0A2( 2"+( A%$'5$A8+/( 0%( A42( $2/( +'10%5+&+'2( A0G+%( .+"$'-(2"+&B(C+(#/*(2"+(34.50&&$22++(20(4%<+(2"+(O;!(20(#--%+//(9J@($'($2/( <4$-+8$'+/(#'-(+E+%5$/+(2"+(1488(&+#/4%+(01($2/(+'10%5+&+'2(#42"0%$2,(0K+%( 0'8$'+(#-K+%2$/$'<(A%#52$5+/B((

! !0'<%+//(/"048-(+E#&$'+(#'-(/2%+'<2"+'(+E$/2$'<(50&&4'$5#2$0'/(A%$K#5,( 8#G/( 20( 50K+%( '+G( /+%K$5+/?( 2+5"'080<$+/( #'-( .4/$'+//( &0-+8/( G$2"( 50'/$/2+'2(%48+/B(a!JS(G#/(A#//+-(&0%+(2"#'(Qe(,+#%/(#<0?(80'<(.+10%+(2"+%+( G#/(#(C0%8-(C$-+(C+.(#'-(2"+(@'2+%'+2(.+5#&+($'2+<%#2+-($'20(S&+%$5#'/D( -#$8,(8$K+/B(;"+(#AA8$5#2$0'(01(2"+(8#G(20(50&&0'(0'8$'+(#52$K$2$+/($'584-$'<( C+.( /+#%5"( %+&#$'/( 4'58+#%( #'-( 2"+( 8+<#8( A%02+52$0'/( $2( A%0K$-+/( 10%( 2"+( +'0%&04/(#&04'2/(01(A+%/0'#8(-#2#(/20%+-(0'8$'+(#%+(1#%(200(80GB(!0'<%+//( /"048-(#8/0(50'/$-+%(58#%$1,$'<(2"#2(2"+(!#.8+(!0&&4'$5#2$0'/(J08$5,(S52D/( A%$K#5,(A%0K$/$0'/(#AA8,(20(.%0#-.#'-(@'2+%'+2(/+%K$5+B(

VI. Conclusion

!9;(G048-(8$*+(20(2"#'*(2"+(34.50&&$22++(#<#$'(10%("08-$'<(2"$/($&A0%2#'2(#'-( 10%G#%-L800*$'<("+#%$'

(

FOR MORE INFORMATION J8+#/+(50'2#526( S8$//#(!00A+%?(!9;(!"$+1(!0&A42+%(35$+'2$/2( =QeQ>(`QbLdcee( "22A6ggGGGB5-2B0%<(

16( CENTER FOR DEMOCRACY & TECHNOLOGY

Appendix A: An Overview of the Federal Wiretap Act, Electronic Communications Privacy Act, and State Two-Party Consent Laws of Relevance to the NebuAd System and Other Uses of Internet Traffic Content from ISPs for Behavioral Advertising

July 8th, 2008

!"#$%&'%($)%#&*()*(%&*%($)%+*(),*)(%-."/(%012)%#&*()*(%1*%*)3/454),/6%7,&58#5/(% 9:6%,581&%5*8%#570);%1/%/"44&,()8%1*%3$&0)%&,%45,(%7<%58=),(1/1*>%,)=)*")?%9$)% +*(),*)(% &''),/% /4)#150% &44&,("*1(1)/% (&% (5,>)(% 58/% 75/)8% &*% ($)% )@4,)//)8% &,% 1*'),,)8%1*(),)/(/%&'%($)%1*81=18"50%"/),?%9$),)%5,)%=5,1&"/%A&8)0/%'&,%8)01=),1*>% (5,>)()8% 58/% &*01*)?% 9$)/)% ,5*>)% ',&A% ($)% 4",)0<% #&*()@("50% -)=),<&*)% 3$&% =1/1(/% 5% (,5=)0% /1()% /))/% ($)% /5A)% 51,01*)% 58;% (&% A&8)0/% ($5(% 1*=&0=)% #&A4101*>%1*'&,A5(1&*%57&"(%($)%&*01*)%7)$5=1&,%&'%1*81=18"50%+*(),*)(%"/),/6%(&% 7)%"/)8%1*%/),=1*>%($)A%58=),(1/)A)*(/?%B&,%<)5,/6%C)7%/1()/%$5=)%)*(),)8%1*(&% 5>,))A)*(/%31($%58=),(1/1*>%*)(3&,2/%(&%"/)%D#&&21)/E%(&%(,5#2%1*81=18"50%"/),/% 5#,&//%C)7%/1()/%1*%&,8),%(&%#&A410)%4,&'10)/?%9$1/%544,&5#$%$5/%5035%($)% A),>),/% 7)(3))*% &*01*)% /),=1#)% 4,&=18),/% 5*8% /&A)% &'% ($)% 05,>)/(% &*01*)% 58=),(1/1*>% *)(3&,2/6% $5=)% $)1>$()*)8% ($)/)% #&*#),*/?% 9$)% G)*(),% '&,% H)A&#,5#<% I% 9)#$*&0&><% $5/% 7))*% #&*8"#(1*>% 5% A5.&,% 4,&.)#(% &*% 7)$5=1&,50% 58=),(1/1*>6%1*%3$1#$%3)%$5=)%7))*%,)/)5,#$1*>%7)$5=1&,50%58=),(1/1*>%4,5#(1#)/6% #&*/"0(1*>% 31($% +*(),*)(% #&A45*1)/% 5*8% 4,1=5#<% 58=()/6% 8)=)0&41*>% 4&01#<% 4,&4&/50/6%'101*>%)@()*/1=)%#&AA)*(/%5(%($)%B9G6%5*8%5*50%1*8"/(,<%/)0'K ,)>"05(&,<%>"18)01*)/?%

9$1/% A)A&% '&#"/)/% &*% ($)% 1A401#5(1&*/% &'% 5% /4)#1'1#% 544,&5#$% (&% 7)$5=1&,50% 58=),(1/1*>% 7)1*>% #&*/18),)8% 7<% +*(),*)(% 58=),(1/1*>% *)(3&,2/% 5*8% +*(),*)(% L),=1#)% M,&=18),/% -+LM/;?% 9$1/% *)3% 544,&5#$% 1*=&0=)/% #&4<1*>% 5*8% 1*/4)#(1*>% ($)%#&*()*(%&'%)5#$%1*81=18"50N/%+*(),*)(%5#(1=1(<%31($%($)%#&&4),5(1&*%&'%$1/%&,% $),%+LM?O%P*8),%($1/%*)3%A&8)06%5*%58=),(1/1*>%*)(3&,2%/(,12)/%5%8)50%31($%5*% +LM6%5*8%($)%+LM%500&3/%($)%*)(3&,2%(&%#&4<%($)%#&*()*(/%&'%($)%1*81=18"50%C)7% (,5''1#%/(,)5A/%&'%)5#$%&'%($)%+LMN/%#"/(&A),/?%9$)%58=),(1/1*>%*)(3&,2%5*50

1 See, e.g., Peter Whoriskey, Every Click You Make, WASH. POST (Apr. 3, 2008), http://www.washingtonpost.com/wp- dyn/content/article/2008/04/03/AR2008040304052.html?nav=hcmodule; Saul Hansell, I.S.P. Tracking: The Mother of All Privacy Battles, N.Y. TIMES: BITS BLOG (Mar. 20, 2008), http://bits.blogs.nytimes.com/2008/03/20/isp-tracking-the-mother-of-all-privacy-battles/?scp=1- b&sq=the+mother+of+all+privacy+battles&st=nyt.

Keeping the Internet Open, Innovative, and Free 1634 I St., NW, Suite 1100, Washington, DC 20006 • v. +1.202.637.9800. • f. +1.202.637.0968 • http://www.cdt.org CENTER FOR DEMOCRACY & TECHNOLOGY

"#$! %&'"$'"! &(! "#$)$! "*+((,%! )"*$+-)! ,'! &*.$*! "&! %*$+"$! +! *$%&*.! &(! $+%#! ,'.,/,.0+12)!&'1,'$!3$#+/,&*)!+'.!,'"$*$)")4!5+"$*6!+)!%0)"&-$*)!&(!"#$!789!)0*(! "#$! :$3! +'.! /,),"! ),"$)! ;#$*$! "#$! +./$*",),'0*%#+)$.! +./$*",),'+%$6! "#$?! )$$! +.)! "+*<$"$.! 3+)$.! &'! "#$,*! >*$/,&0)! 7'"$*'$"! 3$#+/,&*4!

@$30A.! ,)! &'$! )0%#! +./$*",),'+'?! &>$*+",'+)"!($;!-&'"#)6!,"!#+)!%&-$!"&!1,<#"!"#+"!@$30A.!;+)!>1+'','+*"'$*!;,"#!C#+*"$*!C&--0',%+",&')6!+!%+31$!3*&+.3+'.!7896!"&!%&'.0%"!"*,+1)! &(! "#$! @$30A.! 3$#+/,&*+1! +./$*",),'$'!:$)"!E:D:FG6!C$'"0*?H$16!I-3+*J6!+'.!K'&1&1+')! ;,"#! @$30A.! "&! "*,+1! &*! .$>1&?! ,")! 3$#+/,&*+1! +./$*",),'&')$! "&! %&'%$*')! *+,)$.! 3?! )03)%*,3$*)6! >*,/+%?! +./&%+"$)6! +'.!>&1,%?-+=$*)6!C#+*"$*6!C$'"0*?H$1!+'.!I-3+*J!#+/$!.$1+?$.!"#$)$!>1+')6! 30"! @$30A.! +'.! &"#$*! ),-,1+*! %&->+',$)! +*$! %&'",'0,'+*"'$*)4!

H#$! 0)$! &(! 7'"$*'$"! "*+((,%! %&'"$'"! (*&-! 789)! (&*! 3$#+/,&*+1! +./$*",),',$)! +11! &*! )03)"+'",+11?! +11! :$3! "*+')+%",&')6! ,'%10.,'"0*$! '&"! &'1?! %&--$*%,+1! +%",/,"?6! 30"! +1)&! /,),")! "&! >&1,",%+16! +./&%+%?6! &*! *$1,<,&0)!),"$)!&*!&"#$*!'&'N%&--$*%,+1!),"$)!"#+"!.&!'&"!0)$!%&&=,$)4!

7'!"#,)!-$-&6!;$!%&'%10.$!"#+"!"#$!0)$!&(!7'"$*'$"!"*+((,%!%&'"$'"!(*&-!789)!-+?! *0'! +(&01! &(! ($.$*+1! ;,*$"+>! 1+;)! 0'1$))! "#$! +%",/,"?! ,)! %&'.0%"$.! ;,"#! "#$! %&')$'"!&(!"#$!)03)%*,3$*4P!H&!3$!$(($%",/$6!)0%#!%&')$'"!)#&01.!'&"!3$!30*,$.!,'! "$*-)! &(! )$*/,%$! +'.! )#&01.! '&"! 3$! ,'($**$.! (*&-! +! -+,1$.! '&",%$4! :$! *$%&--$'.! >*,&*6! $Q>*$))! %&')$'"6! 30"! ;$! .&! '&"! &(($*! #$*$! +'?! .$"+,1$.! *$%&--$'.+",&')! &'! #&;! "&! &3"+,'! )0%#! %&')$'"! ,'! +'! 789! %&'"$Q"4! A1)&6! ;$! '&"$! "#+"! "#+"! "#$! C+1,(&*',+! 1+;! *$J0,*,'+*",$)! "&! +! %&--0',%+",&'!#+)!3$$'!+>>1,$.!3?!"#$!)"+"$!80>*$-$!C&0*"!"&!"#$!-&',"&*,'#&'$!%+11)!;#$'!"#$!-&',"&*,'>1,$.!"&!7'"$*'$"!%&--0',%+",&')!+'.!,"! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

2 Privacy concerns also apply to advertising-based models that have been developed for services, such as email, that ride over ISP networks. See CDT Policy Post 10.6, Google GMail Highlights General Privacy Concerns (Apr. 12, 2004), http://www.cdt.org/publications/policyposts/2004/6 (recommending express prior opt-in for advertising-based email service). 3 Additional questions have been raised under the Cable Communications Policy Act. See Rep. Edward Markey and Rep. Joe Barton, Letter to Charter Communications CEO in Regards to the Charter-NebuAd Data Collection Scheme (May 2008), http://markey.house.gov/docs/telecomm/letter_charter_comm_privacy.pdf. In this memo, we focus on issues arising under the federal Wiretap Act, as amended by the Electronic Communications Privacy Act.

2! CENTER FOR DEMOCRACY & TECHNOLOGY

"#!$%&'()*!+,(-,(*!"-!+.$'/!)00'1!#0(&"2"&)''1!-.!-,(!&.01"%3!.2!&.44$%"&)-".%#! )#!&.%/$&-(/!2.*!5(,)6".*)'!4.%"-.*"%3!0$*0.#(#7!5$-!"2!"-!.*!)%.-,(*!#-)-(8#!)''9 0)*-1!&.%#(%-!*$'(!+(*(!)00'"(/!-.!$#(!.2!:%-(*%(-!-*)22"&!2.*!5(,)6".*)'!0*.2"'"%37! "-!+.$'/!#((4!-.!0.#(!)%!"%#$*4.$%-)5'(!5)**"(*!-.!-,(!0*)&-"&(;!

Wiretap Act

!"##$%&'()%#*&+'(,%&-#./00+1#23('456%7#89%#.+01%01-#+:#$4;-)&(;%&# .+<<40()/1(+0-=#>?)%@1#*4&-4/01#1+#A(<(1%,#>?)%@1(+0-#

<,(!2(/(*)'!="*(-)0!>&-7!)#!)4(%/(/!51!-,(!?'(&-*.%"[email protected]$%"&)-".%#!A*"6)&1! >&-7! 0*.-(&-#! -,(! 0*"6)&1! .2! +"*(7! .*)'7! )%/! ('(&-*.%"&! &.44$%"&)-".%#;B! CD?E'(&-*.%"&! &.44$%"&)-".%F! "#! /(2"%(/! )#! C)%1! -*)%#2(*! .2! #"3%#7! #"3%)'#7! +*"-"%37!"4)3(#7!#.$%/#7!/)-)7!.*!"%-(''"3(%&(!.2!)%1!%)-$*(!-*)%#4"--(/!"%!+,.'(! .*! "%! 0)*-! 51! )! +"*(7! *)/".7! ('(&-*.4)3%(-"&7! 0,.-.('(&-*.%"&! .*! 0,.-..0-"&)'! #1#-(4! ;! ;! ;! ;FG! =(5! 5*.+#"%3! )%/! .-,(*! :%-(*%(-! &.44$%"&)-".%#! )*(! &'()*'1! ('(&-*.%"&!&.44$%"&)-".%#!0*.-(&-(/!51!-,(!="*(-)0!>&-;!!

:%! ')%3$)3(! 0(*-"%(%-! -.! -,(! 4./('! $%/(*! &.%#"/(*)-".%7! H! IGJJKLM! .2! -,(! >&-! #-)-(#!-,)-!C)!0(*#.%!.*!(%-"-1!0*.6"/"%3!)%!('(&-*.%"&!&.44$%"&)-".%!#(*6"&(!-.! -,(!0$5"&!#,)''!%.-!"%-(%-".%)''1!/"6$'3(!-,(!&.%-(%-#!.2!)%1!&.44$%"&)-".%#!;!;!;! +,"'(! "%! -*)%#4"##".%! .%! -,)-! #(*6"&(! -.! )%1! 0(*#.%! .*! (%-"-1! .-,(*! -,)%! )%! )//*(##((!.*!"%-(%/(/!*(&"0"(%-!;!;!;!;FN!

<,(*(! )*(! (O&(0-".%#! -.! -,"#! 0*.,"5"-".%! .%! /"#&'.#$*(7! -+.! .2! +,"&,! 4)1! 5(! *('(6)%-!,(*(;!P%(!(O&(0-".%!#0(&"2"(#!-,)-!CD"E-!#,)''!%.-!5(!$%')+2$'!$%/(*!-,"#! &,)0-(*!2.*!)%!;!;!;!('(&-*.%"&!&.44$%"&)-".%!#(*6"&(7!+,.#(!2)&"'"-"(#!)*(!$#(/!"%! -,(!-*)%#4"##".%!.2!)D%E!;!;!;!('(&-*.%"&!&.44$%"&)-".%7!-.!"%-(*&(0-7!/"#&'.#(7!.*! $#(!-,)-!&.44$%"&)-".%!"%!-,(!%.*4)'!&.$*#(!.2!,"#!(40'.14(%-!+,"'(!(%3)3(/! "%!)%1!)&-"6"-1!+,"&,!"#!)!!"#"$$%&'()!#)*"!+(+,(+-"(&"!*)+),!(,.(-)$($"&/)#"!.*!-.!-,(! 0*.-(&-".%! .2! -,(! *"3,-#! .*! 0*.0(*-1! .2! -,(! 0*.6"/(*! .2! -,)-! #(*6"&(;FQ! =(! +"''! *(2(*!-.!-,"#!)#!-,(!C%(&(##)*1!"%&"/(%-F!(O&(0-".%;!<,(!#(&.%/!(O&(0-".%!"#!2.*! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

4 18 U.S.C. §§ 2510-2522. 5 Id. § 2510(12). 6 Id. § 2511(3)(a). Lest there be any argument that the disclosure does not occur while the communications are “in transmission,” we note that the Stored Communications Act (SCA) states that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.” Id. § 2702(a)(1). We do not comment further here on the SCA because, in our judgment, the approach that has been described so far clearly involves the divulging of communications “while in transmission.” 7 Id. § 2511(2)(a)(i) (emphasis added). This analysis focuses on the capture of electronic communications and definitions are abridged accordingly.

3! CENTER FOR DEMOCRACY & TECHNOLOGY

"#$%&'$()*$! +#,-! ,-*! %'.$*.,! '/! '.*! '/! ,-*! 01),#*$23! 4*! +#&&! "#$%($$! 5',-! *6%*0,#'.$! 5*&'+2! 4*!%'.%&("*!,-1,!'.&7!,-*!%'.$*.,!*6%*0,#'.!100&#*$!,'!,-*! "#$%&'$()*!'/!$(5$%)#5*)!%'.,*.,!/')!5*-18#')1&!1"8*),#$#.9:!1."!+*!+#&&!"#$%($$! 0)*&#;#.1)#&7!+-1,!<%'.$*.,=!+'(&"!;*1.!#.!,-#$!%'.,*6,2!

!"##$%&'#(%)%&*+#,-.*/&%0123#41&*5.*/&%01#42#6720#850'%9%&*+#

>-*!4#)*,10!?%,!)*9(&1,*$!,-*!<#.,*)%*0,#'.=!'/!*&*%,)'.#%!%';;(.#%1,#'.$2!>-*! ?%,!"*/#.*$!<#.,*)%*0,=!1$!,-*!<1%@(#$#,#'.!'/!,-*!%'.,*.,$!'/!1.7!A!*&*%,)'.#%!A! %';;(.#%1,#'.!,-)'(9-!,-*!($*!'/!1.7!*&*%,)'.#%:!;*%-1.#%1&:!')!',-*)!"*8#%*2=B!!

>-*! 4#)*,10! ?%,! 5)'1"&7! 51)$! 1&&! #.,*.,#'.1&! #.,*)%*0,#'.! '/! *&*%,)'.#%! %';;(.#%1,#'.$2CD!>-*!?%,!*.(;*)1,*$!$0*%#/#%!*6%*0,#'.$!,'!,-#$!0)'-#5#,#'.2CC! E1+!*./')%*;*.,!'//#%*)$:!/')!*61;0&*:!1)*!1(,-')#F*"!,'!%'."(%,!#.,*)%*0,#'.$! 0()$(1.,!,'!1!%'(),!')"*)2!G')!HIJ$!1."!',-*)!$*)8#%*!0)'8#"*)$:!,-*)*!1)*!,-)**! *6%*0,#'.$! ,-1,! ;#9-,! 5*! )*&*81.,2! >+'! +*! -18*! ;*.,#'.*"! 1&)*1"7K! ,-*! <.*%*$$1)7!#.%#"*.,=!*6%*0,#'.!1."!1!%'.$*.,!*6%*0,#'.2CL!

?!,-#)"!*6%*0,#'.:!100&#%15&*!,'!#.,*)%*0,#'.!5(,!.',!,'!"#$%&'$()*:!1)#$*$!/)';! ,-*!"*/#.#,#'.!'/!<#.,*)%*0,:=!+-#%-!#$!"*/#.*"!1$!1%@(#$#,#'.!57!1.!<*&*%,)'.#%:! ;*%-1.#%1&:! ')! ',-*)! "*8#%*:=! +-#%-! #.! ,().! #$! "*/#.*"! 1$! <1.7! "*8#%*! ')! 1001)1,($!+-#%-!%1.!5*!($*"!,'!#.,*)%*0,!1M.N!2!2!2!*&*%,)'.#%!%';;(.#%1,#'.!!"#$%& "#'(OP1Q!1.7!,*&*0-'.*!')!,*&*9)10-!#.$,)(;*.,:!*@(#0;*.,!')!/1%#&#,7:!')!1.7! %';0'.*.,! ,-*)*'/! 2! 2! 2! P##Q! 5*#.9! ($*"! 57! 1! 0)'8#"*)! '/! 2! 2! 2! *&*%,)'.#%! %';;(.#%1,#'.!$*)8#%*!#.!,-*!!%)*('%+&,!-%.$&!/&*".&0-.*($..!2!2!2!2=CR!>-#$!0)'8#$#'.! ,-($!$*)8*$!,'!&#;#,!,-*!"*/#.#,#'.!'/!<#.,*)%*0,:=!0)'8#"#.9!+-1,!#$!$';*,#;*$! %1&&*"!,-*!<,*&*0-'.*!*6,*.$#'.=!*6%*0,#'.:!5(,!+-#%-!+*!+#&&!%1&&!,-*!<5($#.*$$! ($*=!*6%*0,#'.2!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

8 Id. § 2511(3)(b)(ii). 9 Id. § 2510(4). 10 Id. § 2511(1). 11 Id. § 2511(2). 12 Separate from the consent provision for disclosure, the consent exception for interception is set forth in 18 U.S.C. § 2511(2)(d): “It shall not be unlawful under this chapter for a person not acting under color of law to intercept a[n] . . . electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception . . . .” 13 Id. § 2510(5) (emphasis added).

4! CENTER FOR DEMOCRACY & TECHNOLOGY

!"# $%&#!'()*+,#'-#.+/&0+&/#!'+/&+/#-'0#1*234'250&#/'#678&0/*2*+,# 9&/:'0;2#!'+2/*/5/&2#.+/&03&(/*'+#

"#$%!&%!'()!*+,-$.!&!*/.0+1$23.!*+11/%-*&0-+%.!+2!&44+5.!0#$1!0+!6$!*+,-$7! 68! &%! &79$20-.-%:! %$05+2;$7?@A14! B#$2$C+2$

1"##$%&#<9&3&22=0)#.+3*7&+/>#?@3&(/*'+#A0'B=B4)#1'&2#9'/#A&0C*/#/%&# .+/&03&(/*'+#'0#1*234'250&#'-#!'CC5+*3=/*'+2#-'0#D&%=8*'0=4# 678&0/*2*+,#A50('2&2#

B#$! "-2$0&,! L*0! ,$21-0.! -%0$2*$,0-+%! +C! $4$*02+%-*! *+11/%-*&0-+%.! 5#$%! 0#$! &*0-9-08!0&;$.!,4&*$!&.!=&!%$*$..&28!-%*-7$%0!0+!0#$!2$%7-0-+%!+C!>0#$!'()3.?!.$29-*$! +2!0+!0#$!,2+0$*0-+%!+C!0#$!2-:#0.!+2!,2+,$208!+C!0#$!,2+9-7$2!+C!0#&0!.$29-*$@A15! B#$!4&00$2!,2+%:!*+9$2.!&%0-M.,&1! &%7! &%0-M9-2/.!1+%-0+2-%:!&%7!C-40$2-%:!&%7! 9&2-+/.! &%0-MC2&/7! &*0-9-0-$.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

14 See, e.g., United States v. Rodriguez, 968 F.2d 130, 136 (2d Cir. 1992) (holding in context of telephone communications that “when the contents of a wire communication are captured or redirected in any way, an interception occurs at that time” and that “[r]edirection presupposes interception”); In re State Police Litig., 888 F. Supp. 1235, 1267 (D. Conn. 1995) (stating in context of telephone communications that “it is the act of diverting, and not the act of listening, that constitutes an ‘interception’”). 15 18 U.S.C. § 2511(2)(a)(i). 16 See United States v. Councilman, 418 F.3d 67, 82 (1st Cir. 2005) (en banc) (holding that service provider’s capture of emails to gain commercial advantage “clearly” was not within service provider exception); Berry v. Funk, 146 F.3d 1003, 1010 (D.C. Cir. 1998) (holding in context of telephone communications that switchboard operators’ overhearing of a few moments of phone call to ensure call went through is a “necessary incident,” but anything more is outside service provider exception).

5! CENTER FOR DEMOCRACY & TECHNOLOGY

"#$"%&'$'()! *+! *,-*! $#"'(.""! -"! /.00! -"! *,.! $-"'%! $#"'(.""! +1! 2(*.&(.*! -%%.""3! /,'%,!0.-4"!-(5,+/!*+!*,.!%+(".(*!6+4.0!*,-*!/.!%+(%0#4.!'"!(.%.""-&57!

!"# $%&'(#)*#)+#,-.'(/0#$%(*%(0#*%(#123+&-(++#,+(4#!5.(6*&7-#$73'8# 966':#*7#*%(#,+(#7;#/#<(=&.(#)-+*/''(8#70#>7-*07''(8#?:#/#@/0*:#A*%(0# *%/-#*%(#B(0=&.(#@07=&8(0C#*%(#!5.(6*&7-#<7(+#D7*#966':#*7#*%(# @07%&?&*&7-#9E/&-+*#<&=3'E&-E#/#B3?+.0&?(0F+#>7GG3-&./*&7-+#

8,.!9$#"'(.""!#".:!.;%.<*'+(3!=!>?@AB?CB-C3!%+("*&'%*"!*,.!4.1'('*'+(!+1!94.D'%.:! -(4!*,.&.$5!(-&&+/"!*,.!4.1'('*'+(!+1!9'(*.&%.<*:!'(!*,.!E'&.*-C! /,.*,.&! -(! 2JKL"! #".! +1! *,.! 4.D'%.! /+#04! $.! /'*,'(! *,.! 9+&4'(-&5!%+#&".!+1!'*"!$#"'(.""7:!

E.!/'00!4'"%#""!*,.!9$#"'(.""!#".:!.;%.<*'+(!-*!"+6.!0.()*,3!$.%-#".!*,.&.!,-"! $..(! %+("'4.&-$0.! 4'"%#""'+(! -0&.-45! -$+#*! /,.*,.&! %+<5'()! +1! -(! 2JK! "#$"%&'$.&L"! %+66#('%-*'+("! 1+&! $.,-D'+&-0! -4D.&*'"'()! '"! -(! 9'(*.&%.<*'+(:! #(4.&!=!>?@@B@C!+1!*,.!E'&.*-?@@BNC3!/,'%,!"*-*."!*,-*!-!".&D'%.!<&+D'4.&!9",-00! (+*! '(*.(*'+(-005! 4'D#0).! *,.! %+(*.(*"! +1! -(5! %+66#('%-*'+(! 7! 7! 7! /,'0.! '(! *&-("6'""'+(!+(!*,-*!".&D'%.!*+!-(5!<.&"+(!+&!.(*'*5!+*,.&!*,-(!-(!-44&.""..!+&! '(*.(4.4! &.%'<'.(*! 7! 7! 7! 7:@O! 8,.! $#"'(.""! #".! .;%.<*'+(! 4+."! (+*! -<<05! *+! *,'"! <&+,'$'*'+(!-)-'("*!4'D#0)'()718!

F*!1'&"*!)0-(%.3!'*!/+#04!"..6!*,-*!*,.!$#"'(.""!#".!.;%.<*'+(!'"!'(-<<0'%-$0.!*+! *,.! 1-%'0'*'."! +1! -(! 2JK! $.%-#".! *,.! .;%.<*'+(! -<<0'."! +(05! *+! -! 9*.0.<,+(.! +&! *.0.)&-<,! '("*.(*3! .G#'<6.(*! +&! 1-%'0'*53! +&! -(5! %+6<+(.(*! *,.&.+17:! M+/.D.&3!*,.!%+#&*"!,-D.!&.%+)('P.4!*,-*!QRKF!/-"!6+*'D-*.4!'(!<-&*!$5!*,.!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

17 18 U.S.C. § 2511(3)(a). 18 By adopting two different exceptions—“necessary incident” and “ordinary course”—Congress apparently meant them to have different meanings. Based on our reading of the cases, the necessary incident exception is narrower than the ordinary course exception. It is significant that the “necessary incident” exception applies to both interception and disclosure while the “ordinary course” exception is applicable only to interception. This suggests that Congress meant to allow service providers broader latitude in examining (that is, “intercepting” or “using”) subscriber communications so long as they did not disclose the communications to third parties. This permits providers to conduct a range of in-house maintenance and service quality functions that do not involve disclosing communications to third parties.

6! CENTER FOR DEMOCRACY & TECHNOLOGY

"#$%&%'()! )*%+,-.! (+! +-/! )0&12'-$! %+#! '-3-)0&&2+()%'(0+.! '-)*+030,(-.456! %+#!'*-$-70$-!/%.!(+'-+#-#!'0!&%8-!'*-!9($-'%1!:)'!3%$,-3;!+-2'$%3!/('*!$-.1-)'! '0!('.!'$-%'&-+'!07!<%$(02.!)0&&2+()%'(0+.!'-)*+030,(-.=!>*-!?-)0+#!@($)2('A!70$! -B%&13-A! )0+)32#-#! (+! %! $-3%'-#! )0+'-B'! '*%'! '*-! '-$&! "'-3-1*0+-4! .*023#! C$0%#3;! (+)32#-! '*-! "(+.'$2&-+'.A! -D2(1&-+'! %+#! 7%)(3('(-.! '*%'! E?F.! 2.-! '0! '$%+.&('!-G&%(3=4HI!>*-$-70$-A!%.!%!,-+-$%3!&%''-$A!('!.*023#!C-!%..2&-#!'*%'!'*-! C2.(+-..!2.-!-B)-1'(0+!(.!%<%(3%C3-!'0!E?F.=!

J0/-<-$A! ('! (.!+0'!)-$'%(+!'*%'!'*-!#-<()-!2.-#!'0!)01;!%+#!#(<-$'!)0+'-+'!70$! C-*%<(0$%3!%#<-$'(.(+,!/023#!C-!)0+.(#-$-#!'0!C-!%!)0&10+-+'!07!'*-! .-$<()-! 1$0<(#-$K.! -D2(1&-+'! 0$! 7%)(3('(-.=! E+! .0&-! 07! '*-! C-*%<(0$%3! %#<-$'(.(+,! (&13-&-+'%'(0+.!'*%'!*%<-!C--+!#-.)$(C-#A!'*-!&0+('0$(+,!#-<()-!0$!1$0)-..!(.! +0'!#-<-301-#!0$!)0+'$033-#!C;!'*-!E?F!C2'!$%'*-$!C;!'*-!%#<-$'(.(+,!+-'/0$8=!

>*-!.-)0+#!D2-.'(0+!(.!/*-'*-$!%+!E?FK.!2.-!07!%!#-<()-!'0!)01;!'$%77()!)0+'-+'! 70$! C-*%<(0$%3! %#<-$'(.(+,! 7%33.! /('*(+! '*-! "0$#(+%$;! )02$.-! 07! ('.! C2.(+-..=4! >*-$-!%$-!%!+2&C-$!07!)%.-.!(+'-$1$-'(+,!'*(.!-B)-1'(0+A!C2'!+0+-!07!'*-&!)3-%$3;! %##$-..-.! %! .('2%'(0+! /*-$-! %! .-$<()-! 1$0<(#-$! (.! )01;(+,! %33! 07! '*-! )0&&2+()%'(0+.! 07! ('.! )2.'0&-$.=!L%+;!07!'*-!)%.-.!%$(.-!(+!.('2%'(0+.! /*-$-! -&130;-$.! %$-! &0+('0$(+,! '*-! )%33.! 07! '*-($! -&130;--.! 70$! 12$10.-.! 07! .21-$<(.(0+! %+#! D2%3(';! %..2$%+)-=! ">*-.-! )%.-.! *%<-! +%$$0/3;! )0+.'$2-#! '*-! 1*$%.-!M0$#(+%$;!)02$.-!07!C2.(+-..=K421!N7'-+!.2)*!)%.-.!%3.0!(+<03<-!+0'()-!'0! '*-!-&130;--.!%+#!(&13(-#!)0+.-+'=22!N+-!)02$'!*%.!.'%'-#!'*%'A!-<-+!(7!%+!-+'(';! )023#! .%'(.7;! '*-! C2.(+-..! 2.-! -B)-1'(0+A! +0'()-! '0! 0+-! 07! '*-! 1%$'(-.! C-(+,! &0+('0$-#!/023#!C-!$-D2($-#=HO!N'*-$!)%.-.!(+<03<-!'*-!&0+('0$(+,!07!1$(.0+-$.=!!

?0&-!)%.-.!*%<-!(+'-$1$-'-#!"0$#(+%$;!)02$.-4!'0!&-%+!%+;'*(+,!'*%'!(.!2.-#!(+! "+0$&%34! 01-$%'(0+.=! >*-! P=@=! @($)2('A! 70$! (+.'%+)-A! *%.! .2,,-.'-#! '*%'! &0+('0$(+,! "2+#-$'%8-+! +0$&%33;4! D2%3(7(-.! %.! C-(+,! /('*(+! '*-! "0$#(+%$;! )02$.-!07!C2.(+-..=4HQ!E+!'*-!)0+'-B'!07!3%/!-+70$)-&-+'!'%1(+,!07!'*-!1*0+-!)%33.! 07!1$(.0+-$.A!'*-!R(+'*!%+#!>-+'*!@($)2('.!*%<-!)0+)32#-#!'*%'!.0&-'*(+,!(.!(+! '*-!"0$#(+%$;!)02$.-4!(7!('!(.!#0+-!$02'(+-3;!%+#!)0+.(.'-+'3;=HS!E'!&(,*'!C-!'*%'!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

19 S. Rep. No. 99-541, at 1 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3555. 20 Hall v. Earthlink Network, Inc., 396 F.3d 500, 505 (2d Cir. 2005) (quoting S. Rep. No. 99-541 at 8). 21 United States v. Murdock, 63 F.3d 1391. 1396 (6th Cir 1995). 22 E.g., James v. Newspaper Agency Corp., 591 F.2d 579 (10th Cir. 1979). 23 See, e.g., Adams v. City of Battle Creek, 250 F.3d 980, 984 (6th Cir. 2001). 24 Berry v. Funk, 146 F.3d 1003, 1009 (D.C. Cir. 1998) (workplace monitoring). 25 See United States v. Van Poyck, 77 F.3d 285, 292 (9th Cir. 1996); United States v. Gangi, 57 Fed. Appx. 809, 814 (10th Cir. 2003).

7! CENTER FOR DEMOCRACY & TECHNOLOGY

"#$%&'!(#$)*!+,-.!./$0)!#%!+%.0&.%!)0&,&$*.!&#!'.%-,".!1%#-,*.%'!,2!3#2,&#%,2+! &4.,%!2.&(#%5'!&402!&4.6!(#$)*!+,-.!&#!3.%.!'$7'"%,7.%'!#%!$'.%'8!!

9&4.%! ",%"$,&! "#$%&'! 40-.! $'.*! 0! 3#%.! ),3,&.*! ,2&.%1%.&0&,#2:! "#2")$*,2+! &40&! ;#%*,20%6! "#$%'.?!@)&4#$+4!&4.!"#$%&'!40-.! 2#&!7..2!.2&,%.)6!").0%!0'!&#!(40&!&40&!3.02':!'#3.!40-.!'$++.'&.*!&40&!,&!,'! 3$"4!")#'.%!&#!2.".'',&6!&402!&#!3.%.!1%#=,&!3#&,-.8>A!92.!=%./$.2&)6B",&.*!"0'.! .C1),",&)6!4#)*'!&40&!&4.!7$',2.''!$'.!.C".1&,#2!*#.'!2#&!7%#0*)6!.2"#310''!0! "#31026D'!=,202",0)!#%!#&4.%!3#&,-0&,#2'E!;F4.!14%0'.!G,2!&4.!#%*,20%6!"#$%'.!#=! 7$',2.''D!"022#&!7.!.C102*.*!&#!3.02!026&4,2+!&40&!,2&.%.'&'!0!"#310268<>H!

I#%30)! 1%,2",1).'! #=! '&0&$&#%6! ,2&.%1%.&0&,#2! (#$)*! %./$,%.! &40&! '#3.! ,2*.1.2*.2&!(.,+4&!7.!+,-.2!&#!&4.!(#%*!;#%*,20%6:

K,.(.*!#2.!(06:!,&!,'!40%*!&#! '..! 4#(! &4.! "#16,2+! #=! "#2&.2&! =#%! 7.40-,#%0)! 0*-.%&,',2+!,'!10%&!#=!&4.!;#%*,20%6!"#$%'.!#=!7$',2.''

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

26 See Arias v. Mutual Central Alarm Serv., Inc., 202 F.3d 553, 560 (2d Cir. 2000) (monitoring calls to an central alarm monitoring service). 27 See id. (concluding that alarm company had legitimate reasons to tap all calls because such businesses “are the repositories of extremely sensitive security information, including information that could facilitate access to their customers’ premises”); see also First v. Stark County Bd. of Comm’rs, 234 F.3d 1268, at *4 (6th Cir. 2000) (table disposition). 28 Watkins v. L.M. Berry & Co., 704 F.2d 577, 582 (11th Cir. 1983). Watkins states: “We hold that a personal call may not be intercepted in the ordinary course of business under the exemption in section 2510(5)(a)(i), except to the extent necessary to guard against unauthorized use of the telephone or to determine whether a call is personal or not. In other words, a personal call may be intercepted in the ordinary course of business to determine its nature but never its contents.” 704 F.2d at 583. This language supports the conclusion that the business use exception could not cover wholesale interception of ISP traffic, no more than switchboard operators can perform wholesale monitoring of telephone traffic.

8! CENTER FOR DEMOCRACY & TECHNOLOGY

"#$! %&'()! *+,'-! ./*.! 0*+.! &1! 2.3! 4'325-33! 6&)-(70*+.! &1! 8/*.! 9--03! 2.3! +*.-3! (&8723!)-+2:25,!+-:-5'-!1+&6!2.3!0*+.5-+3/20!82./!*):-+.2325,!5-.8&+93;!

%.!*5)!?@$>!8-2,/!*,*253.!*!4+&*)! +-*)25,!&1!./-!4'325-33!'3-!-A%-0.2&5;!

!"# $%&#'()*&)+#,-.&/+0()1#$%&#'()+&-+#2&03%*#4&56078#0)#!56(9#(:# ;::09<5+06&=#>/+?@)#'()*&)+#:9(<#@AB#ACD*.90D&9*##

@&53-5.! 23! *5! -A0(2%2.! -A%-0.2&5! 4&./! .&! ./-! 0+&/242.2&5! *,*253.! 25.-+%-0.25,! -(-%.+&52%!%&66'52%*.2&53!'5)-+!./-!=2+-.*0!>%.!*5)!.&!./-!>%.D3!0+&/242.2&5! *,*253.!)23%(&325,!3'43%+24-+!%&66'52%*.2&53;!%.! ./*.! %&53-5.!%*5!4-!260(2-)B!4'.!./-+-!*+-!+-(*.2:-(C!1-8!%*3-3!30-%212%*((C!*))+-3325,! %&53-5.!*5)!-(-%.+&52%!%&66'52%*.2&53;!G&8-:-+B!25!%*3-3!25:&(:25,!.-(-0/&5-! 6&52.&+25,B!&5-!%2+%'2.!%&'+.!/*3!3.*.-)!./*.!%&53-5.!'5)-+!./-!=2+-.*0!>%.!I23! 5&.! .&! 4-! %*:*(2-+(C! 260(2-);JKL! >5&./-+! %2+%'2.! %&'+.! /*3! 5&.-)! ./*.! %&53-5.! I3/&'()! 5&.! %*3'*((C! 4-! 251-++-)JMN! *5)! ./*.! %&53-5.! 6'3.! 4-! I*%.'*(BJ! 5&.! I%&53.+'%.2:-;J31! O-.! *5&./-+! %2+%'2.! %&'+.! /*3! 3.*.-)F! I=2./&'.! *%.'*(! 5&.2%-B! %&53-5.!%*5!&5(C!4-!260(2-)!8/-5!./-!3'++&'5)25,!%2+%'63.*5%-3! !"#$%#!%#&'(! 3/&8! ./*.! ./-! 0*+.C! 95-8! *4&'.! *5)! %&53-5.-)! .&! ./-! 25.-+%-0.2&5;JMK! P'+./-+6&+-B! I95&8(-),-! &1! ./-! !)*)+%'%,(! &1! 6&52.&+25,! *(&5-! %*55&.! 4-!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

29 Watkins. 704 F.2d at 581 ("Consent under title III is not to be cavalierly implied. Title III expresses a strong purpose to protect individual privacy by strictly limiting the occasions on which interception may lawfully take place."). 30 Griggs-Ryan v. Smith, 904 F.2d 112, 117 (1st Cir. 1990). 31 In re Pharmatrak, Inc. Privacy Litig., 329 F.3d 9, 20 (1st Cir. 2003); see also United States v. Corona- Chavez, 328 F.3d 974, 978 (8th Cir. 2003). 32 Berry v. Funk, 146 F.3d 1003, 1011 (D.C. Cir. 1998) (internal quotation omitted).

9! CENTER FOR DEMOCRACY & TECHNOLOGY

"#$%&'()('! &*+,&('! "#$%($-./00! 12(! "3%(%! 42()(! "#$%($-! 23%! 5(($! &*+,&('! &$6#,6(!6()7!(8+,&"&-!$#-&"(9!*3$7!#:!-2(*!&$6#,6(!-2(!*#$&-#)&$;!#:!+)&%#$()%

=#$%($-! &%! "#$-(8->53%('.!?-!&%!#$(!-2&$;!-#!&*+,7!"#$%($-!&$!-2(!"#$-(8-!#:!3! +)&%#$!#)!3!4#)@+,3"(A!42()(!$#-&"(!*37!5(!+)(%($-('!3%!+3)-!#:!-2(!'3&,7!,#;>&$! +)#"(%%.!?-!&%!BC&-(!3$#-2()!-#!&*+,7!&-!&$!-2(!"#$-(8-!#:!#)'&$3)7!?$-()$(-!C%3;(! 57!)(%&'($-&3,!%C5%")&5()%A!42#A!57!'(:&$&-&#$A!3)(!C%&$;!-2(!%()6&"(!:#)!+()%#$3,! 3$'!#:-($!2&;2,7!%($%&-&6(!"#**C$&"3-&#$%.!=#$-&$C('!C%(!#:!3!%()6&"(!3:-()!3! *3&,('! $#-&"(! *&;2-! $#-! 5(! ($#C;2! -#! "#$%-&-C-(! "#$%($-.! =()-3&$,7A! *3&,&$;! $#-&:&"3-&#$!-#!-2(!5&,,!+37()!&%!+)#535,7!&$%C::&"&($-!-#!+C-!3,,!*(*5()%!#:!-2(! 2#C%(2#,'!42#!%23)(!-2(!?$-()$(-!"#$$("-&#$!#$!$#-&"(.!

12C%A! &-! %((*%! -23-! 3$! 3%%()-&#$! #:! &*+,&('! "#$%($-A! 42(-2()! #)! $#-! C%()%! 3)(! +)#6&'('!3$!#++#)-C$&-7!-#!#+-!#C-!#:!-2(!%7%-(*A!4#C,'!*#%-!,&@(,7!$#-!%3-&%:7! -2(! "#$%($-! (8"(+-&#$! :#)! -2(! -7+(! #:! &$-()"(+-&#$! #)! '&%",#%C)(! C$'()! "#$%&'()3-&#$!2()(.!D8+)(%%!+)&#)!"#$%($-!E#+->&$!"#$%($-F!&%!",(3),7!+)(:()35,(! 3$'! *37! 5(! )(BC&)('.! G2&,(! *(3$&$;:C,! #+->&$! "#$%($-! 4#C,'! 5(! %C::&"&($-A! "#C)-%!4#C,'!,&@(,7!5(!%@(+-&"3,!#:!3$!#+->&$!"#$%&%-&$;!*()(,7!#:!3!",&"@>-2)#C;2! 3;)((*($-H&.(.A! 3! %(-! #:! -()*%! -23-! 3! C%()! 3;)((%! -#! 57! ",&"@&$;! 3$! #$>%")(($! 5C--#$H&:!&-!'&%+,37%!"23)3"-()&%-&"%!-7+&"3,!#:!%C"2!3;)((*($-%A!%C"2!3%!3!,3);(! 3*#C$-! #:! -(8-! '&%+,37('! &$! 3! %*3,,! 5#8A! $#! )(BC&)(*($-! -23-! -2(! C%()! %")#,,! -2)#C;2!-2(!($-&)(!3;)((*($-A!#)!-2(!#+->&$!+)#6&%&#$!5C)&('!3*#$;!#-2()!-()*%! #:!%()6&"(.0I!

?$!)(;3)'%!-#!"#$%($-A!-2(!*#'(,!C$'()!'&%"C%%&#$!2()(!&%!'&%-&$;C&%235,(!:)#*! -2(!C%(!#:!J"##@&(%A/!42&"2!4()(!:#C$'!-#!5(!+()*&%%&5,(!57!3!:('()3,!'&%-)&"-! "#C)-! &$! 3! KLLM! "3%(! &$6#,6&$;! N#C5,(=,&"@.36! ?$! -23-! "3%(A! -2(! G(5! %&-(%! +3)-&"&+3-&$;!&$!-2(!N#C5,(=,&"@!3'6()-&%&$;!$(-4#)@!4()(!:#C$'!-#!5(!+3)-&(%!-#! -2(!"#**C$&"3-&#$%!#:!-2(!?$-()$(-!C%()%!42#!6&%&-('!-2#%(!%&-(%.!O%!+3)-&(%!-#! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

33 Watkins, 704 F.2d at 581; see also Deal v. Spears, 980 F.2d 1153, 1157 (8th Cir. 1992) (holding that consent not implied when individual is aware only that monitoring might occur, rather than knowing monitoring is occurring). 34 “The circumstances relevant to an implication of consent will vary from case to case, but the compendium will ordinarily include language or acts which tend to prove (or disprove) that a party knows of, or assents to, encroachments on the routine expectation that conversations are private. And the ultimate determination must proceed in light of the prophylactic purpose of Title III-a purpose which suggests that consent should not casually be inferred.” Griggs-Ryan, 904 F.2d at 117. 35 See, e.g., Specht v. Netscape Commc’ns Corp., 306 F.3d 17 (2d Cir. 2002) (rejecting online arbitration agreement because, among other things, site permitted customer to download product without having scrolled down to arbitration clause and agreement button said only “Download”); United States v. Lanoue, 71 F.3d 966, 981 (1st Cir. 1995) (“Deficient notice will almost always defeat a claim of implied consent.”). 36 In re DoubleClick Inc. Privacy Litig., 154 F.Supp.2d 497 (S.D.N.Y. 2001).

10! CENTER FOR DEMOCRACY & TECHNOLOGY

"#$!%&''()*%+"*&),-!"#$!.$/!,*"$,!%&(01!%&),$)"!"&!"#$!(,$!&2!"#$!%&&3*$,!"&! %&00$%"!*)2&4'+"*&)!+/&("!"#&,$!%&''()*%+"*&),5!6$4$-!&2!%&(4,$-!"#$!789,!+4$! )&"! :+4"*$,! "&! "#$! %&''()*%+"*&),! /$*);! '&)*"&4$1! +)1! "#$! *)"$4%$:"*&)! &4! 1*,%0&,(4$!$)%&':+,,$,!%&''()*%+"*&),!<*"#!,*"$,!"#+"!+4$!)&"!'$'/$4,!&2!"#$! +1=$4"*,*);! )$"<&435! >#$4$2&4$-! "#$! ,&(4%$! &2! %&),$)"! '(,"! /$! "#$! 789?,! *)1*=*1(+0!,(/,%4*/$4,-!+,!*"!<&(01!/$!*':&,,*/0$!"&!&/"+*)!%&),$)"!24&'!$=$4@! ,*);0$!.$/!,*"$!"#+"!$=$4@!,(/,%4*/$4!'+@!%&)%$*=+/0@!=*,*"5!

State Laws Requiring Two-Party Consent to Interception

!"# $%&&'()#

7)! +11*"*&)! "&! "#$! 2$1$4+0! .*4$"+:! A%"-! +! '+B&4*"@! &2! ,"+"$,! #+=$! "#$*4! &<)! <*4$"+:! 0+<,-! <#*%#! %+)! /$! '&4$! ,"4*);$)"! "#+)! "#$! 2$1$4+0! 0+<5! C&,"! ,*;)*2*%+)"0@-!"<$0=$!,"+"$,DE!4$F(*4$!+00!:+4"*$,!"&!%&),$)"!"&!"#$!*)"$4%$:"*&)!&4! 4$%&41*);!&2!%$4"+*)!"@:$,!&2!%&''()*%+"*&),!<#$)!,(%#!*)"$4%$:"*&)!*,!1&)$!/@! +!:4*=+"$!:+4"@!)&"!()1$4!"#$!%&0&4!&2!0+<5!

7)! ,$=$4+0! &2! "#$,$! ,"+"$,G2&4! $H+':0$-! I&))$%"*%("G"#$! +00J:+4"@! %&),$)"! 4$F(*4$'$)"!+::0*$,!&)0@!"&!"#$!4$%&41*);!&2!&4+0!%&)=$4,+"*&),5!7)!&"#$4,-!"#$! +00J:+4"@! %&),$)"! 4(0$! $H"$)1,! "&! /&"#! =&*%$! +)1! 1+"+! %&''()*%+"*&),5! K&4! $H+':0$-!K0&4*1+?,!8$%(4*"@!&2!I&''()*%+"*&),!A%"!'+3$,!*"!+!2$0&)@!2&4!+)@! *)1*=*1(+0! "&! *)"$4%$:"-! 1*,%0&,$-! &4! (,$! +)@! <*4$-! &4+0-! &4! $0$%"4&)*%! %&''()*%+"*&)-! ()0$,,! "#+"! :$4,&)! #+,! &/"+*)$1! "#$! :4*&4! %&),$)"! &2! +00! :+4"*$,5DL! 8*'*0+40@-! "#$! 700*)&*,! ,"+"("$! &)! %4*'*)+0! $+=$,14&::*);! :4&#*/*",! +! :$4,&)! 24&'! M*)"$4%$:"N*);O-! 4$"+*)N*);O-! &4! "4+),%4*/N*);! +)O! $0$%"4&)*%! %&''()*%+"*&)!()0$,,!#$!1&$,!,&!5!5!5!<*"#!"#$!%&),$)"!&2!+00!&2!"#$!:+4"*$,!"&! ,(%#!5!5!5!$0$%"4&)*%!%&''()*%+"*&)5PDQ!

>#$! '&,"! *':&4"+)"! +00J:+4"@! %&),$)"! 0+

*"# +',-./(0-'#

>#$! UQTE! I+0*2&4)*+! 7)=+,*&)! &2! 94*=+%@! A%"! '+3$,! %4*'*)+00@! 0*+/0$! +)@! *)1*=*1(+0!<#&!M*)"$)"*&)+00@!"+:,-!&4!'+3$,!+)@!()+("#&4*V$1!%&))$%"*&)!5!5!5!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

37 The twelve states are California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. 38 Fla. Stat. § 934.03(1). 39 Ill. Comp Stat. 5/14-1(a)(1).

11! CENTER FOR DEMOCRACY & TECHNOLOGY

"#!$%"!$&''()''*!+,-!$&.%").!.%/!0",1/,.!"(!+''!2+#.&/1!."!.%/!0"33),&0+.&",!4!4!4! #/+-15!"#!+../32.1!."!#/+-5!"#!."!'/+#,!.%/!0",./,.1!"#!3/+,&,6!"(!+,*!3/11+6/!4!4! 4!"#!0"33),&0+.&",!$%&'/!.%/!1+3/!&1!&,!.#+,1&.!"#!2+11&,6!"7/#!+,*!$&#/5!'&,/5!"#! 0+8'/5! "#! &1! 8/&,6! 1/,.! (#"35! "#! #/0/&7/-! +.! +,*! 2'+0/9! &,! :+'&("#,&+4;$%"! )1/15! "#! +../32.1! ."! )1/5! &,! +,*! 3+,,/#!4!4!4!+,*!&,("#3+.&",!1"!"8.+&,/-9!"#!$%"!+&-1!+,*!2/#1",!&,!-"&,6!.%/! 1+3/4;?!@%/! '+$! %+1! +! 1/2+#+./! 1/0.&",! 0#/+.&,6! '&+8&'&.*! ("#! +,*! 2/#1",! /+7/1-#"22&,6!)2",!"#!#/0"#-&,6!+!0",(&-/,.&+'!0"33),&0+.&",!>&,./,.&",+''*! +,-!$&.%").!.%/!0",1/,.!"(!+''!2+#.&/159!$%/.%/#!.%/!2+#.&/1!+#/!2#/1/,.!&,!.%/! 1+3/! '"0+.&",! "#! 0"33),&0+.&,6! "7/#! ./'/6#+2%5! ./'/2%",/5! "#! ".%/#! -/7&0/! A/B0/2.!+!#+-&"C4;D!

:",1/,.!0+,!8/!&32'&/-!",'*!&,!7/#*!'&3&./-!0�)31.+,0/14!@%/!:+'&("#,&+!1.+./! :")#.!"(!E22/+'1!%/'-!&,!!"#$%"&'(&)*+,"+!.%+.!+!1)810#&8/#!."!+!./'/2%",/!1*1./3! &1!-//3/-!."!%+7/!0",1/,./-!."!.%/!./'/2%",/!0"32+,*F1!3",&."#&,6!"(!%&1!0+''1! &(!%/!)1/1!.%/!1*1./3!&,!+!3+,,/#!.%+.!#/+1",+8'*!G)1.&(&/1!.%/!0"32+,*F1!8/'&/(! .%+.!%/!&1!7&"'+.&,6!%&1!1)810#&2.&",!#&6%.15!+,-!/7/,!.%/,!.%/!0"32+,*!3+*!",'*! 3",&."#!%&1!0+''1!."!.%/!/B./,.!,/0/11+#*!("#!.%/!&,7/1.&6+.&",4;H!E,!&,-&7&-)+'! 0+,! 3+&,.+&,! +,! "8G/0.&7/'*! #/+1",+8'/! /B2/0.+.&",! "(! 2#&7+0*! 8*! /B2'&0&.'*! $&.%%"'-&,6!0",1/,.!("#!+!.+2/!#/0"#-&,65!/7/,!&(!.%/!".%/#!2+#.*!%+1!&,-&0+./-! +,!&,./,.&",!."!#/0"#-!.%/!0"33),&0+.&",4;;!

=,!-"*+."/&'(&0*%#1#.&01234&5*+."/6&7.8(5!.%/!1.+./!I)2#/3/!:")#.!+--#/11/-!.%/! 0",('&0.!8/.$//,!.%/!:+'&("#,&+!+''J2+#.*!0",1/,.!1.+,-+#-!+,-!K/"#6&+F1!$&#/.+2! '+$5!$%&0%!&1!3"-/'/-!+(./#!.%/!(/-/#+'!",/J2+#.*!1.+,-+#-4;L!=.!%/'-!.%+.5!$%/#/! +! K/"#6&+! (! #/0"#-/-! 0+''1! 3+-/! (#"3! &.1! K/"#6&+! "((&0/! ."! #/1&-/,.1!&,! :+'&("#,&+5!.%/!:+'&("#,&+!'+$!+22'&/-4!@%/!0")#.!1+&-!.%+.!&.!$")'-!8/!),(+&#!."! &32"1/! -+3+6/1! ",! .%/! K/"#6&+! (#! 8).! 2#"12/0.&7/'*! .%/! 0+1/! /((/0.&7/'*! #/M)&#/-!").J"(J1.+./! (! %+7&,6! ./'/2%",/! 0"33),&0+.&",1! $&.%! 2/"2'/! &,! :+'&("#,&+! ."! +,,"),0/! ."! +''! 2+#.&/1! +.! .%/! ").1/.! .%/&#! &,./,.! ."! #/0"#-! +! 0"33),&0+.&",4!:'/+#!,".&0/!+,-!&32'&/-!0",1/,.!+#/!1)((&0&/,.4!>=(5!+(./#!8/&,6! 1"!+-7&1/-5!+,".%/#!2+#.*!-"/1!,".!$&1%!."!2+#.&0&2+./!&,!.%/!0",7/#1+.&",5!%/!"#! 1%/!1&32'*!3+*!-/0'&,/!."!0",.&,)/!.%/!0"33),&0+.&",49;N!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

40 Cal. Pen. Code § 631(a). 41 Id. 42 Id. § 632(a). The statute explicitly excludes radio communications from the category of confidential communications. 43 275 Cal. App. 2d 119 (Cal. App. 1st Dist. 1969). 44 Nissan Motor Co. v. Nissan Computer Corp., 180 F. Supp. 2d 1089 (C.D. Cal. 2002). 45 39 Cal. 4th 95 (2006). 46 Id. at 118. 12! CENTER FOR DEMOCRACY & TECHNOLOGY

!"# $%&#'()*+,-.+/01#/2#!"#$%"&#

"#$!%$&'($)!*&+$!&',+$!-(!.#$!*,(.$/.!,0!.$1$2#,($!3,(-.,'-(45!&(6!.#$'$!-+!&! '$3&'7&81$!1&*7!,0!*&+$!1&9!&66'$++-(4!9#$.#$'!.#$!:&1-0,'(-&!+.&.;.$!&221-$+!.,! <(.$'($.!*,33;(-*&.-,(+=!<0!-.!6,$+5!,'!-0!.#$'$!-+!,($!,.#$'!+.&.$!.#&.!&221-$+!-.+! &11>2&'.)!*,(+$(.!';1$!.,!*,(6;*.!&00$*.-(4!<(.$'($.!*,33;(-*&.-,(+!&*',++!+.&.$! 1-($+5!.#$(!(,!2'&*.-*&1!0,'3!,0!,2.>-(5!(,!3&..$'!#,9!',8;+.5!9,;16!+&?$!.#$! 2'&*.-*$!,0!*,2)-(4!<(.$'($.!*,(.$(.!0,'!8$#&?-,'&1!&6?$'.-+-(4=!"#&.!-+5!$?$(!-0! .#$!<@A!,(1)!*,2-$+!.#$!*,33;(-*&.-,(+!,0!.#,+$!+;8+*'-8$'+!.#&.!*,(+$(.5!&(6! .#$!3,(-.,'-(4!,**;'+!,(1)!-(+-6$!&!,($>2&'.)!*,(+$(.!+.&.$5!&+!+,,(!&+!,($!,0! .#,+$! *;+.,3$'+! #&+! &! *,33;(-*&.-,(! 9-.#! &! (,(>*,(+$(.-(4! 2$'+,(! B,'! C$8! +-.$D!-(!&(!&11>2&'.)!*,(+$(.!+.&.$!.#&.!&221-$+!-.+!';1$!.,!-(.$'*$2.-,(+!,**;''-(4! ,;.+-6$! .#$! +.&.$5! .#$! <@A! 9,;16! +$$3! .,! 8$! -(! E$,2&'6)=! "#$! <@A! *,;16! (,.! *,(*$-?&81)! ,8.&-(! *,(+$(.! 0',3! $?$')! 2$'+,(! &(6! C$8! +-.$! -(! .#$! &11>2&'.)! *,(+$(.!+.&.$=!F,'!*,;16!-.!-6$(.-0)!B0,'!.#$!2;'2,+$!,0!,8.&-(-(4!*,(+$(.D!9#-*#! 2$,21$!,'!C$8!+-.$+!-.+!,2.$6>-(!+;8+*'-8$'+!9,;16!9&(.!.,!*,33;(-*&.$!9-.#!-(! &6?&(*$!,0!.#,+$!*,33;(-*&.-,(+!,**;''-(4=!

G!*,;(.$'?&-1-(4!&'4;3$(.!*,;16!8$!3&6$!.#&.!&(!&11>2&'.)!*,(+$(.!';1$!-+!(,.! &221-*&81$!.,!.#$!8$#&?-,'&1!&6?$'.-+-(4!3,6$15!+-(*$!.#$!2',*$++!,(1)!*,2-$+!,'! 6-?;14$+!,($!#&10!,0!.#$!*,33;(-*&.-,(5!(&3$1)!.#$!#&10!0',3!.#$!*,(+$(.-(4! +;8+*'-8$'=!!

Conclusion

"#$!2'&*.-*$!.#&.!#&+!8$$(!6$+*'-8$6!.,!;+5!9#$'$8)!&(!<@A!3&)!$(.$'!-(.,!&(! &4'$$3$(.!9-.#!&(!&6?$'.-+-(4!($.9,'7!.,!*,2)!&(6!&(&1)H$!.#$!.'&00-*!*,(.$(.! ,0!.#$!<@AI+!*;+.,3$'+5!2,+$+!+$'-,;+!J;$+.-,(+!;(6$'!.#$!0$6$'&1!C-'$.&2!G*.=!<.! +$$3+! .#&.! .#$! 6-+*1,+;'$! ,0! &! +;8+*'-8$'I+! *,33;(-*&.-,(+! -+! 2',#-8-.$6! 9-.#,;.! *,(+$(.=! <(! &66-.-,(5! $+2$*-&11)! 9#$'$! .#$! *,2)-(4! -+! &*#-$?$6! 8)! &! 6$?-*$! ,9($6! ,'! *,(.',11$6! 8)! .#$! &6?$'.-+-(4! ($.9,'75! .#$! *,2)-(4! ,0! .#$! *,(.$(.+!,0!+;8+*'-8$'!*,33;(-*&.-,(+!+$$3+!.,!8$5!-(!.#$!&8+$(*$!,0!*,(+$(.5!&! 2',#-8-.$6!-(.$'*$2.-,(=!G00-'3&.-?$!$/2'$++!*,(+$(.5!&(6!&!*$++&.-,(!,0!*,2)-(4! ;2,(!9-.#6'&9&1!,0!*,(+$(.5!9,;16!2',8&81)!+&?$!+;*#!2'&*.-*$+!;(6$'!0$6$'&1! 1&95!8;.!.#$'$!3&)!8$!+.&.$!1&9+!'$J;-'-(4!&11>2&'.)!*,(+$(.!.#&.!9,;16!8$!3,'$! 6-00-*;1.!.,!+&.-+0)=!

! FOR MORE INFORMATION A1$&+$!*,(.&*.K!L-3!M$32+$)5!G'-!@*#9&'.H5!,'!G1-++&!:,,2$'! NON>PQR>STOO! 13!