OHM.DOCX 9/11/2009 2:19 PM THE RISE AND FALL OF INVASIVE ISP SURVEILLANCE Paul Ohm* Nothing in society poses as grave a threat to privacy as the Inter- net Service Provider (ISP). ISPs carry their users’ conversations, se- crets, relationships, acts, and omissions. Until the very recent past, they had left most of these alone because they had lacked the tools to spy invasively, but with recent advances in eavesdropping technology, they can now spy on people in unprecedented ways. Meanwhile, ad- vertisers and copyright owners have been tempting ISPs to put their users’ secrets up for sale, and judging from a recent flurry of reports, ISPs are giving in and experimenting with new forms of spying. This is only the leading edge of a coming storm of unprecedented and in- vasive ISP surveillance. This Article seeks to help policymakers strike the proper balance between user privacy and ISP need. Policymakers cannot simply ban aggressive monitoring, because ISPs have legitimate reasons for scru- tinizing communications on an Internet teeming with threats, so in- stead policymakers must learn to distinguish between an ISP’s legiti- mate needs and mere desires. In addition, this Article injects privacy into the network neutrali- ty debate—a debate about who gets to control innovation on the In- ternet. Despite the thousands of pages that have already been written about the topic, nobody has recognized that we already enjoy manda- tory network neutrality in the form of expansive wiretapping laws. The recognition of this idea will flip the status quo and reinvigorate a stagnant debate by introducing privacy and personal autonomy into a discussion that has only ever been about economics and innovation. * Associate Professor of Law and Telecommunications, University of Colorado Law School. Versions of this article were presented to the Privacy Law Scholars 2008 Conference; Computers, Freedom, and Privacy ‘08 conference; and Telecommunications Policy Research Conference 2008. Thanks to Brad Bernthal, Aaron Burstein, Bruce Boyden, John Chapin, Samir Chopra, Danielle Ci- tron, kc claffy, Will DeVries, Susan Friewald, Jon Garfunkel, Dale Hatfield, Stephen Henderson, Chris Hoofnagle, Orin Kerr, Derek Kiernan-Johnson, Scott Moss, Deirdre Mulligan, Frank Pasquale, Wendy Seltzer, Sherwin Siy, Dan Solove, Gerard Stegmaier, Peter Swire, Phil Weiser, Matt Yoder, and Tal Zarsky for their comments and suggestions. 1417 OHM.DOCX 9/11/2009 2:19 PM 1418 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2009 TABLE OF CONTENTS Introduction ................................................................................................ 1420 I. Privacy Online and How It Is Lost .................................................. 1422 A. The Changing Nature of ISP Surveillance: Means, Motive, and Opportunity ....................................................... 1422 1. Opportunity: Where the ISP Sits on the Network ........ 1423 2. Motive: Extraordinary Pressures ..................................... 1425 a. Pressure to Upgrade Infrastructure and Obtain ROI .............................................................................. 1425 b. Google Envy and the Pressure to Monetize ........... 1426 c. All-You-Can-Eat Contracts and Network Congestion .................................................................. 1426 d. Outside Pressures ....................................................... 1426 3. Opportunity: Evaporating Technological Constraints .. 1427 a. Personal Computer to Pre-Commercial Internet ... 1428 b. Dawn of the Commercial Internet ........................... 1429 c. The Present Day ......................................................... 1430 d. The Future .................................................................. 1431 B. Signs of Change ....................................................................... 1432 1. AT&T’s Plans for Network Filtering .............................. 1432 2. Phorm ................................................................................. 1433 3. Charter Communications and NebuAd .......................... 1434 4. Comcast Throttles BitTorrent ......................................... 1435 C. Forecast .................................................................................... 1436 D. Measuring and Comparing the Harms of Complete Monitoring ............................................................................... 1437 1. Measuring What ISPs Can See ........................................ 1438 a. Visual Privacy as a Metaphor for Online Privacy ... 1438 b. What ISPs Can See .................................................... 1438 c. What ISPs Cannot See: Encrypted Contents and Use of Another ISP .................................................... 1439 2. Comparing ISPs to Other Entities .................................. 1440 a. ISPs Compared to Google ......................................... 1440 b. ISPs Compared to Google Plus DoubleClick ......... 1441 c. ISPs Compared to Spyware Distributors ................. 1442 d. ISPs Compared to Offline Entities........................... 1444 E. Harms ....................................................................................... 1444 F. Conclusion: We Must Prohibit Complete Monitoring ........ 1447 II. Weighing Privacy ............................................................................... 1447 A. Theories of Information Privacy ........................................... 1448 B. Analyzing Privacy in Dynamic Situations ............................ 1449 1. ISPs Have a Track Record of Respecting Privacy ........ 1450 OHM.DOCX 9/11/2009 2:19 PM No. 5] INVASIVE ISP SURVEILLANCE 1419 2. Constraints—and Signs of Evaporation ......................... 1450 3. Thought Experiment: What If Microsoft Started Monitoring? ....................................................................... 1451 III. Regulating Network Monitoring ...................................................... 1452 A. Abandoning the Envelope Analogy ..................................... 1453 B. Anonymization and Aggregation Are Usually Not Enough ..................................................................................... 1455 1. No Perfect Anonymization .............................................. 1456 2. Anonymous Yet Still Invasive ......................................... 1458 3. Conclusion ......................................................................... 1460 C. Reasonable Network Management ...................................... 1460 1. Network Management Defined ....................................... 1460 2. Why Providers Monitor .................................................... 1462 a. The Necessary, the Merely Convenient, and the Voyeuristic .................................................................. 1462 b. Different Networks with Different Priorities.......... 1463 c. The Purposes of Network Management .................. 1465 d. The Rise of Deep-Packet Inspection ....................... 1468 3. Reasonable Network Management: Provider Need ..... 1468 a. A Hypothetical Negotiation ...................................... 1469 b. NetFlow ....................................................................... 1469 c. NetFlow as a Ceiling on Automated Monitoring ... 1472 d. Routine Monitoring Versus Incident Response ..... 1473 D. Rethinking Consent ................................................................ 1474 1. Conditions for Consent .................................................... 1474 2. The Proximity Principle .................................................... 1475 3. ISPs and Proximity ............................................................ 1477 IV. The Law .............................................................................................. 1477 A. The Law of Network Monitoring .......................................... 1478 1. ECPA: Prohibitions .......................................................... 1478 a. Few Obvious Answers ............................................... 1478 b. Wiretap Prohibitions .................................................. 1478 c. Pen Registers and Trap and Trace Devices Act ..... 1479 d. Stored Communications Act ..................................... 1481 2. ECPA: Defenses and Immunities ................................... 1481 a. Protection of Rights and Property ........................... 1482 b. “Rendition of Service” .............................................. 1484 c. Consent ........................................................................ 1485 3. An Entirely Illegal Product Market ................................ 1486 4. Assessing the Law ............................................................. 1487 B. Amending the Law ................................................................. 1487 V. When Net Neutrality Met Privacy ................................................... 1489 OHM.DOCX 9/11/2009 2:19 PM 1420 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2009 A. Flipping the Status Quo .......................................................... 1490 B. But Is This Really Net Neutrality? ....................................... 1491 C. Resituating the Net Neutrality Debate ................................ 1493 Conclusion .................................................................................................. 1496 INTRODUCTION Internet Service Providers (ISPs)1 have the power to obliterate pri- vacy online. Everything we say, hear, read, or do on the Internet first passes through ISP computers. If ISPs wanted, they could store it all,
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages80 Page
-
File Size-