Behavioural Targeting of Online Advertisements and the Future of Data Protection

January 27, 2009

Behavioural targeting of advertisements by ISPs, search engines and online vendors has raised privacy questions in both the USA and the UK. Specifically, concerns about behavioural targeting involve the processes used to obtain data about consumers, such as deep packet inspection (a method of identifying the source and potentially the contents of packet data),[1] as well as the uses, storage and sharing of the collected information. As such, these concerns return us to broader questions of data protection and information security. The issues raised by behavioural targeting involve doctrinal uncertainties in both US and UK contract law, privacy law, computer intrusion law and, most recently, data breach notification statutes. Although each of these bodies of law generates a modicum of improvements in the quality of data protection, none of them should be viewed as a panacea capable of replacing a harmonized, omnibus approach.

Recent Developments

In 2008, actions of two companies in particular triggered closer examination of these practices of behavioural targeting – NebuAd in the USA and Phorm in the UK. One of the controversial techniques they used to obtain consumer data was deep packet inspection, which allows analysis of network traffic to identify the application that sent the data, differentiation of data, and analysis of the contents of the data packet that are unencrypted, including which Web site originated the packet. However, allegations that ISPs were selling user browsing data to traffic-ranking Web sites and others predated the most recent controversies and will survive them. Particularly as market consolidations happen between credit reporting agencies and traffic ranking firms,[2] the widespread use of individual level targeted behavioural advertising seems inevitable.

These changes have not escaped the notice of regulators. In the USA, in July 2008, the House of Representatives and the Senate conducted hearings about privacy and behavioural targeting practices of Web sites, search engines and ISPs and, in August 2008, four members of the United States House of Representatives Committee on Energy and Commerce sent letters to 33 cable and Internet companies requesting information regarding the types of information they are collecting from consumers and their privacy standards. Companies who received these letters included Google, Microsoft, Comcast, AT&T, AOL, Time Warner and Cox Communications.[3] Meanwhile, the EU Information Commissioner has stated that behavioural targeting in advertising must be structured on an ‘opt in’ basis for consumers, and she raised questions regarding the legality of certain behavioural targeting practices.[4]

As other recent privacy public relations debacles have reminded us,[5] the most recent debates in the USA and the UK regarding the use of aggressive personal level Internet tracking – even if legal under current standards and contractually permissible under terms of use – show that it still violates many consumers’ ethical sense of acceptable privacy practices. The legal issues raised by behavioural targeting in online advertisements implicate contract law, privacy law, computer intrusion law and data breach notification statutes. Conceptually, they are bound up in the meaning of consumer ‘consent’ to the information collection.

Stated another way, the legal and ethical issues raised by the debate over behavioural targeting in advertising raise the same three sets of problems that have plagued data protection law for over a decade. First, consumers may ‘consent’ in contract to behaviors that they cannot foresee and, subsequently, they find these behaviors objectionable and privacy violative. Second, the line between information collection and computer intrusion becomes increasingly blurred. Third, the pace of technology renders law incapable of evolving in a timely fashion; no quick legal fix exists.

Issue One: Consumers’ Consent

The first set of problems revolves around the meaning of ‘consent’ in data protection contexts. ISPs and other corporate users of behavioural targeting in advertising, particularly those in the USA, would argue that their data collection and sharing practices are a simple matter of contract. Consumers whose data is used for behavioural targeting ‘consented’ to the data collection: when consumers agree to a company’s terms of service, consumers agree to these data practices as one of the terms. On the other hand, consumers who object to these targeting practices would argue that they did not consent in a meaningful sense – if they had understood that the agreement would subject them to privacy-invasive data collection behaviors they find objectionable, they would not have agreed. Consumers would further argue that the extent of privacy invasion is frequently not explicitly identified in the services agreements and not understandable to an average consumer. Further, the terms of these agreements are not negotiable for the consumer. In other words, pre-existing contract law debates over the validity, equity and desirability of form contracts (or contracts of adhesion) used in these contexts have reappeared in a new privacy driven context online.[6] Although UK courts may be more protective of consumers’ interests than US courts, in both legal contexts the crux of the legal question revolves around the meaning of contractual consent in a digital context. 

Issue Two: Information Collection or Computer Intrusion?

A second set of problems involves a different aspect of ‘consent’ to data collection – if data is collected without consent it may constitute a computer intrusion or a wiretap. Just as in tort and criminal law generally, what constitutes an intrusion or an unwanted technological ‘touching’ of a user’s machine is contingent entirely on user consent, so too this notion of consent transfers into questions of data collection for behavioural targeting. The language used by wiretapping and computer intrusion statutes in the USA revolves around ‘interception,’ i.e., monitoring without consent, and ‘exceeding authorized access,’ meaning surpassing the extent of consent.[7] Two federal statutes, as well as a patchwork of state statutes, use this framework of consent in the context of criminal and civil computer intrusion – the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA).

In various digital contexts, such as security-invasive digital rights management technologies, spyware, and, now, targeted behavioural advertising, the methods used to obtain information about the users’ actions begin to resemble the behavior of information criminals in an uncomfortable manner. The critical difference between an ISP using deep packet sniffing to collect data on consumers for advertising and a hacker collecting the same information is allegedly the contractual consent the consumer has provided to the ISP’s behavior. However, as was set forth above, the predicate assumptions of meaningful consent in traditional contract doctrine – that the consumer has been presented with a reasonable opportunity to read an agreement and that the consumer has the ability to understand and negotiate the terms of an agreement – are not necessarily true in cases of complicated information gathering scenarios.

The contracts which allegedly authorize the aggressive data collection/potentially criminally-intrusive behavior are frequently opaque to an average reader: the reader cannot predict the exact nature of the conduct authorized.[8] Therefore, contractual consent issues are aggravated by questions regarding what constitutes meaningful contractual disclosure in data collection contexts such as behavioural targeting in advertising. Prosecutors, legal scholars[9] and legislators in the U.S. are divided on the best course of action in addressing this potential overreaching and underdisclosure.

Issue Three: Technological Innovation Outpaces Law

The final set of problems are those which plague all forms of technology regulation, namely those arising out of the pace of technology outstripping the pace of law. Despite repeated statutory attempts on the part of US and UK legislators to address consent and disclosure problems arising out of data privacy and protection problems driven by technological evolution, no one approach has proved or can prove adequate.

The most recent statutory attempts to address disclosure inadequacies relating to data protection are data breach notification statutes.[10] Currently, approximately 44 U.S. states have data security breach notification statutes on their books.[11] These notification statutes have sprung to life in the last five years and compel entities who have suffered ‘data breaches’ to provide written notice to the consumers whose data has been impacted. The legislative intent driving data breach notification statutes involves preventing identity theft and generating a modicum of external accountability for data care.[12] As the UK embarks on building a body of data security breach notification law, it should take care not to view such new law as a panacea for all data protection problems.

The shortcomings of US data breach notification laws may prove instructive. Significant variation exists across data breach notification statutes. The types of data statutorily covered are not homogeneous. For example, California only recently added health data to its statutory definition of data that, if breached, triggers a disclosure obligation.[13] The definition of a breach also differs from one statute to the next, leaving room for discretion, in some cases, for the breached entity to determine whether notice is appropriate. Some statutes provide blanket encryption exemptions; in other words, if the breached data was encrypted at the time of compromise, no notice obligation is triggered. Definitions of encryption that qualifies, where they exist, vary. Statutory time frames for reporting of a security breach vary significantly across state statutes and can provide for as much as ten days or longer[14] to report a breach from the time of discovery of a breach. The discovery of a breach may occur months or years after the initial communication with the consumer.[15] Legal recourse is left almost always solely in the hands of a state’s attorney general, and prosecutions have been limited to date.[16] Further, data breach notification statutes vary on who must give notice. Most, but not all, of the statutes cover only for-profit entities. Conceptually, this frequent commercial focus is not well-advised: weak information security and technology-mediated speech that makes consumers more vulnerable is not a problem limited to commercial speakers. 
It is frequently non-profit and governmental speakers who expose consumers to additional information security risk.[17] Finally, although some research indicates that consumers take notice of data breach notifications and increasingly view information holders as having an obligation of data stewardship to them,[18] research simultaneously finds that consumers feel powerless in protecting themselves against data mishandling and may begin to suffer from ‘notification fatigue’ as numerous security notices describing past breaches arrive.[19] Although data breach notification statutes may yield a modicum of improvement and raise the profile of data protection issues, these piecemeal statutory approaches are unlikely to solve the larger problems of data protection. A holistic approach which addresses confounding problems in other bodies of law is warranted.

Directions for the Future

As discussed above, no easy legal solution exists for addressing the consumer protection and data protection issues raised by behavioural targeting of advertising. Old tensions in contract law, computer intrusion law and privacy law underpin the current debate. An approach which may offer promise of success is one which engages with each of these pre-existing legal problems directly.

Although it might be argued that the EU Data Protection Directive began down this path in the mid-1990s, the reality of the constitutional level differences between the USA and the UK in approaches to rights of information privacy rendered the impact of the Data Directive limited on a global basis. However, 13 years after the Data Protection Directive, the US approach to information security and data privacy is crawling toward a perspective closer to that of the UK. It is again time to revisit failed international discussions on legal harmonization in areas of contract law, reciprocity in jurisdiction and judgments, and computer crime. A multilateral omnibus approach to crafting an international, co-operative data privacy and information security regime is the only approach that may yield success in the long term.

Andrea M. Matwyshyn is an assistant professor of Legal Studies and Business Ethics at the Wharton School at the University of Pennsylvania. She can be reached at amatwysh@wharton.upenn.edu.

——————————————————————————–

[1] See, e.g., Deep Packet Inspection, ZDNet, http://dictionary.zdnet.com/index.php?d=deep+packet+inspection (last visited Jan. 11, 2009).

[2] See, e.g., Karl Bode, ISP Sale Of User Browsing Data May Soon Explode, Broadband DSL Reports, October 2, 2008, http://www.dslreports.com/shownews/98159

[3] See, e.g., Stephanie Clifford, Web Privacy on the Radar in Congress, New York Times, August 10, 2008, http://www.nytimes.com/2008/08/11/technology/11privacy.html?_r=1&fta=y&pagewanted=all

[4] See, e.g., Jake Swearingen, Behavioral Targeting Has Its Day in the UK, Bnet, September 29, 2008, http://industry.bnet.com/advertising/1000235/behavioural-targeting-has-its-day-in-the-uk/

[5] For a discussion of the public relations problems for Facebook caused by the ‘beacon’ technology, see, e.g., Juan Carlos Perez, Facebook’s Beacon More Intrusive Than Previously Thought, PC World, Nov. 30, 2007, http://www.pcworld.com/article/140182/facebooks_beacon_more_intrusive_than_previously_thought.html.

[6] For a discussion of the tension between freedom of contract and consumer protection see, e.g., Ian Ayres & Robert Gertner, Filling Gaps in Incomplete Contracts: An Economic Theory of Default Rules, 99 Yale L.J. 87 (1989) (discussing significance of distinction between default and mandatory rules for consumers); Randy E. Barnett, The Sound of Silence: Default Rules and Contractual Consent, 78 Va. L. Rev. 821 (1992) (describing a ‘conflict between the two aspects of the liberal conception of contractual freedom: freedom to contract and freedom from contract’ (citing Richard E. Speidel, The New Spirit of Contract, 2 J.L. & Com. 193, 194 (1982)).); Christine Jolls, Contracts as Bilateral Commitments: A New Perspective on Contract Modification, 26 J. Legal Stud. 203, 205 (1997) (‘Contrary to traditional wisdom, the parties to a contract may be better off if the law enables them to tie their hands, or ties their hands for them, in a way that prevents them from taking advantage of certain ex post profitable modification opportunities.’).

[7] ECPA is composed of Title I, amendments to the Wiretap Act, and Title II, the Stored Communications Act. 18 U.S.C. §§ 2701-2712 (2000). See Computer Fraud and Abuse Act, 18 U.S.C. § 1030.

[8] For example, in the terms of use where users allegedly consented to the installation of a rootkit pushed out by Sony, the rootkit was described only as ‘a small proprietary software program.’ See, e.g., Mary Landesman, Sony Rootkit Strikes Sour Note, About.com, November 1, 2005, http://antivirus.about.com/od/virusdescriptions/a/sonyrootkit.htm.

[9] For example, Professor Ohm argues that this type of ISP behavioural targeted advertisements probably constitutes violations of ECPA. See, e.g., Paul Ohm, The Rise and Fall of Invasive ISP Surveillance, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1261344.

[10] For a discussion of state data breach notification statutes see, e.g., Paul M. Schwartz, Notification of Data Security Breaches, 105 Mich. L. Rev. 913 (2007).

[11] For a list of state data breach notification statutes, see National Conference of State Legislatures, http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm (last visited January 15, 2009).

[12] For a discussion of steps to mitigate identity theft see, e.g., Federal Trade Commission, Identity Theft: Immediate Steps, http://www.consumer.gov/idtheft/con_steps.htm (last visited January 15, 2009).

[13] Deborah Gage, California data-breach law now covers medical information, San Francisco Chronicle, January 4, 2008, http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/01/04/BUR6U9000.DTL.

[14] NJ P.L.1997, Sect. 3, as amended, http://www.njleg.state.nj.us/2004/Bills/A3500/4001_R1.PDF.

[15] For example, UCLA has suffered data breaches which have included data of applicants from at least the previous ten years. See, e.g., Gregg Keizer, UCLA Admits Massive Data Hack, InformationWeek, December 12, 2006, http://www.informationweek.com/security/showArticle.jhtml?articleID=196603485.

[16] See, e.g., Violating NY data breach law costs Chicago firm $60,000, IT Compliance Institute, April 30, 2007, http://www.itcinstitute.org/display.aspx?id=3474.

[17] For a recent compilation of breached entities, see, e.g., Privacy Rights Clearinghouse, http://www.privacyrights.org (last visited January 20, 2008).

[18] Andy Greenberg, If Security Is Expensive, Try Getting Hacked, Forbes.com, Nov. 28, 2007, http://www.forbes.com/home/technology/2007/11/27/data-privacy-hacking-tech-security-cx_ag_1128databreach.html.

[19] For a discussion of the possibility of U.S. national data breach notification legislation see, e.g., Grant Gross, Analysis: US data breach notification law unlikely this year, IDG News Service, May 8, 2006, http://www.macworld.com/article/50709/2006/05/databreach.html.