Several existing laws, including the US Federal Wiretap Act and the US Pen Register Act, would appear to address many of the potential monitoring activities that concern Ohm. But the laws "are full of confusing ambiguities," he said. "I think the ISPs are interpreting these laws not to apply" -- at least to some of the monitoring plans that companies have proposed.
One area in which those laws could be misinterpreted to the advantage of ISPs involves the issue of user consent, said Alissa Cooper, chief computer scientist at the Center for Democracy and Technology.
According to Cooper, communications privacy laws prevent ISPs from engaging in many kinds of user monitoring except in certain situations, such as for network security purposes or when they have gotten explicit consent from users to do monitoring. In general, the Federal Wiretap Act would apply to behavioral advertising programs and require ISPs to get the "express informed consent" of users for monitoring activities, she said.
But, Cooper added, what hasn't been tested in court yet is whether the implied consent that a user might give to such monitoring when agreeing to a privacy statement is the same thing as clear and informed consent on the user's part -- or whether it could be interpreted that way.
The problem is compounded by the fact that user expectations are much different when dealing with ISPs than they are when dealing with companies such as Google, Cooper said. Many users might assume that they're being given a greater degree of privacy protection by ISPs than is actually the case, she noted.
John Pescatore, an analyst at Gartner, said that in at least some cases, ISPs potentially have more visibility into user activities on the Internet than companies such as Google do.
Pescatore added, though, that communications laws aren't the only thing that ISPs interested in doing more monitoring would need to contend with. In many cases, he said, companies would have to invest substantial amounts of money to install the kind of deep-packet inspection, filtering and analysis technologies that are needed to monitor user activity on a scale that makes commercial sense.
And just because ISPs could do monitoring doesn't mean it would always make financial sense for them to actually do so, especially in light of the potential legal issues they could find themselves mired in, Pescatore said. In contrast, Google and other online advertising vendors have no such legal constraints in place yet -- and, as such, have been operating in a manner that poses a far greater risk to online privacy, he said.
"The much bigger privacy threat continues to be Google," agreed Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. "Google's business model -- its primary source of revenue -- is based on building detailed profiles of Internet users for advertising purposes. This is simply not the case for ISPs, who are primarily in the business of selling access to the Internet."