Behavioral advertisement regulation: how the negative perception of deep packet inspection technology may be limiting the online experience.

• Author: Person, Andrea N.

I. INTRODUCTION II. DEEP PACKET INSPECTION TECHNOLOGY A. How Deep Packet Inspection Technology Works B. The Many Pieces of the DPI Puzzle C. The Issue du Jour--Behavioral Advertising D. Cookies and Deep Packet Inspection Technology--A Progression of Technologies E. The Courts--Applying Cookie Precedents 1. The DoubleClick Litigation 2. The Pharmatrak Litigation 3. Beyond Cookies--The Status of DPI Litigation Today F. A Proactive Approach--Regulatory Vehicles Applying to Behavioral Advertising 1. The FTC--A Light Regulatory Touch 2. Congress--A Heavy Regulatory Approach 3. Across the Pond--A Different Approach III. IN SEARCH OF A REGULATORY MIDDLE GROUND A. Looking at the Benefits B. Looking Past the Perception in Search of a Solution 1. A Clarification of Law 2. A Consent Regime 3. A Review of International Approaches 4. A Consistent Policy 5. A Review of the Public Policy Hurdles VI. CONCLUSION I. INTRODUCTION

Like antibiotics, cars, and the microwave, the Internet has revolutionized the way people live. Over the last decade, the online community has become a day-to-day utility for the average person who, on any normal day, sends e-mails, makes calls, orders groceries, makes reservations, catches up on the news, and goes shopping. However, as technology becomes more advanced, the risks associated with it also increase. Laws must be carefully drafted to allow the continued development of technology while insuring that people are protected online. Policymakers who are fearful of the consequences of having personal information available online have made protecting that information a top priority. In their quest to limit information breaches online, government officials have recently focused on behavioral advertisements as the issue du jour. Behavioral advertising is a broad concept on the Internet, though, and defining what the government means by regulation in this space is complicated.

Deep packet inspection technology (DPI) is one technology platform that is being used to provide behavioral advertising to online customers. Some policymakers believe that this technology should be regulated became they are fearful that the technology grants companies too much access to personal information online. In particular, these policymakers have raised concerns with the use of this information for creating behavioral advertising profiles. (1) Responding to the lack of U.S. law dealing with behavioral advertising, congressional leaders in the 110th and the 111th Congresses held hearings in both houses to learn about the technology and the regulatory issues that surround it. (2) The first hearings began during the summer of 2008. No direct legislation came of those hearings, but the sentiment of policymakers signaled a commitment to focus on this hot-button issue. The commitment was honored as more hearings on the issue took place throughout 2009. (3) Despite the fact that, at the time of publishing, no legislation had been filed, the chairman of the House Subcommittee on Communications, Technology, and the Internet, Rick Boucher, continues to list privacy legislation that focuses on this issue as one of his top priorities. (4) While protecting the personal information of Americans online should be a top priority, it is equally important to consider how regulation in this area may affect the future of the Internet and how too much regulation may harm the consumer.

This Note asks how increasing regulatory barriers to limit online behavioral advertising could affect the consumer's experience online. To answer this question, this Note first looks at what DPI is, who uses it, and its purposes. Second, this Note discusses U.S. court decisions and policy decisions, as well as international business trials that relate to DPI and behavioral advertising practices. Specifically, this Note looks at the actions of the Federal Trade Commission (FTC) and Congress in responding to DPI. Finally, this Note proposes reforms for policymakers to consider as they continue to contemplate regulations for DPI.

The Internet is a terrific power for increasing wealth, knowledge, and communication. As the Internet continues to grow in day-to-day importance, regulations must be carefully drafted to ensure that online experiences are enhanced and not limited. Congress should not set a precedent by shutting the door to DPI because the technology seems to present privacy problems; instead, policymakers should recognize that there are benefits to the technology and create a light-touch regulatory environment where the technology--and others like it--can thrive and consumers can benefit.

II. DEEP PACKET INSPECTION TECHNOLOGY

Deep Packet Inspection technology provides Internet service providers (ISPs) with the ability to collect all Internet communications made by a consumer: Depending on how the technology is deployed, it may "monitor[], analyze[], and potentially manipulate[] Internet traffic." (6) DPI accomplishes these actions by "taking a magnifying glass to the individual packets of data that traverse the network." (7)

1. How Deep Packet Inspection Technology Works

   When DPI technology is deployed, it first collects the information that consumers view online. To do this, DPI collects packets. On the Internet, packets combine to create online communications such as "Web browsing, e[-]mail, [V]oice-over-I[nternet] P[rotocol] (VoIP) phone calls, peer-to-peer ([P2P]) file transfers, [and] online gaming," among others. (8) Frequently, packets are analogized to an envelope containing a letter. (9) Like a letter, the packet includes a message or "a 'payload,' which is the actual data inside the packet ... and a 'header,'" which is similar to an envelope that can direct the packets to the correct recipient. (10) Normally, routers throughout the system read the header information and, like a post office, determine where the information should be sent--a process called "shallow packet inspection." (11) Shallow packet inspection does not look at the contents of the packet; instead, it acts as a mechanism to move the packets where they need to go. Because shallow packet inspection is only a routing mechanism, it does not expose personally identifiable information (PII) embedded in a message, and communications are virtually anonymous. (12) DPI, however, looks past the "header" to the "payload," where detailed information regarding the message that the consumer is trying to send is located. (13) Depending on the technology, the payload information that it reads varies. Narus DPI technology, for example, claims to have the capability to "look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble e-mails as they are typed out by the user." (14) However, application analysis or "network intelligence" is a less intrusive and more basic use of DPI. (15) This type of analysis looks at the application or protocol signature to see what type of application is being used. (16) Network intelligence analysis provides detailed accounts of the number of consumers surfing the Web, downloading content, utilizing VoIP, participating in P2P technology, or even distributing a virus at any given time. (17) Currently, DPI provides information about the online tendencies of Internet users, by reviewing search engine queries, recognizing trends with the frequency of consumer Web site visits, and recording the types of applications that consumers are using online. (18)

2. The Many Pieces of the DPI Puzzle

   The original motivation for DPI technology was to prevent online security breaches. (19) Primarily, the technology was invented to minimize the harmful effects of Internet viruses by intercepting malicious programs before they reached end users. (20) Private and commercial networks used DPI's ability to read packets at the application level to offer high-level protection by monitoring the transmission of programs. In addition to ensuring personal security, DPI has been used by law enforcement to conduct surveillance over ISPs and to comply with the Communications Assistance for Law Enforcement Act (CALEA) requirements. (21) Recently, the technology has worked to stop copyright infringement violations. In January 2008, AT&T announced that it would notify the copyright holder if it detected an infringement occurring on its network. (22) At that time, AT&T further stated that the company would go as far as to block service to customers if it detected that those customers were transmitting "illegally obtained copyrighted works" over its network. (23)

   DPI has also been used to manage networks and tier service offerings. The technology became the focus of an FCC Order in 2008 when Comcast used it to recognize P2P file sharing on its network and degrade service to customers who were participating in those types of communications. (24) The FCC reacted to Comcast by forcing it to discontinue use of those management techniques. (25) Comcast appealed the FCC decision in September 2008 on the grounds that the FCC lacked authority to regulate in that area. (26) On April 6, 2010, the D.C. Circuit vacated the FCC decision in favor of Comcast holding that the FCC does not have jurisdiction in this area. (27)

   Like Comcast in the United States, broadband service providers abroad use DPI to manage networks and tier services. Tiering allows ISPs to sell heavy users more bandwidth capacity while allowing smaller bandwidth users to save money by purchasing less capacity. (28) Already, this practice is common in the United Kingdom where services like PlusNet sell broadband accessibility by the gigabyte and pair routers with varying degrees of capacity to the type of bandwidth the user purchases. (29)

3. The Issue du Jour--Behavioral Advertising

   Behavioral advertising has recently risen in the public spotlight as another major way that DPI technology is used. Behavioral...