FTC Workshop Asks About Deep Packet Inspection, Harms of Comprehensive Data Collection
The Internet is getting closer to delivering highly personalized user experiences, and the FTC wants to learn more about the technologies used to track and target users, Commissioner Julie Brill said. She opened the agency’s Thursday workshop on data collection practices. At the session, other participants asked that the agency focus on use of such consumer data and not its collection. “We need to find out more about how to differentiate the data collection capabilities of different technologies, or even whether differentiation is appropriate,” Brill told the audience of technology lawyers, Internet association employees, public interest group staff and other stakeholders.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The FTC wants to learn about deep packet inspection (DPI), which could “potentially be used to amass information about consumers’ every move online,” Brill said, asking whether DPI should face more restrictions or require higher levels of consent. Stakeholders have responded to that question with varied answers, she said: Public interest groups say DPI “severely threatens consumer privacy” because it can be done by Internet service providers, who “serve as the gateway to the rest of the Internet.” ISPs say DPI doesn’t have tracking capabilities that exceed those of cookie-based technologies, Brill said. “Do these technologies fall in a continuum” in terms of their data collection capabilities, she asked: The question must be considered with “the context of the transaction and the relationship with the consumer.”
Online data aggregators have the technological capabilities to deliver completely personalized Internet experiences for each user based on profiles they construct through data collection, Brill said. They're waiting on industry and regulators to “figure out the privacy rules,” she said.
Brill is concerned that profiles about Internet users based on data collection “can be used to harm them at work and in their financial lives,” she said. She’s “equally concerned that consumers are unaware” of the data collection practices of these “entities that run in the background” of users’ devices, she said. If consumers are unaware, they can’t exercise their rights to the data or address any incorrect information, Brill said.
Despite numerous hearings, this Congress hasn’t gotten very far with online privacy issues, FTC Commissioner Maureen Ohlhausen said later in the workshop. “This may reflect the fact that there really isn’t a clear agreement” on how online data collection affects consumer harm and how to best address those harms, she said. Last month’s election changed the landscape for privacy issues in Congress, she said, citing the departure of Reps. Mary Bono Mack, R-Calif., defeated in the general election, and Cliff Stearns, R-Fla., who had lost his primary race.
Ohlhausen said she preferred “a technology neutral approach that focuses on the impact on consumers” and one that provides consumers with more information and choice. Echoing Brill, Ohlhausen stressed the importance of context when considering data collection and use. “Context can be quite nuanced, and we really need flexibility,” Ohlhausen said. When the commission issued its privacy report earlier this year, “we didn’t want to be locked in to specific types of uses,” she continued.
Comprehensive data collection has noticeable benefits to consumers, said Michael Altschul, CTIA senior vice president-general counsel. Among other things, data collection allows companies to provide more relevant experiences, including ads, to consumers, he said. Additionally, data collection “makes information visible that hasn’t been visible,” such as aggregated Google search terms, he said, pointing to an example where search trends indicated when a region is going to experience a flu outbreak. Regarding DPI, Altschul said the practice isn’t as invasive as it may seem, because “all of us routinely use lots of different service providers” when at home, at work, on a number of mobile devices and such. “We really shouldn’t fall in the trap of looking at particular technologies or techniques,” he said, but instead focus on the effects of data collection on consumers.
"We should be careful not to demonize the technology,” said Markham Erickson, executive director of the Open Internet Coalition and general counsel of the Internet Association. Instead, he said, “it’s necessary for us to focus … on what harms we're seeking to address.” Focusing on data collection would be “almost an impossible task,” he said, because each online service needs to collect “wildly different” information. Erickson and Altschul said privacy by design is prevalent, in their experiences. CTIA members “have incorporated the privacy-by-design concepts and they do have privacy policies,” Altschul said. According to Erickson, having privacy concerns “fully integrated with the product” is now “the norm, especially with the bigger Internet platforms."
Once information is collected, it will be aggregated, said Electronic Frontier Foundation Senior Staff Attorney Lee Tien. Because of business incentives to collect as much information as possible, “the data that is collected about people is going to tend to aggregate together” unless there are strict silos keeping portions of the data apart, he said. Rather than focusing on collection, policies could focus on retention, and require that data collectors “discard or destroy the data once it has been used for the original purpose,” he said. Tien suggested the use of anonymous data, which “perhaps can allow for advertising without compromising the identity of the individual.”