Cookies on Pinsent Masons website

Our website uses cookies and similar technologies to allow us to promote our services and enhance your browsing experience. If you continue to use our website you agree to our use of cookies.

To understand more about how we use cookies, or for information on how to change your cookie settings, please see our Cookie Policy.

Are ISPs about to betray our trust?

We hear from a US law professor who thinks that ISPs are in a position of unprecedented privilege and yet are preparing to invade our privacy for profit01 Oct 2008

A text transcription follows.

This transcript is for anyone with a hearing impairment or who for any other reason cannot listen to the MP3 audio file.

The following is the text spoken by OUT-LAW journalist Matthew Magee.

Hello and welcome to OUT-LAW Radio, the weekly podcast that keeps you up to date on all the twists and turns in the world of technology law.

Every week we bring you the latest news and in depth features that help you to make sense of the ever-changing laws that govern technology today.

My name is Matthew Magee, and this week we talk to a professor who says that creeping interference with our personal data by internet service providers poses the biggest threat to our privacy we have ever faced. He's got a solution to it, too.

But first, the news:-

Phone frauds will be denied premium numbers


Norway steps up iTunes action

Anyone who has abused premium-rate telephone numbers in the past will be barred from using the numbers again, telecoms regulator Ofcom has said.

Numbers beginning 070, 087 and 09 will not be available to anyone who has used phone numbers in the past to take part in scams, frauds or other dishonesty.

Ofcom said that it would publish lists of individuals and companies that have a history of using numbers that cause serious or repeated harm and refuse them the right to register numbers with higher than normal charges.

Ofcom will create two lists of people and companies who have been the subject of decisions by premium-rate regulator Phonepay Plus, the police or the Office of Fair Trading.

Apple will face action in Norway over the fact that its iTunes music shop sells tunes that cannot be played on devices that compete with Apple's iPod. The case has been referred to the Market Council, which can order companies to change their behaviour.

The Consumer Ombudsman has referred the case to the Market Council because it says that the restrictions are against the law.

"It’s a consumer’s right to transfer and play digital content bought and downloaded from the Internet to the music device he himself chooses to use," said Consumer Ombudsman Bjørn Erik Thon. "iTunes makes this impossible or at least difficult, and hence they act in breach of Norwegian law”, he said.

The Ombudsman first looked at the lock-in to iPods by the iTunes service when a complaint was registered by the Norwegian Consumer Council in 2006. A year later the Ombudsman ruled that the restrictions were illegal because it acted against the interests of consumers. Apple's Fairplay Digital Rights Management (DRM) technology prevents that on most tracks.

That was this week's OUT-LAW News.

There is an organisation that knows your every move – where you shop, what you buy, what you listen to, who you talk to, what you say, what you do for entertainment and where you go for information.

Does it sound like a vision from a dystopian totalitarian future? Or a particularly hammy sci-fi horror film?

Well, it's not – it's the present. Right now, for a generation that shops, socialises, reads and writes online, there is an organisation that knows all of this. It is your internet service provider.

Now the fact is that your ISP forgets much of this information as soon as it learns it. It won't actually store the content of emails you write on your webmail system, but it could, and increasingly ISPs are talking about using more of this information about what you do online so they can make money out of advertising to you.

One US academic has been looking into the phenomenon, he believes that ISP data gathering poses quite simply a massive threat to our rights to go about our daily business unobserved. University of Colorado Law Professor Paul Ohm says that we are on the brink of the most significant risks to privacy that most people have ever faced.

Ohm used to be a Federal Prosecutor in computer crime at the US Department of Justice looking at computers and privacy. He believes that there could be a way out, but first he told me about the papers he wrote which describes the looming problems we face.

Ohm: Historically ISPs have really kept their hands off their user's secrets. I don't know if it was necessarily law or ethics or what has kept them disciplined, but historically they have been pretty good on the privacy front. I think that there is a significant risk that a vast amount of privacy will soon be violated. Internet service providers (ISPs) have begun to look a little more closely at the communications passing through their facilities and they have been doing this for lots of different purposes and some this they have not started doing this they just plan to do. There is lots of threats from the revelation of what we do online and ISPs are in this unique position to know more about what we do online than anyone in the world, even Google. They're just in that unique choke point position.

Ohm says things aren't so bad yet, but that ISPs have plans to become much more invasive in the amount of information they gather or allow others to gather, and what happens to that data.

In the UK a storm has erupted over ISPs' plans to use technology from a company called Phorm, which looks at your surfing habits to show you supposedly more relevant ads. A similar outcry has greeted Nebuad in the US.

So why is this happening now? Ohm says that a combination of economics and technology has made ISPs feel that tracking is easier and more necessary than ever.

Ohm: Computer processors - which are the engines that allow them to basically wire tap - computer processors are getting faster at a rate more quickly than networks and so 10 years ago it was technologically pretty expensive for their computers to keep up with all this data flowing by them but now, 10 years later, the computers have more than kept up with the networks and they can do more cheaply, more efficiently. So that is the first important reason. The second important reason is because, at least in the US, ISPs have complained for 5 or 10 years that their business model does not work anymore. And so the ISPs have said for many years that they are at a financial crossroads and unless they find new forms of revenue they are just not going to be able to keep up with this consumer demand.

Ohm, a former network engineer, understands, though, that networks need to be monitored. He doesn't propose banning all monitoring, but he is wary of ISPs' claims that they need to look at everything.

Ohm: There are lots of legitimate reasons why ISPs need to monitor. And there are some legitimate reasons why they need to monitor deeply and so in the face of anyone who tries to place restrictions on an ISP's ability to use this kind of monitoring they will always be able to find a hundred technologists who will say 'we can’t allow an operating network unless we allow to monitor deeply'. The claim that we must monitor more otherwise the internet will crash is overbroad. There has to be more nuances to any answering, whenever a network rngineer or technologist says that to me, I push them and I say 'okay, tell me the types of information you want to scrutinise and tell me how they are related to one of these goals you are talking about'.

So what should be done? Clearly what is needed is a dividing line between what ISPs should be allowed to monitor and what they shouldn't. Quite by accident, Ohm says, one exists. A technical protocol in Cisco routers - called Netflow – could be exactly what is needed as a starting point deciding what information should be monitored to keep a network healthy

Ohm: This protocol allows providers to have access to quite a bit of information about what we do, but it through away much more than it keeps. And so in a strange way this protocol which was not created with privacy in mind strikes a pretty good balance between protecting your network and providing privacy. By default it forgets things like the URL you type into your website, the content of your e mail messages, even the to and from line of your e mail messages and it keeps only a very limited class of information and so when the guys say in the paper is why don’t we take that protocol, it is called Netflow, and why don’t we use that as the first draft of a policymakers view of this particular problem. Maybe the providers will say 'well, Netflow is okay, but we need one of two more pieces of information' but it is at least a good start for drawing a nice firm line instead of some vague fuzzy standard.

There are laws against surveillance, though. US wiretap law limits what companies can do in relation to US citizens’ information. Ohm thinks these could have a welcome side effect.

A debate rages in the US about whether ISPs should be allowed to charge content producing companies more for a faster connection into customers' houses. Those who oppose that move and say that a customer pays an internet access bill for equal access to the whole internet say they are arguing for net neutrality. Here, says Ohm, privacy laws can help.

Ohm: Anytime a provider wants to discriminate between a packet and another packet, they first need to know something about those two packets. They first need to scrutinise or surveil those two packets and so there is a tight connection, I argue, between privacy law and net neutrality. The idea is if there is a law that prohibits certain types of scrutiny that very same law, quite accidentally, will also prohibit certain types of discrimination.

Ohm's main concern remains user privacy, though. It is a vital issue, he says, and allowing ISPs to profit from greater surveillance would undoubtedly harm internet users.

Ohm: Then you have got greater concerns when we are talking about the always on, always present collection of information about you. That will begin to do lots of things, like affect your behaviour because you know you're being watched and when your ISP collects information about you any level of detail there is a risk that that can be used against you. We can all think of examples in our life of something embarrassing or worse that we hide in our web surfing traffic or that we would like to hide in our web surfing traffic, that if revealed would cause us great and embarrassing harm.

That's all we have time for this week, thanks for listening.

Why not get in touch with OUT-LAW Radio? Do you know of a technology law story? We'd love to hear from you on Make sure you tune in next week; for now, goodbye