In 2008, when several network operators began experiments with behavioral advertising firms NebuAd and Phorm, privacy advocates cried foul, arguing that network operators should never be allowed to monitor traffic for advertising purposes because the threats to privacy are too great. In testimony before the U.S. Congress, some network operators retorted that what certain network operators and NebuAd proposed to do is similar to what large Internet advertising networks already do when they plant cookies on users’ terminals to track behavior. Why should network operators be held to a different standard than advertising networks at the edge of the network?
Everyone agrees that monitoring online behavior can constitute a serious violation of privacy, and that user consent is critical. But what kind of consent: opt-in or opt-out? In Europe the recently amended e-Privacy directive appears to require an opt-in regime for cookies, but many wonder how an opt-in regime can work in practice. The 2008 NebuAd and Phorm turmoil did not focus on consent but on whether behavioral advertising can ever be done by network operators, regardless of the users’ consent. For some, it is unthinkable that network operators could get into the behavioral advertising business, regardless of the safeguards put in place.
One of the telecom operators who experimented with NebuAd in 2008 was sued in federal court for illegally monitoring user traffic. Users brought a class action for illegal interceptions and invasion of privacy. On December 13, 2010 a U.S. District Court in Montana held that users of the network had consented to the operator’s use of NebuAd monitoring technology. The court found that the operator "gave Plaintiffs specific notice of when the NebuAd Appliance trial would commence and provided a link for its customers to opt out of the NebuAd Appliance if they so chose." It is not clear in the decision whether users got individual e-mails, or whether the specific notice was only posted on the operator’s website.
The court held that user consent adequately covered the monitoring activities, but that the consent may not have been sufficiently broad to cover alleged modifications made to users’ computer settings by the cookies sent by the NebuAd appliance. The court therefore allowed these issues to go to trial, while dismissing most of the other claims against the network operator.
The NebuAd case focuses the debate on whether valid consent was given or not. In France there are debates about whether ISPs may in some circumstances block certain kinds of content. Staunch net neutrality advocates argue that operators should under no circumstances be allowed to monitor, slow or block certain content, unless they are ordered to do so by a court. But in fact there are other circumstances where operators can legitimately monitor traffic: reasonable network management of course, but also cases where the user has unambiguously consented. If adequate consent is given, operators could install tools to limit access to certain content, or even propose discounted Internet subscriptions for users who agree to be monitored for targeted advertising purposes. In Europe, this kind of regime already exists for location-based services provided by mobile operators: operators are allowed to use precise location information generated by their network to provide value-added services to subscribers, as long as the subscribers consent in advance and have an easy way to opt out.
In the context of the current focus on improvements to privacy protection, adequate safeguards need to be put in place to ensure that the tools installed by operators are not misused, and do not collect or store any more data than is necessary. Data minimisation and anonymisation are key, and can be achieved through privacy by design.
The NebuAd case confirms that there need not be any distinction between a network operator and a service provider at the edge of the network providing targeted advertising. In both cases, there exist potential privacy risks for the user. The key issue is what kind of consent is sufficient for these potentially invasive monitoring tools to be used, and what kind of privacy protections should be integrated into the technology through privacy by design.