In addition, ISPs, which already are saddled with a requirement that they comply with a 1994 federal wiretapping law called the Communications Assistance for Law Enforcement Act, or CALEA, are feeling increased pressure from the federal government to configure their networks so they are able to quickly assist monitoring activities by law enforcement agencies, Ohm said.
Several existing laws, including the Federal Wiretap Act and the Pen Register Act, would appear to address many of the potential monitoring activities that concern Ohm. But the laws "are full of confusing ambiguities," he said. "I think the ISPs are interpreting these laws not to apply" -- at least to some of the monitoring plans that companies have proposed.
One area in which those laws could be misinterpreted to the advantage of ISPs involves the issue of user consent, said Alissa Cooper, chief computer scientist at the Center for Democracy and Technology in Washington.
According to Cooper, communications privacy laws prevent ISPs from engaging in many kinds of user monitoring except under certain situations, such as for network security purposes or when they have gotten explicit consent from users to do monitoring. In general, the Federal Wiretap Act would apply to behavioral advertising programs and require ISPs to get the "express informed consent" of users for monitoring activities, she said.
But, Cooper added, what hasn't been tested in court yet is whether the implied consent that a user might give to such monitoring when agreeing to a privacy statement is the same thing as clear and informed consent on the user's part -- or whether it could be interpreted that way.
The problem is compounded by the fact that user expectations are much different when dealing with ISPs than they are when dealing with companies such as Google, Cooper said. Many users might assume that they're being given a greater degree of privacy protections by ISPs than is actually the case, she noted.
John Pescatore, an analyst at Gartner Inc., said that in at least some cases, ISPs potentially have more visibility into user activities on the Internet than companies such as Google do.
Pescatore added, though, that communications laws aren't the only thing that ISPs interested in doing more monitoring would need to contend with. In many cases, he said, companies would have to invest substantial amounts of money to install the kind of deep-packet inspection, filtering and analysis technologies that are needed to monitor user activity on a scale that makes commercial sense.
And just because ISPs could do monitoring doesn't mean it would always make financial sense for them to actually do so, especially in light of the potential legal issues they could find themselves mired in, Pescatore said. In contrast, Google and other online advertising vendors have no such legal constraints in place yet ? and, as such, have been operating in a manner that poses a far greater risk to online privacy, he said.
Sign up for Computerworld eNewsletters.