I would by no means argue with
celebrated law expert Paul Ohm
when he suggests that cable companies and other ISPs might be breaking
the federal wiretap law by doing deep packet inspection.
This was the recent news from a
Computers Freedom & Privacy.
I will leave it up to the lawyers to decide whether the wiretap law
was passed with the intent to keep providers from reducing traffic
that strains their bandwidth, or from complying with
requests from movie studios to prevent the unauthorized exchange of
first-run films. I’ll also let lawyers decide whether the ISPs are
shielded by exemption that allows them to protect their service.
But I can’t help observing that the same kinds of deep inspection that
Ohm decries (and that permits China and other governments to censor
content) is also used for spam and virus filtering. Superficial
traffic analysis could perhaps, someday, identify spam and viruses,
but it’s currently critical to check for the signatures of malicious content. Would
Professor Ohm like to personally handle the 2000% increase in email
he’d get if he forced his ISP to stop filtering?
On the other hand, I wonder whether web mail services such as Hotmail,
Yahoo! and Google would be guilty of wiretapping if they check
traffic. After all, they are not delivering traffic to another system
as Comcast is; they are terminating the traffic on their own systems,
where their users access it. I’d think they have a much stronger
defense, partly because the data is technically on their own systems,
and partly through the claim that they need to run filters to protect
these systems from viruses, or even just excessive traffic.
These dilemma suggest to me that the relationship between ISPs (or
mail service providers) and customers has to change, and perhaps that
the wiretap statute has to adapt. What we want is that most perplexing
of legal solutions: to screen out malicious behavior and impacts that
users don’t like, while leaving positive and desired behavior alone.
Many have called on providers to publish (at least in broad terms)
what kinds of filtering their doing, and to make it explicit parts of
their contracts with users. To extend this idea, users could
explicitly request what they want blocked.
It could be done on a fine-grained level; for instance, you could
implicitly grant your ISP a right to filter out Korean messages
(assuming you don’t understand Korean and consider the messages spam)
by checking a box on your service agreement that says, “Please block
anything containing Korean characters.” Or it could be done on a more
coarse-grained level, by granting your provider the discretion to look
Laws regarding notice and consent would make it harder for providers
to toss in practices that users don’t want. They could still do so by
insisting on it as part of their contracts. My suggestion is that we
revamp our philosophy about filtering. That would still leave the
difficult task of balancing adequate notice and consent with the need
of ISPs to respond with agility to every-changing conditions.