Privacy Commissioner should investigate ISP web surveillance: CIPPIC

The following press release is from CIPPIC. For people wanting to learn more about these harmful activities, they may wish to listen to recent Security Now podcasts: 149: ISP Privacy, 151: Frakking Phorm, 153: Bad Phorm.

OTTAWA – The Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa, Faculty of Law, has asked the Office of the Privacy Commissioner to open an investigation into the internet service provider (ISP) industry’s controversial new practice of profiling users online to target them with advertising.

Using Deep Packet Inspection technologies, Canadian ISPs may soon start sorting through everything a user does online and compiling profiles about them in order to sell for targeted advertising purposes. The practice, known as behavioural targeting, is growing across the United States and the United Kingdom.

“Behavioural targeting raises a number of serious privacy concerns and may violate federal privacy laws.” said CIPPIC Director Philippa Lawson. The CIPPIC analysis concludes that behavioural targeting by ISPs likely violates the Personal Information Protection and Electronic Documents Act (“PIPEDA”), alleging that ISPs engaging in the practice often fail to provide sufficient notice to users, do not obtain meaningful consent from users, and do not offer users effective ways to control such uses of their personal information.

Behavioural targeting has generated controversy in the United Kingdom and the United States. The U.S. Congress recently held hearings on the topic and is considering passing legislation or issuing guidelines about the practice for industry self-regulation.

“Most users are not comfortable with the idea of being followed around online,” said CIPPIC Staff Counsel David Fewer. “Canadians would be surprised if their ISP not only started profiling them for its own purposes, but used that information to sell advertising.”

Along with the call for an industry-wide investigation regarding behavioural targeting, CIPPIC filed company-specific privacy complaints against Rogers Communications Inc., Shaw Communications Inc. and Eastlink Inc. for their use of Deep Packet Inspection in the context of “traffic-shaping”, another controversial ISP practice that is currently the focus of another CIPPIC complaint against Bell Canada (as well as a CRTC proceeding initiated by the Canadian Association of Internet Providers against Bell Canada).

- 30 -

For more information, see under “CIPPIC News” or “Projects – Privacy – PIPEDA complaints”.