Cable One's Privacy Gaffe

When privacy advocates first said that ISPs might be violating federal wiretap laws by selling information about users' Web activity to behavioral targeting company NebuAd, the company said it always obtained users' consent to the tracking.

Or, more precisely, NebuAd said it allows users to opt out of receiving targeted ads. Many advocates questioned whether deploying tracking technology by default and putting the burden on users to opt out really satisfied the requirement that users consent, but at least NebuAd could say with something of a straight face that people had some choice in the matter.

But now it's come out that at least one ISP, The Washington Post Company's Cable One, didn't even give subscribers that option. In response to a Congressional inquiry, Cable One said it didn't allow users to decline to participate in a recent test of NebuAd's platform.

Letting users opt out of tests of new technology "would stifle our ability to test new technologies that have the potential to offer significant benefits to our customers," the company told Congress. Instead, Cable One went ahead and allowed NebuAd to deploy its technology to track the Web activity of 14,000 cable modem subscribers in Anniston, Ala. for six months.

Cable One justified the failure to let users opt out by saying that subscribers knew the company might spy on their Web activity when they signed up for broadband because the acceptable use policy mentions that the company may occasionally monitor "bandwidth, usage, and content."

Of course, even if it's true that subscribers read the fine print in the acceptable use agreement and knew that Cable One might be watching them online, they still didn't know that Cable One would sell their clickstream data to NebuAd. And, even more important, they had no way to opt out of it.

NebuAd didn't collect names, addresses or other personal information, but industry observers ranging from privacy advocates to the FTC still say that people still should have some say over whether they're tracked for ad-serving purposes.

Other companies to test NebuAd didn't do much better. CenturyTel, Embarq and Knology are among those who buried news of the test in obscure language in their privacy policies, but at least subscribers had the chance -- remote though it was -- to learn about NebuAd and opt out. The companies might, arguably, have followed the letter of privacy principles, if not the spirit.

But Cable One didn't follow either the letter or spirit of well-established online privacy principles. And it arguably violated federal wiretap laws. It wouldn't be at all surprising if lawyers soon descended on Anniston, Ala. in search of plaintiffs for what might become the first lawsuit triggered by NebuAd.

Recommend (1) Print RSS