No, they are worlds apart.
If those with a little technical knowledge don’t protect the ignorant internet user, who do you expect to do it?
A website can choose to host a script which shares its visitors’ data with an advertising network.
With the ISP model, the website no longer has a choice. Those who do not want to share their visitor data can only partially protect that data by using ssl. Those websites who already have an agreement with an ad network are now also, without any choice, supplying their data to the ad network that the ISP is working with. The only way non-ISP ad networks and their website partners can protect some of the data they collect is by going the ssl route themselves.
It is not only the individual who needs their data protected. The data businesses collect about their visitors and customers is exceedingly valuable data to that business and the last thing any business can afford is for some snooping ISP to help themselves to that data and pass it to rival businesses, just so that the ISP can add an extra pound of flesh to its revenue stream.
When a website hosts the script from an ad network it is easy to block those scripts and the cookies they leave. Even the non-cookie tracking can easily be blocked.
When the ISP hosts the script neither end of the communication has any say about what is happening in the middle.
There are lots of snooping manufactures. Even well known network names like Alcatel-Lucent and Cisco use them. All claiming innocence because they don’t collect your name and address.
This does have nothing to do with advertising and everything to do with snooping. Educate yourself and then protect yourself and help protect the rest of the world.
As for your Google comment: if you are not happy with Google giving you a free tool to search the web in exchange for allowing them to earn advertising revenue, stop using Google. There are plenty of other businesses to choose from. Your choice.
There is no such thing as a free lunch. Even soup kitchens have someone paying for them.

nym didn’t strike me as being Kent at all

In fact, he struck me as being making some eminently sensible points about the contrast between BT (behavioural tracking, not the ISP) per se, and the Phorm DPI approach as an implementation of this.

For me, BT breaks into two separate parts; the collection of information to create a personal profile of the web user, and the serving of ads to that web user based on the profile.

nym seems to be arguing that pretty much all collection techniques are an invasion of privacy, so irrespective of whether we like or don’t like internet ads, or don’t care either way, we, and particularly TBL, ought not to like ads served on the basis of BT. I’ll buy that.

But I think I know why TBL made the distinction he did; the collection mechanism enshrined in the unpreventable, unknowable[1] man in the middle approach of DPI embedded in the ISP’s system is an order of magnitude worse than collection at the website end, so it’s important that it be stopped without confusing the issue about whether advertising, BT or not, is a good thing or not.

And we certainly do not want the big guns like Google weighing in if the issue is seen as BT, which Google now seem set to do, winning their case, and thus letting the pernicious DPI providers of BT slide in under the radar with them.

Nonetheless, like nym, I’m unhappy about BT in any form, and I have already voiced my unease on BadPhorm (http://www.badphorm.co.uk) that a couple of things I thought we had a beef with Phorm about, namely needing to opt-out, rather than opt-in, and to maintain an opt-out cookie to keep thing so, are not being objected to when Google do them.

And even though Google are not a physical man in the middle, As DPI techniques are, you can argue that they are a man in the middle if they stick around once your conversation with a website gets going, even if the website lets them; it’s kind of like the old days when telephone calls had to be connected manually by the operator, and as if the called party secretly said the the operator ‘Hey, it’s OK, you can keep listening in’.

But then I don’t think that Google’s new approach is any more obtrusive than using tracking cookies in the first place; it’s the same collection mechanism they’ve been using for a long time past, so all they are doing new is using that info to shape the serving of adverts.

And I don’t like being tracked, and I use countermeasures against it. Because at least I can.

But no, we mustn’t let Google get away with this unregulated. If I was a conspiracy theorist (which I’m not) I might postulate that Google secretly started NebuAd and Phorm so Google could threaten us with something so bad that what Google want to do seems benign by comparison

But I actually think NebuAd and Phorm did that for Google without even being asked; and we mustn’t breathe a sigh of relief that Google are ‘only’ proposing what they are proposing.

[1] The proponents of DPI say they will let you opt out, and they tell you the limits of what they are doing. For now. Allegedly. But since both Phorm and NebuAd conducted stealth trials, with some ISPs conniving at this also, would you trust any of them further than you could throw them?

>I have a relationship with a web site, and they implicitly gather
>information about my visits there. How they choose to use that data
>and whom they choose to sell it to is a matter for me to
>work out with them

This argument should be about privacy not technology.

I completely fail to see why a banner ad on a web site gathering behavioural data is any different than an ISP.

Don’t like the web site/ISPs practices – vote with your feet.

Don’t want to be monitoring? Don’t opt-in to the ISP behavioural monitoring, or opt-out of the web site’s behavioural monitoring.

The problem is that the technologists are looking at this through a technologists eyes, not realising that the vast majority of web users have no idea what web sites *OR* ISPs might do with their data. The privacy requirements are exactly the same.

I notice you haven’t commented at all on my proposals for privacy – you’ve just focused on Phorm… Not a Google employee, perhaps, are you?

@Mossop – I was aware, though I didn’t draw direct attention to it. You’re right though, I’m sure it’s a point that many people had top of mind.

@Nym – Is that you, Kent? Whoever you are, you’re strawmanning something fierce, and equivocating in ways that Kent did. I have a relationship with a web site, and they implicitly gather information about my visits there. How they choose to use that data and whom they choose to sell it to is a matter for me to work out with them, and there I *do* have substantial ability to vote with my feet. I don’t have the same expectation from my ISP. They are, by definition, a common carrier that I expect to move my traffic without trying to monetize its private contents, just like I expect the phone company not to listen to my calls in order to sell my data to bulk mail operations.

If you’re not Kent, you may be gratified to know that the CEO of Phorm was making very similar attempts to equivocate site ad campaigns with ISP-level surveillance, in the name of saving our poor journalistic institutions, who need stronger ad revenue to survive. The appeal to the virtue of journalism was emotional sleight of hand, and the equivocation with web site ads (which *someone* in the consumer-supplier relationship has control over) was transparently silly.

If there’s value here, make it opt-in and let the market decide. The frailties of opt-out mechanisms (multiple browsers, multiple machines, multiple physical connection locations) are all okay in the opt-in case because the default is that my privacy is protected, rather than the default being that surveillance persists. If I do break the opt-in, I ought to notice the drop in relevancy and take steps to restore it. Informed, opt-in consent makes this a much less pernicious technology.

He simultaneously says that he doesn’t want the fact that on the Web he looks for or reads information on a particular medical condition to reach his insurance company, but then in the next breath says that he has no objection to targeting of advertising based on behaviour and says it’s gathering data from the Internet net pipes that he objects to. He seems quite confused about what he objects to.

I think we need to approach this from a privacy point of view, rather than from a technology point of view, because that approach is causing the confusion and won’t end up with our privacy being protected.

I would like to see a regulator who could:
- enforce a set of privacy requirements on companies that gather Internet behaviour (regardless of whether it comes from browser plugins, ISP boxes, search engines, advertising)
- informed consent before behavioural data is gathered, however I recognise that many companies cannot meet this requirement easily (see recent Google announcement of an opt-out regime).
- no means no – if I opt out, there should be no data collected on me, not even anonymised data
- compulsory breach notification, even of so-called anonymised data
- right of audit by the regulator
- requirements for privacy impact assessments to be conducted by qualified third parties

All this talk of snooping makes good headlines, but there’s “snooping” going on at the browser, the banner ad and the web apps and it’s not going to be helpful if DPI-based behavioural targeting is somehow outlawed but those who gather behaviour from the browser, from the banner advert or from the web application are allowed to continue without being reined in.

I also believe that your comment that even if Phorm’s processes are iron-clad, other companies may not be, therefore let’s outlaw the entire practice, to be an example of the muddled thinking and one that we couldn’t apply in any other area of commerce. It’s actually an argument for regulation, strong regulation, based on a standard equivalent to whatever iron-clad processes everyone agrees on.

As to your “legislating technology”: There’s an easy resolution to your apparent inner conflict: There’s no need in legislating technology itself, but in setting the base rules. German Supreme Court (Bundesverfassungsgericht, judging about constitution) has ruled in the 1980s, inferred from basic “human dignity” that data about me is *mine*, my property, no matter who collected it how or stores it, and I have the right to decide what happens with it. It’s a very simple rule, and one that I seems natural and I feel is inherently right. Given that it’s so basic and natural, it can set rules for many questions which otherwise provide a moral dilemma. It also doesn’t legislate technology itself, merely what parties are allowed to do in general.

Based on that rule, Phorm would be illegal (as opt-out), but automatically inspecting packets and sorting them based on HTTP vs. BitTorrent (irregardless of ports used, but packet headers) would be fine, as long as that information is not stored nor other legal stakes impacted.

I think that rule “data about me is mine” is so fundamental, natural and universal that it should apply world-wide.

FWIW, Universal Declaration of Human Rights http://www.un.org/Overview/rights.html
Article 12.
* No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.