U.S. lawmakers plan to introduce privacy legislation that would limit how Internet service providers can track their users, despite reports that no U.S. ISPs are using such technologies except for legitimate security reasons.

Representative Rick Boucher, a Virginia Democrat, and three privacy experts urged lawmakers Thursday at a hearing before the House Energy Commerce subcommittee to pass comprehensive online privacy legislation in the coming months. Advocates of new legislation focused mainly on so-called deep packet inspection (DPI), a form of filtering that network operators can use to examine the content of packets as they travel across the Internet.

While DPI can be used to filter spam and identify criminals, the technology raises serious privacy concerns, Boucher said. "Its privacy-intrusion potential is nothing short of frightening," he added. "The thought that a network operator could track a user's every move on the Internet, record the details of every search and read every e-mail ... is alarming."

Boucher, chairman of the House Subcommittee on Communications, Technology and the Internet, said he plans to introduce a privacy bill for online users. That legislation could possibly prohibit DPI for use in behavioral advertising and other uses not related to security or network management, he suggested.

Officials with Free Press, the Center for Democracy and Technology (CDT) and the Electronic Privacy Information Center (ERIC) all spoke in favor of online privacy legislation. "In our view, deep packet inspection is really no different than postal employees opening envelopes and reading letters inside," said Leslie Harris, president and CEO of CDT. "Consumers simply do not expect to be snooped on by their ISPs or other intermediaries in the middle of the network, so DPI really defies legitimate expectations of privacy that consumers have."

Comcast and Cox Communications, both cable-based broadband providers, have experimented with using DPI in conjunction with behavioral advertising, but panelists at the hearing said they knew of no U.S. ISP now using DPI that way. However, there are about a dozen companies offering DPI services to ISPs, said Ben Scott, policy director at Free Press.

With ISPs staying away from DPI, Congress should let ISPs self-regulate, said Kyle McSlarrow, president and CEO of the trade group the National Cable and Telecommunications Association. "Any technology can be used for good purposes and for bad," he said. "We recognize that no one would want us looking at the communication in e-mail. We don't particularly want to do that."

The technology is changing so rapidly, it may be difficult to draft appropriate legislation, he added. "There are new models being created," he said. "It's fairly hard to freeze, in one point and time, a fairly immature marketplace. We should allow industry and all stakeholders to try to work together ... come up with self-regulatory principles that protect consumer privacy."

Some Republicans on the subcommittee also questioned whether legislation should be targeted only at ISPs. "Our focus should ... look at the entire Internet universe, including search engines and Internet advertising networks," said Representative Cliff Stearns, a Florida Republican. "Consumers don't care whether you are a search engine or a broadband provider; they just want to ensure that their privacy is protected."

Privacy advocates also urged lawmakers to go beyond rules that would force ISPs to get opt-in permission from customers before tracking their online activities. In many cases, customers don't completely understand what they're being asked to opt into, said Marc Rotenberg, EPIC's executive director.

"I don't think [opt-in] is sufficient because it won't be meaningful unless consumers understand what data about them is being collected and how it's being used," he said.