Even though Congress has growled loudly enough to get Internet service providers to back off their plans to sell information about their customers’ Web surfing to advertising companies, one prominent legal expert argues that the law governing the issue should still be made tougher.

The issue was examined in a new paper, “The Rise and Fall of Invasive ISP Surveillance”, by Paul Ohm, a former Justice Department official who now is a professor of law at the University of Colorado.

Mr. Ohm argues that the prospect of Internet service providers using new technology to monitor what their customers do online is a grave threat to privacy.

Because ISPs pose such a high risk of terrible harm to so many people, and because of the unmistakable signs that things are getting worse, they must be regulated.

For now, Internet providers in the United States have put on hold plans to sell customer surfing information to ad companies. Several congressional committees held hearings on the topic, providing a forum for a number of senators and House members to indicate their displeasure at the concept.

Indeed, NebuAd, the company that was behind most of the advertising systems set to be used by Internet providers in the United States, has in effect put that business on hold. Robert Dykes, its chief executive, quit to become chief financial officer of VeriFone.

(Phorm, which is working with big Internet providers in the United Kingdom, says it is plowing ahead with a test with 10,000 customers of BT. But its plans have been subject to delays and questions about an earlier trial with BT that was not disclosed to customers.)

Mr. Ohm argues that the regulatory issues are still relevant because the Internet providers still have a strong incentive to seek money from advertisers to supplement their monthly fees.

The Electronic Communication Privacy Act, a 1986 law originally meant to keep telephone companies from listening to the calls of their customers, probably applies to some of these Internet monitoring schemes, Mr. Ohm writes. If a court determined that the browsing history of an Internet user represents the “contents of communication,” it could be construed as wiretapping, he wrote. Wiretapping, under the law, is a felony and also is a cause for civil action.

Even if a list of sites visited isn’t called content, he argues the companies still fall under another part of the act that bans the collection of “pen register” information, the list of phone numbers called by a given line, and other data used for the routing of communications. Using that data, other than for a few specified purposes, is only a misdemeanor, however, and cannot be the basis of a civil lawsuit.

When I reached Mr. Ohm on the phone Friday, he said he was surprised that Internet providers had proceeded as far as they have with plans for these advertising systems.

“If I were a lawyer for an I.S.P., you have to err on the side of avoiding this sort of massive liability,” he said.

Nontheless, Mr. Ohm argues that the law is overly complex and ambiguous, and should be clarified. His article proposes simplifying the overall structure:

The new unified law should regulate all monitoring — without distinguishing between whether the monitoring is of content or not — provided it is monitoring of data “of or pertaining to a user, customer, or subscriber.”

He wants to make clear that Internet providers would be allowed to monitor customers to protect themselves, such as to track down a hacker. But that exception would need to be related to a specific incident. Routine and automated monitoring of customers, beyond the minimum needed to operate a network, would be banned.

Finally Mr. Ohm wants to make it much harder for customers to waive their protections by consenting to some boilerplate agreement. Internet users would need to authorize the monitoring of their surfing each time they use the Internet, under the standard he proposes.

Mr. Ohm said he is much more concerned with Internet service providers than with other Web companies, such as Google. Web sites, he said, have the ability to describe what they are doing with customer data on every page, although they may object to doing so. Consumers don’t really interact explicitly with their Internet providers once they set up a connection. Moreover, Internet providers have an unusually broad view of what customers read, buy, watch and listen to.

“Google doesn’t know what I do when I’m on MSN,” he said. “But your I.S.P. does. There is no hiding from your I.S.P.”