Regulation. Specifically, as I somewhat implied, business doesn't get to ask people to give up privacy, for similar reasons to why you can't ask people to sign contracts that give up various other important rights. Any alternative to this needs to bring along liability for anything that happens to someone's important privacy rights.
For ISPs, we already have a model that we should be using: common carrier. It may need adaption to the realities of ISPs, but the basic idea is that you get certain immunities if you only provide transit.
Dan Geer was talking about network neutrality, but I believe his solution should apply to privacy as well when he explained[1]:
Channeling for Doctor Seuss, if I ran the zoo I'd call up the ISPs
and say this:
Hello, Uncle Sam here.
You can charge whatever you like based on the contents of what
you are carrying, but you are responsible for that content if it
is hurtful; inspecting brings with it a responsibility for what
you learn.
-or-
You can enjoy common carrier protections at all times, but you
can neither inspect nor act on the contents of what you are
carrying and can only charge for carriage itself. Bits are bits.
Choose wisely. No refunds or exchanges at this window.
In other words, ISPs get the one or the other; they do not get both.