Deep packet inspection under assault over privacy concerns
By Nate Anderson | Published: May 12, 2008 - 12:03PM CT
Add the Canadian Internet Policy and Public Interest Clinic (CIPPIC) to the list of groups concerned about the privacy implications of widespread deep packet inspection (DPI) by ISPs. CIPPIC has filed an official complaint with Canada's Privacy Commissioner, Jennifer Stoddart, asking her office to investigate Bell Canada's use of DPI (and we're flattered to be quoted as an expert source in the complaint). In addition, the group would welcome a wider investigation into possible DPI use at cable operators Rogers and Shaw, as well.
In writing up this morning's announcement of a massive new 80Gbps DPI appliance from Procera Networks, I noted that privacy concerns were one of the storm clouds in DPI's bright blue skies. Because DPI can drill down into packet headers and then further into the actual content being pumped through the tubes, it raises all sorts of questions from privacy advocates concerned about the easy collection of private personal information. Current gear is so sophisticated that it can reconstitute e-mails and IM conversations out of asymmetric traffic flows and it can essentially peek "under the hood" of any non-encrypted packet to take a look at what it contains.
Bell Canada's use of DPI gear has now ensnared the company in a pair of government actions over net neutrality concerns and privacy. Bell, apparently sensitive to such concerns, has made clear in its own responses to the network neutrality proceeding that its DPI gear looks at packet headers and traffic flows as a means of identifying various applications and protocols. Bell does not use DPI to actually peer at packet contents, however. "The content itself is not actually reviewed, analyzed or stored," Bell says.
But that's not good enough for CIPPIC, a group based at the University of Ottawa. Canada, like many European countries, has fairly strict rules about collecting and using personal data, and CIPPIC points out that "data packets gathered by ISPs through the use of DPI are (or can be) associated with identifiable subscribers via the IP addresses attached to those data packets."
CIPPIC seems to be making the case that IP addresses can be personal information (especially when linked a list of visited websites or to particular searches that can be gleaned from search engines with a subpoena). This fits with a recent recommendation from the top data privacy working group in the EU, which said that IP addresses should be considered personal information for precisely these reasons.
But even if what Bell is doing now passes muster, CIPPIC is worried about the widespread installation of gear that can so easily be used for other things. "The evidence is clear that DPI technologies permit the collection and use of personal data about internet subscribers," says the complaint. "If Bell is somehow able to limit the data it inspects via DPI to non-personal data, we remain concerned about the longer term viability of any such limitation, and the pressure on Bell (and other ISPs) to use DPI to distinguish among traffic in ways that necessarily involve the collection and use of personal data."
How else could Bell control traffic on its network? CIPPIC has some ideas, first among them "invest in more infrastructure to accommodate the additional demand generated by P2P traffic." But if that's not feasible, the group suggests other ways to control traffic that don't rely on widespread collection of personal information or on discriminatory throttling:
Set limits on the amount of data per second that any user can transmit on the network
Set dynamic data limits that relax when congestion is low and increase when congestion is high
Cache popular files (in a non-discriminatory fashion)
Work with protocol/application developers to develop application and network level congestion mechanisms
Institute per-user bandwidth caps and/or metered pricing (which it is now doing)
Develop business models to encourage heavy bandwidth usage during off-peak hours
Stoddart has previously shown a willingness to stand up for consumers on technical issues when she went public with her concerns about intrusive DRM. CIPPIC's complaint gives her office another chance to delve into the privacy issues surrounding new technology.
Here in the US, the same privacy concerns have been raised about DPI. Texas disaster recovery and managed services company Data Foundry objects to network operators doing this deep level of inspection, and in an FCC filing last year (PDF), the company charged that "broadband providers' AUP/TOS/Privacy Policies, in combination with Deep Packet Inspection, allow intrusive monitoring of the content and information customers transmit or receive. This contractual and technical capability interferes with and may well eliminate all sorts of privileges presently recognized under law... Broadband service providers have no justifiable reason to capture this information."
The issues go beyond just IP addresses, encompassing attorney/client privilege, trade secrets, and other protected communications, but DPI vendors have assured Ars that they have little interest in examining content; most traffic information can be gleaned from packet headers, destination IP addresses, flow patterns, handshakes, and the like. Given the sheer capabilities of these devices, though, it seems at least worthwhile to have a detailed discussion about the potential privacy implications.
