Inside 1to1:Privacy

Going Deep on Deep Packet Inspection

May 1, 2009

By Don Peppers and Martha Rogers, Ph.D.

There's a reason Viagra commercials dominate television coverage of PGA tournaments and previews run before a movie starts. Targeted advertising has been around for a while and, over the years, has helped sellers home in on those most likely to take action on their ads.

With technology's advance, the targeted advertising space has evolved to one where sellers can serve ads to a degree of relevance previously unfathomed. Demographics are so twentieth century. Vendors today can get to know their customers better than radio, television and direct mail advertisers ever could.

As the Web looks for ways to sustain itself, and as other communication providers realize technologies that will let them, too, capitalize on new revenue opportunities, behavioral advertising has entered the fray in a much bigger way. Internet providers can glean users' surfing patterns and general interests and use that information to maximize their advertising ROI.

Some companies have taken this a step further, using a method called deep packet inspection to peer into packets of network traffic and understand specific users to an even greater degree. Deep packet inspection has garnered cautious interest among Internet providers and advertisers who are attracted by the prospect of delivering extremely targeted promotions. Both have billions to gain.

But the method has provoked what such providers may view as less desirable attention. The U.S. Congress and Federal Trade Commission have taken an interest, as have advocacy groups and the European Commission (EC). Recently the EC announced it will begin legal action against the United Kingdom for allowing DPI provider Phorm to operate. The commission says Phorm's technology violates EU data protection principles.

This dialogue is only in its infancy. The DPI debate will continue to rage as companies innovate to seek profits and, as a result, push the boundaries of consumers' privacy expectations.

Recently, the privacy commissioner of Canada released a series of essays that explore deep packet inspection from varied perspectives. Here is one that we found very interesting.

----------------------------------------------------------------------

(The following article is reprinted with permission from the Office of the Privacy Commissioner of Canada.)

The privacy implications of deep packet inspection

By Danielle Citron

(Licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License)

Broadband providers increasingly use deep packet inspection technologies (DPI) that examine consumers' online activities and communications in order to tailor advertisements to their unique tastes. Although providers emphasize the market efficiencies that DPI provides, they have not adequately addressed the privacy concerns that it raises. Providers insist that because they discard consumers' communications after analyzing them, any privacy concerns are illusory. Nonetheless, privacy concerns remain despite these assurances because nothing prevents providers from simply altering their policies--in the U.S., the law does not restrict the secondary use of DPI data. And the public has no means to oversee what broadband providers are actually doing because DPI operates invisibly. In the future, network providers could collect our online communications and sell them, including medical data and private correspondence, to employers, insurance companies, credit bureaus, and landlords. Broadband providers could morph into powerful data brokers of our online communications. But even if providers only retain DPI data and do not sell it, their databases are vulnerable to accidental leaks and theft. These scenarios would be permissible and possible if broadband providers decide to retain such data.

Another concern is the government's ability to subpoena the digital surveillance of a person's online life from broadband providers. Consumers may deserve notice and an opportunity to be heard before the disclosure of such information to governmental actors, if courts construe the data as implicating an individual's important property or liberty interests. More generally, if DPI becomes a fact of life, informed consumers may curtail their online communications rather than risk their release to others. This would stunt our creativity and intellectual privacy, so critical to the development of our ideas and free speech.

Network providers dismiss these concerns on the grounds that consumers can opt out of DPI tracking of their online life with a single click. Optimism about a properly functioning marketplace, however, is misplaced. Network providers bury notice of their inspection practices in densely worded privacy policies and do not email users to note the change in policy. Thus, a basic information asymmetry problem arises--consumers cannot reasonably be expected to know about, and protect themselves from, opaque practices. Even if consumers opt out of the creation of behavioral profiles for use in delivering ads, they may not be opting out of the copying of their traffic. And if some network providers switch to an opt-in approach or reject DPI entirely, consumers still cannot totally control the use of DPI technologies by those with whom they communicate, thus rendering consumer choice illusory. As a result, privacy concerns may not be self-correcting and thus consumers can safeguard their privacy only through costly encryption practices.

Given the difficulties of opt-in and opt-out solutions, should law curtail the use of DPI? One solution may be to ban the use of DPI for commercial benefit. Alternatively, law could insist upon greater oversight over providers' use of DPI. To that end, the Center for Democracy and Technology suggests a variety of ways to enhance the transparency and oversight over DPI practices, including instituting a "Do Not Track" list, requiring providers to disclose their data collection practices, establishing an Online Consumer Protection Advisory Committee, and providing remedies for abuses of DPI data. These solutions would enable providers to continue to use DPI to combat spam, assist prosecutors who obtain warrants, and identify child porn traffickers, precisely the sort of "Good Samaritan" monitoring efforts that Section 230 of the Communications Decency Act anticipates, without compromising consumers' privacy.

Visit the federal privacy commissioner of Canada's Web site to read other DPI essays.