DPI Web Content

American and Canadian Politics Surrounding Deep Packet Inspection

Deep Packet Inspection (DPI) is a networking technology that Internet Service Providers (ISPs) use to manage their networks, generate targeted advertisements, improve network security and billing reliability, and generally survey data traffic to gain actionable intelligence. The technology broadly has the capability to examine subscribers’ data traffic and mediate the traffic based on characteristics that a subscriber’s ISP is interested in – this can range from searching for characteristics of viral outbreaks on the network, to identifying spam email, to delaying peer-to-peer filesharing sessions – and is usually stated as being used to improve network reliability and fairly provision network resources amongst all subscribers. This short essay aims to introduce you to some background surrounding the politics of deep packet inspection in Canada and the United States. We begin by looking at the American situation, proceed to unpack regulatory occurrences in Canada, and then note comparisons between the two nations as they pertain to regulating the uses of DPI equipment. Ultimately, I suggest that Canada has been situated in a way that provides better regulation of the technology than is seen in the United States, but that increased vendor and ISP transparency into the technology is required for a healthy democratic state.

The Case of America

Arguably, the massive surveillance of digital networks took off as a contemporary issue in 2005, when the New York Times published their first article on the NSA’s warrantless wiretapping operations. The concern about such surveillance brewed for years, and finally exploded as the public began to learn about the capacities of DPI technologies as potential tools for mass surveillance. This awareness can arguably be attributed to Nate Anderson’s piece, “Deep packet inspection meets ‘Net neutrality, CALEA.” Anderson’s article is often acknowledged by academics as the popular news article that put DPI on the scene, and the American public’s interest in this technology was reinforced by the use of DPI equipment for behavioural advertising and particularly disruptive traffic management purposes. In this section, we briefly explore the use of the technology to modify data streams for advertising-related surveillance purposes, how Comcast aggressively used DPI to disrupt peer-to-peer (P2P) content delivery systems, and the political responses to these actions.

Attention about, and pressure directed against, the use of DPI built as the American behavioural advertising company NebuAd began partnering with ISPs to deliver targeted ads to ISPs’ customers using DPI equipment. The Free Press hired Robert Topolski to perform a technical analysis of what NebuAd was doing, which led him to state that “NebuAd’s code injected into another’s page source is a cross-site exploit (XSS) and the subsequent behavior of loading cookies it normally would not load is a browser hijack. NebuAd accomplishes its XSS by using what is effectively a classic man-in-the-middle attack.”

In light of the damning evidence that ‘consent’ was never genuinely achieved (in at least one ISP’s case, there was a change to their already massive privacy policy to inform customers of the new behaviour), NebuAd was very publicly disciplined in front of the House Telecommunications Subcommittee. Congressman Markey asserted that “Simply providing a method for users to opt-out of the program is not the same as asking users to affirmatively agree to participate in the program.” While NebuAd has lost its CEO, is now subject to a class action lawsuit in America, and itself is dead in the water (though it has arguably been reincarnated in the UK as Insight Ready), no legislation has been passed to address behavioural advertising using DPI. A Senate Commerce Committee session in September 2008 led three of the US’s largest ISPs – AT&T, Verizon, and Time Warner – to commit to an “affirmative consent” model for behavioural advertising should the ISPs ever adopt such an advertising system, but no Senate action even attempted to legislate a consent-based model. The Federal Trade Commission (FTC) only went as far as to advocate for voluntary self-regulation of the industry. This regulation encompassed the following principles:

  1. Transparency and customer control, which maintains that on every website where data is collected for behavioural advertising, customers are informed of this in concise and clear language, with the option of choosing whether their information will be collected for these purposes.
  2. Reasonable security, and limited retention, of consumer data. In essence, this requires companies to secure data in a manner consistent with FTC data security enforcement and only retain data as long as required for legitimate business purposes.
  3. Affirmative express consent for material change to existing privacy promises. Critical is that this principle is meant to apply even when the material change is a result of a corporate merger when such a merger modifies the ways in which companies collect, use, and share information.
  4. Affirmative express consent to (or prohibition against) using sensitive data for behavioural advertising. This principle does not actually identify what constitutes sensitive information; the FTC sought input into what classes of information should be considered sensitive and whether the collection of such information should be prohibited by regulation instead of by customer choice.

In the case of using DPI for network management purposes, Comcast was found to be using TCP RST packets to intentionally disrupt peer-to-peer filesharing programs that were accounting for substantial amounts of data traffic along their networks. The stated issue with the programs was that they generated high levels of congestion; in effect, this meant that a large number of customers’ packets were regularly being dropped as Comcast routers struggled to keep pace with the high levels of peer-to-peer traffic. While at one point the company maintained that it only used RST packets during periods of high congestion, it ultimately admitted that their RST-based system was triggered regardless of overall network congestion and at all times of the day.

As a result of Comcast’s use of DPI to target particular applications and application-types, the Federal Communications Commission (FCC) issued an order requiring the ISP to stop their particular mode of network management under the FCC’s ancillary authority, or authority that is implicitly derived from past judicial rulings, policy contours, congressional mandate, and the telecommunications act. Specifically, the FCC required Comcast to:

  1. Reveal the “precise contours” of its network management practices, including the types of equipment used, when they came into use, how they were configured, and where they have been deployed.
  2. Come up with a compliance plan complete with benchmarks that explains how Comcast will move “from discriminatory to nondiscriminatory network management practices by the end of the year.”
  3. Publicly disclose the details of its new practices, “including the thresholds that will trigger any limits on customers’ access to bandwidth.”

The FCC decision was met with two responses from Comcast. First, the company adopted a ‘protocol agnostic’ solution to dealing with high-bandwidth usage. This involved them shifting from using deep packet inspection – which examines the payload of data packets – to shallow packet inspection that is (relatively) limited to examining header, or addressing, information of data packets. Under the revised approach, where Comcast identifies consumers who are engaged in high-bandwidth activities for 15 minutes or longer those customers have their packets reclassified to “best effort” from the default “priority best effort”. Essentially, whenever a Comcast subscriber uses their Internet connection to transmit or receive large amounts of data for 15 minutes or longer they suffer a degradation of service, insofar as other subscribers’ data traffic is given priority to transmit or receive information from the Internet ahead of the heavy-use subscriber.

Second, the company took the FCC to court, arguing that the FCC had exceeded their authority in determining how the corporation can manage their networks. The courts recently returned with a decision in Comcast’s favor: the FCC’s order that Comcast cease the issuance of RST packets using DPI equipment is now invalidated on the basis that the FCC decision exceeded their authority. This sends a message that American telecommunications carriers can use equipment, as they perceive needed, to manage their networks and such usage includes mobilizing DPI to actively disrupt customers’ data traffic. Whether there will actually be a return to the use of RST packets is questionable – clearly consumers resent this usage of DPI equipment – but it is important that such disruptive activity on the part of a broadband operator is (for now, at least) legally permissible.

Turning to Canada

In Canada, there has been a substantial amount of attention directed towards the use of DPI equipment since 2007 when CAIP filed a complaint about Bell’s use of the technology to affect how CAIP’s customers’ data traffic was being transmitted through Bell’s infrastructure. The result of Bell v. CAIP, and the 2008/9 CRTC investigation into how DPI is used by ISPs more widely, was positive in some lights. Positively, out of the 2008/9 investigation the CRTC asserted:

  • the blocking of content is prohibited unless approved by the CRTC;
  • when noticeable degradation of service for time sensitive services occurs, then a traffic management system amounts to controlling the content or influencing its meaning. As such, any actions that create such a degradation require approval by the CRTC;
  • the CRTC affirmed that it works in a complementary fashion with the Privacy Commissioner of Canada and that telecommunications providers are held to a higher standard than that contained in PIPEDA alone. Critically, not only are primary ISPs (e.g. Bell, Rogers, Cogeco, etc.) prohibited from using data gathered from traffic management for anything other than management actions, but “the Commission directs all primary ISPs, as a condition of providing wholesale services to secondary ISPs, to include, in their service contracts or other arrangements with secondary ISPs, the requirement that the latter not use for other purposes personal information collected for the purposes of traffic management and not disclose such information.”
  • economic measures are preferred to technical traffic management processes.

Key is that the CRTC has not forbidden ISPs from using DPI, and has instead put strong conditions on what are and are not permissible uses of the technology. What remained permissible was that delaying non-time sensitive services (e.g. email, peer-to-peer, FTP, etc) does not require CRTC approval, and wholesale ISPs (e.g. TekSavvy, Execulink) remain affected by DPI and can expect to receive a mere 30 to 60 day notification before primary ISPs make material changes that would affect wholesale ISPs. Thus, should Rogers significantly modify how they will use DPI in their network their wholesale customers can expect a short period of time before those changes will affect the entire network.

The privacy element of the CRTC’s ruling was reinforced in the Privacy Commissioner of Canada’s ruling on deep packet inspection, which required Bell to note on their website that personal information (i.e. subscriber ID and IP address) was briefly collected (and then quickly discarded) in the ongoing use of DPI. Emergent from the CRTC and OPC’s decisions, we can comfortably say that Canada has a strong set of regulatory bones when it comes to DPI; what’s left is fleshing the bones out, which will presumably continue to happen over the coming months and years.

Comparisons and Conclusions

So, how might we draw a comparison between the US and Canada? To begin, in the US non-regulated processes are exclusively meant to limit the use of behavioural advertising – though as demonstrated by Chris Soghoian’s work such self-regulation is practically non-regulation in the advertising business – and the traffic management questions linger in the air. ISPs in the US have (at least temporarily) managed to get a bit more freedom from the FCC with the decision favouring Comcast, and the FTC has been unwilling to strongly regulate ISPs’ uses of DPI. Thus, the American reality stands in stark contrast to Canada: Canadians have a skeleton of regulated guidelines that ISPs are required to adhere to, whereas the US remains a relatively unregulated marketplace for DPI.

Given the different regulatory environments, we cannot expect civil or governmental bodies that are interested in the use of DPI to adopt similar language or regulatory tools in their approaches, but this shouldn’t prevent interested parties from identifying common language and regulatory principles to see what does and does not work. Further, such comparative projects could try and identify differences that emerge when there is greater transparency (either required by regulation or performed on a voluntary basis) surrounding the development, deployment, and usage of the technologies. This would (and, in Canada, arguably did) enable advocates to more clearly articulate their messages in relation to where interested parties are kept in the dark about the technologies. In addition to improving the calibre of debate surrounding the technology, transparency can simultaneously alleviate some of the concerns that emerge when our communications systems are mediated by an unknown technical power, in unknown manners, for less than clear corporate means. Democracies thrive on their freedom of speech, and it is critical for citizens to be involved in legitimating or regulating the infrastructures that carry that speech.

Ultimately, citizens of Canada and the US need to understand how their communications are regulated and have a clear and valued voice in shaping the structure of their communications systems; citizens along with government and business, as opposed to business and deep packet inspection alone, must be responsible for choosing the ‘winning’ applications that facilitate digital communications across the Internet.
