Massive growth in data processing power has spurred the development of deep packet inspection (DPI) equipment that potentially allows providers of Internet service and other intermediaries to collect and analyze the Internet communications of millions of users simultaneously. DPI has come to permeate numerous Internet policy debates, including those related to net neutrality, behavioral advertising, content filtering, and many others. Although the policy concerns that DPI raises differ in each case, one theme that recurs throughout these debates is the potential for DPI to essentially eliminate online privacy as it exists today, absent pervasive use of encrypted communications. As a technology that can provide Internet service providers (ISPs) and their partners with broad and deep insight into all that their subscribers do online, its potential to facilitate privacy invasion has been described in the most dire of terms: as “wiretapping” the Internet (Barras, 2009, p. 1), “unprecedented and invasive ISP surveillance” (Ohm, 2009, p. 1417), and even “the end of the Internet as we know it” (Riley and Scott, 2009, p. 1).

ISPs’ use of DPI has drawn scathing privacy criticism despite the fact that numerous other entities are capable of conducting content inspection. Content delivery networks and caching services could have similar capabilities, as can individual Internet users employing firewalls, home gateways, or packet sniffers. Likewise, many of the services that DPI can facilitate for ISPs – security protections, behavioral advertising, and content filtering, for example – have been offered for years by web- and software-based service providers.

There are several characteristics inherent to ISPs and their use of DPI that significantly increase the privacy stakes as compared to these other entities, however. ISPs are uniquely situated in three respects: they serve as gateways to all Internet content, switching ISPs can be difficult for Internet users, and their use of a tool as powerful and versatile as DPI makes it prone to mission creep. An exploration of each of these factors reveals that they are difficult or impossible to mitigate. Taken together they form the fundamental basis for the heightened privacy alarm that has characterized DPI debates.

ISPs as Internet Gateways

The Internet is often thought of as a dramatically free medium for speech, where little stands between an Internet user and the expression of his or her ideas to friends, colleagues, and the world at large. It is also an intensely personal medium used to maintain familial and social ties, to find information related to personal activities and pursuits, and to transact personal business. Millions of Internet users worldwide trust the medium enough to engage in a wide range of personal and commercial communications and transactions online. While “the medium” is composed of many services and applications providers at different levels, the foundation for this trust is the connectivity itself as provided by ISPs. Ohm (2009, p. 1446) has aptly described this service provider trust as the “sense of repose” that Internet users have as they use the network to conduct their lives.

DPI has the potential to disrupt this sense of repose by inserting a middleman – and potentially a gatekeeper – between Internet users and those with whom they communicate. To the extent that Internet users find themselves at ease conversing and transacting online, ISPs’ increased use of DPI presents the potential to chip away at that sense of security by introducing a surveillance element where it did not exist previously. ISPs are an important element of the trust that Internet users place in the network, and increased use of DPI calls that trust into question.

The effects of this loss of trust could be wide-ranging. As with other technologies of surveillance, increased use of DPI creates the potential for self-censorship and inhibition online (Lyon, 2007). It may also serve to deter online commerce if consumers and businesses question the confidentiality of their transactions. These are plausible risks whether or not specific uses of DPI are known to Internet users or indeed breach confidentiality, as even a general awareness that surveillance may be occurring can prompt people to alter their behavior (Foucault, 1977). Introducing DPI on the network thus has the potential to turn what was a trusted conduit into a suspicious eavesdropper, even if Internet users are only vaguely aware that DPI is in use.

Many other trusted service providers exist on the Internet, and many of them would be similarly capable of damaging user trust should they begin to examine their users’ communications in an unexpected way. In fact, there are clearly intermediaries in existence today that are capable of collecting more application-level data about many more Internet users than any single ISP could – Google is the obvious example. But neither Google nor any other service provider is as capable as an ISP of comprehensively monitoring the entirety of each individual subscriber’s online activities. Every one of a subscriber’s packets, both sent and received, must pass through the ISP’s facilities. What separates ISPs is the potential for their gaze over their subscribers to be omniscient.

ISPs may be far from realizing that potential, and encryption tools exist to help protect Internet users from the prying eyes of their ISPs. But as long as the majority of Internet users pursue their online activities without encrypting their communications, the mere existence of DPI on the network jeopardizes the bond between them and their ISPs.

High ISP Switching Costs

The potential for ISPs to abuse their gatekeeping power is further exacerbated by the fact that switching ISPs is comparatively more difficult than switching between other services like search engines or web browsers. While the latter may involve a simple mouse click or software download, changing ISPs can be a much more elaborate process involving a time investment to explore new options and bundled services, installing new equipment, setting up new bill payments, and time at home waiting for an engineer to hook up new service (Krafft and Salies, 2008). Because of these barriers to switching, subscribers may be unwilling or unable to switch ISPs even if their current ISPs introduce DPI-based practices with which they disagree. Internet users may perceive their choice of ISP to be much more binding than their choice of other online services, which reduces their ability and inclination to avoid ISPs’ privacy-invasive practices.

Notably, even where consumers have many ISP choices, switching costs may still impede consumers from changing ISPs over DPI concerns. This may be one reason why even less concentrated ISP markets appear to lack a market for privacy. For example, in the competitive UK market, many ISPs indicate in their web site disclosures that they are using DPI of some form to manage congestion, and the majority of Canadian ISPs that responded to a recent regulatory inquiry indicated that they are using DPI for some network management purpose (Parsons, 2009). Whereas competition for privacy is appearing in other online sectors with low switching costs – the major search engines, for example, continue to improve upon each others’ data retention policies (Center for Democracy & Technology, 2007) – higher ISP switching costs may reduce ISPs’ incentives to compete on privacy.

While there may be limited steps that ISPs can take to reduce switching costs – lowering or eliminating contract termination fees, establishing flexible schedules for hooking up new service, and so forth – the burdens of changing to a new ISP are in some ways inherent to the provision of Internet service. Because these burdens are largely unavoidable, relying on competition to discipline ISPs’ privacy behavior is not likely to be sufficient.

Propensity for Mission Creep

Another distinguishing feature of ISPs’ use of DPI is the potential for “mission creep:” having DPI equipment that was installed for one purpose used for multiple new purposes over time (Werbach, 2005). The potential uses of DPI are nearly as wide as computing itself. Many of the capabilities of DPI equipment are generic computing capabilities: intercepting packets; pattern-matching their content; and storing the raw data, statistics about the data, or conclusions drawn from the data. Because each of DPI’s uses employs some or all of these generic capabilities, DPI vendors are finding it more efficient and less costly to build their equipment to suit multiple uses. Several vendors tout the fact that a single one of their products can be used for congestion management, usage monitoring and prioritized or tiered service offerings, for example (Arbor Networks, 2010; ipoque, 2008). The trend is toward more functionality built into individual DPI products, not less.

When mission creep does occur, it may be invisible to users. Because ISPs’ use of DPI occurs in the middle of the network, there need not be any indication to subscribers that inspection is occurring. There is also no technical reason why DPI equipment should leave any trace on users’ computers (although DPI used to facilitate behavioral advertising, for example, may be employed in conjunction with cookies or other files stored on users’ computers). This is in contrast to other kinds of technologies that can perform similar functions to those of DPI – for example, while many web-based behavioral advertising networks deposit cookies on users’ computers for tracking purposes, an ISP could employ a DPI-based behavioral advertising system without storing anything on users’ machines. Furthermore, one of the core design goals of DPI vendors is to build equipment that has the least possible impact on network performance and user experiences (Allot Communications, 2007). The combination of these technological factors create the potential for DPI to be deployed – and subsequently put to new uses – mostly invisibly on the network.

Perhaps because of the fact that DPI technology does not need to reveal itself on the network, several early DPI systems were deployed without any indication to users (European Commission, 2009; Federal Communications Commission, 2008). Furthermore, despite the limited public scrutiny that ISPs’ DPI practices have been subjected to thus far, one large ISP has already admitted that “even though DPI equipment was originally intended to introduce usage data collection functionality. . . it was subsequently determined that DPI should be used for traffic shaping” (Engelhart, 2009, p. 3). This sort of mission creep is precisely what raises concerns about the misuse of the technology and its ability to erode consumer trust in the network. Concerns over mission creep are driven by features of the technology itself that are not easy to overcome – the cost effectiveness of producing general-purpose DPI equipment and its lack of transparency on the network.

Conclusion

In the heat of DPI policy debates, serious concerns have been raised about the potential for the technology to facilitate massive privacy invasion. For some stakeholders, these risks are enough to reject DPI altogether and call for its prohibition (NoDPI, 2008). But given that a number of other kinds of applications and services have or could have similar capabilities to DPI, it is important to understand precisely what differentiates ISPs’ use of DPI. The aspects of ISPs discussed here – their role as trusted network onramps, their switching costs, and DPI’s particularly promising territory for mission creep – set them apart from other service providers, raising the bar for what ISPs must do to mitigate privacy risks as they pursue new DPI-based solutions.

Works Cited:

Allot Communications. (2007). Digging Deeper Into Deep Packet Inspection. Retrieved from http://www.allot.com/Common/FilesBinaryWrite.aspx?id=3053

Arbor Networks. (2010). Arbor e100 Datasheet. Retrieved from http://www.arbornetworks.com/de/docman/arbor-e100-data-sheet-english/download.html

Barras, C. (2009, March 16). Tim Berners-Lee: Internet at risk from ‘wiretapping’. Computer Weekly. Retrieved from http://www.computerweekly.com/Articles/2009/03/16/235279/Tim-Berners-Lee-Internet-at-risk-from-39wiretapping39.htm

Center for Democracy & Technology. (2007). Search Privacy Practices: A Work in Progress. Retrieved from http://www.cdt.org/privacy/20070808searchprivacy.pdf

Engelhart, K. G. (2009, January 13). Response to Interrogatory: Rogers(CRTC)4Dec08-1. CRTC Public Notice 2008-19. Retrieved from http://www.crtc.gc.ca/public/partvii/2008/8646/c12_200815400/1005723.zip

European Commission. (2009, April 14). Commission launches case against UK over privacy and personal data protection. IP/09/570. Retrieved from http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/570&format=HTML&aged=0&language=EN&guiLanguage=en

Federal Communications Commission. (2008). Memorandum Opinion and Order In the Matters of Free Press and Public Knowledge Against Comcast Corporation for Secretly Degrading Peer-to-Peer Applications; Broadband Industry Practices; Petition of Free Press et al. for Declaratory Ruling that Degrading an Internet Application Violates the FCC’s Internet Policy Statement and Does Not Meet an Exception for “Reasonable Network Management”. Retrieved from http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-08-183A1.pdf

Foucault, M. (1977). Discipline and Punish. Pantheon Books.

ipoque. (2008). Datasheet PRX-10G. Retrieved from http://www.ipoque.com/userfiles/file/datasheet-prx10g.pdf

Krafft, J., & Salies, E. (2008). The diffusion of ADSL and costs of switching Internet providers in the broadband industry: Evidence from the French case. Research Policy, 37(4), 706-719. doi:10.1016/j.respol.2008.01.007

Lyon, D. (2007). Surveillance Studies: An Overview. Polity.

NoDPI. (2008). No Deep Packet Inspection FAQ. Retrieved February 27, 2010, from https://nodpi.org/faq/

Ohm, P. (2009). The Rise and Fall of Invasive ISP Surveillance. University of Illinois Law Review, 2009(5), 1417-1496. Retrieved from http://lawreview.law.uiuc.edu/publications/2000s/2009/2009_5/Ohm.pdf

Parsons, C. (2009). Summary of January 13, 2009 CRTC Filings by Major ISPs in Response to Interrogatory PN 2008-19 with February 9, 2009 Updates.Retrieved from http://preview.tinyurl.com/289mpax

Riley, M. C., & Scott, B. (2009). Deep Packet Inspection: The End of the Internet As We Know It? Free Press. Retrieved from http://www.freepress.net/files/Deep_Packet_Inspection_The_End_of_the_Internet_As_We_Know_It.pdf

Werbach, K. (2005). Breaking the Ice: Rethinking Telecommunications Law for the Digital Age. Journal on Telecommunications & High Technology Law, 4, 59. Retrieved from http://heinonline.org/HOL/Page?handle=hein.journals/jtelhtel4&id=65&div=&collection=journals

Biography:

Alissa Cooper is a doctoral student at the Oxford Internet Institute. Her research focuses on how social, economic, technical and regulatory forces are challenging the open and decentralized Internet paradigm. She is interested in examining the balance of intelligence between the ends and the middle of the Internet; what the consequences of shifts in this balance might be for innovation, expression and privacy; and how individual Internet constituencies may be able to contribute to maintaining Internet openness.

Alissa is also the Chief Computer Scientist at the Center for Democracy and Technology (CDT), a non-profit public policy organization headquarted in Washington, DC. Her work at CDT focuses on a range of Internet policy issues including consumer privacy, net neutrality, and technical standards. At CDT she conducts original research and writing on numerous policy topics, serves as technical liaison between CDT and engineers at technology companies and within Internet standards bodies, and serves as CDT’s technical voice in public forums. During her time in DC, she has testified before the US Congress and and on several occasions before the Federal Trade Commission. While pursuing her doctoral work she is continuing to serve as CDT’s Chief Computer Scientist on a part-time basis. Alissa also currently co-chairs the Geographic Location/Privacy working group (Geopriv) within the Internet Engineering Task Force (IETF).

Alissa joined CDT after completing her Bachelor’s and Master’s degrees in Computer Science at Stanford University. There her work focused on computer security issues and included research into the structure and organization of botnets and online forums used to perpetrate fraud.

Interested in more? Subscribe to our RSS feed for new essays and site news as it comes available.

Building the overpasses of Long Island lower than the height of public buses of the time enforced a subtle policy of segregation. Robert Moses, the architect of the overpasses and many major public works of 20th Century America, believed the poor would ruin Long Island’s beaches. The low clearance of the overpasses barred public transit buses from the beach area while allowing affluent motorists to freely drive there. The story about segregating the poor from the beach illustrates how technologies have acted as tools of social control (Winner, 1986, pp. 22-23).

Deep packet inspection (DPI) marks a new period in the history of social control and, again, we must question the politics of control embedded in the technology. The control embedded in DPI differs from the architecture of overpasses; DPI runs through software and thus its mode of control is more fluid than concrete. Control does not block, but works by “increasing the probability of a desired outcome rather than its absolute determination” (Samarajiva, 1996, p. 129). The Internet appears open but the opaque software of deep packet inspection now subtly controls Internet traffic by gently guiding our communications into fast and slow lanes.[1] In this short essay I will identify what is significant about DPI’s capacity to control communications. I do so by first naming the nature of this control, secondly sketching its operation, and finally by speculating on the challenges it poses to democratic society.

Deep packet inspection, along with a bevy of other technologies for governing Internet traffic, amplifies the management of Internet communication. Networks can now predict the content of a message and assign it a speed. Such assignments create tiers of Internet traffic. Previously, speed depended on the size of the pipe and how fast its wires conducted messages, whereas now speed can depend on content and/or the pipe’s size.

To Internet Service Providers (ISPs), the ability to re-evaluate how to transmit information relieves their struggling infrastructure. ISPs face a bandwidth crunch from on-demand movies, streaming video, multiplayer games, music stores, not to mention the explosion in illegal file sharing. The crunch, in short, requires better management of the scarce resource. DPI allows network owners to identify certain communications and assign more or less bandwidth depending on the communication type.

Canadian Internet Service Providers, thus far, dominantly use DPI to solve congestion issues – mostly shaping peer-to-peer file sharing. Peer-to-peer traffic mostly moves large files around, ISPs argue, and thereby this communication traffic is less time-sensitive than web traffic or Voice over Internet Protocol (VoIP). Lowering the strain keeps Internet service costs down while still delivering an open Internet service (Canadian Radio-television and Telecommunications Commission, 2009b); DPI merely shifts the priorities of packets around in order to keep time-sensitive ones moving.

Concerns over DPI arise from its international abuses. International cases demonstrate the less mundane applications of DPI. Many believe DPI technologies enabled the domestic wire-tapping of American citizens (Bamford, 2008), and that China and Iran employ DPI to filter unwanted messages from their domestic Internet (Zittrain & Palfrey, 2008). However, these concerns overlook an important aspect of DPI: the technology has the capacity to control open communication. It is not only a system for surveillance and censorship.

Surveillance and censorship online differ from Internet control. Surveillance finds out if you browse the web or play video games. Censorship, a related concern, refers to the prevention of certain forms of speech: stopping us from saying certain things. Surveillance allows the discovery of illicit communication and censorship stops its circulation. While invasions of privacy might trouble us, they are not the only concerns with DPI. Control refers to inspection and interaction; it collapses the distinction between censorship and surveillance.

Internet control operates using DPI that, in my sense, refers to a certain type of software running on the many computers – known as network processors – routing our communication across the Internet. Processors inspect the bits of information coming across its pipes. The bits form a pattern that the software recognizes as types of traffic. Peer-to-peer communication (P2P) has a different pattern than web traffic. The software matches the peer-to-peer pattern to a list of known patterns. A match triggers certain policies. Bell, for example, allocates less bandwidth to peer-to-peer traffic during peak hours – a technique commonly called Internet throttling. These processes allow network owners to predict your mode of communication, and then to intervene in their transmission. These steps occur as the packet moves, nearly instantly. The home user, for the most part, never registers the uses of DPI equipment to monitor data flows.

Control is central for concerns about DPI while simultaneously being elusive because we never acknowledge when it works. Control disappears and blends into the everyday operation of the Internet. Its presence is active, constant, pervasive, and necessary to movement, but also hidden. The American ISP Comcast’s traffic shaping of peer-to-peer traffic only came to light through the efforts of many concerned media activists.[2] Users would have just thrown their hands up in frustration because their communications suddenly slow down without cause.

Control, in the case of Comcast, frustrates its users participating with peer-to-peer networks and lifts the throttling – and the frustration – only when its users travel along sanctioned digital channels. Its effect, then, is the “purposive influence toward a predetermined goal” (Beniger, 1986, p. 7). Influence gently guides our communication into more acceptable streams, never blocking, only guiding. Control does not stop us from communicating; it simply marginalizes non-prioritized communications. Control permits free speech, though a free speech with instrumental marginalization.

Introducing free speech might appear a leap in a technical discussion of Internet technologies, but it leads to questioning the technologies’ political repercussions. DPI poses, for me, all of the questions we must investigate if we aim to understand the democratic implications of control in communication. Control, enabled through deep packet inspection or its successors, will not disappear. While we might not always be aware of its influence, its invisibility possesses a political problem of how control should be governed online.

Confronting control requires establishing boundaries. Lawrence Lessig refers to this problem as one of regulability (Lessig, 2006, pp. 23-24). A term he uses to signify the limits of regulation. What can we now regulate, manage, or, in my language, control? What areas can we now control? Just because we can regulate does not imply that we should regulate. For instance, “the ordinary ways in which individuals create and share fall within the reach and refutation of the law, which has expanded to draw within its control a vast amount of culture and creativity that it never reached before” (Lessig, 2004, p. 8). Should control begin to enforce the law? As control becomes more ubiquitous in our communication systems, we must question its reach and decide what areas belong outside of such control.

We should note that the introduction of control in Canada has intensified. Telecommunications firms have lobbied and petitioned the Canadian Radio-Television Telecommunications Commission (CRTC) to permit the installation of deep packet inspection equipment in ISPs’ networks. As part of this lobbying effort, Mr. O’Carroll of Rogers Communications stated, “the rate of change in the Internet environment is increasing, therefore, Internet traffic management practices must be highly dynamic and responsive to these changes.” DPI is a vital part of Rogers’ Internet business model; the model demands keeping the cost of an open communication system in check. However, Rogers’ desire to continue to shape peer-to-peer file sharing seems dull compared to the threats of Mike McConnell, former director of the National Security Agency in the United States. He stresses the insecurities of the Internet in his public relations campaign on behalf of traffic management software firms.[3] He states, “we need to reengineer the Internet” because “if an enemy disrupted our financial and accounting transactions …  or created confusion about the legitimacy of those transactions – chaos would result.” Control, for McConnell, becomes an issue of national security. His posturing exemplifies the tremendous push to expand the limits of control.

Twin pistons churn the engines of control forward – the need to monetize network communication and the drive to increase the security of networks. Both ignore the problems of control to society. If we use the Internet more and more in our daily lives, as Statistics Canada reports 80% of Canadians now do,[4] then the setting of our society falls within the limits of control. Reducing the conditions of the expansion of control to a simple game of security and profit ignores the politics of control and the long-standing public service component of communications networks (See Moll & Shade, 2001). Mr. Lee of Rogers Communications reveals this troubling logic of the market forces where he states, “market forces, not government fiat, are responsible for Canada’s remarkable success [in broadband growth]. Many of the participants of the CRTC hearing on Intelligent Traffic Management Practices (Canadian Radio-television and Telecommunications Commission, 2009a), perhaps with good intentions, want to change that. They want lawyers, not engineers, to design the networks. This would be a big mistake.” Making control political, he infers, would threaten the success of the Internet in Canada. I believe the opposite. DPI, control and its limits must be debated publicly.

The nature of software enacting control challenges our public response. Invisible software systems do not lend themselves well to public representation. Such invisibility is why sites like this one are so important.  Deep packet inspection Canada’s home page explains to visitors whether their Internet service features deep packet inspection – a significant step in making control more visible. The CRTC, in the ruling on Intelligent Traffic Management Practices, required ISPs to be more transparent with their practices. Unfortunately, as Michael Geist points out, they are still complying with the regulation.[5] These examples mark the beginnings of a democratic response to control by bringing it to the public light. As control expands, perhaps through a new lawful access law,[6] we must find new means to represent and contest its operation. Framing DPI as a technology of control, I hope, renders another side of the technology. By understanding the politics of this technology, we might begin to find ways to govern it.

Notes:

[1] For another perspective on DPI and control, see DPI as an Integrated Technology of Control – Potential and Reality/. Bendrath studies the major actors pushing to install DPI and compares how drivers utilize DPI to alter their techniques of social control, technical efficiency, and economization.

[2] See, Packet Forgery By ISPs: A Report on the Comcast Affair

[3] The campaign also included a CNN broadcast of a two-hour simulation of a cyberwar against the United States. See, Cyberwar Hype Intended to Destroy the Open Internet.

[4] See, the Statistics Canada’s Canadian Internet Use Study.

[5] See, Geist: ISPs fall short on Net neutrality rules

[6] See, Feds to give cops Internet-snooping powers

Other Works Cited:

Bamford, J. (2008). The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America (1st ed.). New York: Doubleday.

Beniger, J. R. (1986). The Control Revolution: Technological and Economic Origins of the Information Society. Cambridge, Mass.: Harvard University Press.

Canadian Radio-television and Telecommunications Commission (2009a). Hearings for Review of the Internet traffic management practices of Internet service providers. Retrieved 15 March 2010. from http://www.crtc.gc.ca/eng/transcripts/2009/tt0706.htm.

Canadian Radio-television and Telecommunications Commission (2009b). Telecom Regulatory Policy CRTC 2009-657: Review of the Internet traffic management practices of Internet service providers. Retrieved 12 March 2010. from http://www.crtc.gc.ca/eng/archive/2009/2009-657.htm.

Lessig, L. (2004). Free Culture: How Big Media uses Technology and the Law to Lock Down Culture and Control Creativity. New York: Penguin Press.

Lessig, L. (2006). Code: Version 2.0. New York: Basic Books.

Moll, M., & Shade, L. R. (Eds.). (2001). E-commerce vs E-commons: Communications in the Public Interest. Ottawa: Canadian Centre for Policy Alternatives.

Samarajiva, R. (1996). Surveillance by Design: Public Networks and the Control of Consumption. In R. Mansell & R. Silverstone (Eds.), Communication by Design: The Politics of Communication Technologies (pp. 129-156). New York: Oxford University Press.

Winner, L. (1986). The Whale and the Reactor: A Search for Limits in an Age of High Technology. Chicago: University of Chicago Press.

Zittrain, J., & Palfrey, J. (2008). Internet Filtering: The Politics and Mechanisms of Control. In R. Deibert, J. Palfrey, R. Rohozinski & J. Zittrain (Eds.), Access Denied: The Practice and Policy of Global Internet Filtering (pp. 29-56). Cambridge: MIT Press.

Biography:

Fenwick McKelvey is a second-year PhD Candidate (Fall‘08) in the Communication & Culture program at Ryerson and York Universities. He researches digital political communication, and digital research methods. His dissertation charts the politics of traffic management software – how it controls information and how it meets resistance. He is a research associate with the Infoscape Research Lab: Centre for the Study of Social Media.

Interested in more? Subscribe to our RSS feed for new essays and site news as it comes available.

Website Objectives

The website has five particular goals to achieve:

1. To develop the largest publicly accessible repository of information concerning the use of DPI in Canada;
2. To explain to Canadians in non-technical language whether and how their ISP uses DPI technologies;
3. To provide regular analyses of current uses of DPI in Canada, as well as abroad when relevant;
4. To facilitate discourse about DPI technologies amongst Canadians;
5. To provide research and analyses of DPI technologies that could be used by government agencies, including privacy and information commissioners.

If we are to realize these goals, however, we require the assistance of interested vendors of the technology, ISP representative, members of provincial and federal governments, and most importantly from Canadian citizens. Most pressingly, while we have successfully gathered information on many of Canada’s largest ISPs we must still collate and make available information about Canada’s smaller ISPs and other service providers. We are depending on other Canadians to assist us in finding our blindspots and helping us correct them; this is a terribly large country with a rich set of service providers and the research team is unable to find them all!

Call for Assistance

In the upper left-hand corner of the website, there is a part of the website that is designed to identify what ISP you are visiting us from and then correlate that information with a database we have built. If we haven’t successfully identified your ISP you can help us by simply contacting us with the following information:

• Name of your ISP or host;
• Region where the ISP operates (or, alternately, the city/town/village where you receive service from the provider);
• A link to their webpage.

If you can provide the above information to us, we’ll do our best to learn whether or not the ISP or host uses DPI. A page will be created and we’ll note any successes or failures in getting information.

Made Possible By

This website, and the research associated with it, has been made possible because of funding received through the Office of the Privacy Commissioner of Canada’s contributions program. The website will continue to be updated for at least the next two years, and will include regular updates in the resources, ISPs, and essay sections of the webpage, as well as revisions to our ISP detection system.

Interested in more? Subscribe to our RSS feed for new essays and site news as it comes available.

The Case of America

Arguably, the massive surveillance of digital networks took off as a contemporary issue in 2005, when the New York Times published their first article on the NSA’s warrantless wiretapping operations. The concern about such surveillance brewed for years, and finally exploded as the public began to learn about the capacities of DPI technologies as potential tools for mass surveillance. This awareness can arguably be attributed to Nate Anderson’s piece, “Deep packet inspection meets ‘Net neutrality, CALEA.” Anderson’s article is often acknowledged by academics as the popular news article that put DPI on the scene, and the American public’s interest in this technology was reinforced by the use of DPI equipment for behavioural advertising and particularly disruptive traffic management purposes. In this section, we briefly explore the use of the technology to modify data streams for advertising-related surveillance purposes, how Comcast aggressively used DPI to disrupt peer-to-peer (P2P) content delivery systems, and the political responses to these actions.

Attention about, and pressure directed against, the use of DPI built as the American behavioural advertising company NebuAd began partnering with ISPs to deliver targeted ads to ISPs’ customers using DPI equipment. The Free Press hired Robert Topolski to perform a technical analysis of what NebuAd was doing, and led him to state that “NebuAd’s code injected into another’s page source is a cross-site exploit (XSS) and the subsequent behavior of loading cookies it normally would not load is a browser hijack. NebuAd accomplishes its XSS by using what is effectively a classic man-in-the-middle attack.”

In light of the damning evidence that ‘consent’ was never genuinely achieved (in at least one ISP’s case, there was a change to their already massive privacy policy to inform customers of the new behaviour) NebuAd was very publicly disciplined in front of the House Telecommunications Subcommittee. Congressman Markey asserted that “Simply providing a method for users to opt-out of the program is not the same has asking users to affirmatively agree to participate in the program.” While NebuAd has lost it’s CEO, is now subject to a class action lawsuit in America, and itself is dead in the water (though has arguably been reincarnated in the UK as Insight Ready), no legislation have been passed to address behavioural advertising using DPI. A Senate Commerce Committee session in September 2008 led three of the US’s largest ISPs – AT&T, Verizon, and Time Warner – to commit to an “affirmative consent” model for behavioural advertising should the ISPs ever adopt such an advertising system, but no Senate action even attempted to legislate a consent-based model. The Federal Trade Commission (FTC) only went as far as to advocate for voluntary self-regulation of the industry. This regulation encompassed the following principles;

1. Transparency and customer control, which maintains that on every website where data is collected for behavioural advertising that customers are informed of this in concise and clear language with the option of choosing whether their information will collected for these purposes.
2. Reasonable security, and limited retention, of consumer data. In essence, this requires companies to secure data in a manner consistent with FTC data security enforcement and only retain data as long as required for legitimate business purposes.
3. Affirmative express consent for material change to existing privacy promises. Critical is that this principle is meant to apply even when the material change is a result of a corporate merger when such a merger modifies the ways in which companies collect, use, and share information.
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioural advertising. This principle does not actually identify what constitutes sensitive information; the FTC sought input into what classes of information should be considered sensitive and whether the collection of such information should be prohibited by regulation instead of by customer choice.

In the case of using DPI for network management purposes, Comcast was found using TCP RST data packet to intentionally disrupt peer-to-peer filesharing programs that were accounting for substantial amounts of data traffic along their networks. The stated issue with the programs was that they generated high levels of congestion; in effect, this meant that a large number of customers’ packets were regularly being dropped as Comcast routers struggled to keep pace with the high levels of peer-to-peer traffic. While at one point the company maintained that it only used RST packets during periods of high congestion, it ultimately admitted that their RST-based system was triggered regardless of overall network congestion and at all times of they day.

As a result of Comcast’s use of DPI to target particular applications and application-types the Federal Communications Commission (FCC) issued an order requiring the ISP to stop their particular mode of network management under the FCC’s ancillary authority, or authority that implicitly is derived from past judicial rulings, policy contours, congressional mandate, and telecommunications act. Specifically, the FCC required Comcast to;

1. Reveal the “precise contours” of its network management practices, including the types of equipment used, when they came into use, how they were configured, and where they have been deployed.
2. Come up with a compliance plan complete with benchmarks that explains how Comcast will move “from discriminatory to nondiscriminatory network management practices by the end of the year.”
3. Publicly disclose the details of its new practices, “including the thresholds that will trigger any limits on customers’ access to bandwidth.”

The FCC decision was met with two responses from Comcast. First, the company adopted a ‘protocol agnostic’ solution to dealing with high-bandwidth usage. This involved them shifting from using deep packet inspection – which examines the payload of data packets – to shallow packet inspection that is (relatively) limited to examining header, or addressing, information of data packets. Under the revised approach, where Comcast identifies consumers who are engaged in high-bandwidth activities for 15 minutes or longer those customers have their packets reclassified to “best effort” from the default “priority best effort”. Essentially, whenever a Comcast subscriber uses their Internet connection to transmit or receive large amounts of data for 15 minutes or longer they suffer a degradation of service, insofar as other subscribers’ data traffic is given priority to transmit or receive information from the Internet ahead of the heavy-use subscriber.

Second, the company took the FCC to court, arguing that the FCC had exceeded their authority in determining how the corporation can manage their networks. The courts recently returned with a decision in Comcast’s favor: the FCC’s order that Comcast cease the issuance of RST packets using DPI equipment is now invalidated on the basis that the FCC decision exceeded their authority. This sends a message that American telecommunications carriers can use equipment, as they perceive needed, to manage their networks and such usage includes mobilizing DPI to actively disrupt customers’ data traffic. Whether there will actually be a return to the use of RST packets is questionable – clearly consumers resent this usage of DPI equipment – but it is important that such disruptive activity on the part of a broadband operator is (for now, at least) legally permissible.

Turning to Canada

In Canada, there has been a substantial amount of attention directed towards the use of DPI equipment since 2007 when CAIP filed a complaint about Bell’s use of the technology to affect how CAIP’s customers’ data traffic was being transmitted through Bell’s infrastructure. The result of Bell v. CAIP, and the 2008/9 CRTC investigation into how DPI is used by ISPs more widely, was positive in some lights. Positively, out of the 2008/9 investigation the CRTC asserted:

• the blocking of content is prohibited unless approved by the CRTC;
• when noticeable degradation of service for time sensitive services occurs, then a traffic management system amounts to controlling the content or influencing its meaning. As such, any actions that create such a degradation require approval by the CRTC;
• the CRTC affirmed that it works in a complementary fashion with the Privacy Commissioner of Canada and that telecommunications providers are held to a higher standard than that contained in PIPEDA alone. Critically, not only are primary ISPs (e.g Bell, Rogers, Cogeco, etc.) prohibited from using data gathered from traffic management for anything other than management actions, but “the Commission directs all primary ISPs, as a condition of providing wholesale services to secondary ISPs, to include, in their service contracts or other arrangements with secondary ISPs, the requirement that the latter not use for other purposes personal information collected for the purposes of traffic management and not disclose such information.”
• economic measures are preferred to technical traffic management processes;

Key is that the CRTC has not forbidden ISPs from using DPI, and has instead put strong conditions on what are and are not permissible uses of the technology. What remained permissible was that delaying non-time sensitive services (e.g. email, peer-to-peer, FTP, etc) does not require CRTC approval, and wholesale ISPs (e.g. TekSavvy, Execulink) remain affected by DPI and can expect to receive a mere 30 to 60 day notification before primary ISPs make material changes that would affect wholesale ISPs. Thus, should Rogers significantly modify how they will use DPI in their network their wholesale customers can expect a short period of time before those changes will affect the entire network.

The privacy element of the CRTC’s ruling was reinforced in the Privacy Commissioner of Canada’s ruling on deep packet inspection, which required Bell to note on their website that personal information (i.e. subscriber ID and IP address) was briefly collected (and then quickly discarded) in the ongoing use of DPI. Emergent from the CRTC and OPC’s decisions, we can comfortably say that Canada has a strong set of regulatory bones when it comes to DPI; what’s left is fleshing the bones out, which will presumably continue to happen over the coming months and years.

Comparisons and Conclusions

So, how might we draw a comparison between the US and Canada? To being, in the US non-regulated processes are exclusively meant to limit the use of behavioural advertising – though as demonstrated by Chris Soghoian’s work such self-regulation is practically non-regulation in the advertising business - and that the traffic management questions linger in the air. ISPs in the US have (at least temporarily) managed to get a bit more freedom from the FCC with the decision favouring Comcast, and the FTC has been unwilling to strongly regulate ISPs’ uses of DPI. Thus, the American reality stands in stark contrast to Canada: Canadians have a skeleton of regulated guidelines that ISPs are required to adhere to, whereas the US remains a relatively unregulated marketplace for DPI.

Given the different regulatory environments, we cannot expect civil or governmental bodies that are interested in the use of DPI to adopt similar language or regulatory tools in their approaches, but this shouldn’t prevent interested parties from identifying common language and regulatory principles to see what does and does not work. Further, such comparative projects could try and identify differences that emerge when there is greater transparency (either required by regulation or performed on a voluntary basis) surrounding the development, deployment, and usage of the technologies. This would (and, in Canada, arguably did) enable advocates to more clearly articulate their messages in relation to where interested parties are kept in the dark about the technologies. In addition to improving the calibre of debate surrounding the technology, transparency can simultaneously alleviate some of the concerns that emerge when our communications systems are mediated by an unknown technical power, in unknown manners, for less than clear corporate means. Democracies thrive on their freedom of speech, and it is critical for citizens to be involved in legitimating or regulating the infrastructures that carry that speech.

Ultimately, citizens of Canada and the US need to understand how their communications are regulated and have a clear and valued voice in shaping the structure of their communications systems; citizens along with government and business, as opposed to business and deep packet inspection alone, must be responsible for choosing the ‘winning’ applications that facilitate digital communications across the Internet.

Interested in more? Subscribe to our RSS feed for new essays and site news as it comes available.