<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Office of the Privacy Commissioner - Deep Packet Inspection</title>
	<atom:link href="http://dpi.priv.gc.ca/index.php/feed/" rel="self" type="application/rss+xml" />
	<link>http://dpi.priv.gc.ca</link>
	<description>Essays on Deep Packet Inspection</description>
	<lastBuildDate>Tue, 04 Oct 2011 15:22:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.3</generator>
		<item>
		<title>Final Reply Submission from the Office of the Privacy Commissioner of Canada</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/final-reply-submission-from-the-office-of-the-privacy-commissioner-of-canada/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/final-reply-submission-from-the-office-of-the-privacy-commissioner-of-canada/#comments</comments>
		<pubDate>Fri, 23 Oct 2009 18:21:25 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>

		<guid isPermaLink="false">http://dpi.priv.gc.ca/?p=282</guid>
		<description><![CDATA[In November 2008, the Canadian Radio-television and Telecommunications Commission (CRTC) initiated a public proceeding to review the Internet traffic management practices of Internet Service Providers (ISPs). The CRTC called for written submissions in February 2009. The OPC welcomed the opportunity to contribute to the public discussion with respect to the protection of personal information on [...]]]></description>
			<content:encoded><![CDATA[<p>In November 2008, the Canadian Radio-television and Telecommunications Commission (CRTC) initiated a public proceeding to review the Internet traffic management practices of Internet Service Providers (ISPs).<br />
The CRTC called for written submissions in February 2009. The OPC welcomed the opportunity to contribute to the public discussion with respect to the protection of personal information on the Internet, and <a href="http://www.priv.gc.ca/information/pub/sub_crtc_090218_e.cfm" target="_blank">submitted comments</a>.</p>
<p>As part of the review proceedings, the CRTC held public hearings from July 6 to 14, 2009. All parties who submitted initial comments were invited to participate. Parties were also invited to submit a “final reply” to the proceedings by July 28th, 2009. A final reply is intended to give the parties a last opportunity to address any issues raised during the proceedings. A final reply is also meant to ensure that the CRTC has the most complete record possible of relevant issues and evidence upon which to ground any future policy direction, order or telecom decision relating to Internet traffic management.</p>
<p>The OPC’s submission and final reply are made pursuant to our legislative mandate to protect the privacy rights of individuals, foster public understanding of privacy, and promote the privacy protections available in Canada. Both OPC submissions to this proceeding are focused on the privacy implications of the potential uses of deep packet inspection (DPI) and, more generally, the crucial need &#8211; and growing expectation &#8211; of Canadians that their personal information is protected online.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br />
Mr. Robert A. Morin<br />
Secretary General<br />
Canadian Radio-television and Telecommunications Commission<br />
Ottawa, ON<br />
K1A 0N2</p>
<p>Dear Mr. Morin:</p>
<p><strong>Re: Telecom Public Notice CRTC 2008-19 &#8211; Review of the Internet traffic management practices of Internet service providers; Final Reply Submission from the Office of the Privacy Commissioner of Canada </strong></p>
<p>1.	On February 18, 2009, the Office of the Privacy Commissioner of Canada (OPC)(1) made a submission(2) to the Canadian Radio-television and Telecommunications Commission (CRTC) as an interested party to the above proceedings. The OPC’s submission was made pursuant to its legislative mandate to protect the privacy rights of individuals and promote the privacy protections available to Canadians.(3)</p>
<p>2.	The OPC’s initial submission was focused on the privacy implications of Internet traffic management practices employed by internet service providers (ISPs). Specifically, the OPC’s comments addressed privacy concerns about the potential use of Deep Packet Inspection (DPI).</p>
<p>3.	From July 6th to July 14th, 2009 the CRTC conducted 7 days of public hearings (the hearings) for the proceeding.  The CRTC heard evidence from public interest advocacy groups, industry organizations, manufacturers of equipment and technologies used to manage networks, ISPs and interested individuals.</p>
<p>4.	The CRTC has given parties the opportunity to respond to issues raised during the proceedings in a Final Reply. This submission serves as the OPC’s Final Reply to privacy issues raised by the CRTC Panel and parties that appeared at the hearings.</p>
<p>5.	The OPC acknowledges that the ISPs and others gave evidence before the Hearing Panel that DPI is not currently used by operators for purposes other than network management. The ISPs stated that customer personal information(4), that is being handled in Internet traffic management practices (ITMPs) such as DPI, is not being used for marketing purposes. Specifically, ISPs claimed that they do not engage in targeted or behavioural advertising using information obtained through DPI.</p>
<p>6.	<em>The Personal Information Protection and Electronic Documents Act</em> (PIPEDA),(5) applies to personal information(6)  handled by ISPs in the course of providing Internet services to customers. PIPEDA requires that there be informed and meaningful consent for any purpose different from the original.</p>
<p>7.	Our Final Reply will address the following:</p>
<p><strong>I.	The CRTC has a statutory obligation and recognized expertise to protect privacy. </strong></p>
<p><strong>II.	PIPEDA provides a basic standard for privacy protection: The CRTC may set higher, industry specific guidelines.</strong></p>
<p><strong>III.	Privacy and legitimate business interests can be addressed using a balancing test: The example of OPC Findings under PIPEDA. </strong></p>
<p><strong>IV.	Canadians care about personal privacy and are entitled to know how their personal information is being handled and protected.</strong></p>
<p><strong>I.	The CRTC has a statutory obligation and recognized expertise to protect<br />
privacy.</strong></p>
<p>8.	According to Canadian telecommunications policy, the CRTC is required to safeguard the privacy of individuals and their communications. This policy is set out in paragraphs 7(a) and (i) of the<em> Telecommunications Act</em>: (7)</p>
<blockquote><p>7. It is hereby affirmed that telecommunications performs an essential role in the maintenance of Canada’s identity and sovereignty and that the Canadian telecommunications policy has as its objectives</p>
<p>(a) to facilitate the orderly development throughout Canada of a telecommunications system that serves to safeguard, enrich and strengthen the social and economic fabric of Canada and its regions;<br />
…<br />
(i)	to contribute to the protection of the privacy of persons.</p></blockquote>
<p>9.	During the Hearings, a number of parties to the proceeding took the position that they preferred that the CRTC refrain from regulating the Internet traffic management practices of ISPs with respect to privacy. In response, the Panel reminded the parties that, under the Act, the CRTC not only has statutory authority to protect privacy, but indeed, an express obligation to do so, reflecting the intention of Parliament in its enabling legislation.</p>
<p>10.	Moreover, the CRTC is a specialized, decision-making tribunal with recognized expertise over telecommunications matters.(8) Bill C-27, the <em>Electronic Commerce Protection Act</em> (ECPA), currently before the Standing Committee on Industry, Science and Technology, is an example of Parliament recognizing the specific expertise of both the OPC and the CRTC over areas of overlapping concern.(9) The CRTC has the institutional knowledge and experience to craft appropriate measures to encourage technological innovation and economic growth within this industry, and ensure that the privacy of Internet users in Canada is respected.</p>
<p><strong>II.	PIPEDA provides a basic standard for privacy protection: The CRTC may set higher, industry specific guidelines.</strong></p>
<p>11.	In exercising its powers under the<em> Telecommunications Act</em>, the CRTC may apply higher standards to protect privacy than those contemplated by PIPEDA.(10)</p>
<p>12.	Our original submission noted that the CRTC and the OPC have recognized complementary statutory roles regarding privacy protection.(11)  Their statutory roles are related, but not redundant. While the OPC and CRTC have overlapping jurisdiction with respect to both privacy protection and communications service providers,(12)  their functions and powers differ significantly.</p>
<p>13.	The <em>Telecommunications Act</em> is sector-specific. The Act enables the CRTC to create specific guidelines and regulations to address concerns within the industry. The Act gives the CRTC the ability to enhance privacy protection for Canadians. For example, under the Telecommunications Act, the CRTC has:</p>
<ul>
<li> the authority to make binding decisions and orders</li>
<li> the ability to regulate both Internet services and the use of communications technologies used to deliver those services. This is a significant regulatory power which allows the CRTC to ensure that privacy is built into technologies used by the communications industry across Canada.</li>
</ul>
<p>14.	As noted by the Panel during the hearings, PIPEDA is, in contrast to the <em>Telecommunications Act</em>, a statute of general application. PIPEDA broadly applies to personal information collected by an organization in the course of commercial activity. The Act applies to organizations across diverse industries and in a wide variety of contexts.</p>
<p>15.	PIPEDA represents a basic standard for how organizations should manage personal information. The CRTC, through its regulatory powers, may exceed PIPEDA’s standard if, in its expert opinion, the proposed requirement is consistent with the public interest and Canadian telecommunications policy, as set out under the <em>Telecommunications Act</em>.(13)</p>
<p><strong>III.	Privacy and legitimate business interests can be addressed using a balancing test: The example of OPC Findings under PIPEDA.</strong></p>
<p>16.	The legislative purpose of PIPEDA is to protect personal information while recognizing the reality of modern commerce, which, increasingly, is characterized by virtual, electronic transactions, propelled by rapid advances in information technology.(14)</p>
<p>17.	The bedrock of PIPEDA is individual consent, which can be express or implied, depending on the circumstances.(15) Even with consent, organizations must limit collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate under the circumstances.(16)</p>
<p>18.	The “reasonable person” test is central to privacy protection under PIPEDA and echoes the <em>Oakes</em>(17) test developed by the Supreme Court of Canada.</p>
<p>19.	The OPC has applied(18) the reasonable person test, with its consideration of less privacy-invasive methods, as part of an overall assessment of reasonableness under PIPEDA. The test is applied contextually, on a case-by-case basis, to strike the appropriate balance between individual privacy concerns and legitimate business interests.</p>
<p>20.	From a privacy perspective, this approach is consistent with the Chair’s observations during the hearings.(19)</p>
<p><strong>IV.	Canadians are concerned about privacy and are entitled to know how their personal information is being handled and protected.</strong></p>
<p>21.	Whether the collection, use, or disclosure of personal information is perceived as minimal, or conducted for a legitimate purpose in the ordinary course of business, it should be remembered that whenever personal information is implicated, the issue of privacy will be raised. This is also true in instances where an organization claims to merely “access” personal information using DPI, and not “monitor,” store or disclose that information for purposes other than network management.</p>
<p>22.	Privacy is fundamentally a right from which other essential freedoms flow. The OPC’s initial submission for this proceeding cites extensive Canadian jurisprudence and statute law confirming this principle.(20) Members of the Panel repeatedly affirmed throughout the hearings that privacy is a fundamental right. Privacy has an inherent social and human value that transcends a singular regulatory regime or statute.</p>
<p>23.	Canadians have mounting concerns about the preservation of privacy rights. They are entitled to have clear, easily accessible, and meaningful safeguards of their personal information, and how it is managed by ISPs implementing traffic management practices. They expect that their personal information will not be misused, that it will be treated with a high standard of care by the organizations they choose to do business with, and that the public bodies tasked with the duty to protect their privacy will not hesitate to do so.</p>
<p>Respectfully submitted,</p>
<p>Jennifer Stoddart<br />
Privacy Commissioner of Canada</p>
<p>1. Office of the Privacy Commissioner of Canada: http://www.priv.gc.ca/<br />
2. Deep Packet Inspection: Review of the Internet traffic management practices of Internet Service Providers by the Office of the Privacy Commissioner of Canada: http://dpi.priv.gc.ca/index.php/essays/review-of-the-internet-traffic-management-practices-of-internet-service-providers/<br />
3. Office of the Privacy Commissioner of Canada, About Us, Mandate and Mission: http://www.priv.gc.ca/aboutUs/mm_e.cfm#contenttop<br />
4. Section 2(1) of PIPEDA provides that “personal information” means “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” For examples of OPC findings on what constitutes personal information, see OPC Interpretation “The Meaning of Personal Information” (2008): http://www.priv.gc.ca/leg_c/interpretations_02_e.cfm, citing PIPEDA Case Summary #25 (2001) &#8211; A broadcaster accused of collecting personal information via Web site &#8211; http://www.priv.gc.ca/cf-dc/2001/cf-dc_011120_e.cfm; and   PIPEDA Case Summary #319 (2005): ISP&#8217;s anti-spam measures questioned<br />
http://www.priv.gc.ca/cf-dc/2005/319_20051103_e.cfm<br />
5. 2000, c. 5<br />
6. Information need not be recorded for it to constitute personal information. It is sufficient that the information be about an identifiable individual even if the information is not in a recorded form, such as oral conversations, biological samples and real time video surveillance. While the absence of a recording may go to the issue of collection, it does not change the fact that the information is personal information (Morgan v. Alta Flights Inc. (2006) FCA 121, affirming (2005) FC 421 &#8211; http://decisions.fct-cf.gc.ca/en/2005/2005fc421/2005fc421.html.)<br />
7. S.C. 1993, c. 38<br />
8. British Columbia Telephone Co. v. Shaw Cable Systems (B.C.) Ltd., [1995] 2 S.C.R. 739 at paras 30 and 33 &#8211; http://csc.lexum.umontreal.ca/en/1995/1995rcs2-739/1995rcs2-739.html; Englander v. Telus Communications Inc., 2004 FCA 387 (2004) at para 72 &#8211; http://decisions.fca-caf.gc.ca/en/2004/2004fca387/2004fca387.html.<br />
9. Speech, Notes for an address by Konrad von Finckenstein, Q.C., Chairman, Canadian Radio-television and Telecommunications Commission to the Standing Committee on Industry, Science and Technology, Ottawa, Ontario, June 18, 2009 regarding Bill C-27, the Electronic Commerce Protection Act (ECPA) &#8211; http://www.crtc.gc.ca/eng/NEWS/SPEECHES/2009/s090618.htm.  See also generally Bill C-27, ECPA  &#8211; http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=3832885&amp;Language=e&amp;Mode=1<br />
10. Telecom Decision CRTC 2003-33, May 30, 2003<br />
11.  Telecommunications Policy Review Panel, Ch. 6 Social Regulation http://www.telecomreview.ca/eic/site/tprp-gecrt.nsf/eng/rx00060.html<br />
12. Englander v. Telus Communications Inc. 2004 FCA 387 at 79 &#8211; http://decisions.fca-caf.gc.ca/en/2004/2004fca387/2004fca387.html<br />
13. British Columbia Telephone Co. v. Shaw Cable Systems (B.C.) Ltd., [1995] 2 S.C.R. 739 at paras 30 and 33 &#8211; http://csc.lexum.umontreal.ca/en/1995/1995rcs2-739/1995rcs2-739.html; Englander v. Telus Communications Inc., 2004 FCA 387 (2004) at para 72 &#8211; http://decisions.fca-caf.gc.ca/en/2004/2004fca387/2004fca387.html.<br />
14. Section 3 of PIPEDA states as its purpose: “to establish, in an era in which technology increasingly facilitates the collection, use and disclosure of information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”<br />
15. Clause 4.3 of Schedule 1, and section 7 of PIPEDA listing the exceptions to the consent requirement. See also OPC &#8211; Determining the appropriate form of consent under the Personal Information Protection and Electronic Documents Act Fact Sheet (2004) &#8211; http://www.priv.gc.ca/fs-fi/02_05_d_24_e.cfm<br />
16. Ss 3 and 5(3) of PIPEDA; see also OPC Fact Sheet: Complying with the Personal Information Protection and Electronic Documents Act (2005) &#8211; http://www.priv.gc.ca/fs-fi/02_05_d_16_e.cfm<br />
17. In the seminal constitutional law case, R. v. Oakes [1986] 1 S.C.R. 103 &#8211; http://scc.lexum.umontreal.ca/en/1986/1986rcs1-103/1986rcs1-103.html<br />
18. For example, see the OPC’s Findings under PIPEDA, particularly: PIPEDA Case Summary #351 (2006) &#8211; Use of personal information collected by Global Positioning System considered &#8211; http://www.priv.gc.ca/cf-dc/2006/351_20061109_e.cfm<br />
19. Transcript of proceedings before the CRTC &#8211; Review of the internet traffic management practices of internet service providers &#8211; http://www.crtc.gc.ca/eng/transcripts/2009/tt0714.htm at 6337 and 6818.<br />
20. Ibid, note 2 at paras 17 and 18.</p>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/final-reply-submission-from-the-office-of-the-privacy-commissioner-of-canada/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy is about use cases, not about technology</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/privacy-is-about-use-cases-not-about-technology/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/privacy-is-about-use-cases-not-about-technology/#comments</comments>
		<pubDate>Mon, 01 Jun 2009 16:55:24 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>

		<guid isPermaLink="false">http://dpi.priv.gc.ca/?p=275</guid>
		<description><![CDATA[The rise of the consumer Internet has given unprecedented ease of access to information which once may have been considered private and personal, including information from newsgroup postings, personal blogs, social networking sites, and, in some cases, from unintentional information leakage or even intentional information theft.]]></description>
			<content:encoded><![CDATA[<p>Chief Technology Officer, Sandvine Incorporated<br />
<em> An essay commissioned as a contribution to a publication by the Office of the Canadian Privacy Commissioner</em></p>
<h4>Introduction</h4>
<p>Communications technologies have changed people’s views of personal privacy for hundreds of years. The invention of the printing press allowed wide-scale distribution of information about public figures that was previously impossible, funding an industry of paparazzi and tabloid reporters who appealed to the public’s prurient interests as a means of selling advertising. The rise of the consumer Internet has given unprecedented ease of access to information which once may have been considered private and personal, including information from newsgroup postings, personal blogs, social networking sites, and, in some cases, from unintentional information leakage or even intentional information theft. The amount of information about individuals that is available through a simple search engine would have been considered astonishing as recently as 10 years ago. Society has always adapted to changes in technology with a give and take, modifying guidelines and accepted practices on information usage, and realigning expectations with respect to information privacy. Will the Internet continue this trend, or are privacy concerns and progress destined to oppose each other?</p>
<h4>Legislation and Technology</h4>
<p>Legislation has often struggled to keep up with technology. Where a new technology has created a perceived need for legislation, legislators have often tended to focus on the technology itself, rather than the use cases involved. In essence, they focus on writing the letter of the law when they should focus on the spirit. Take for example the case of American jurist Robert Bork. Other than being famous for acquiescing to Richard Nixon’s will and firing special prosecutor Archibald Cox, he is known for being a candidate to the US Supreme Court. During the debate of his nomination, Bork’s video rental history was leaked to the press, which in turn led to the enactment of the Video Privacy Protection Act. In this case, the law clearly did not stay abreast of technology, and was enacted for the narrow purpose of preventing information about VHS tape rentals from reaching the public, anticipating neither DVD rentals 10 years later, nor video on demand over cable, nor Internet-based video distribution. If society had acted to place guidelines on ‘dissemination of entertainment preference information’, which was the actual intent, we would have been better served, rather than having legislation narrowly targeted to a specific technology.</p>
<h4>Societal Expectation</h4>
<p>Privacy is all about the expectations of those involved. As a consumer, I expect the content of my email message to be private between me and my intended recipient, regardless of whether I send it via my residential Internet service provider’s mail server, or via a web-based service such as Google’s Gmail or Microsoft’s Hotmail. If this email were to be used by anyone other than my intended recipient, my expectation of privacy would not be met, regardless of whether this unauthorised use was facilitated by the Internet service provider I am using or by a web-based service I am using. The societal expectation of privacy applies to the use of the information, not the method or point of interception. To allow a model where a web-based provider of email services can read my email, and use the contents to build a profile of me for advertising purposes, but not allow an Internet service provider (also with my consent) to do the same thing is to create an imbalance in my expectations that the majority of email users do not appreciate. Privacy use cases should be viewed through the expectations of the information originator, not through the specific narrow methods which are used to gather the information.</p>
<h4>Demonising Technology</h4>
<p>Throughout history, control of terminology has been used as a method of setting agendas and inciting preconceived conclusions on the basis of nomenclature alone. It appears that this is becoming true again in the current privacy debate regarding the term “deep packet inspection” and its acronym “DPI”. Deep packet inspection is, from a network engineering and architectural perspective, the act of any network equipment which is not an endpoint of a communication using any field other than the layer 3 destination IP address for any purpose. DPI has been used for years in providing voice over Internet protocol (VoIP) services (e.g. in a session border controller), for providing safe and secure traversal of consumer and enterprise firewalls, for providing network address translation services, and for managing quality of service in a network.<br />
Unfortunately, in the summer of 2008 a special committee of the US Congress invited testimony on the subject of behavioural targeting in Internet-based advertising. The specific technique investigated was, perhaps inadvertently, labelled as DPI. Rather than focus on the use cases (e.g. whether it was acceptable to build a profile of a user for the purpose of targeted advertising), the technology itself became the focus of the examination. It appears that as a result of this inquiry and the press coverage and commentary arising from it, in the public’s mind, all uses of DPI now somehow, by definition, involve privacy invasion, rather than just those that go into specific content and use the information.</p>
<p>DPI is a required technology as part of the Internet’s evolution, being critical to the evolution from IPv4 to IPv6, to providing quality voice services, etc. DPI need not involve inspecting the ‘content’ of a communication, but is required to address fields other than the layer-3 destination IP. For example, service providers of all access types (cable, DSL, FTTx, wireless) have used DPI to understand and manage traffic in their networks. The most common applications – network capacity planning, congestion management and mitigating malicious traffic like denial of service attacks and spam – do not require the inspection of content. To be clear, applications such as these do not read your mail, listen to your voice calls, or watch the video you are streaming. They inspect only those locations of a packet that hold identifying signature characteristics to the extent necessary to see if there is a match with the signature profile in the library. Once identification has occurred, further inspection stops and the attributes examined in the process of arriving at that identification are “forgotten”. Machines which make instantaneous automated decisions on network information and do not share that with humans are not a threat to privacy, but are a requirement for reliable communication. Demonising a broad class of technologies, in this case DPI technologies, is not serving any useful purpose in ensuring privacy.</p>
<p>The public would be best served by guidelines for online information usage, rather than for the means of information collection. From an end-user perspective, it does not matter to me whether someone builds a profile of me by looking at packets on the wire, or by placing cookies on the web sites I visit. Both yield the same result: some third party builds a model of my interests and behaviours.</p>
<h4>Conclusions</h4>
<p>Humans are adaptable. Society will evolve. Our concept of privacy in the information age will change over time, and our expectations of what uses are private will become clearer. If we focus on the use cases in a user-centric fashion, rather than the techniques or technologies, these guidelines will be easier to convey and enforce. Society is not well served by a narrow focus like protecting the privacy of video cassette tape rentals, nor is it well served by trying to prevent a technology because it has concerns with one of the use cases the technology enables. DPI is needed for our continued innovation of the Internet. Let us focus on making our future spirit of privacy expectations clear rather than limiting our attention to one particular means.</p>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/privacy-is-about-use-cases-not-about-technology/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>DPI can be misused – so can a hammer</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/dpi-can-be-misused-so-can-a-hammer/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/dpi-can-be-misused-so-can-a-hammer/#comments</comments>
		<pubDate>Mon, 11 May 2009 17:47:56 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[Inspection]]></category>
		<category><![CDATA[Packet]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://dpi.priv.gc.ca/?p=258</guid>
		<description><![CDATA[Coming a bit late to the party as I am, I think the other essays on DPI capture most of the issues that I would want to talk about. So I won&#8217;t, especially since I agree with most of the essayists on the issues surrounding network neutrality, spying and privacy. However, there&#8217;s one critical aspect [...]]]></description>
			<content:encoded><![CDATA[
<p>Coming a bit late to the party as I am, I think the other essays on DPI capture most of the issues that I would want to talk about. So I won&#8217;t, especially since I agree with most of the essayists on the issues surrounding network neutrality, spying and privacy.</p>
<p>However, there&#8217;s one critical aspect missing from all of the other essays which at first surprised me completely. On second thought, perhaps it wasn&#8217;t so surprising, because none of the other writers seem to be in the front line of Internet Security with a handle on current and ongoing threats.</p>
<p>This issue is that of malware, spambots, viruses, phishing, trojans, keyloggers, denial of service, malicious downloaders, &#8220;DNS attacks&#8221; and so on.</p>
<p>On a daily basis we track tens of millions of infected computers (mostly home computers) participating in the sending of billions of email spams per day, resulting in distributed denial of service attacks, identity/credit card/credential theft, money laundering, keystroke logging and so on.<span> </span>Also we see legitimate web sites and other services being &#8220;hacked&#8221; so as to leave malicious software to drop on the unwary.</p>
<p>Attacks on DNS (the name service that maps the name of where you want to go to its Internet location) is one of the newer and most dangerous threats.<span> </span>You think you&#8217;re on your bank&#8217;s site managing your account?<span> </span>No, you&#8217;re not, you have someone eavesdropping (man-in-the-middle attack via perversion of your DNS lookups) on your conversation, and they will deplete your account shortly thereafter.<span> </span>Encryption (eg: https/SSL) can help, but not always because there are attacks that can subvert that or confuse the user too.</p>
<p>The sheer magnitude of the problem is staggering &#8211; and getting worse.<span> </span>This isn&#8217;t visible to people not specializing in the field because for the most part organized crime is very good at hiding (some can fool even the experts at times), and ISPs have been struggling to shield their users from it.</p>
<p>Still, it is becoming increasingly dangerous to your bank balance and your privacy to use the Internet.<span> </span>The criminals are getting better at their attacks with new tools and techniques, and network security has to keep pace.</p>
<p>The reality is also that law enforcement’s efforts to catch and prosecute such criminals have been spotty at best, and at least for the medium term, they are an ineffective weapon for dealing with this. We&#8217;re doing our best, and we do have successes, but the overall effects have been minimal so far.</p>
<p>Another unpleasant reality is that anti-virus/spyware packages are becoming increasingly ineffective. Less than 23% of all new infectors are caught by any anti-virus solution, and these packages are seldom useful in preventing current infectors from taking hold.</p>
<p>When it really comes down to it, discussions about privacy, network neutrality and the other issues brought up in the other essays here won&#8217;t mean anything if users can no longer trust the services they use, nor indeed even their own computers. Even full encryption isn&#8217;t a panacea. As more and more people distrust the Internet, the Internet will suffer, and perhaps even die with catastrophic economic consequences.</p>
<p>It&#8217;s true that many ISPs are looking into Deep Packet Inspection (DPI) in ways that we may not like (non-network-neutral bandwidth shaping decisions, &#8220;phorm-like&#8221; marketing intelligence gathering, or even outright &#8220;spying&#8221; et cetera). Those were possible without DPI and will remain so, whether or not DPI exists.</p>
<p>However, perhaps the biggest incentive for DPI within Internet providers and businesses is the detection and interception of malicious traffic that no user wants, and identifying which user has these infections so as to assist them in getting the infection removed.</p>
<p>In other words, providers are trying to protect their customers from organized crime attacking them.</p>
<p>DPI can detect when the popular social networking site you just visited has been hacked and tries to download a virus onto your computer, or when an email sent to you contains something malicious, and stop it. It can detect when the virus activates and tries to operate. It can detect where the attacks originate from. And so on.</p>
<p>DPI can be misused. So can a hammer. We don&#8217;t ban hammers. We <em>do</em> ban the bad things you can do with a hammer.</p>
<p>We need to consider DPI as just another tool. DPI is a very powerful one that can be misused, but it&#8217;s still just a tool.</p>
<p>Rather than talk about DPI in terms of the things we don&#8217;t want DPI to do, we as a society have to decide what things we do/don&#8217;t want done, regardless of what technology is used to do it. If we want network neutrality, then that&#8217;s what we should regulate, not a particular tool that may or may not be used for it.</p>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/dpi-can-be-misused-so-can-a-hammer/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Deep Packet Inspection and the Human Element</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/deep-packet-inspection-and-the-human-element/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/deep-packet-inspection-and-the-human-element/#comments</comments>
		<pubDate>Mon, 11 May 2009 17:38:03 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[Inspection]]></category>
		<category><![CDATA[Packet]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://dpi.priv.gc.ca/?p=265</guid>
		<description><![CDATA[The Internet is often portrayed as an impregnable fortress of free expression and privacy: a world in which the technology itself is designed to resist any intervention by third-parties. In fact the Internet&#8217;s infrastructure and functioning depend crucially on the behavior of intermediaries, such as Internet service providers (ISPs). Challenging the existing norm &#8211; that [...]]]></description>
			<content:encoded><![CDATA[<p>The Internet is often portrayed as an impregnable fortress of free expression and privacy: a world in which the technology itself is designed to resist any intervention by third-parties. In fact the Internet&#8217;s infrastructure and functioning depend crucially on the behavior of intermediaries, such as Internet service providers (ISPs). Challenging the existing norm &#8211; that ISPs have no role in examining their customers&#8217; traffic, as widespread adoption of deep packet inspection threatens to &#8211; profoundly weakens the already shaky protection of Internet users&#8217; privacy.</p>
<p>Professor Larry Lessig writes in Code and Other Laws of Cyberspace<a name="1"></a><a href="#foot1">[1]</a> that four forces regulate behaviour on-line: code, law, norms and markets.  In the case of deep-packet inspection and other forms of Internet surveillance, code is currently no impediment at all.  Most Internet communications take place in &#8220;plain text&#8221; &#8212; unencrypted data that is as easy to read as a postcard sent through the postal system.  These unprotected data packets are passed through dozens of computers, any of which could peer into their contents.  Deep-packet inspection is merely a matter of one machine&#8217;s diverting this flood of data, and doing what computers do best: analyzing their contents.</p>
<p>A single line of code, run on a standard PC running Linux or MacOS with generally-available software, can conduct &#8220;deep packet inspection&#8221; across everyone communicating over your local network, and search for a keyword in all users&#8217; communications.</p>
<p># tcpdump -A -s0 -i eth0 | grep privacy</p>
<p>Can existing law defend users&#8217; privacy? Many national laws provide strong protections for the privacy of communications &#8212; but in a world of plain-text traffic, enforcement of such laws is a constant challenge.</p>
<p>It&#8217;s also a constant temptation to stretch, bend, or circumvent these rules.  Apart from encrypted traffic, surveillance on the present Internet is not only easy, but nigh undetectable.  Reading email and web traffic requires no steamed-open envelopes. Often, the inspection of Internet traffic can be revealed only by human whistle-blowers like Mark Klein, a retired AT&amp;T employee who provided details of a secret surveillance system installed in the telephone company&#8217;s facilities in San Francisco.<a name="2"></a><a href="#foot2">[2]</a></p>
<p>Markets can provide incentives to protect customer privacy &#8212; but can also incentivize prying. Many ISPs are now mulling the financial benefits that might come from various applications of deep packet inspection to their own customers&#8217; communications. Companies like Phorm<a name="3"></a><a href="#foot3">[3]</a> in the United Kingdom have proposed that ISPs scan the private traffic of their users to create marketing &#8220;profiles&#8221;, which can then be used to more precisely target advertising to them. Naturally, the more information that is collated on an Internet user, the more valuable that data is.</p>
<p>In practice, a remarkable part of the burden of discouraging mass surveillance online relies on ISPs’ internal cultural norms. Because the techniques are so simple, the data so valuable, and the extent of the privacy violations unbounded, intermediaries are forced to impose a bright line themselves to avoid the temptation to investigate every packet that passes through them.</p>
<p>Unwritten norms like this are most effective when human oversight exists in Internet surveillance. The more customers and ISPs know, the more reticent they are to conduct or condone such behaviour.</p>
<p>Ironically, the aspect of deep-packet-inspection that reassures many may also embody its profoundest risk. In the case of Phorm’s ad targeting, dragnet government surveillance, and automated ISP filtering for particular content, the argument is often made that the surveillance is acceptable because &#8220;no humans see the intercepted data&#8221; &#8211; that it&#8217;s just a machine watching.</p>
<p>It may be easier to feel uneasy about a human being looking over one&#8217;s shoulder than an appliance in a remote server room crunching out statistics.  But to the extent that humans are taken out of the loop, it is harder to detect or report abuses, and harder still to resist &#8220;mission creep&#8221;. Without careful oversight, the subtlest and most apparently reasonable deep packet inspection can turn into a tool for widespread privacy violation with just a few more lines of code. The packets are there; the data is present; the machines are flexible. After all, if we spy on all data for intellectual property infringement, should we not inspect all private data for potential terrorist attacks, a far more pressing social threat? And if our automatic IP filters work so well without human intervention, perhaps we are happy to run our &#8220;bad politics&#8221; filters with a similar lack of oversight?</p>
<p>Much of what has protected our privacies online thus far is the ISP world&#8217;s thin cultural norm that your private communications really are private to you and those you address. If deep packet inspection replaces ISPs&#8217; bright line of ignoring the data passing under their eyes, the Internet may truly become lawless; with ineffective privacy laws, a culture within intermediaries of consequence-free surveillance, and an emergent new marketplace of private communications, sold to the highest bidder.</p>
<p><a name="foot1"></a><a href="#1">[1]</a> <a href="http://www.code-is-law.org/" target="_blank">http://www.code-is-law.org/</a><br />
<a name="foot2"></a><a href="#2">[2]</a> <a href="http://www.eff.org/issues/nsa-spying" target="_blank">http://www.eff.org/issues/nsa-spying</a><br />
<a name="foot3"></a><a href="#3">[3]</a> <a href="http://en.wikipedia.org/wiki/Phorm" target="_blank">http://en.wikipedia.org/wiki/Phorm</a></p>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/deep-packet-inspection-and-the-human-element/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Just Deliver the Packets</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/just-deliver-the-packets/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/just-deliver-the-packets/#comments</comments>
		<pubDate>Wed, 25 Mar 2009 13:24:36 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[Inspection]]></category>
		<category><![CDATA[Packet]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://172.16.1.100:8888/?p=71</guid>
		<description><![CDATA[The real threat of censorship comes not from government guarantees of content neutrality, but from carriers discriminating on the basis of content, source, and destination—probably in favor of the powerful and against the weak.]]></description>
			<content:encoded><![CDATA[
<div class="creativeCommons">Licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" target="_blank">Creative Commons Attribution-Noncommercial-Share Alike 3.0<br />
Unported License</a></div>
<p class="MsoNormal">“Neither rain, nor snow, nor heat, nor gloom of night stays these couriers from the swift completion of their appointed rounds.” So wrote Herodotus of the fifth-century-BCE packet delivery service used by Xerxes, king of the Persians. This famous passage is inscribed on the general post office in New York City. Less familiar are the next words of the text: “The first courier transfers the message to the second, the second to the third, and thence it passes from one to the next.”<a name="_ftnref"></a></p>
<p class="MsoNormal">Though the technologies have changed, the principles have not. Break the delivery chain into segments; provide fast service on each link; make your best effort to complete the handoff at each stage; and don’t try to do anything else with the message except to deliver it.</p>
<p class="MsoNormal">In the Internet, “deep packet inspection” (DPI) is usually described as the practice by Internet Service Providers (ISPs) of looking at the contents of packets, not just their addresses, before deciding how to deliver them. In fact, DPI is more than that: “inspection” is a euphemism. As actually used, DPI may involve introducing forged packets into the data stream—packets apparently created by a sender, but in fact created by the ISP to alter the recipient’s experience. Comcast used this method to “manage” communications by slowing certain data streams (mostly video), and drew a stinging rebuke from the U.S. Federal Communications Commission.</p>
<p class="MsoNormal">Some ISPs consider DPI to be a useful tool in their quest to provide high-quality service and rational allocation of limited bandwidth. In their view, regulation of DPI would hobble innovation in their business practices. Some have even suggested that anti-DPI legislation would be a precedent for government regulation of Internet speech itself.</p>
<p class="MsoNormal">In fact, DPI should be banned for two reasons. The first is privacy. DPI violates the universal expectation that delivery services won’t read the messages they are delivering. Second is “generativity,” to use the term coined by Harvard Law School professor Jonathan Zittrain<a name="_ftnref"></a> to describe technologies on which users can build in unanticipated ways. Reliability of the delivery service is the mother of creativity at the endpoints.</p>
<p class="MsoNormal">Privacy first. Users do not expect service providers to examine packets <em>en route,</em> any more than they expect the phone company to decide by listening in whether a call merits a high-quality line. The Internet by design connects peers to peers. For example, “distributors” and “consumers” of movies streamed over the Internet are architecturally on an equal footing with email in and out of African Internet cafes. The real threat of censorship comes not from government guarantees of content neutrality, but from carriers discriminating on the basis of content, source, and destination—probably in favor of the powerful and against the weak. It has happened before, as when Western Union cut a deal with the Associated Press in 1867 to exclude other news services from its telegraph wires, and when Verizon denied a pro-choice group access to text messaging in 2007 on the basis that its agenda was “controversial or unsavory.”</p>
<p class="MsoNormal">Analysis of packet protocols (“he’s been downloading a lot of video lately”) and origins (“those videos are from YouTube, not Comcast”) is intrusive. Indeed, the presumption of privacy, and of neutral treatment of all data types and sources, is so strong that DPI might be self-defeating. Were it widely known that ISPs could lawfully exploit information they glean from peeking inside packets, Internet users might encrypt their communications to defeat the ISPs’ payload analysis.</p>
<p class="MsoNormal">Generativity second. As Internet pioneer David Reed explained to the U.S. Congress,<a name="_ftnref"></a> creative software engineers at the edge of the network gave us countless useful applications for which the Internet was not designed. Internet telephone protocols, for example, changed the international phone call from an expensive luxury into a routine part of millions of daily lives. Such creativity will continue into the future only if the functioning of the core of the Internet remains documented, consistent, and predictable.</p>
<p class="MsoNormal">The market won’t sort out this conflict because necessary competitive conditions don’t exist. When many areas have only one choice for broadband services, and few have more than two, service providers find it more profitable to sustain and manage scarcity than to build toward reducing it.</p>
<p class="MsoNormal">The Internet is a public good owned by private businesses, which enjoy monopoly or duopoly powers almost everywhere. Though any regulation must judiciously avoid hobbling future technological innovation, broad legal guarantees of the Internet’s secure and transparent operation will serve the public interest.</p>
<div>
<hr size="1" />
<div id="ftn">
<p class="MsoFootnoteText"><a name="_ftn1"></a> Herodotus, <em>History,</em> 8.98.</p>
</div>
<div id="ftn">
<p class="MsoFootnoteText"><a name="_ftn2"></a> Jonathan Zittrain, <em>The Future of the Internet and How to Stop It,</em> Yale University Press, 2008.</p>
</div>
<div id="ftn">
<p class="MsoFootnoteText"><a name="_ftn3"></a> http://www.reed.com/dpr/docs/Papers/ReedDPIHearing.pdf.</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/just-deliver-the-packets/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>DPI as an Integrated Technology of Control – Potential and Reality</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/dpi-as-an-integrated-technology-of-control-potential-and-reality/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/dpi-as-an-integrated-technology-of-control-potential-and-reality/#comments</comments>
		<pubDate>Wed, 25 Mar 2009 12:35:28 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>
		<category><![CDATA[Control]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[Inspection]]></category>
		<category><![CDATA[Integrated]]></category>
		<category><![CDATA[Packet]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://172.16.1.101:8888/?p=59</guid>
		<description><![CDATA[DPI teaches us again that while engineers invent powerful technologies, it is society and its norms, rules, and institutions that define if and how these technologies should and will be used. ]]></description>
			<content:encoded><![CDATA[<div class="creativeCommons">Licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" target="_blank">Creative Commons Attribution-Noncommercial-Share Alike 3.0<br />
Unported License</a></div>
<p>The end-to-end principle for the Internet, where the intelligence is at the edges of the network, not within its core infrastructure, is supported by three types of arguments:</p>
<ul class="textList">
<li>Technical Simplicity: Because of the layered protocol stack, the sub-networks are only connected through the TCP/IP protocol suite and a shared address space. Therefore, they are highly open to new transportation methods as well as new applications.</li>
<li>Political Freedom: Because the payloads at the application layer are encapsulated for the lower transport layers, the users have uncensored and uncontrolled end-to-end communication channels.</li>
<li>Economic Openness: Because of the openness for new applications, the Internet does not discriminate traffic based on its source, therefore treating all innovations equally and giving them a fair chance to succeed at the market.</li>
</ul>
<p>Lawrence Lessig in his 1999 book “Code and other Laws of Cyberspace” used a nice illustration for the end-to-end model: &#8220;Like a daydreaming postal worker, the network simply moves the data and leaves interpretation of the data to the applications at either end.” Now, imagine a postal worker who is not just daydreaming and moving packets from one point to another in the transportation chain. Imagine the postal worker opens up all packets and letters; inspects and even reads the content; checks it against databases of illegal material and if finding a match, sends a copy to the police authorities; destroys letters he finds having prohibited or immoral content; sends packets with content from those mail-order companies which pay extra to the postal service to a special and very fast delivery truck, while the ones from the competitors go to an extra-slow and cheap sub-contractor. Such a postal system would infringe on the values embodied by the internet as described above:</p>
<ul class="textList">
<li>Political Freedom: The postal system would now invade the privacy of communications and introduce censorship, potentially leading to “lost” letters from trade unions or political dissidents.</li>
<li>Technical Simplicity: Such an inspection system would create an additional overhead that would slow down postal delivery and place a significant responsibility on the postal worker. The letters and packets would also be damaged when being opened. And, most importantly, the postal service would assume functions it never was founded for.</li>
<li>Economic Openness: The differential treatment of content from different senders and companies basically means blackmailing content companies like mail-order stores into signing additional and costly high-speed contracts. New business models that solely rely on innovative content being delivered through the normal postal system would have to negotiate specialized fees with the postal service for their products.</li>
</ul>
<p>Now, imagine a postal worker could do all this without significant delays compared to his (former, now fired) daydreaming colleague. This is what deep packet inspection technology is designed for.</p>
<p>Many of the functions provided by DPI have been available before. Internet traffic could be intercepted and logged with tools like TCPDump or Wireshark, copyright was enforced with digital rights management (DRM) and watermarks, scarce bandwidth was prioritized by the TCP congestion management and quality of service protocols, user behaviour was tracked and used for advertising with cookies, and so on. The potentially paradigm-changing characteristic of DPI is the fact that it integrates these diverse functions into one hard-coded and extremely fast piece of equipment. It thereby also integrates the interests of a diverse set of actors, who all have their distinct ideas of how to use DPI:</p>
<ul class="textList">
<li>government agencies and content providers, who are interested in the monitoring and filtering of information flows (political control)</li>
<li>network operating staff, who have to deal with more malware and bandwidth-hungry applications than ever before and who often have limitations for expanding bandwidth on the last mile (technological efficiency),</li>
<li>vertically integrated ISPs that want to create additional revenues or protect them, e.g. through preventing the internet from cannibalizing their telephone- or video-on-demand revenues (economic interests).</li>
</ul>
<p>DPI thus has the potential to change the nature of the internet, by making it a less open network, by introducing means for political control, and by stifling economic openness. But a potential does not necessarily, and rarely fully, translate into reality. DPI usage does not have to implement all the above functions of the highly awake postal worker. Some use-cases of DPI already seem to be disappearing. They do so for different reasons:</p>
<ul class="textList">
<li>Market Reactions: NebuAd has ended its behaviour-based marketing activities because of the public outcry, and UK ad injection provider Phorm may undergo the same fate. The ISPs are publicly fleeing from this model for extra revenue before their customers flee from them.</li>
<li>Legislation: The European Parliament has voted against demands of the music and film industry, which was pushing for mandatory copyright filtering provisions. This happened mainly because of an intensive publicity campaign by internet users’ rights groups.</li>
<li>Regulatory Action: ISPs Comcast in the US and Rogers in Canada have undergone scrutiny by regulatory and privacy authorities because they throttled some of their users’ traffic based on what seemed appropriate and what not.</li>
<li>Technological Circumvention: A growing number of filesharing and other programs now allow for encrypting their traffic, which makes DPI-based copyright filtering impossible.</li>
</ul>
<p>An important factor in all these cases is awareness and transparency. The market as well as technology vendors and public bodies reacted only after privacy advocates, bloggers and consumer protection groups had published how DPI works and what it does to the users’ privacy and the idea of an open Internet. As long as DPI vendors can successfully hide under ambiguous terms like “intelligent network” or “network management”, the dangerous potential of DPI will not be under enough public scrutiny.</p>
<p>It may well be that there is a sustainable and legitimate market for DPI technology, but with a much smaller set of use-cases. These will probably include corporate firewalls and malware filters, and potentially differentiated internet access pricing models and behavioural advertising &#8211; if this is done very openly and on an opt-in basis.</p>
<p>In the end, DPI teaches us again that while engineers invent powerful technologies, it is society and its norms, rules, and institutions that define if and how these technologies should and will be used. Any technology use-case that violates fundamental rights and user expectations is doomed to die. This does not happen automatically, of course. But the internet users’ rights groups have become a powerful force, and if they are supported by fundamental beliefs and basic rights of society, there is not much to do against them.</p>
<p><strong>Appendix: Previous Technologies and DPI – Use Cases and Drivers</strong></p>
<p><strong>Political Control </strong></p>
<table class="contentTable" border="0" cellspacing="0" width="555" bordercolor="#666666">
<tbody>
<tr>
<td width="130"><strong>Purpose</strong></td>
<td width="119"><strong>Old</strong></td>
<td width="134"><strong>New (DPI)</strong></td>
<td width="144"><strong>Drivers</strong></td>
</tr>
<tr>
<td>interception / surveillance</td>
<td>TCPdump, Wireshark, dsniff (store &amp; analyze)</td>
<td>analyze in real-time</td>
<td>police, intelligence community</td>
</tr>
<tr>
<td>filtering / censorship</td>
<td>blocking based on URL or IP-Number</td>
<td>content-based filtering</td>
<td>anti-hate-speech, anti-terrorism, related efforts</td>
</tr>
<tr>
<td>copyright filtering</td>
<td>DRM, watermarks, lawsuits</td>
<td>content-based filtering</td>
<td>content industry</td>
</tr>
</tbody>
</table>
<p><strong>Technological Efficiency</strong></p>
<table class="contentTable" border="0" cellspacing="0" width="555" bordercolor="#666666">
<tbody>
<tr>
<td width="129"><strong>Purpose</strong></td>
<td width="118"><strong>Old</strong></td>
<td width="135"><strong>New (DPI)</strong></td>
<td width="145"><strong>Drivers</strong></td>
</tr>
<tr>
<td>bandwidth management</td>
<td>TCP congestion management, QoS</td>
<td>application-based routing</td>
<td>last mile over-subscription, P2P traffic</td>
</tr>
<tr>
<td>subscriber management</td>
<td>pay per minute, pay per volume</td>
<td>differentiated services and pricing</td>
<td>heterogeneous user behaviour and user needs</td>
</tr>
<tr>
<td>network security</td>
<td>look for communication patterns</td>
<td>look for content patterns</td>
<td>corporate network operators</td>
</tr>
</tbody>
</table>
<p><strong>Economic Interests</strong></p>
<table class="contentTable" border="0" cellspacing="0" width="555" bordercolor="#666666">
<tbody>
<tr>
<td width="134"><strong>Purpose</strong></td>
<td width="111"><strong>Old</strong></td>
<td width="137"><strong>New (DPI)</strong></td>
<td width="145"><strong>Drivers</strong></td>
</tr>
<tr>
<td>vertical integration I (content)</td>
<td>tying</td>
<td>throttle competing services</td>
<td>video on demand etc.</td>
</tr>
<tr>
<td>vertical integration II (telecommunications services)</td>
<td>tying</td>
<td>throttle competing services</td>
<td>integrated phone &amp; internet providers</td>
</tr>
<tr>
<td>copyright filtering</td>
<td>cookies<br />
(website owners)</td>
<td>ad injection (ISPs)</td>
<td>ISPs, ad networks</td>
</tr>
</tbody>
</table>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/dpi-as-an-integrated-technology-of-control-potential-and-reality/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Deep Packet Inspection: Its Nature and Implications</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/deep-packet-inspection-its-nature-and-implications/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/deep-packet-inspection-its-nature-and-implications/#comments</comments>
		<pubDate>Wed, 25 Mar 2009 12:08:37 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[Implications]]></category>
		<category><![CDATA[Inspection]]></category>
		<category><![CDATA[Packet]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://172.16.1.100:8888/?p=103</guid>
		<description><![CDATA[The proliferation of uncontrolled, non-consensual access is currently threatening to undermine the open, public Internet as it has been known for its first 15 years of operation.]]></description>
			<content:encoded><![CDATA[<div class="creativeCommons">Licensed under a Creative Commons <a href="http://creativecommons.org/licenses/by-nc-nd/2.0/au/" target="_blank">Attribution-Noncommercial-No Derivative Works 2.0 Australia Unported License</a></div>
<p>Final Version of 11 March 2009<br />
Commissioned as a contribution to a publication by the Canadian Privacy Commissioner<br />
Roger Clarke</p>
<p>© Xamax Consultancy Pty Ltd, 2008-09</p>
<hr />
<p><strong>Abstract</strong></p>
<p>The job of an intermediary node on the Internet is to pass each packet on to another node closer to the addressee. Deep packet inspection involves an intermediary node also poking its nose inside the packet.</p>
<p>Inspection of the header, and even the contents of the message, may be consensual. Even if it is not consensual, it may be beneficial to all parties. However, the proliferation of uncontrolled, non-consensual access is currently threatening to undermine the open, public Internet as it has been known for its first 15 years of operation.</p>
<p>Worse, these intrusions bring with them the threat that communications over the Internet may become much less free than the communications channels that residents of relatively free nations used in the pre-Internet era.</p>
<hr />
<p><strong>1. Introduction</strong></p>
<p>The term &#8216;deep packet inspection&#8217; refers to a technique that is being imposed on data communications networks in order to probe into the contents of passing traffic. This short paper commences with some background, provides an overview of the technique, and undertakes a brief analysis of its implications.</p>
<p>The term &#8216;packet&#8217; is ambiguous, and there are advantages in avoiding it. This paper uses the more straightforward term &#8216;message&#8217; to refer to that which passes from a sender to a recipient.</p>
<hr />
<p><strong>2. Internet Message-Passing Infrastructure</strong></p>
<p>The Internet comprises a very large number of nodes, each of which is a computer capable of performing a wide range of functions. Messages are created in a &#8216;sending node&#8217;, and addressed to a &#8216;receiving node&#8217;. In order to get from sender to recipient, messages pass through many other nodes, which are usefully referred to as &#8216;intermediary nodes&#8217;. The number of intermediary nodes that messages pass through is typically about 20. A large message is broken into as many parts as necessary in order to comply with the maximum message-size that intermediary nodes along the way are prepared to handle.</p>
<p>The task of an intermediary node is to compute the next node to pass each message on to, in order to either deliver it to the intended recipient, or get it one step closer. The notion of &#8216;deep packet inspection&#8217; involves an intermediary node doing more than that. In order to analyse the technique&#8217;s implications, it is necessary to understand a little about the layers of processing involved in data transmission.</p>
<p>Raw media (such as cable and radio waves) require considerable electronic engineering expertise, infrastructure, hardware and software to make them useful for the transmission of data. That expertise is embodied in &#8216;protocols&#8217; (rules of engagement) that are implemented in software in the sending, intermediary and receiving nodes.</p>
<p>Interpreting the binary digits that are transmitted on those media requires a further and different kind of expertise. Another layer of software performs this function. It implements a further set of protocols, and depends on sender and recipient addresses and other administrative data being stored in headers that are added to the underlying message content.</p>
<p>Shifting the groups of bits from one node to the next requires a different kind of expertise again, a number of protocols, software packages in each node, and an extra header added onto the message. De-constructing large messages into small ones and re-constructing them back into the original message requires another layer of expertise, protocols, software and header. And conveying the semantics of the message requires yet another of each.</p>
<p>In short, transmitting a message from a sending node via intermediary nodes to a receiving node involves a stack of protocols, software and headers. The protocol stack is roughly modelled by the first of the following diagrams, and the headers by the second.</p>
<p><strong>Exhibit 1: The Protocol Stack in Operation</strong></p>
<p><img src="/images/exhibit1.png" alt="The Protocol Stack in Operation" /></p>
<p><strong>Exhibit 2: The Message and the Accumulation of Headers</strong></p>
<p><img src="/images/exhibit2.jpg" alt="Accumulation of Headers" /></p>
<hr /><p><strong>3. Well-Behaved Intermediary Nodes</strong></p>
<p>Intermediary nodes run a number of software packages to perform the various functions at each level of the protocol stack. The best-known term for such software is &#8216;router&#8217;. Used correctly, this refers to the software operating at the middle level of the stack, which handles the Internet Protocol (IP). Router software depends on lower-level software (switches and hubs).</p>
<p>The term &#8216;router&#8217; is often used in misleading ways, however. It may refer to all of the layers of software combined, rather than just one layer. And often it refers to the device (the &#8216;intermediary node&#8217;) rather than just the software.</p>
<p>Software in an intermediary node, in performing its function as a way-station passing messages from a sender to a recipient, only needs to look at the header associated with the relevant protocol. It has no intrinsic need to look at the deep-nested headers associated with higher-level protocols, let alone at the data deep inside the message. So a well-behaved intermediary node does what it needs to do in order to pass messages on, and nothing more. In terms of Exhibit 1, that work is performed in the Network Layer, by the software called a router.</p>
<hr /><p><strong>4. Intermediary Nodes as Agents</strong></p>
<p>There are a number of circumstances in which an intermediary node can perform additional functions, as an agent of the sender or recipient. A general term for such software is a &#8216;proxy-server&#8217;.</p>
<p>A recipient may use software on their own machine to scan incoming email, evaluate the headers and content in order to assess the likelihood that it is spam, and flag (or, more riskily, delete) messages whose spam-score exceeds some threshold. Similarly, a recipient may use software on their own machine to scan the content of web-pages they have requested, and possibly block display of the page if the scan detects content that is undesirable in some way. A third example is commonly referred to as a &#8216;firewall&#8217;. A firewall detects messages that are being directed at processes within the user&#8217;s machine that are not expecting to receive such messages.</p>
<p>Rather than having such functions performed on their own device, a recipient may request an intermediary to provide &#8216;spam-filtering&#8217;, &#8216;web-page filtering&#8217; or &#8216;firewall&#8217; services. Such services may be offered by companies that provide consumers with connections to the Internet (which are often referred to as Internet Service Providers – ISPs). Where the consumer actively requests it, or provides informed and free consent to it, such services are positive and worthwhile enhancements to basic Internet infrastructure.</p>
<p>The previous examples all involved a message recipient. Circumstances also arise in which the sender may take advantage of additional services from an intermediary node. In particular, a proxy-server may send a message on behalf of the real sender, or manage a session of multiple messages between the sender and a remote server.</p>
<p>One example is called by the obscure name &#8216;reverse-proxy&#8217;. For example, a person who is currently away from their normal place of work (e.g. on a client&#8217;s site, in a hotel or at home) can be made to appear to a remote server as though they were at work. This service is commonly offered by university libraries to academics, enabling them to access publications databases that the library subscribes to, and to do so from anywhere in the world.</p>
<p>Another purpose to which proxy-servers are put is to obscure the sender&#8217;s network location (their &#8216;IP-Address&#8217;). Such services are commonly referred to as anonymous remailers and tools for anonymous web-surfing. They may offer anonymity. Alternatively, where an investigator has the technical capability and the legal authority to access relevant look-up tables, they offer pseudonymity rather than unbreakable anonymity. Such services are valuable, and arguably essential, for &#8216;people with something to hide&#8217;, such as whistle-blowers, protected witnesses, victims of domestic violence, celebrities, notorieties, and people in security-sensitive occupations, including undercover operatives and spies.</p>
<p>In order to perform these services, the software running on the intermediary node has to read the message content, or at least the deepest-nested &#8216;application headers&#8217;; hence the term &#8216;deep packet inspection&#8217;.</p>
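<p>The difference between the forwarding-only node of section 3 and a node that reads the nested application headers can be shown on one message. The following is an added example, not part of the original paper: the addresses, the forwarding table, the sample request and the function names are all constructed for illustration, and the frame layout assumes Ethernet, IPv4, TCP and HTTP with no header options.</p>

```python
import ipaddress
import struct

# Constructed sample values (documentation address ranges from RFC 5737).
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.7"
HTTP_REQUEST = (b"GET /search?q=flight+hotel HTTP/1.1\r\n"
                b"Host: www.example.com\r\n\r\n")

# Hypothetical forwarding table of an intermediary node: prefix -> next hop.
ROUTES = {
    "0.0.0.0/0": "203.0.113.1",
    "198.51.100.0/24": "203.0.113.254",
}

ETH_LEN = 14  # destination MAC (6) + source MAC (6) + EtherType (2)


def build_frame():
    """Wrap the message in application, transport, network and link headers."""
    eth = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
           + struct.pack("!H", 0x0800))
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH+ACK,
    # window, checksum (left 0 in this constructed sample), urgent pointer.
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(HTTP_REQUEST)
    # IPv4 header: version/IHL, TOS, total length, id, flags/fragment,
    # TTL 64, protocol 6 (TCP), checksum (left 0), source, destination.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(SRC_IP).packed,
                     ipaddress.IPv4Address(DST_IP).packed)
    return eth + ip + tcp + HTTP_REQUEST


def route(frame):
    """Forwarding decision: reads the network-layer (IP) header and nothing deeper."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    ip_hdr = frame[ETH_LEN:ETH_LEN + ihl]
    ttl = ip_hdr[8]
    dst = ipaddress.IPv4Address(ip_hdr[16:20])
    # Longest-prefix match over the forwarding table.
    matches = [ipaddress.ip_network(p) for p in ROUTES
               if dst in ipaddress.ip_network(p)]
    best = max(matches, key=lambda net: net.prefixlen)
    return {"next_hop": ROUTES[str(best)], "ttl_out": ttl - 1,
            "bytes_read": (ETH_LEN, ETH_LEN + ihl)}


def deep_inspect(frame):
    """Deep inspection: walks past the IP and TCP headers into the application data."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    tcp_off = ETH_LEN + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:]
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return {"host": headers.get("Host"), "target": target,
            "bytes_read": (ETH_LEN, len(frame))}


if __name__ == "__main__":
    frame = build_frame()
    print("frame length:", len(frame))
    print("forwarding  :", route(frame))
    print("inspection  :", deep_inspect(frame))
```

<p>The forwarding decision is complete after the 20 bytes of the IP header; the inspecting node has to read every byte to the end of the frame to recover the site name and the search terms.</p>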
<hr /><p><strong>5. Intrusive But Well-Meaning Intermediary Nodes</strong></p>
<p>There are further circumstances in which an intermediary node can perform additional functions which are generally beneficial to all participants.</p>
<p>An intermediary node performs a function as a &#8216;gateway&#8217; if it operates a transition facility between the Internet and some other network. For example, one participant in a telephone call may be using VOIP (voice over IP) but the other may be on the conventional Public Switched Telephone Network (PSTN, sometimes referred to as a landline), or on a cellular network (i.e. using a mobile phone). A gateway performs for messages much the same function as an intermodal terminus does for cargo – lifting containers on and off trucks, trains and ships.</p>
<p>Another example is &#8216;network cache&#8217;. Many web-pages are requested by multiple web-browser users in a short period of time. An intermediary node can save everyone time and money by storing (&#8216;caching&#8217;) the page for a while after the first request. This avoids having to unnecessarily fetch the same content a second time from a distant server.</p>
<p>To perform these services, however, gateway and network cache software have to read both the &#8216;application headers&#8217;, at the deepest level of the message, and the message content itself. This represents an intrusion inside the message envelope. Such behaviour may be justifiable on the grounds of efficiency, or perhaps implied consent. But care is needed, because the person whose message is being handled may not be aware of the activity, and may perceive problems that the operator of the intermediary node does not.</p>
<hr /><p><strong>6. Downright Intrusive Intermediary Nodes</strong></p>
<p>Some intermediary nodes contain software that reads deep-nested headers and even content, without the consent of the parties to the message, and for purposes that are not consistent with the interests of the parties. There are several categories, each of which has potentially serious negative implications for the parties, and for society as a whole.</p>
<p>An intermediary node may access the content of the message and either use it for the purposes of the interceptor, or disclose it to some other party. One example of this is software that detects and accumulates email-addresses – for use by spammers. Similarly, software may &#8216;sniff out&#8217; credit-card details sent in email messages and typed into web-forms – for use in financial fraud.</p>
<p>Another example is message-monitoring by law enforcement agencies. In many jurisdictions, such monitoring is subject to judicial warrants and tight controls, but in others (including nominally free countries such as the UK, the USA and Australia) those independent authorisations and controls have been subverted, using terrorism as the excuse. As a result, a considerable amount of message-interception is being conducted in the absence of demonstrated and reasonable grounds for suspicion of criminal behaviour.</p>
<p>A further possibility is adaptation of the message and onforwarding of something that purports to have originated with the sender, but did not. This creates further possibilities for fraud, and for the &#8216;planting&#8217; of evidence.</p>
<p>Another form of intrusion is masquerade by the intermediary node as though it were the recipient, and provision of a falsified response. This is understood to have been the mechanism whereby the People&#8217;s Republic of China (PRC) has returned (and continues to return?) false responses to searches submitted to remote search-engines, and fake &#8216;not found&#8217; messages in response to requests for web-pages blocked by the regime.</p>
<p>Yet another example of intrusion is the blocking of messages by an intermediary node on the basis that some aspect of the header information or of the message itself is deemed to offend some rule imposed by the party that operates the node. This is commonly the case in un-free regimes such as Burma, the PRC and Iran. But it is also the mechanism proposed by nominally free nations that are adopting a &#8216;nanny state&#8217; role and seeking to censor such content as on-line gambling, pornography (however defined) and dissident political speech (however defined). See Dedman &amp; Sullivan (2008) and ONI (2008).</p>
<p>Singapore was an early mover among economically advanced nations. But currently, governments in the USA and Australia are trying to impose much the same repressive measures. Such interference represents concrete steps towards the authoritarian future presaged in Clarke (2001).</p>
<hr /><p><strong>7. Conclusions</strong></p>
<p>The term &#8216;deep packet inspection&#8217; refers to access by software running in an intermediary node to header data, and even the message-content, that the node does not need to access in order to perform its inherent function of passing messages on, along their journey from sender to recipient.</p>
<p>Deep packet inspection may be performed at the request, or with the consent, of a party to the message. This is an enhancement to fundamental Internet infrastructure.</p>
<p>Deep packet inspection may be performed without the consent of the parties to the message, but in such a manner that all parties benefit. Primary examples are enhanced response-time and the avoidance of unnecessary transmission of large files, through &#8216;network caching&#8217;. This is more problematical than consensual access, because some party is making the judgement that the intrusion is beneficial to all parties.</p>
<p>Finally, and of far more serious concern, deep packet inspection may be performed not only without the authority of the sender and recipient, but also for purposes that are, or at least may be, against the interests of some of the parties. This requires strong justification, tight controls, and enforcement mechanisms. Unfortunately, these are seriously lacking, and both Internet Service Providers and government agencies in many countries (both nominally authoritarian and nominally free) are abusing and undermining Internet infrastructure in the process.</p>
<hr /><p><strong>References</strong><br />
Anderson N. (2007) &#8216;Deep packet inspection meets &#8216;Net neutrality, CALEA&#8217; Ars Technica, 25 July 2007, at http://arstechnica.com/articles/culture/Deep-packet-inspection-meets-net-neutrality.ars<br />
Clarke R. (2001) &#8216;Paradise Gained, Paradise Re-lost: How the Internet is being Changed from a Means of Liberation to a Tool of Authoritarianism&#8217; Mots Pluriels 18 (August 2001), at http://www.arts.uwa.edu.au/MotsPluriels/MP1801rc.html<br />
Dedman B. &amp; Sullivan B. (2008) &#8216;ISPs are pressed to become child porn cops&#8217; MSNBC, 16 October 2008, at http://www.msnbc.msn.com/id/27198621<br />
ONI (2008) &#8216;About Filtering&#8217; OpenNet Initiative, 2008, at http://opennet.net/about-filtering<br />
Wikipedia entry (2008) &#8216;Deep packet inspection&#8217;, at http://en.wikipedia.org/wiki/Deep_packet_inspection</p>
<hr /><p><strong>Author Affiliations</strong><br />
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law &amp; Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.</p>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/deep-packet-inspection-its-nature-and-implications/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Objecting to Phorm</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/objecting-to-phorm/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/objecting-to-phorm/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 20:09:55 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[FIPR]]></category>
		<category><![CDATA[Inspection]]></category>
		<category><![CDATA[Packet]]></category>
		<category><![CDATA[Phorm]]></category>

		<guid isPermaLink="false">http://172.16.1.101:8888/?p=44</guid>
		<description><![CDATA[Imagine the postal service steaming open your letters so that they could scan the content, work out your interests, and then deliver a better class of junk mail. Most people would be horrified, yet some of the UK’s largest ISPs are planning to do something even more intrusive.]]></description>
			<content:encoded><![CDATA[<div class="creativeCommons">Licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" target="_blank">Creative Commons Attribution-Noncommercial-Share Alike 3.0<br />
Unported License</a></div>
<p>Imagine the postal service steaming open your letters so that they could scan the content, work out your interests, and then deliver a better class of junk mail. Most people would be horrified, yet some of the UK’s largest ISPs are planning to do something even more intrusive. They will capture the details of all the online searches you make, all of the web pages you visit – solely to serve up targeted online adverts. This isn’t happening for some altruistic aim of making adverts more relevant, but because the ISPs will get a cut from the advertising revenue, and Phorm, the technology vendor involved, will charge advertisers extra for delivering up an especially receptive audience.</p>
<p>You might think that “there ought to be a law against it” – and you’d be right. Analysis by the Foundation for Information Policy Research (FIPR) shows that the complicated way in which the Phorm system works means that the ISPs will commit criminal offences, and could also face civil litigation for the unauthorised processing of copyrighted material.</p>
<p>The Phorm system snoops on all web page requests, and in particular it picks out the search terms used on Google and other search engines. The system also monitors the contents of any web pages visited, looks for the commonest words, and tries to discern what the pages are about. This works up to a point – early search engines used similar schemes – but isn’t especially accurate. Accurate or not, a distillation of this information is matched against advertiser word lists; for example, if “flight” and “hotel” appear, then perhaps you’ll be a sucker for a travel advert. If so, then when you next visit a participating website, the adverts won’t be random but will have a travel theme to them – with the highest bidder getting to put their message in front of you, and the ISP getting a back-hander for participating.</p>
<p>However, UK criminal law calls snooping on web traffic “interception” and can send you to prison for it. There are statutory defences for the ISP (or indeed the postal service) looking at traffic for operational purposes (so your mailman can look at the address on the envelope), but this is irrelevant because it isn’t an ISP operational matter to deduce whether or not you’re a travel junkie.</p>
<p>The ISPs involved with Phorm will obtain the permission of their customers to be snooped upon (albeit this permission is rather an afterthought, and early trials didn’t bother with such niceties). Unfortunately for the ISPs, in the UK this is necessary but not sufficient, because interception is illegal unless BOTH ends of the communication give permission. This is a fundamental (and clearly intentional) change made by Parliament in 2000 from the previous one-sided regime. What’s more, the 2002 EU “Directive on Privacy and Electronic Communications” also makes it clear that both ends’ permission is needed.</p>
<p>As it happens, the two-sided requirement gave the legislators several headaches, and so there are special provisions to permit the police to listen in to a kidnapper&#8217;s ransom demand, and secondary legislation sets out “Lawful Business Practice” to permit stockbrokers to record their instructions, and call centres to perform quality monitoring. None of what the ISPs intend will come under Lawful Business Practice.</p>
<p>Readers may be surprised to have got this far without any mention of the UK’s Data Protection Act 1998 (DPA). It is relevant, in that the Phorm system will regularly be processing “sensitive” personal data and must therefore arrange for an informed opt-in. However, not much more of the DPA will apply because Phorm has carefully designed its systems to evade the provisions of the Act – and providing pseudonyms for users in the form of unique identifiers gets them an awfully long way.</p>
<p>But the real reason the DPA is scarcely relevant is that people’s outrage at the system is expressed in the language of privacy, and there is a significant difference between “privacy” and “data protection”.</p>
<p>When the taxman looks at your financial affairs, they trample all over your privacy, but their systems are completely DPA compliant. Likewise, the Phorm system may learn that someone they know of by an opaque identifier is fascinated by the prospect of travelling to Israel, and they will stay with the letter of the DPA law. However, they&#8217;ve learnt something very private about that user’s opinions. If they were a Saudi Arabian student studying in the UK, subsequent serving of targeted adverts, and the information thereby revealed, could lead to embarrassment or much worse.</p>
<p>The bottom line for me, when I consider the Phorm system, is that having ISPs snoop into the personal lives of their customers for a trivial financial gain is inherently objectionable. It is simply not what ISPs should be doing. That the system turns out to infringe a number of laws should simplify blocking its deployment; it&#8217;s not the reason that it has to be stopped.</p>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/objecting-to-phorm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Transport and Tracking</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/transport-and-tracking/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/transport-and-tracking/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 19:59:49 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[Inspection]]></category>
		<category><![CDATA[Packet]]></category>
		<category><![CDATA[Tracking]]></category>
		<category><![CDATA[Transport]]></category>

		<guid isPermaLink="false">http://172.16.1.101:8888/?p=55</guid>
		<description><![CDATA[The providers of Internet access should be treated like the basic, general purpose actors they are. … Acting otherwise confounds consumer expectations and runs counter to more than a hundred years of basic communications understandings.]]></description>
			<content:encoded><![CDATA[<div class="creativeCommons">I acknowledge that this contribution is licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" target="_blank">Creative Commons Attribution-Noncommercial-Share Alike 3.0<br />
Unported License</a></div>
<p>The idea that general purpose communications networks should be subject to special obligations, and that those obligations are understood to benefit the rest of society, has a long and distinguished history. For more than a hundred years, policymakers subjected these networks – think post, telegraph, and telephone – to obligations not to discriminate among communications and to keep their customers’ information private. (I call these networks “general purpose” to distinguish them from networks dedicated to one-to-many broadcasts, like television, cable, and satellite.)</p>
<p>The successor general purpose network is Internet access. It’s replacing the telephone and the post. Just as Western Union finally sent its last telegraph in February 2006, these older general purpose networks will become extinct someday. This won’t happen for a while; the pace of telecommunications modality extinction is glacial. But no one can deny that Internet access is now essential to modern communications.</p>
<p>Somehow we’ve forgotten the close traditional relationship between basic communications and the functions of the state itself. The key reason that basic communications (and basic transport) were subject to nondiscrimination and privacy obligations was that these pieces of social infrastructure were closely associated with sovereigns. True, states may initially have gotten involved with transport and communications networks (even if the state was not providing the network itself) to ensure that the state’s communications and vehicles could move smoothly and swiftly across its territory in the service of national security and law enforcement interests. After this self-protective priority was ensured, a second role of the state – ensuring equal access to essential physical utilities and services and making sure that users’ information was treated with respect – became operative.</p>
<p>Over the last five years or so, this basic set of social requirements for general purpose U.S. networks has been thrown overboard. Through definitional legerdemain and a certain amount of judicial gullibility, we’ve ended up treating Internet access as if it was a Broadway show: privately controlled, content-driven, and subject to no particular social demands. And we have very few of these shows running at this point; most people have few choices of providers, prices are high, speeds are slow, and Internet access is inseparably bundled with several other “services.”</p>
<p>One important element of social policy that has been jettisoned along the way concerns the treatment of user data. In the telephone world, Section 222 of the Communications Act prohibited carriers from using consumer information for marketing purposes. Period. Now those same carriers are providing Internet access, and with the FCC’s help they have freed themselves of the strictures of Section 222. They can plumb the depths of packets, use the resulting data to target advertising, copy all data and shunt it off to other companies, prioritize streams of traffic based on what users are doing, and pull whatever stunts they feel like in terms of DNS redirection.</p>
<p>Thus, the two central social obligations that we used to impose on general purpose network providers – nondiscrimination and confidential treatment of user data – have been completely undermined by the private, highly concentrated operators of Internet access.</p>
<p>Network operators are taking the view that disclosure of their practices will address and resolve any possible consumer protection issues. They’re saying that as long as a consumer has been told what is going on, all is well. They’re also saying that they are doing the same kinds of things that free Web applications (like Yahoo! and Google) have been doing for years.</p>
<p>Every essay of this sort can make only one point, and here is the point of this piece: Transport is not the same thing as the vehicle using that transport. The providers of Internet access should be treated like the basic, general purpose actors they are. In particular, they should not be permitted to use subscriber data for their own business purposes. Acting otherwise confounds consumer expectations and runs counter to more than a hundred years of basic communications understandings. Remember, this is fundamentally the role of the state we’re talking about. Add in the crucial role of general purpose networks for economic growth and innovation, and you have some powerful arguments against network level deep packet inspection.</p>
<p>The idea of separation between transport and “other” is taken quite seriously in other corners of the world. For example, Singapore, the city of Amsterdam, and the city of Stockholm have all required fiber networks to be architected along passive, open access lines. Any company can come and install electronics in those fibers, and competition is fierce. The European Commission&#8217;s Information Society and Media department, led by Commissioner Viviane Reding, has recently released a paper calling for this kind of open access approach to Internet connectivity. Separation and non-discrimination both militate against allowing deep packet inspection by network providers.</p>
<p>Network providers would like us all to muddle along in the weeds of disclosure details, but DPI presents a much more fundamental issue: What should the providers of general purpose network access be permitted to do as a social and economic policy matter? For me, the answer is clear. They should be required to stick to the business of transport.</p>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/transport-and-tracking/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>DPI: The future is out there</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/dpi-the-future-is-out-there/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/dpi-the-future-is-out-there/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 19:58:10 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[Future]]></category>
		<category><![CDATA[Inspection]]></category>
		<category><![CDATA[Packet]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://172.16.1.100:8888/?p=95</guid>
		<description><![CDATA[ISPs here claim they are engaged in DPI for narrow reasons of bandwidth control, and not for political reasons. Can we trust them? Recent research from the IWM should raise concerns.]]></description>
			<content:encoded><![CDATA[<div class="creativeCommons">Licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" target="_blank">Creative Commons Attribution-Noncommercial-Share Alike 3.0<br />
Unported License</a></div>
<p>In recent years a controversy has erupted in Canada, the United States and other parts of the industrialized world regarding the provision of Internet services. The controversy centers on the relationship between the entities that provide connectivity to the Internet (ISPs) and the traffic that flows through their networks. A long-standing principle of the Internet&#8217;s architecture &#8212; known as &#8220;network neutrality&#8221; &#8212; says ISPs should not discriminate on the basis of the content that flows through their pipes. And yet today, ostensibly for reasons of efficiency and cost, that is precisely what many ISPs are doing. The practice, known as Deep Packet Inspection (DPI), involves network managers of ISPs developing procedures that track, inspect, and re-route or delay traffic based on the type of protocol being employed or the content of the communication being transmitted. Like many others, I believe that if DPI is adopted as the Internet’s norm, it will undermine the Internet’s foundational architecture and much of its novel and beneficial effects, threaten freedom of speech, access to information, and privacy online, and further carve up and degrade a valuable global commons.</p>
<p>While the controversy has bubbled up in North America and Europe, DPI is, in fact, widely practiced around the world, and an examination of some of the ways it is employed elsewhere may give us a glimpse of the future here. For the last six years, working with colleagues at Harvard, Cambridge, and Oxford Universities plus partners worldwide, I have helped marshal a talented pool of researchers, organized under the OpenNet Initiative (ONI) and Information Warfare Monitor (IWM) projects, to lift the lid on the Internet and document what goes on “beneath the surface.” For most people, the Internet’s infrastructure is largely invisible; the user’s experience begins and ends with the terminal that sits in front of them. However, it is deep within the subterranean realms of the Internet’s infrastructure – through the fibre optic cables, long haul lines, satellite uplinks, routers, and Internet exchanges &#8212; that power is increasingly exercised. Fortunately, as the Internet is an open public network, those with the knowledge and skills are able to interrogate it directly and uncover and expose these types of practices.</p>
<p>According to the latest findings of the ONI, more than two dozen countries now engage in some kind of Internet content filtering in which ISPs act as the frontline defense against content deemed politically, socially or strategically threatening. As evidence of mounting problems, we are presently testing for Internet censorship in 71 countries. Presumably dozens more engage in surveillance for the same reasons, although far less is known and documented about those practices. In countries where the rule of law is not regularly respected, and free speech and access to information are rare, widely cherished norms concerning &#8220;network neutrality&#8221; have little basis in reality. In China, Burma, Vietnam, Tunisia, Saudi Arabia, Yemen, Ethiopia, UAE, Syria, Pakistan, Iran, and Uzbekistan, to name a few of the worst offenders, governments routinely order ISPs to engage in DPI to block access to the websites of political opposition movements and human rights groups. In some of the most egregious cases, like Kyrgyzstan and Belarus, we have documented ISPs secretly disabling access to opposition websites leading up to and during election periods, and then restoring normal Internet connectivity afterwards &#8212; a phenomenon we have dubbed &#8220;just in time&#8221; filtering. Most of the ISPs&#8217; DPI practices take place without oversight or public accountability, and so errors, malicious redirects, and collateral blocking are legion. So is a phenomenon we call “mission creep”: once the practice of filtering has been enabled for whatever reason, the temptation to use it for a wide variety of other social and political problems is enormous. For example, Pakistan started out filtering access to satirical images and videos of the Prophet Muhammed; it now also blocks access to any websites related to the troublesome domestic Baluchistan insurgency.</p>
<p>To be sure, Canada is not Belarus, China, or Pakistan. And, of course, ISPs here claim they are engaged in DPI for narrow reasons of bandwidth control, and not for political reasons. Can we trust them? Recent research from the IWM should raise concerns. As detailed in our report, called Breaching Trust, our researcher Nart Villeneuve discovered that the Chinese version of Skype was not only filtering keywords on the instant messaging client, it was systematically uploading the messages containing the keywords to insecure servers in China. We were able to access, view, and download millions of messages containing sensitive political and economic information ostensibly collected at the behest of Chinese public security organizations. Many people suspected there was a “backdoor” in Skype and that the Chinese version was a Trojan horse for Chinese intelligence; the company publicly denied these worries in 2006. Our research proved they were wrong.</p>
<p>Even more instructive is our August 2005 ONI bulletin, which found that the Canadian ISP, Telus, was blocking subscribers’ access to a website set up by an employee labor union. Our research at the time showed that not only was Telus blocking access to the pro-union website, but it was collaterally filtering 766 additional, unrelated websites. Although our report and other observers questioned whether Telus violated CRTC regulations in blocking access to the pro-union website, Telus responded by saying that under contractual agreements with its customers, it has the right to block access to certain sites, such as those containing child pornography. No mention was made of the collateral filtering we discovered and as far as we know, Telus was not disciplined in any manner by the CRTC.</p>
<p>Once the norm against network neutrality is breached for whatever reasons, the relationship between Internet intermediaries and the communications they facilitate fundamentally changes, and with it the character of the Internet itself. The research of the ONI and IWM suggests strongly that pressures around mission creep mount, collateral blocking explodes, and the enforcement of public security is delegated to often unaccountable and mendacious private entities. Is that the Internet we want?</p>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/dpi-the-future-is-out-there/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

