Copping a packet
North America gets antsy over Deep Packet Inspection.
Use of Deep Packet Inspection (DPI) by North American ISPs is coming under attack as the thought takes root that the technology may not be used just for house-keeping traffic management. In the USA, after discussions in the House Energy and Commerce Subcommittee on Telecommunications and the Internet, letters have been sent to 33 leading Internet and broadband companies, including Verizon, AT&T, Time Warner, Comcast, Microsoft, Google and others, pressing them for information about the extent to which they collect information about consumers' use of their broadband services or websites. North of the border the Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa , Faculty of Law, has asked the Office of the Privacy Commissioner to open an investigation into ISPs’ practice of profiling users online to target them with advertising.
The US legislators’ hearings, titled ‘What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies’, was meant to shed light on the use of DPI by ISPs. The US hearings elicited this response from Timothy Sparapani, senior legislative counsel for the American Civil Liberties Union (ACLU): “The expanding use of DPI is increasingly sophisticated, complicated and lacking in transparency. The risk to Americans’ privacy is massive. ISPs will have access to a complete cached record of Americans’ transactions including our search terms, the pop up ads that appeal to us, the stories we read, the blogs we visit and post to, and anyone we’re associated with on the Internet. If that information is misused by commercial vendors for profit, it can lead to embarrassment and annoyance through additional ‘targeted marketing,’ and vendors making decisions about us and our views and lifestyles.”
The letters sent out after the hearings were signed by Reps. John D. Dingell (D-MI) and Joe Barton (R-TX), the chairman and ranking member of the Committee on Energy and Commerce, and Reps. Ed Markey (D-MA) and Cliff Stearns (R-FL), the chairman and ranking member of the Telecommunications and the Internet Subcommittee.
“Privacy is a cornerstone of freedom. Online users have a right to explicitly know when their broadband provider is tracking their activity and collecting potentially sensitive and personal information,” noted Rep. Markey in a comment on the letter. “New technologies, such as ‘deep packet inspection' technologies, have the ability to track every single website that a consumer visits while surfing the Web. This sweeping ability to collect, analyse, and profile how individuals use their broadband connection raises clear privacy issues and I believe such activity should occur only with the express prior consent of individual citizens. In addition, individual websites and search engines and their affiliates that monitor users also owe consumers constructive notice of such activities and the right to limit or thwart any personal data collection.”
Meantime, the palindromic CIPPIC fears that with the use of DPI technologies, Canadian ISPs may soon start sorting through everything a user does online and compiling profiles about them in order to sell for targeted advertising purposes. According to CIPPIC the practice, known as behavioural targeting, is growing across the USA and the UK .
“Behavioural targeting raises a number of serious privacy concerns and may violate federal privacy laws,” suggests CIPPIC director Philippa Lawson. CIPPIC’s analysis is that behavioural targeting by ISPs likely violates the Personal Information Protection and Electronic Documents Act (PIPEDA), and the organisation alleges that ISPs engaging in the practice often fail to provide sufficient notice to users, do not obtain meaningful consent from users, and do not offer users effective ways to control such uses of their personal information.
“Most users are not comfortable with the idea of being followed around online,” adds CIPPIC staff counsel David Fewer. “Canadians would be surprised if their ISP not only started profiling them for its own purposes, but used that information to sell advertising.”
Along with the call for an industry-wide investigation regarding behavioural targeting, CIPPIC has filed company-specific privacy complaints against Rogers Communications Inc, Shaw Communications Inc and Eastlink Inc for their use of DPI in the context of ‘traffic-shaping’.