EPIC: Deep Packet Inspection and Privacy

Deep Packet Inspection and Privacy

Top News

Congressional Privacy Leaders Call for Internet Companies to Come Clean On Behavioral Profiling. Senior members of Congress have requested details of Internet companies' efforts to spy on their customers. The 33 targeted Internet companies, including AT&T, Time Warner, Microsoft, and Google, may be tracking the activities of Internet users. Congressman Edward J. Markey warned that "new technologies, such as ‘deep packet inspection' technologies, have the ability to track every single website that a consumer visits while surfing the Web." Charter Communications and Embarq previously came under fire for monitoring Internet users and suspended their activities. Members of Congress have now turned their attention to the leading telcos and Internet firms. For more information, see EPIC's page on Deep Packet Inspection and Privacy. (Aug. 4).
Under Pressure, Charter Cable Drops Internet Snooping Plan. Today, Charter announced that it will scrap its plan to intercept internet traffic for marketing purposes. The fourth-largest American cable company's plan recently came under fire from Rep. Edward J. Markey (D-MA) and Rep. Joe Barton (R-TX). Congressman Markey welcomed today's news, and urged other companies to delay any similar plans until "important privacy concerns can be addressed." In May, Charter announced its intention to partner with NebuAd and spy on its customers' internet activities. Legal experts questioned the legality Charter's snooping program, citing federal laws, including the Wiretap Act and the Communications Act, which prohibit interception and disclosure of wire and electronic communications. For more information, see EPIC's page on Deep Packet Inspection and Privacy. (June 24)
Congressional Privacy Leaders Call for Charter Cable to Halt Internet Snooping Plan. Rep. Edward J. Markey (D-MA) and Rep. Joe Barton (R-TX), senior members of Congress and leading privacy champions, challenged the legality of Charter Communications' plan to intercept and inspect their customers' Internet activity. The Congressmen stated that provisions of the federal Communications Act prohibit companies that provide cable services from disclosing subscribers' personally identifiable information without "prior written or electronic consent of the subscriber." Charter plans to intercept its customers' Internet activity without obtaining prior written consent. Congressmen Markey and Baton requested that Charter Communication hold off on the proposed venture with NebuAd. (May 20)

Deep Packet Inspection ("DPI") is a computer network packet filtering technique that involves the inspection of the contents of packets as they are transmitted across the network. DPI is sometimes referred to as "complete packet inspection." Owing to the volume of traffic on most networks, DPI is usually automated and performed by software based on criteria set by the network operator. Deep Packet Inspection can be used to determine the contents of all unencrypted data transferred over a network. Since most Internet traffic is unencrypted, DPI enables Internet Service Providers ("ISPs") to intercept virtually all of their customers' Internet activity, including web surfing data, email, and peer-to-peer downloads. After inspecting the contents of users' packers, ISPs can use DPI to perform activities based on filter criteria. Deep Packet Inspection has been used in attempts to: build profiles of consumers for marketing purposes; intercept communications at the request of law enforcement (both with and without warrants); enforce copyright laws; prioritize the transmission of some packets over others; and identify computer viruses and spam. DPI also enables non-ISP service providers, such as search engines or webmail providers, to build user profiles based on Internet activity. Traditionally, packet headers are inspected by ISPs for a variety of reasons, including optimization of packet routing, detection of network abuse, and statistical analysis. Such inspection, sometimes referred to as "shallow packet inspection," gives ISPs access to basic information about Internet traffic, but does not disclose the contents of users' email or web surfing to ISPs. In contrast, Deep Packet Inspection provides ISPs with access to the content of all unencrypted Internet traffic that ISP customers send or receive. In the early days of the Internet, DPI was effectively impossible to perform on a large scale as a result of limited computing speed and resources. Recent technological advances have made is possible for ISPs and service providers to implement Deep Packet Inspection on a large scale. Deep Packet Inspection is controversial, and has been criticized by privacy and network neutrality advocates.

Behavioral Targeting Using Deep Packet Inspection

On approximately May 14, 2008, some consumers who subscribe to Charter Communications' broadband Internet service received notices stating that Charter would soon begin to perform Deep Packet Inspection of their Internet traffic. The notices were sent to customers in four markets: Fort Worth, Texas; San Luis Obispo, California; Oxford, Massachusetts; and Newtown, Connecticut. Charter, the fourth-largest cable company in the US, stated that it plans to use the initial four locations as test markets, and expects to expand its DPI activities to include all 2.8 million Charter customers within several months. Charter partnered with NebuAd to implement its Deep Packet Inspection program.

NebuAd plans to install its hardware on Charter’s system, and pay Charter a monthly fee per subscriber. NebuAd also pays various Internet advertising networks for the right to serve ads through their networks. NebuAd serves ads for its clients via the advertising networks, and makes a profit because NebuAd charges its clients more than it pays the ad networks. This differential is based on NebuAd’s ability to target advertisements to users’ interests based on user data that it collects through its hardware connected to Charter’s ISP servers. NebuAd’s hardware runs proprietary software that inspects the contents and header information of every packet transmitted to or from Charter’s subscribers. Based on the intercepted information, NebuAd builds profiles of users, and serves targeted advertisements to users through the ad networks. Charter does not obtain written consent from users prior to initiating DPI. Charter permits users to opt out of receiving targeted advertising via a cookie, but reportedly provides no mechanism for opting out of the Deep Packet Inspection. Charter’s Deep Packet Inspection program is the first large-scale DPI implementation by a major US ISP. Previously, several smaller American ISPs (including Knology, Wide Open West, and Embarq) instituted DPI programs. In early 2008, Deep Packet Inspection in the UK was met with public outcry. Three large British Internet providers, Virgin Media, BT and TalkTalk, contracted with Phorm to implement DPI-based targeted advertising. Privacy advocates and consumers objected, and additional controversy ensued when it was revealed that BT had used Phorm to secretly intercept customer information in 2006 and 2007. Google, Inc.'s Gmail webmail service utilizes Deep Packet Inspection to display advertisements based on email content. Gmail uses the inspection of email content to present targeted advertisements to Gmail users. The practice drew criticism from privacy advocates in the wake of Gmail's 2004 launch.

Traffic Shaping Using Deep Packet Inspection

On April 24, 2008, the Canadian Association of Internet Providers asked the Canadian Radio-television and Telecommunications Commission to direct Bell Canada to cease "throttling" or "traffic shaping" network traffic. CAIP alleged that Bell intentionally reduced the data transfer speeds of other ISPs. Net Neutrality advocates have argued that Deep Packet Inspection permits network discrimination of the sort identified by CAIP, and thereby limits consumer choice, economic opportunity, and technological innovation.

News Items

Charter suspends ad program over privacy fears, Washington Post, June 25, 2008
Web monitoring for ads? It may be illegal, Declan McCullagh, Wired, May 19, 2008Charter's Web monitoring draws intervention from Capitol Hill, Declan McCullagh, Wired, May 16, 2008Lawmakers raise concerns over Charter Web tracking plan, Jim Salter, Associated Press, May 16, 2008Can Charter Broadband Customers Really Opt-Out of Spying? Maybe Not, Ryan Singel, Wired.com, May 16, 2008 Charter Will Monitor Customers’ Web Surfing to Target Ads, Saul Hansell, The New York Times, May 14, 2008Charter (CHTR) To Customers: We're Watching You And Cashing In, Dan Frommer, Silicon Alley Insider, May 14, 2008BT's 'illegal' 2007 Phorm trial profiled tens of thousands, Chris Williams, The Register, April 14, 2008
Google's Gmail sparks privacy row, BBC, April 5, 2004

Deep Packet Inspection Resources

Thomas, Porter, The Perils of Deep Packet Inspection Wikipedia, Deep Packet Inspection
Anderson, Nate, Deep packet inspection meets 'Net neutrality, CALEA

EPIC Privacy Page | EPIC Home Page

Last Updated: August 4, 2008
Page URL: http://epic.org/privacy/dpi/