Deep Packet Inspection and Privacy
- Following EPIC FOIA Request, Homeland Security Releases Privacy Study of Cybersecurity Project: The Department of Homeland Security (DHS) Privacy Office has released an unclassified version of the Privacy Impact Assessment (PIA) for the Initiative Three Exercise, a pilot exercise for the classified cybersecurity tool known as "EINSTEIN 3." EINSTEIN 3 is the next generation of the U.S. Computer Emergency Readiness Team's intrusion detection and prevention system for the federal government, which will involve active monitoring of all network traffic to and from federal agencies. DHS has not released the full, classified PIA for the tool in either complete or redacted form, but instead drafted a different version for release to the public. For more information, see EPIC Deep Packet Inspection, EPIC Critical Infrastructure Protection (Mar. 26, 2010)
- European Commission Takes Action Against UK, Deep Packet Inspection: The European Commission announced that the UK government has failed to comply with Europe's ePrivacy Directive and Data Protection Directive. European laws state that EU countries must ensure the confidentiality of electronic communications by prohibiting unlawful interception and surveillance. The EC statement specifically cited unlawful interception under the UK Regulation of Information Powers Act. This marks the second phase of an infringement proceeding that was filed earlier this year against the UK. The case follows complaints about the use of Phorm's Deep Packet Inspection technology. For more information, see EPIC Deep Packet Inspection and Privacy and Human Rights Report. (Oct. 29, 2009)
- Public Knowledge, EPIC, Other Public Interest Groups Urge FCC to Ensure Open Internet: EPIC has signed on to a letter from Public Knowledge to the Federal Communications Commission supporting the FCC's decision to begin public proceedings on preserving an open internet. EPIC joins many other public interest groups who have also expressed support for the FCC's initiative. The FCC's proceedings will focus on proposed rulemaking policies that would preserve an open internet. EPIC favors the general principles of "network neutrality" and has called on the FCC to preserve privacy safeguards against measures that Internet Service Providers may use to limit access to the internet. For more information, see also EPIC Deep Packet Inspection. (Oct. 22, 2009)
- Office of Legal Counsel Reaffirms Legality of Einstein 2.0: The Office of Legal Counsel has released two opinions regarding Einstein 2.0, the federal cyber-security initiative that monitors network activity. The Bush administration opinion concluded that Einstein 2.0 complied with the Constitution and applicable federal laws, provided that users are properly warned that it is operating. The Obama administration opinion, signed August 14, 2009, concurred with the earlier opinion, and also concluded that the system does not violate “state wiretapping or communications privacy laws.” EPIC has stated that Einstein should be subject to the Privacy Act. Also, documents previously obtained by EPIC under the Freedom of Information Act revealed that network monitoring tools often exceed their legal authority. For more information, see EPIC Carnivore (FBI tracking tool). (Sep. 21, 2009)
- EPIC Calls on FCC to Continue Privacy Commitments for Broadband Deployment: In response to a request from the Federal Communications Commission concerning the future of the US Broadband Infrastructure, EPIC urged the FCC to secure the privacy interests of consumers and Internet users. EPIC recommended that the Commission desist from collecting personal information, adopt robust privacy safeguards, avoid use of Deep Packet Inspection, and require protections for electronic medical records. EPIC noted the long tradition of establishing privacy protections as new communications technologies emerged in the United States. EPIC previously advocated for the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing. See EPIC's page on CPNI and Deep Packet Inspection and Privacy. (Jun. 9, 2009)
- EPIC Urges Privacy Protections for Government's Use of Social Media: The DHS Privacy Office is seeking public comments on developing best practices on the government's use of social media. EPIC submitted comments on the benefits, issues and privacy best practices. EPIC recommended applying Privacy Act protections to the data collected, prohibiting commercialization and sharing, and using a model certification system. See also EPIC's page on Social Networking Privacy, Network Advertising Initiative, and Deep Packet Inspection and Privacy. (Jun. 3, 2009)
- European Commission Seeks to Protect Internet Privacy: Following complaints about Phorm's Deep Packet Inspection Technology with UK internet service providers, the European Commission has opened a formal investigation. The EU e-Privacy and Data Protection Directives protect the confidentiality of communications by prohibiting interception and surveillance without the user's consent. Deep Packet Inspection allows internet service providers to intercept virtually all customers' Internet activity, including web surfing data and other Internet related activities. The Commission charges that the UK government could not permit this activity under European Union privacy law. In the US, Congressional leaders also objected to Deep Packet Inspection. For more information, see EPIC's page on Deep Packet Inspection and Privacy and Human Rights Report. (Apr. 14, 2009)
- FCC Proposes Nationwide Broadband Expansion, Seeks Public Comments on Privacy Safeguards: Today, the Federal Communications Commission announced that it will develop a plan to expand broadband access. The plan will attempt to "ensure that every American has access to broadband capability," and will be submitted to Congress in February 2010. The Commission seeks comments from the public concerning how to best safeguard consumers' privacy in the face of technologies such as deep packet inspection and behavioral advertising. Chairman Michael J. Copps identified priorities for the broadband expansion, including "avoiding invasions of people’s privacy." EPIC previously advocated for the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing. For more information, see EPIC's pages on deep packet inspection. (Apr. 8, 2009)
- Congressional Privacy Leaders Call for Internet Companies to Come Clean On Behavioral Profiling. Senior members of Congress have requested details of Internet companies' efforts to spy on their customers. The 33 targeted Internet companies, including AT&T, Time Warner, Microsoft, and Google, may be tracking the activities of Internet users. Congressman Edward J. Markey warned that "new technologies, such as 'deep packet inspection' technologies, have the ability to track every single website that a consumer visits while surfing the Web." Charter Communications and Embarq previously came under fire for monitoring Internet users and suspended their activities. Members of Congress have now turned their attention to the leading telcos and Internet firms. For more information, see EPIC's page on Deep Packet Inspection and Privacy. (Aug. 4, 2008)
- Under Pressure, Charter Cable Drops Internet Snooping Plan. Today, Charter announced that it will scrap its plan to intercept internet traffic for marketing purposes. The fourth-largest American cable company's plan recently came under fire from Rep. Edward J. Markey (D-MA) and Rep. Joe Barton (R-TX). Congressman Markey welcomed today's news, and urged other companies to delay any similar plans until "important privacy concerns can be addressed." In May, Charter announced its intention to partner with NebuAd and spy on its customers' internet activities. Legal experts questioned the legality of Charter's snooping program, citing federal laws, including the Wiretap Act and the Communications Act, which prohibit interception and disclosure of wire and electronic communications. For more information, see EPIC's page on Deep Packet Inspection and Privacy. (June 24, 2008)
- Congressional Privacy Leaders Call for Charter Cable to Halt Internet Snooping Plan. Rep. Edward J. Markey (D-MA) and Rep. Joe Barton (R-TX), senior members of Congress and leading privacy champions, challenged the legality of Charter Communications' plan to intercept and inspect their customers' Internet activity. The Congressmen stated that provisions of the federal Communications Act prohibit companies that provide cable services from disclosing subscribers' personally identifiable information without "prior written or electronic consent of the subscriber." Charter plans to intercept its customers' Internet activity without obtaining prior written consent. Congressmen Markey and Barton requested that Charter Communications hold off on the proposed venture with NebuAd. (May 20, 2008)
Deep Packet Inspection ("DPI") is a computer network packet filtering technique that involves the inspection of the contents of packets as they are transmitted across the network. DPI is sometimes referred to as "complete packet inspection." Owing to the volume of traffic on most networks, DPI is usually automated and performed by software based on criteria set by the network operator.
Deep Packet Inspection can be used to determine the contents of all unencrypted data transferred over a network. Since most Internet traffic is unencrypted, DPI enables Internet Service Providers ("ISPs") to intercept virtually all of their customers' Internet activity, including web surfing data, email, and peer-to-peer downloads. After inspecting the contents of users' packets, ISPs can use DPI to perform activities based on filter criteria. Deep Packet Inspection has been used in attempts to: build profiles of consumers for marketing purposes; intercept communications at the request of law enforcement (both with and without warrants); enforce copyright laws; prioritize the transmission of some packets over others; and identify computer viruses and spam. DPI also enables non-ISP service providers, such as search engines or webmail providers, to build user profiles based on Internet activity.
Traditionally, packet headers are inspected by ISPs for a variety of reasons, including optimization of packet routing, detection of network abuse, and statistical analysis. Such inspection, sometimes referred to as "shallow packet inspection," gives ISPs access to basic information about Internet traffic, but does not disclose the contents of users' email or web surfing to ISPs. In contrast, Deep Packet Inspection provides ISPs with access to the content of all unencrypted Internet traffic that ISP customers send or receive.
In the early days of the Internet, DPI was effectively impossible to perform on a large scale as a result of limited computing speed and resources. Recent technological advances have made it possible for ISPs and service providers to implement Deep Packet Inspection on a large scale. Deep Packet Inspection is controversial, and has been criticized by privacy and network neutrality advocates.
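The difference between shallow and deep inspection described above can be seen on a single packet. The following is an added example, not part of the original page: it builds two constructed IPv4/TCP packets (one carrying a plaintext HTTP request, one carrying a TLS record) and shows what a header-only view and a payload view each disclose. All addresses, hostnames and cookie values are made up for illustration.

```python
import socket
import struct

def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4+TCP packet (checksums left zero; sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def shallow_view(pkt):
    """Header-only ("shallow") inspection: addresses, protocol, ports, size."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", pkt[2:4])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "sport": sport, "dport": dport, "length": total_len}

def deep_view(pkt):
    """Payload ("deep") inspection: what the content itself discloses."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    payload = pkt[ihl + data_off:]
    # TLS record: content type 20-23, then version major byte 0x03.
    if len(payload) >= 5 and 20 <= payload[0] <= 23 and payload[1] == 0x03:
        return {"readable": False, "note": "TLS record, content opaque"}
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {"readable": False, "note": "unrecognised payload"}
    headers = dict(h.split(": ", 1) for h in head[1:] if ": " in h)
    return {"readable": True, "method": parts[0], "path": parts[1],
            "host": headers.get("Host"), "cookie": headers.get("Cookie")}

# Constructed samples: the same client and server, in plaintext and inside TLS.
HTTP_REQ = (b"GET /search?q=knee+surgery+recovery HTTP/1.1\r\n"
            b"Host: health.example\r\nCookie: uid=constructed123\r\n\r\n")
TLS_REC = b"\x17\x03\x03\x00\x20" + bytes(32)  # application-data record, dummy body
PLAIN = build_packet("192.0.2.10", "198.51.100.7", 50000, 80, HTTP_REQ)
ENCRYPTED = build_packet("192.0.2.10", "198.51.100.7", 50001, 443, TLS_REC)

if __name__ == "__main__":
    for pkt in (PLAIN, ENCRYPTED):
        print(shallow_view(pkt), deep_view(pkt))
```

The header view is the same kind of information in both cases (who is talking to whom, on which port, how much). Only the payload view of the unencrypted packet exposes the search terms, site name and identifying cookie.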
On approximately May 14, 2008, some consumers who subscribe to Charter Communications' broadband Internet service received notices stating that Charter would soon begin to perform Deep Packet Inspection of their Internet traffic. The notices were sent to customers in four markets: Fort Worth, Texas; San Luis Obispo, California; Oxford, Massachusetts; and Newtown, Connecticut. Charter, the fourth-largest cable company in the US, stated that it plans to use the initial four locations as test markets, and expects to expand its DPI activities to include all 2.8 million Charter customers within several months. Charter partnered with NebuAd to implement its Deep Packet Inspection program.
NebuAd plans to install its hardware on Charter's system, and pay Charter a monthly fee per subscriber. NebuAd also pays various Internet advertising networks for the right to serve ads through their networks. NebuAd serves ads for its clients via the advertising networks, and makes a profit because NebuAd charges its clients more than it pays the ad networks. This differential is based on NebuAd's ability to target advertisements to users' interests based on user data that it collects through its hardware connected to Charter's ISP servers. NebuAd's hardware runs proprietary software that inspects the contents and header information of every packet transmitted to or from Charter's subscribers. Based on the intercepted information, NebuAd builds profiles of users, and serves targeted advertisements to users through the ad networks. Charter does not obtain written consent from users prior to initiating DPI. Charter permits users to opt out of receiving targeted advertising via a cookie, but reportedly provides no mechanism for opting out of the Deep Packet Inspection.
Charter's Deep Packet Inspection program is the first large-scale DPI implementation by a major US ISP. Previously, several smaller American ISPs (including Knology, Wide Open West, and Embarq) instituted DPI programs.
In early 2008, Deep Packet Inspection in the UK was met with public outcry. Three large British Internet providers, Virgin Media, BT and TalkTalk, contracted with Phorm to implement DPI-based targeted advertising. Privacy advocates and consumers objected, and additional controversy ensued when it was revealed that BT had used Phorm to secretly intercept customer information in 2006 and 2007.
Google, Inc.'s Gmail webmail service utilizes Deep Packet Inspection to display advertisements based on email content. Gmail uses the inspection of email content to present targeted advertisements to Gmail users. The practice drew criticism from privacy advocates in the wake of Gmail's 2004 launch.
On April 24, 2008, the Canadian Association of Internet Providers asked the Canadian Radio-television and Telecommunications Commission to direct Bell Canada to cease "throttling" or "traffic shaping" network traffic. CAIP alleged that Bell intentionally reduced the data transfer speeds of other ISPs. Net Neutrality advocates have argued that Deep Packet Inspection permits network discrimination of the sort identified by CAIP, and thereby limits consumer choice, economic opportunity, and technological innovation.
- Charter suspends ad program over privacy fears, Washington Post, June 25, 2008
- Web monitoring for ads? It may be illegal, Declan McCullagh, Wired, May 19, 2008
- Charter's Web monitoring draws intervention from Capitol Hill, Declan McCullagh, Wired, May 16, 2008
- Lawmakers raise concerns over Charter Web tracking plan, Jim Salter, Associated Press, May 16, 2008
- Can Charter Broadband Customers Really Opt-Out of Spying? Maybe Not, Ryan Singel, Wired.com, May 16, 2008
- Charter Will Monitor Customers' Web Surfing to Target Ads, Saul Hansell, The New York Times, May 14, 2008
- Charter (CHTR) To Customers: We're Watching You And Cashing In, Dan Frommer, Silicon Alley Insider, May 14, 2008
- BT's 'illegal' 2007 Phorm trial profiled tens of thousands, Chris Williams, The Register, April 14, 2008
- Google's Gmail sparks privacy row, BBC, April 5, 2004
Deep Packet Inspection Resources
- Thomas, Porter, The Perils of Deep Packet Inspection
- Wikipedia, Deep Packet Inspection
- Anderson, Nate, Deep packet inspection meets 'Net neutrality, CALEA