Deep Packet Inspection has frequently been sighted as the solution to tracking and throttling users who use file-sharing applications – regardless of legality. The idea of DPI hasn’t been seen much outside of Sandvine claiming that 44% of all bandwidth consumption is P2P related despite counter-evidence that shows a different story.

Bell, one of Canada’s largest ISPs have been under fire in the recent past for throttling its customers. Comcast has received a fair share of headlines for similar actions.

While it may, at first, seem like DPI is strictly a p2p related issue, the issue raises many concerns that spans farther beyond simply whether or not a person is able to download RadioHead’s ‘In Rainbows’. There’s one particular issue that may grab the attention of more than the Canadian file-sharing community – it’s a privacy related issue.

Should ISPs be able to profile it’s customers internet usage? It’s a topic currently being handled in a number of countries. In Britain for instance, there’s been no shortage of controversy surrounding the infamous Phorm technology being rolled out. In the United States, similar actions are being taken by ISPs. the most recent case is an ISP known as Embarq being pressured to admit to spying on their customers for the purpose of profiling and targeted advertising. Sweden is currently dealing with privacy related to web use through the FRA wiretap law that was passed a little while ago.

So clearly, the concerns of eavesdropping is justified when one looks internationally. In a press release issued by CIPPIC the other day:

“Behavioural targeting raises a number of serious privacy concerns and may violate
federal privacy laws.” said CIPPIC Director Philippa Lawson. The CIPPIC analysis
concludes that behavioural targeting by ISPs likely violates the Personal Information
Protection and Electronic Documents Act (“PIPEDA”), alleging that ISPs engaging in the
practice often fail to provide sufficient notice to users, do not obtain meaningful consent
from users, and do not offer users effective ways to control such uses of their personal
information.

“Most users are not comfortable with the idea of being followed around online,” said CIPPIC Staff Counsel David Fewer. “Canadians would be surprised if their ISP not only started profiling them for its own purposes, but used that information to sell advertising.”

Along with the call for an industry-wide investigation regarding behavioural targeting,
CIPPIC filed company-specific privacy complaints against Rogers Communications Inc.,
Shaw Communications Inc. and Eastlink Inc. for their use of Deep Packet Inspection in
the context of “traffic-shaping”, another controversial ISP practice that is currently the
focus of another CIPPIC complaint against Bell Canada (as well as a CRTC proceeding
initiated by the Canadian Association of Internet Providers against Bell Canada).

So, pretty much every ISP other than Telus/AT&T is being brought under fire for such technology, though a precedent setting case that affects all ISPs could be made as a result of all of this. It could very well make it more difficult in the future to roll out programs as seen in Britain where the MPAA among others are getting ISPs to police their networks.

While there is an emphasis on privacy concerns, there is definitely the issue of throttling certain protocols as well that could easily be affected by this movement. It will be interesting to see where all this goes.

Internet Service Providers (ISP) have a legal sore spot these days – that sore spot is internet intervention on the ISP level. In Canada, a form of that sore spot may be in the form of Deep Packet Intervention and its impact on privacy. Considering the kind of privacy laws Canada has, it may prove very interesting to see where this goes. A hint on the kind of privacy laws that are in place is the fact that Canada has commissioners dedicated to privacy which is often said is a rarity in the world today.

The complaint (PDF) made by CIPPIC says, among other things:

1. This is a complaint under s.11 of Part I of the Personal Information Protection and Electronic Documents Act (PIPEDA), regarding the unnecessary and non-consensual collection and use of personal information by Bell Canada and Bell Sympatico (collectively, “Bell”) through the use of “Deep Packet Inspection” (“DPI”) technology.
Our attention has been drawn to this matter by individual internet users, media reports, and most recently, an application filed with the Canadian Radio-television Telecommunications Commission (CRTC) on 3 April 2008 by the Canadian Association of Internet Providers (CAIP).

2. In brief, we understand that Bell is engaging in internet “traffic management” practices that involve the inspection of internet traffic headers and content, both of which contain information that can be linked to internet subscribers, purportedly to classify traffic for purposes of network optimization. Such practices – i.e., those involving the collection and use of personal information – are not necessary to ensure network integrity and quality of service. Moreover, subscribers whose traffic is being inspected have not consented to the inspection and use of their data for this purpose. Finally, Bell does not make readily available to individuals specific information about these practices.

3. We submit that Bell is violating Principles 4.3, 4.4, and 4.8 of PIPEDA, Schedule 1 by failing to:
a. Obtain informed consent from affected individuals to the collection and use of their personal information for the purpose of traffic management (Principle 4.3);
b. Limit the collection of personal information to that which is necessary for its stated purposes (Principle 4.4); and
c. Make readily available to the public specific information about its traffic management policies and practices insofar as they involve the collection and analysis of personal information (Principle 4.8).

Internet traffic shaping practices have typically focused on identifying and slowing down Peer-to-Peer (“P2P”) traffic during peak hours of usage, for the alleged purpose of ensuring adequate bandwidth availability for other users. In order to distinguish P2P traffic from other types of traffic, ISPs typically use Deep Packet Inspection technologies. DPI examines the contents (commonly called the “payload”) rather than just the header of the data packet.

A press release (PDF) has the following:

Large ISPs including Bell Canada and Rogers Communications Inc. may be monitoring internet subscribers’ online activities contrary to Canada’s privacy legislation, and the Canadian Internet Policy and Public Interest Clinic has asked Canada’s Privacy Commissioner to investigate.

The Canadian Internet Policy and Public Interest Clinic (CIPPIC) today filed a complaint with Canada’s Privacy Commissioner about Bell Canada’s alleged practice of monitoring internet subscribers’ internet activities without their knowledge or consent. Bell began to apply “deep packet inspection” to its own Sympatico retail customers late in October 2007, but only admitted this practice late in March 2008, after it began applying the same practice to subscribers of other, independent internet service providers.

There is evidence that other large ISPs such as Rogers, Shaw, and Cogeco may be engaging in similar practices, said Lawson. “Our complaint focuses on Bell, but we are asking the Commissioner to investigate all ISPs who engage in traffic-shaping practices.”

“Canada has privacy legislation that Bell and other ISPs must follow,” Ms. Lawson pointed out. “We’re asking the Privacy Commissioner to investigate just what Bell’s use of deep packet inspection involves. Canadians have a right to know who is looking over their shoulders, and why.”

So, first of all, what are principles 4.3, 4.4, and 4.8 of PIPEDA? Here’s what we find in these sections:

4.3 Principle 3 — Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.

4.4 Principle 4 — Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

4.4.1

Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle (Clause 4.8).

4.8 Principle 8 — Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

4.8.1

Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

Considering Bell Canada was very secretive in their business with filtering technology, among other things, it definitely sounds like Bell Canada is about to get nailed for their use of Deep Packet Inspection. It also sounds like that ’33% overloaded’ complaint from Bell, as we reported last month, is going to be a part of the trouble Bell put themselves in to.

Second of all, there was mention over the CAIP submission at the CRTC. Michael Geist posted about this, highlighting the privacy concerns Deep Packet Inspection, the technique used to filter P2P traffic:

CAIP is also raising privacy concerns with the throttling, seeking an order that “Bell has acted unlawfully and contrary to the prohibition on carrier interference with the content of messages carried over its telecommunications network contrary to section 36 of the Act and contrary to the Canadian telecommunications policy objectives set out in paragraphs 7(a) and (i) which, inter alia, seek to protect the privacy of persons.” The privacy argument is based on Bell’s deep-packet inspection of Internet traffic. In particular:

“In order to throttle the Internet traffic originating from/or destined for end-user customers of independent ISPs, Bell is using measures to first, open each data packet, examine the packet data and header information, and then apply certain rules to the content in question. This aspect of Bell’s wholesale throttling activities give rise to concerns that Bell’s actions violate the privacy of the communications of its wholesale customers (as well as
that of their own end-user customers). It also gives rise to concerns that Bell has violated its duty under section 36 of the Act not to control the content or influence the meaning or purpose of telecommunications carried by it for the public.”

Michael Geist is noting this connection as well:

With CAIP raising the privacy issue in its submission to the CRTC, it was only a matter of time before the Privacy Commissioner was asked to intervene.

Finally, it seems that the complaint stems specifically from a few things, some of which include the fact that Bell did not obtain permission from its customers to use the technology, it didn’t disclose it’s practices in, not only a clear manner, but a timely manner, limit the amount of information they obtain, and the fact that filtering the internet is clearly not an essential practice on the network in the first place.

The case has a number of similarities to the Phorm controversy in Britain where two analysis, one from Richard Clayton and the other from FIPR (which complimented Claytons analysis)

Phorm, of course, has a few key differences in the fact that it’s based on analysis of web surfing behavior while the DPI technology analyzes specific packets from a few protocols. At the same time, the similarities are very real in the fact that both deal with intervention from an Internet Service Provider and capturing and using private information indiscriminately. One thing to consider is the simple fact that the privacy laws in Britain are different from that of Canada. Either way, when an ISP starts collecting personal information in some form or another, there’s bound to be high level controversy at some point.

Whether or not the Privacy Commissioner of Canada will respond is, of course, another matter. There was a case in the past where CIPPIC filed a privacy complaint (namely against Abika.com) back in June of 2004 (second from bottom). The privacy commissioner initially refused to intervene due to a jurisdiction issue, but after going through court for a judicial review, the courts ruled in favor of CIPPIC and the case resumed in 2007.

It’ll be interesting to see what the Privacy Commissioner has to say about this case and if the commissioner will intervene. Looking through the laws CIPPIC sites, it seems reasonable to assume that there’ll be fewer issues in this case.

digg_url = ‘http://digg.com/tech_news/Privacy_Commissioner_to_Investigate_Bell_Canada_Over_DPI’;

“Deep Packet Inspection: Taming the P2P Traffic Beast” focuses exclusively on products that specifically provide or use real-time data and analysis of packet contents for stateful protocol identification, flow monitoring, application monitoring, session monitoring, policy enforcement, use and usage control, quality of service, security, traffic management, and similar functions. The 28-page report provides an overview of P2P’s impact on data networks and details how DPI can be deployed to help minimize those effects.

The report presents a detailed comparison of product features and functions from key DPI vendors, including Allot Communications, Caspian Networks, Cisco Systems, Ellacoya Networks, Narus, and Sandvine. It also lists known customer wins for the vendors in this sector and catalogs the various technology partnerships each vendor has struck with suppliers of related hardware and software.

Worldwide, network operators spent $96.8 million on DPI in 2005, but the DPI sector is poised to grow by more than 75% this year, to about $170 million, and top $586 million in 2010, estimates James Crawshaw, Research Analyst for Light Reading Insider and author of the report.