Thursday, April 24, 2008

 

Is DPI an invasion of privacy?

I have been troubled by the allegation that the use of deep packet inspection for network management purposes by Internet Service Providers is an invasion of privacy. The issue arises in the dispute over traffic shaping of customers of one of Bell's wholesale shared internet access products.

One commentator says that CAIP "rightly" notes that a privacy violation arises since there is no contractual relationship between Bell and the customers of the independent ISPs. CAIP's application said:
By examining the packet data and packet header information of GAS customer traffic, Bell can identify, inter alia, the type of data being transferred, the ISP upon whose network the data is being transferred, an end-user’s intention to acquire certain types of Internet content and the IP address and, hence, the identity of the end-user customer who is sending/receiving the data. The collection and use of such information by Bell, which in this case would have clearly been done without the prior consent of the end-user customers so affected, violates the privacy of such individuals.
It seems to me that the privacy complaint is predicated on carriers actually collecting and using individual information. But all of the statements seem to indicate that carriers don't actually use any personal information. The DPI technology looks at packets and treats all packets associated with certain applications equally. The network management is non-discriminatory on an individual level.

Isn't this precisely why traffic shaping has impacted both legitimate and inappropriate file transfers without differentiation?

Is this any different from compression technologies that were historically used in long distance telephone networks? Such technologies looked at the nature of the traffic and applied appropriate compression algorithms based on whether the call was fax, voice, dial-up data, broadcast audio, etc.

Think of enforcement of high occupancy vehicle lanes during peak traffic periods. The police can quickly look in the windows to see if there are 2 or more passengers in the car without pulling over the car, determining where the people are from, where they are going, who is in the car, the purpose of the trip, etc.

We can have an intellectual discussion about the rights of service providers to manage their networks and the methods that may or may not be appropriate. But, the invasion of privacy claim set out by CAIP makes little sense and serves to create noise that interferes with being able to hear a more fundamental, focussed discussion on internet access policy.


Comments:
Your commentary leaves one issue unclear to me:

It seems to me that the privacy complaint is predicated on carriers actually collecting and using individual information.

Here you clearly indicate "collecting and using" in a linked fashion.

But all of the statements seem to indicate that carriers don't actually use any personal information.

But here you refer only to usage.

So my question: is Bell collecting the information as outlined by the CAIP? In my opinion there is no difference between collection and usage. Data collected and retained is data that can be used at some later date. Statements of current intention carry little or no value.
 
No ambiguity was intended. I am unaware of any data collection / retention associated with DPI.
 
There is no need for collection AND use. Collection of personal information alone is sufficient for the law to apply.

The issue is not whether privacy law prohibits DPI between an ISP and their customer (it doesn't since the ISP can build consent into their privacy policy), but rather whether DPI of someone's traffic who does not have a commercial relationship is permitted. Bell doesn't have a commercial relationship with CAIP's customers and so its privacy policy doesn't apply. Analogies to police activities make no sense in this context.

If the data subject to DPI is personally identifiable, the law applies and there is no obvious exception that Bell can rely upon. They would need to force CAIP to build in a DPI provision into their policies on their behalf and I can't imagine CAIP is interested in doing so.
 
Seems to me there are two practical solutions to the network congestion issue (privacy complaint aside). You manage the P2P traffic that is causing the problem, or you move to a usage-based billing model - which I suspect would not generate a nickel of revenue, but rather curtail the usage of those applications causing the problem of congestion. Be interesting to see whether users of P2P would opt for a larger bill, or unlimited usage of an application that is given lower priority during peak traffic periods.
 
In Appendix 2 of Bell's Answer to the CAIP Application, Bell provides a copy of an information circular that was sent to the affected ISPs. The circular is a Q&A sheet which includes one that says:

QUESTION: What technology was used and how does it differentiate between applications?
Bell has implemented Deep Packet Inspection (DPI) which identifies the packet mapping, but does not monitor, track, or access the content of your customers’ P2P traffic.

This seems to be a pretty clear indication that there should be no privacy issue.
 
Sorry Mark, but if an IP address is personal information (and the Commissioner has ruled that it is), the identification of the type of Internet traffic linked to a particular user may be as well.
 
I think you should read up a bit more on the technology behind DPI. A good place to start is at www.dpacket.org, which is a vendor funded website-- Bell's vendor is one of the founding / supporting members.

https://www.dpacket.org/introduction-deep-packet-inspection-processing

A packet is analogous to a physical postal mail message. The address on the outside of the envelope is analogous to the “packet header” and the information inside the envelope is analogous to the “payload.” DPI is analogous to taking action on that mail message not only based on the address on the envelope, but also making considerations based on the contents of the envelope.

So please, let's move beyond the rubbish of "we are just looking at the headers"... The whole selling point of DPI is that it's Deep PACKET _INSPECTION_... i.e. it moves beyond the simple protocol ACL and moves to an application layer ACL which is indeed looking at the data.


In Bell's point 40,
"All P2P file sharing applications can still be used, but they will simply be slower for some users when traffic management is applied so as to redistribute P2P traffic from peak periods to off-peak periods...However, even though all P2P traffic is subject to the same rates during peak periods, those users with low to moderate usage of P2P during peak periods will simply not experience the same delay in their level of use."


I don't think they are telling the whole truth about how this DPI stuff works or the people writing are kept from understanding how it actually works. Regardless, they can't keep the story straight. From the dpacket.org link, it's clear that there are a LOT of things that the technology can do. One of them is detailed subscriber billing.... So that no matter the IP, they can tie back the bandwidth used to a particular subscriber, be that Bell or wholesale.... (Think in the wireless world how very useful this is where bandwidth is a scarce commodity and IP addresses change by the minute.) BUT, in order to do this, they must accumulate data on that customer endpoint. In other words, they must track what that user is doing over time in order to "selectively" throttle customers as they say in their point 40. Is it allowed under the tariff for Bell to keep a record of the types of network activity Wholesale customers engage in? No, I don't think so. What about "abuse situations you ask"... Sorry, downloading from the CBC is NOT network abuse. Perhaps artistic abuse, but not network abuse :)

If we are to believe Bell in 40... They are indeed collecting data and using that data to act on the end user (which is NOT Bell's customer). This jives with what DPI is about from the vendors of DPI technology themselves..

Also take a look at

http://www.ellacoya.com/products/IPServiceControlSystem.pdf

It has a nice visual 2 page overview of what DPI is really all about.
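
The header-versus-payload distinction drawn in the comment above, and the per-subscriber accounting it describes, as an added example (not part of the original post or comments, and not Bell's or any vendor's implementation). The packets, documentation-range IP addresses and the port table are constructed for illustration.

```python
import struct
from collections import defaultdict

BT_HANDSHAKE = b"\x13BitTorrent protocol"  # prefix of a BitTorrent peer handshake

def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal IPv4+TCP packet (constructed sample, checksums zeroed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return ip + tcp + payload

def parse(packet):
    """Split a packet into header fields (the envelope) and payload (the contents)."""
    ihl = (packet[0] & 0x0F) * 4
    src = ".".join(map(str, packet[12:16]))
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4
    return src, sport, dport, packet[ihl + data_off:]

def classify_by_header(sport, dport):
    """Protocol ACL: decide from port numbers only (hypothetical port table)."""
    ports = {80: "http", 443: "https", 6881: "p2p"}
    return ports.get(dport) or ports.get(sport) or "unknown"

def classify_by_payload(payload):
    """Application-layer classification: decide from the payload bytes."""
    if payload.startswith(BT_HANDSHAKE):
        return "p2p"
    if payload[:4] in (b"GET ", b"POST", b"HEAD"):
        return "http"
    return "unknown"

def account(packets):
    """Per-subscriber byte counts by application, keyed on source IP.
    This table is the retained state that any per-user policy depends on."""
    usage = defaultdict(lambda: defaultdict(int))
    for pkt in packets:
        src, _, _, payload = parse(pkt)
        usage[src][classify_by_payload(payload)] += len(pkt)
    return {ip: dict(apps) for ip, apps in usage.items()}

# Constructed sample traffic: a P2P handshake and an HTTP request, both to port 80.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.5", 51000, 80, BT_HANDSHAKE + bytes(48)),
    build_packet("192.0.2.11", "198.51.100.6", 51001, 80, b"GET / HTTP/1.1\r\n\r\n"),
]
```

Both sample packets look identical to the header-only classifier; only the payload check separates them, and the accounting table ties the result to an IP address.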
 
Hello all,

I'm happy to see discussions like this unfolding. I started dPacket.org with the intention to help facilitate useful discussion around DPI. First, on behalf of dPacket.org, I think it is important to point out that while dPacket.org is vendor funded the vendors do not control the organization. The organization is built to involve all stakeholders in DPI; that includes a broad set of viewpoints and people. Please feel free to contact dPacket.org directly with questions by using the site's contact form. I am very interested to speak with people to learn how the site can help facilitate education and collaboration around the challenges that DPI presents-- technical, ethical, and legal. I'm also happy to share insights and information on the topic.
 