The Privacy Implications of Deep Packet Inspection

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Danielle Keats Citron

March 2009

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Note: This essay was contributed by the author to the Office of the Privacy Commissioner of Canada's Deep Packet Inspection Project

Broadband providers increasingly use deep packet inspection technologies (DPI) that examine consumers’ online activities and communications in order to tailor advertisements to their unique tastes.^{Footnote 1} Although providers emphasize the market efficiencies that DPI provides, they have not adequately addressed the privacy concerns that it raises. Providers insist that because they discard consumers’ communications after analyzing them, any privacy concerns are illusory.^{Footnote 2} Nonetheless, privacy concerns remain despite these assurances because nothing prevents providers from simply altering their policies—in the U.S., the law does not restrict the secondary use of DPI data.^{Footnote 3} And the public has no means to oversee what broadband providers are actually doing because DPI operates invisibly.^{Footnote 4} In the future, network providers could collect our online communications and sell them, including medical data and private correspondence, to employers, insurance companies, credit bureaus, and landlords.^{Footnote 5} Broadband providers could morph into powerful data brokers of our online communications. But even if providers only retain DPI data and do not sell it, their databases are vulnerable to accidental leaks and theft.^{Footnote 6} These scenarios would be permissible and possible if broadband providers decide to retain such data.

Another concern is the government’s ability to subpoena the digital surveillance of a person’s online life from broadband providers. Consumers may deserve notice and an opportunity to be heard before the disclosure of such information to governmental actors, if courts construe the data as implicating an individual’s important property or liberty interests.^{Footnote 7} More generally, if DPI becomes a fact of life, informed consumers may curtail their online communications rather than risk its release to others. This would stunt our creativity and intellectual privacy, so critical to the development of our ideas and free speech.^{Footnote 8}

Network providers dismiss these concerns on the grounds that consumers can opt out of DPI tracking of their online life with a single click.^{Footnote 9} Optimism about a properly functioning marketplace, however, is misplaced. Network providers bury notice of their inspection practices in densely worded privacy policies and do not email users to note the change in policy.^{Footnote 10} Thus, a basic information asymmetry problem arises—consumers cannot reasonably be expected to know about, and protect themselves from, opaque practices. Even if consumers opt out of the creation of behavioral profiles for use in delivering ads, they may not be opting out of the copying of their traffic. And if some network providers switch to an opt-in approach or reject DPI entirely, consumers still cannot totally control the use of DPI technologies by those with whom they communicate, thus rendering consumer choice illusory.^{Footnote 11} As a result, privacy concerns may not be self-correcting and thus consumers can safeguard their privacy only through costly encryption practices.

Given the difficulties of opt-in and opt-out solutions, should law curtail the use of DPI? One solution may be to ban the use of DPI for commercial benefit. Alternatively, law could insist upon greater oversight over providers’ use of DPI. To that end, the Center for Democracy and Technology suggests a variety of ways to enhance the transparency and oversight over DPI practices, including instituting a “Do Not Track” list, requiring providers to disclose their data collection practices, establishing an Online Consumer Protection Advisory Committee, and providing remedies for abuses of DPI data.^{Footnote 12} These solutions would enable providers to continue to use DPI to combat spam, assist prosecutors who obtain warrants, and identify child porn traffickers, precisely the sort of “Good Samaritan” monitoring efforts that Section 230 of the Communications Decency Act^{Footnote 13} anticipates, without compromising consumers’ privacy.

Footnote 1

See Allot Communications, Digging Deeper into Deep Packet Inspection 1 (2007), available at http://www.getadvanced.net/learning/whitepapers/networkmanagement/Deep%20Packet%20Inspection_White_Paper.pdf (“DPI is the foremost technology for identifying . . . applications”).

Return to footnote 1

Footnote 2

See, e.g., Jerome Tollet, Myth 7: All IP Traffic Can Be Recorded, [d]packet.org, Sept. 22, 2008, https://www.dpacket.org/articles/myth-7-all-ip-traffic-can-be-recorded; Letter from Neil Smit, President and CEO of Charter Communications, to the House Subcommittee on Telecommunications and the Internet (Aug. 8, 2008), available at http://energycommerce.house.gov/Press_110/Responses%20to%20080108%20TI%20Letter/110-ltr.080108responseCharter.pdf.

Return to footnote 2

Footnote 3

What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies, Hearing Before the Subcomm. on Telecommunications and the Internet of the H. Comm. on Energy and Commerce, 110th Cong. 13 (July 17, 2008) [hereinafter DPI Hearing], available at http://energycommerce.house.gov/cmte_mtgs/110-ti-hrg.071708.Cooper-testimony.pdf (prepared testimony of Alissa Cooper, Chief Computer Scientist of Center on Democracy and Technology)

Return to footnote 3

Footnote 4

Carol Wilson, DPI: A Scorned Technology that’s Thriving, Telephony Online, July 21, 2008.

Return to footnote 4

Footnote 5

Declan McCullagh, Web Monitoring For Ads? It May Be Illegal, c/net News.com, May 19, 2008

Return to footnote 5

Footnote 6

Danielle Keats Citron, Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age, 80 S. Cal. L. Rev. 241, 252-53 (2007) (discussing risk of identity theft posed by release of Social Security numbers)

Return to footnote 6

Footnote 7

DPI Hearing, supra note 3, at 13 (Cooper testimony)

Return to footnote 7

Footnote 8

See Julie E. Cohen, Examined Lives: Informational Privacy and the Subject as Object, 52 Stan. L. Rev. 1373, 1426 (2000); Neil M. Richards, Intellectual Privacy, 87 Tex. L. Rev. (forthcoming 2008).

Return to footnote 8

Footnote 9