Review of the Internet traffic management practices of Internet service providers

Submission of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunication Commission (CRTC)

February 2009

---

In November 2008, the Canadian Radio-television and Telecommunication Commission (CRTC) initiated a public proceeding to review the Internet traffic management practices of Internet Service Providers (ISPs).

The CRTC called for written submissions by February 23, 2009. A public consultation is scheduled for July 2009. The OPC welcomed the opportunity to contribute to the public discussion with respect to the protection of personal information on the Internet.

The CRTC and the Office of the Privacy Commissioner of Canada have complementary statutory roles regarding privacy protection. The CRTC’s mandate under the Telecommunications Act specifically includes contributing to the protection of the privacy of persons as a matter of Canadian telecommunications policy.  The OPC’s submission is made pursuant to our legislative mandate to protect the privacy rights of individuals, foster public understanding of privacy, and promote the privacy protections available to Canadians. The OPC’s submission is focused on the privacy implications about the potential uses of Deep Packet Inspection (DPI).

---

February 18, 2009

Mr. Robert A. Morin
Secretary General
Canadian Radio-television and Telecommunications Commission
Ottawa, ON
K1A 0N2

Dear Mr. Morin:

Re: Telecom Public Notice CRTC 2008-19 - Review of the Internet traffic management practices of Internet service providers; CRTC Reference: 8646-C12-200815400

1. On 20 November 2008, the Canadian Radio-television and Telecommunication Commission (CRTC) initiated a public proceeding to consider Internet traffic management practices for both wholesale and retail Internet services. In its Public Notice of consultation and hearing, the CRTC invited parties to comment on particular issues and topics it identified in a series of interrogatory questions.
2. On 16 December 2008, the Office of the Privacy Commissioner of Canada (OPC) informed the CRTC of our intention to participate in the proceedings because we believe they raise important issues with respect to the protection of personal information on the Internet.
3. The OPC makes these submissions as an interested party to the proceedings, pursuant to its legislative mandate to protect the privacy rights of individuals and promote the privacy protections available to Canadians.^{Footnote 1}
4. The OPC’s submissions to these proceedings are focused on the privacy implications of Internet traffic management practices employed by internet service providers (ISPs). Specifically, the OPC’s comments address privacy concerns about the potential use of Deep Packet Inspection (DPI).
5. Our submissions will address the following:

   I. The Mandate and Mission of the Office of the Privacy Commissioner of Canada

   II. OPC’s Involvement in Privacy and DPI Technology Issues

   1. Current Complaints and Investigations
   2. Research and Publications

   III. Deep Packet Inspection and its potential impact on privacy

   IV. Responses to interrogatory questions:

   6(a) Privacy Implications of DPI use and the policy objectives of the Telecommunications Act
   8(a) Initiatives in other jurisdictions concerning privacy and Internet traffic management practices using DPI
   8(b) The possible applicability of initiatives with respect to privacy and the use of DPI in Canada.

I. The Mandate and Mission of the Office of the Privacy Commissioner of Canada

6. The CRTC and the OPC have complementary statutory roles regarding privacy protection.^{Footnote 2} The CRTC has jurisdiction over privacy issues arising from the operation of telecommunications networks.^{Footnote 3} The CRTC’s mandate under the Telecommunications Act^{Footnote 4} specifically includes contributing to the protection of the privacy of persons as a matter of Canadian telecommunications policy.
7. The mandate of the OPC is to oversee compliance with the Privacy Act^{Footnote 5}, which applies to the personal information handling practices of the federal government department and its agencies and the Personal Information Protection and Electronic Documents Act (PIPEDA)^{Footnote 6}, Canada’s private sector privacy law. PIPEDA applies to organizations that collect, use and disclose personal information in the course of commercial activity. ^{Footnote 7}  PIPEDA also covers the personal information of customers and employees of federal works, undertakings and businesses such as telecommunications companies.^{Footnote 8} PIPEDA, therefore, applies to ISPs in two ways: as telecommunications network operators, and as employers.
8. The mission of the OPC is to protect and promote the privacy rights of individuals. To that end, the Office seeks opportunities, to promote public awareness and education of privacy rights and obligations through engagement with federal institutions and bodies,  the private sector, a wide range of other interested stakeholders, and the public at large.
9. The OPC’s submissions to the CRTC on privacy and DPI are intended to fulfill the Office’s mandate and mission.

II. The OPC’s Involvement in Privacy and DPI Technology Issues

i) Current Complaints and Investigations

10. At the date of this submission, the OPC has received a few complaints under PIPEDA related to DPI. These complaints are currently being investigated. The OPC has made no findings and no resolutions between the parties have yet been reached.

ii) Research and Publications

11. The OPC is conducting ongoing research into the privacy implications of DPI and Internet throttling, from legal, policy-based and technical perspectives. The OPC’s Official Blog has posted commentary on the issue.^{Footnote 9} In the near future, the Office will publish a collection of essays on privacy and DPI written by international experts in privacy, telecommunications law, technology and the social sciences. An interactive website will be simultaneously launched with the publication to facilitate public discussion and education. The OPC will continue speaking with experts in the field, and exploring ways to enhance privacy protection on the Internet.

III.  Deep Packet Inspection and Its Potential Impact on Privacy

12. Deep Packet Inspection (DPI) is a form of computer network packet filtering.  DPI has been available for several years and has its origins in information technology security.  The original purpose of DPI was to examine the data and/or header portions of a packet as it passes an inspection point, searching for indications of protocol non-compliance, viruses and other malicious code, spam and other forms of intrusion.  DPI also enables Internet data mining, eavesdropping/lawful intercept, censorship, copyright enforcement and network traffic optimization (e.g., quality of service and priority services). One of the reasons DPI technologies raise privacy concerns is because it can involve the inspection of information content sent from end-user to end-user, thus enabling third parties to draw inferences about users' personal lives, interests and activities.
13. DPI devices have the ability to look at Layer 2 (link layer) through Layer 7 (application layer) of the Open Systems Interconnection (OSI) model.^{Footnote 10}  DPI devices can, therefore, examine headers and data protocol structures as well as the actual payload of the message.  In other words, DPI technology can look into the content of a message sent over the Internet. To use a real-world example, using DPI is akin to a third party opening an envelope sent by surface mail, and reading its contents before it reaches its intended destination. This ability to examine packets in their entirety makes it possible to detect certain attacks that traditional intrusion detection/intrusion prevention systems and firewalls cannot catch on their own. In addition to helping prevent attacks from viruses and worms at wire speeds (effectively, in real-time), DPI can also be effective against other security threats including buffer overflow attacks, Denial of Service (DoS) attacks, and sophisticated intrusions.
14. DPI identifies and classifies traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information (sometimes referred to as shallow or stateful packet inspection).  A classified packet can be redirected, marked/tagged, blocked or dropped, rate limited, and of course reported to a reporting agent in the network.
15. The OPC’s privacy concerns centre on four proposed uses of DPI:
    1. For targeted advertising based on analyzing users’ web-browsing behaviour.
    2. scanning Internet traffic for undesirable or unlawful content, such as SPAM, unlicensed distribution of copyright material or dissemination of hateful or obscene materials;
    3. capturing and recording selective packets for law enforcement surveillance; and
    4. monitoring traffic loads to measure network performance, and plan for future facilities investments.
16. The OPC is concerned with the potential collection, use and disclosure of users’ personal information without their knowledge and consent, and in certain circumstances, in the absence of lawful authority. The retention and appropriate safeguarding of personal information obtained by DPI is also a privacy issue of interest to the OPC.

IV.  Responses to Interrogatory Questions:

6(a) Privacy Implications of DPI use and the policy objectives of the Telecommunications Act

17. Privacy is often viewed as a fundamental human right and, arguably, the right from which many other essential freedoms flow: individual autonomy and decision-making, freedom of speech, freedom of association, and freedom of thought.^{Footnote 11} Historically, Canadian law has not allowed surveillance simply because of increased technological capabilities.  Criminal Code sanctions, together with privacy law requirements, have set strict limits on government action or private sector practices with regard to accessing private information.^{Footnote 12}
18.  Privacy is not just an individual right — it is a public good that reflects decisions we have made as a people about how we want to live as a society. These values are reflected in privacy legislation throughout Canada, the Charter of Rights and Freedoms^{Footnote 13} and in the policy objectives of the Telecommunications Act 1993, c. 38 T-3.4.
19. One of the policy objectives under the Act is to safeguard the privacy of individuals and their communications. This policy is set out in paragraphs 7(a) and (i) of the Act:

    7. It is hereby affirmed that telecommunications performs an essential role in the maintenance of Canada’s identity and sovereignty and that the Canadian telecommunications policy has as its objectives ?

    (a) to facilitate the orderly development throughout Canada of a telecommunications system that serves to safeguard, enrich and strengthen the social and economic fabric of Canada and its regions;?

    (i) to contribute to the protection of the privacy of persons.

20. Canadians are amongst the heaviest Internet users in the world,^{Footnote 14} spending, on average, 17 hours a week online.^{Footnote 15} Forty percent use community or social networking sites to interact and socialize with family and friends.^{Footnote 16} They also use the Internet to connect with political and social issues, with over one-half of home Internet users aged 18 and over reporting that they read online newspapers or magazines to be informed about a particular issue.^{Footnote 17} A 2007 Statistics Canada study showed that Canadians spent almost $12.8 billion online in one year, the vast majority issuing payment directly over the Internet, using a credit or debit card for some or all of their orders and purchases.^{Footnote 18}  Given the fact that Canadians spend a significant amount of their personal and professional lives online, it is imperative, in our view, that their privacy is protected when engaged in Internet activity.
21. We respectfully submit that in order to advance the privacy objectives contained in the Act, telecommunications policy, decisions and regulation with respect to Internet traffic management practices in general, and DPI specifically, should consider the potentially invasive nature of DPI technology, and the manner in which it has been implemented by ISPs (e.g., without notice, consent, etc).

    The use of DPI raises a number of privacy questions:

    1. What are the appropriate uses of DPI?
    2. When should DPI be activated and under what authority?
    3. What information management processes and controls should be used by organisations deploying DPI technology, or third parties with access to this information?
    4. What should be required regarding:
       1. Informing the customer about the use of DPI?
       2. Customer choices regarding use of DPI for security?
       3. Customer choices regarding use of DPI for selling profiling data to third parties?
    5. What information that is potentially examinable by DPI constitutes personal information and is, therefore, subject to the protections of privacy legislation?^{Footnote 19}
    6. Should consideration be given to the appropriateness of underlying design decisions as the exploitation of weaknesses gives rise to the need for DPI?

8(a) Initiatives in other jurisdictions concerning privacy and Internet traffic management practices using DPI

22. In the United States, the House Committee on Energy and Commerce, Subcommittee on Telecommunications and the Internet held a hearing in July 2008 on broadband providers and their use of DPI for behavioural advertising.  Then Chairman Edward Markey argued that:

    "From a privacy perspective, given the sheer sophistication of the technology's capability and the obvious sensitivity of the personal information that can be gleaned from a consumer's Web use, I believe broadband providers deploying deep packet inspection technologies must adopt clear privacy policies.  In my view, consumers deserve, at a minimum, 1) clear, conspicuous, and constructive notice about what broadband provider's use of deep packet inspection will be, 2) meaningful, "opt-in" consent for such use, and 3) no monitoring or data interception of those consumers who do not grant consent for such use."^{Footnote 20}

23. In September 2008, the Network Advertising Initiative (NAI), an advertising industry association that supports self regulation for on-line advertising, was reported as supporting an opt-in standard when DPI is used by ISPs for behavioural advertising.^{Footnote 21}  NAI Executive Director Trevor Hughes was quoted as saying:

    “The ISP-behavioral model requires enhanced protections to ensure that consumers can maintain appropriate control of their browsing experience. In light of this fundamental difference between how notice and choice can be offered to consumers, we agree with recent statements from the Federal Trade Commission that ISP-based behavioral advertising is different from publisher-based forms of behavioral advertising."^{Footnote 22}

24. The Federal Communications Commission (FCC) ruled on internet service provider Comcast Corporation’s network management practices of using DPI and false reset packets for traffic management against peer-to peer (P2P) applications.  According to the Order, the FCC found that “?the company’s discriminatory and arbitrary practice unduly squelches the dynamic benefits of an open and accessible Internet and does not constitute reasonable network management.  Moreover, Comcast’s failure to disclose the company’s practice to its customers has compounded the harm.”^{Footnote 23}
25. The FCC found that Comcast’s level of disclosure to its customers was inadequate and that individuals would not have been able to reasonably recognize that P2P applications were being discriminated against.^{Footnote 24}
26. The FCC also found that Comcast’s “?practices are not minimally intrusive?but rather are invasive and have significant effects.”^{Footnote 25}  The FCC noted that Comcast was using DPI to monitor its customers and route electronic communications based on the contents of the communication and not the address.^{Footnote 26}
27. It has been reported that Comcast provided the FCC with a new network traffic management plan that is based on shallow packet inspection – and where traffic is not measured by the type of application that is being used, but by the congestion in an individual’s immediate neighbourhood and by the bandwidth an individual is using.^{Footnote 27}  Therefore, we would like to note that other jurisdictions have found less intrusive methods that apparently do not involve the use DPI to implement network management practices to address traffic congestion.
28. The FCC sent Comcast a letter in January 2009 asking them to clarify their revised network management principles related to voice over internet protocol (VOIP) services.^{Footnote 28}  They noted that in Comcast’s revised network traffic management plan, when an individual has reached a certain bandwidth usage for a certain period of time while their neighbourhood node has been near capacity  for 15 minutes, VOIP calls may have reduced quality, however it appears that Comcast VOIP applications may not be affected.^{Footnote 29}   The FCC’s questioning of this possible differential treatment practice was noted by the Free Press, and Ben Scott, policy director at Free Press, stated:

    "This letter is a positive sign that the FCC's Comcast decision was not a one-and-done action on Net Neutrality. We are pleased that the commission is conducting an ongoing investigation into network management practices that might impact users' access to the online content and services of their choice.

    An open Internet cannot tolerate arbitrary interference from Internet service providers.”^{Footnote 30}

29. Former FCC Chairman Kevin J. Martin has indicated he supported providers disclosing their practices to consumers as a reasonable network management practice. ^{Footnote 31} He has also noted that “?because of the importance of the Internet, we must maintain an open and dynamic Internet that will allow it to continue to be an engine of productivity and innovation that benefits all persons.” ^{Footnote 32}
30. Viviane Redding, European Commissioner for Information Society and Media has noted the importance “?to ensure that the internet remains open from the point of view of service providers wanting to deliver new, innovative services, ANDopen from the point of view of consumers wanting to access the services of their choice and create the content of their choice.” ^{Footnote 33} [emphasis in original] Although she indicated that there may be a need to address issues related to traffic prioritization, she clearly stressed that anti-competitive behaviour limiting consumer choice is a serious risk and that transparency is an important guiding principle. ^{Footnote 34}

8(b) The possible applicability of initiatives with respect to privacy and the use of DPI in Canada.

31. There are two principal concerns with respect to the use of DPI technology.  The first relates to network management.  There is concern that the implementation of DPI for Internet traffic management has been done in a manner that is less than transparent and potentially inconsistent with an individual’s/consumer’s expectations.  There has been some evidence in a number of jurisdictions suggesting that such technology has been used for “unreasonable network management practices.”
32. The second concern relates to privacy.  Not only does DPI permit the examination of packet headers, including source and destination IP addresses (which, in some instances, are considered to be personal information), but it also has the ability to examine the content of an electronic communication.  It is not clear that examination of content is necessary for network management and may constitute an unreasonable invasion of an individual’s privacy.
33. These concerns need to be addressed to develop an Internet traffic management framework that supports service providers’ requirements, the privacy of individuals/consumers and a dynamic Internet that can serve as an engine for innovation and growth.
34. In the Canadian context, the following points should be considered when discussing or examining the impact of using DPI for Internet traffic management on individual  privacy:
    • S. 7(i) of the Telecommunications Act indicates that one of the objectives of  Canadian telecommunications policy is to contribute to the protection of the privacy of persons.  As such, we respectfully submit to the Commission that future considerations related to Internet traffic management should ensure that this policy objective is given full consideration.
    • A responsible Internet traffic management strategy should integrate privacy management frameworks to protect individuals/consumers.
    • This framework should address the potential/actual uses of DPI for reasonable network traffic management.  It should include the potential privacy risks associated with a network traffic management strategy and should address:
      • transparency;
      • the extent that DPI can view online activity
      • the extent that DPI can come across personal/sensitive information;
      • what happens to this information – an analysis of information management practices, including the collection, use and disclosure of the information and any third-party access to the information;
      • limiting the intrusive invasion of content with respect to online activity;
      • safeguards to protect an individual’s personal information; and
      • consumer choice.
35. The use of DPI has not just been limited to Internet network management practices. DPI has also been used for the purposes of behavioural advertising.  We submit that any discussion of DPI should include the possible uses of the technology in other applications and related privacy concerns.
36. In the US and the UK, it has been reported that third-party advertisers (most notably Phorm and NebuAd) have undertaken discussions with ISPs to deploy DPI on an ISP’s network for the purposes targeted advertising.  In this type of partnership, an online profile about an individual is created and is based on the individual’s entire online history.  The vast amount of personal information related to this type of profiling has raised significant privacy concerns.
37. Activities like this raise concerns that service providers are not adequately advising individuals that this type of tracking/profiling is taking place.  In addition, the lack of an adequate consent model – or in the case of some service providers the lack of even seeking consent – has also been raised.
38. Other privacy concerns include, but are not limited to
    • Sensitive Personal Information: The DPI system on an ISP’s network can analyze an individual’s online activity, which can include personal information and sensitive personal information.
    • Scope and Scale of Personal Information: DPI has the ability to look at the detailed contents of all of an individual’s entire on-line communication. Therefore, DPI may be able to look at a vast amount of personal and sensitive information, whether it is intentionally or not.  Careful consideration should be given to the fair information practices including limiting the collection, use and disclosure of information.
    • Anonymization: Although user profiles may be anonymized, it is still possible to link a profile to an individual.  Profiles that are based on detailed marketing categories can potentially lead to the identification of an individual.
    • Redirection of Communication: Technical assessments of Phorm and NebuAd indicate that these systems seem to redirect an individual’s communication without an individual’s consent by pretending to act as the end-user an individual is trying to reach. 
    • Cookies: One issue identified was that if an individual chooses to opt-out, an opt-out cookie may be issued. The appropriateness of an opt-out cookie has been questioned.  If an individual cleans their cookies on a regular basis - which can be considered a reasonable network maintenance practice - they may be opted back in.  Therefore an opt-out cookie may only temporarily comply with an individual’s choice not to have their entire online activity tracked.
39. DPI also has implications for personal privacy if it is used with other electronic devices, such as cellphones and other mobile wireless devices. 

Conclusion

40. The prospective uses of DPI technology raise serious concerns about individual privacy. DPI technology has the potential to give ISPs and other entities wide ranging access to vast amounts of personal information sent over the Internet. Canadians spend a significant amount of their lives on online as consumers, professionals, and citizens. They are entitled to privacy protection pursuant to Canadian telecommunications policy, as set out in the Telecommunications Act, and under privacy laws of Canada. We respectfully submit that before DPI technology is employed, careful consideration should be given to what impact it may have on individual privacy.

Sincerely,