Oct. 16, 2008 at 8:00 AM ET
Deep down, most Net users realize that everything they do online can be watched and tracked. Most, however, forget this on a day-to-day basis. That's why a new technology called deep packet inspection is potentially very disturbing.
The data is already dismal when it comes to people peeking at your Internet travels. Twenty percent of U.S. companies hire employees specifically to snoop at employee e-mail and 41 percent perform some kind of e-mail monitoring, according to a survey published earlier this year by Proofpoint. Two-thirds of companies monitor Web surfing, and 12 percent even monitor outside blog activity. Even if your company doesn't watch you as a matter of policy, employees might be sneaking a peek anyway. In a survey published in June by security firm Cyber-Ark, one-third of IT workers confessed to abusing their administrative passwords to read colleagues’ e-mail, compare salaries and the like.
Still, people at work often realize their time is not their own, and their expectation of privacy -- at least under U.S. law -- is low. But now, a technology called deep packet inspection offers similar monitoring capabilities that can be used on all Internet users -- at home, at work, even when using mobile devices.
Until recently, the concept of peeking at every data packet while it flew into and out of an Internet service provider’s networks quickly ran into practical problems. There was just too much data to inspect; doing so would bog down even the most robust network. But recent technology advances have made deep packet inspection both practical and affordable, and the technology began finding its way into ISPs around the world this year.
So did emotional objections to it. In May, the Canadian Internet Policy and Public Interest Clinic filed a complaint with Canada's privacy minister after deep packet inspection was implemented by Bell Canada. The complaint accused Canada's largest telecom firm of "unnecessary and nonconsensual collection and use of personal information." The agency called for an investigation, which is ongoing.
Bell Canada responded by saying that it peeks only at packet header information -- the equivalent of the outside address on an envelope -- never inside the packet to inspect the content. But in its complaint, the Internet policy agency said that's impossible -- deep packet inspection by definition requires a look inside every digital message.
While no major U.S. Internet provider is known to utilize deep packet inspection, the controversy has reached the United States. Earlier this year, a set of smaller ISPs began experimenting with a related technology called behavioral marketing, designed by a small California firm named NebuAd. Behavioral marketing uses deep packet inspection to watch Internet users' surfing and deliver context-sensitive advertising to their screens. After an outcry from privacy advocates and unwelcome attention from Congress, which culminated in a July hearing on Capitol Hill, ISPs pulled the plug on their experiments.
An important tool for balancing the load
Defenders of deep packet inspection say the technology is vital to keeping the Internet from bogging down under massive traffic loads at a time when use of bandwidth-hogging technologies like video downloads is exploding. Bell Canada, for example, says it is simply engaging in traffic management, also called “traffic shaping.” That practice enables ISPs to give priority to basic Internet tools like e-mail during periods of high traffic, and shift bandwidth away from heavy users like peer-to-peer networks.
If that sounds like ISPs want to discriminate against certain kinds of Internet traffic, that's because they do. Earlier this year, Comcast was sanctioned by the Federal Communications Commission for secretly dropping or degrading service to peer-to-peer users in a ruling that was seen as a victory for those who favor "Net Neutrality."
Deep packet inspection would provide a more elegant solution to this problem, supporters say, allowing ISPs to be less brutal in their "traffic shaping."
But there are other, less invasive solutions to bandwidth management, says Phillippa Lawson, director of Canada's Internet Policy and Public Interest Clinic. Even Comcast has found a better way, she wrote in her May complaint against Bell Canada.
"Comcast ... acknowledged that its use of traffic shaping programs involving the identification and slowing down of specific types of traffic (namely, P2P) was not in fact necessary in order to maintain the integrity of its network, and announced that it would migrate by the end of 2008 to a bandwidth-management technique that is 'protocol agnostic,'" she wrote. In other reports, Comcast said it would base its "throttling" on a consumer's overall bandwidth use, rather than discriminate against a particular software or type of download activity.
Plenty of applications
But there are still plenty of agencies and firms that could benefit greatly from implementation of deep packet inspection. Government agencies have long sought more efficient ways to monitor Net use and hunt down criminals, dating all the way back to the FBI's ill-named "Carnivore" project. As msnbc.com reported Thursday, law enforcement has already taken a keen interest in the technology as a child-pornography fighting tool. Copyright holders -- particularly in the music, movie, and software industries -- could find it an effective tool for sniffing out illegally copied files and fighting piracy. And, as we've seen, advertisers would find the detailed logs of Net users' activities to be a treasure trove.
But none of this can happen unless Internet service providers agree to install the tracking tools, and so far, U.S.-based ISPs are steering clear of them. In a Sept. 25 hearing before the Senate Commerce Committee, Verizon, AT&T, and Time Warner all said they have not deployed deep packet inspection.
"To be clear, Verizon has not used – and does not use – packet inspection technology to target advertising to customers, and we have not deployed the technology in our wireline network for such purposes," said Thomas J. Tauke, executive vice president of Verizon. Still, he left the door open to future use, and called for an industrywide agreement on privacy-protecting principles like informed consent.
“The perceived problem with 'packet inspection' is not the technology,” he testified. “Many useful technologies can be used for nefarious purposes. The problem arises if packet inspection is used to inappropriately track customers’ online activity without their knowledge and consent and invade their personal privacy.”