Conversations are overheard and recorded. Email is intercepted and read. Someone poses as a friend in order to obtain details about you.
All of these examples depict an intermediary invading or undermining a basic form of communication, violating an implicit trust in the process.
Unfortunately, Internet service providers have triggered an ongoing flap about deep packet inspection (DPI) over just this kind of activity.
DPI, which identifies and filters packetized data according to its payload as well as its header, is gaining in use. There are machines like the Procera PacketLogic PL 10000 that can track the online sessions of millions of Netizens. There are vendors with (luckily for opponents) ominous names like NebuAd Inc. and Phorm that have conducted (or plan to conduct) tests of “behavioral advertising” in conjunction with ISPs -- tracking all online user activities in the process.
The technical details of marketing efforts deploying DPI may be fascinating -- just how does Phorm pretend to be the Website you thought you were visiting? -- but the implications are deeply troubling to a lot of people.
The DPI tussle has triggered Congressional interest and has launched a general uproar that will likely be with us for a long time.
Internet engineer David Reed has testified before Congress that DPI technologies violate longstanding Internet standards and pose risks to consumers. The Center for Democracy & Technology has stated that DPI systems may threaten consumers' trust that their online communications will be delivered without interference. The group says the use of these systems likely violates many state and U.S. federal laws, including laws prohibiting wiretapping and barring cable operators from using consumer data inappropriately.
ISPs have a range of claims on their side of the argument, including:
- Web services like Google deploy DPI-like techniques, so why shouldn't ISPs use them, too?
- They need to manage their networks to avoid congestion, and DPI provides helpful tools.
- ISPs need the revenue they get from DPI-based marketing in order to provide better services.
- DPI tools can be used in the ongoing fight against spam and viruses; they are fundamental for security, content-based billing, and all other important applications.
My own view is that we’ve lost track of the foundation of communications law: the idea that carriers have a duty to serve their market in a nondiscriminatory fashion, instead of leveraging their position as providers of basic transport for use in other ways.
If we take that idea seriously -- and it appears that some constituents are doing just that -- it also forces the question of whether carriers whose business it is to get us online are really entitled to discriminate against particular types of data.
DPI isn't for marketing use. I hope we’ll see real movement toward basic, nondiscriminatory transport under a new presidential administration next year.
— Susan Crawford, visiting professor at Yale Law School, teaches Internet law and communications law