For my first session of the day on Tuesday of the TRISC 2009 conference I attended a presentation by Andrew MacFarlane from Data Foundry, Inc. on “Deep Packet Inspection and the Loss of Privacy and Security on the Internet”. While the concept of DPI is nothing new to me and I remember first hearing about it around the FBI’s Carnivore project, this particular use case was something that I hadn’t heard about. Apparently pretty much every Tier 1 ISP has hopped onboard the DPI bandwagon and is now using the technology for everything from traffic prioritization to targeted advertising. To make matters worse, you automatically agree to this type of monitoring by accepting your ISP’s terms of service. Data Foundry has been one of the few ISPs that have spoken out against this practice, but unless more people (especially end-users) lobby their congressmen to remove this waiver of privacy rights as part of our terms of service acceptance, the future of privacy and security on the internet is awfully bleak. My notes from the session are below:

  • ISPs’ “advanced network management” practices are changing the way that bits are transmitted across the internet
  • Content of online communications is now inspected as it travels between endpoints
  • ISP customer contracts require users to consent to the monitoring of their online activities
  • ISPs claim increasing Internet traffic is leading to network congestion that requires new non-standard network management practices
  • Many ISPs are introducing network systems that identify traffic by type or application to delay “low-priority” bits
  • One HD video download is roughly equivalent to visiting 35,000 web pages
  • A few users account for most of the downstream traffic. Upstream disparity is even greater.
  • Mandatory and non-negotiable ISP customer contracts authorize the wholesale inspection of user communications.
  • As a condition of service, customers (individuals and businesses) must consent to this inspection

Deep Packet Inspection

  • Network-level appliance that captures Internet traffic on ingress and egress.
  • Examination of the packet’s header information and payload (content).
  • Analysis of (up to) all 7 layers of the OSI model
  • Network-based parental controls, spam filtering, detection and protection against adware, spyware, malware, or viruses
  • Network-based bandwidth prioritization
  • Filtering of IP, child porn, and provider or government-determined “unacceptable” or “illegal” speech
  • Targeted advertising through monitoring and data-mining
  • Enforcement of “Net Neutrality” based “nondiscrimination” imperative
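
To make the header-versus-payload distinction in the list above concrete, here is an added Python example (not from the talk or from any DPI product) that parses two constructed packets the way a header-only inspector and a payload inspector would. The addresses, hostname, URL and cookie are made-up sample values.

```python
import struct

def build_packet(src, dst, sport, dport, payload):
    """Build a constructed IPv4+TCP packet (checksums left at 0, sample only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload

def shallow_view(pkt):
    """Header-only inspection (layers 3/4): who is talking to whom, on which port."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport}

def deep_view(pkt):
    """Payload inspection (layer 7): application type and any cleartext content."""
    ihl = (pkt[0] & 0x0F) * 4
    data = pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]    # skip the TCP header too
    if len(data) >= 2 and 0x14 <= data[0] <= 0x17 and data[1] == 3:
        return {"app": "tls", "content_visible": False}   # TLS record header
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    request = lines[0].split(" ")
    if len(request) == 3 and request[2].startswith("HTTP/"):
        hdrs = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        return {"app": "http", "content_visible": True,
                "url": hdrs.get("Host", "") + request[1],
                "cookie": hdrs.get("Cookie")}
    return {"app": "unknown", "content_visible": False}

# Constructed sample traffic: one cleartext HTTP request, one TLS record.
HTTP_PKT = build_packet("192.0.2.10", "198.51.100.7", 50000, 80,
    b"GET /clinic/results?id=17 HTTP/1.1\r\nHost: example.test\r\n"
    b"Cookie: session=abc123\r\n\r\n")
TLS_PKT = build_packet("192.0.2.10", "198.51.100.7", 50001, 443,
    b"\x17\x03\x03\x00\x10" + bytes(16))

if __name__ == "__main__":
    for pkt in (HTTP_PKT, TLS_PKT):
        print(shallow_view(pkt), deep_view(pkt))
```

With the encrypted record the inspector still learns the endpoints and that the flow is TLS, but not the URL or cookie that the cleartext request exposes.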

Network-Level Targeted Advertising

  • In 2006 and 2007 Phorm and British Telecom began secretly monitoring 54,000 Internet users and testing DPI-facilitated targeted advertising
  • By the end of 2009, all British Telecom Internet users will be monitored and presented with targeted ads
  • In 2008, NebuAd partnered with 30 American ISPs to track users on the Internet and perform targeted advertising
  • Network-level targeted advertising uses DPI to monitor everything that users transmit or receive over their Internet access connections
    • Web browsing
    • E-mail
    • IM
    • Downloads
    • Applications and Devices
  • Advertising systems generate a profile which is then sold

No Way to Opt-Out of DPI

  • ISPs claim that users can opt-out of targeted advertising by installing a cookie that will turn off the ads, but not the tracking
    • Purging cookies will re-opt-in users
    • Disabling cookies will default to opt-in
  • ISPs provide no way for users to opt-out of the underlying DPI
  • New DPI systems can block, segregate, or defeat user encryption

DPI: Privacy Implications

  • Consent to monitoring is a waiver of privacy rights
    • Including automated, non-human inspection
  • All privileges are waived on an inspection network
  • Private communications will be available to others through a 3rd party subpoena to the ISP with a showing of mere relevance, and without user notice
  • ISP TOS require businesses to consent to the monitoring of their online communications
  • Information gleaned from inspection can be used for any and all purposes by the ISP
  • Trade secrets, proprietary information, confidential communications, transaction records, customer lists, etc. are all exposed
  • Businesses risk violating customer privacy laws
    • Allowing third party access to medical, tax, financial, and credit records is often prohibited

Solutions to Protect Privacy on the Internet

  • DPI has legitimate uses and need not be banned
  • However, wiretapping without a warrant should require express, voluntary (opt-in) and informed user consent
  • Full and complete disclosure of inspection practices and legal consequences to users
  • Educated and voluntary consent is OK
  • Requiring consent as a condition of receiving service is not voluntary
  • Intrusive regulation by industry-captured regulators is the wrong way
  • Need an administrative or legislative declaration of a public policy against internet access contracts that fail to disclose practices and privacy implications and/or require waiver of privacy rights as a condition of service
  • Privacy is preserved without regulation