When the ISP Tracks Your Every Move: The Power (and Abuse) of Deep Packet Inspection

As the temperatures rise in a typical Washington summer, so grows the pressure on some online advertising firms. 

Yesterday the House Energy and Commerce Committee’s Telecommunications and the Internet Subcommittee held a hearing on the questionable methods for advertising currently being used by some Internet service providers (ISPs).  The hearing was entitled, “What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies.”   Panelists included: Bob Dykes, the CEO for NebuAd, David Reed, an early Internet pioneer and professor at MIT, Alissa Cooper, the Chief Computer Scientist for the Center for Democracy and Technology, Scott Cleland, President of Precursor, LLC, and Bijan Sabet, a General Partner at Spark Capital. 

Committee members expressed concerns about ISPs working with third party advertising firms that monitor their customers’ web habits for advertising purposes.  Several people compared deep packet inspection techniques on the Internet with the United States Postal Service opening people’s packages.  They said a basic level of privacy is violated when an ISP employs DPI for the sake of increasing revenue, especially when unwitting customers are not aware their web browsing is being monitored. 

DPI is a computer network packet filtering that allows for the inspection of data for viruses, spam, or other content.  In other words, this inspection process would provide an ISP or other entity with the power of conducting data mining, eavesdropping or even censorship.  While DPI has benefits, panelist Bijan Sabet said the Comcast/BitTorrent debacle demonstrates that is also has its drawbacks.  A few weeks ago, it was revealed that Comcast was blocking BitTorrent on its network through the use of DPI technology.

This marks the second week that advertising firm, NebuAd, has testified before Congress on its “robust” security practices.  Last week, NebuAd faced questioning by the Senate Commerce Committee.  The firm says targeted advertising “provides consumers with significant benefits, serving them with more relevant ads, which they want, while ensuring they have robust privacy protections and control over their online experience.” 

Taking NebuAd to task, Chairman Ed Markey said DPI “can indicate every site a user visits and much more.”  He said he would not expect the postal service or UPS to open up his packages, and believes tactics used by firms like NebuAd are subjecting Americans to unwarranted invasions of privacy.  Furthermore, he said the notices that are provided to users are lost in the fine print or ignored. 

“When people use the world wide web, they don’t want it to turn into the wild, wild west when it comes to their personal information,” said Markey.

Ranking Member Cliff Stearns, on the other hand, urged Members to use caution when approaching this issue, saying the FTC testified last week that no new regulations were needed for the online advertising arena.  

“As the overall economy continues to take a downturn, the government shouldn’t be contemplating how to make it harder for small businesses to succeed.  Targeted advertising may be essential for small businesses to compete with larger ones,” said Stearns.  “Let’s look very closely at these issues before we leap to legislative proposals that even the FTC is not calling for at this time.”

Other Members said a policy of opt-in should be the norm, rather than the current opt-out choice.

“Why is the burden [of opting out] on me?” asked Representative Greg Walden.  “I think for the Internet to succeed as an instrument of commerce,” people need to opt-in to the system.

Citing another issue, Representative Hilda Solis said she was concerned that vulnerable populations, like the elderly or those who cannot speak English, may be targets for predatory advertising tactics. 

WHAT THEY SAID:  Here is a brief summary of the panelists’ testimonies.

Bob Dykes (NebuAd)- Dykes said his company, which he says does not use personally identifiable information, has designed a service “so that no one- not even the government- can determine the identity of our users.”  Dykes said they do not store raw data that can be linked to individuals.  He also said they provide users “with prior, robust notice.”  Dykes, who faced tough questioning from Chairman Markey and others, said they continue to innovate on privacy controls, including the development of better notices.  He said the Internet “is more than 50% supported by advertising,” so it is imperative that firms like his have access.

David Reed (Professor, MIT)- Reed, who began working on the Internet in the late seventies, said he believes DPI is “not at all necessary” for operating the Internet.  He said DPI technologies “actually violate long-agreed standards and principles that have been part of the Internet’s design from the beginning.”  Furthermore, Reed said they “pose major risks to the economic successes of the Internet … by normalizing non-standard and risky technical activity on the part of telecom operators who may choose to exploit captive customers.”  He said DPI is particularly harmful for unwitting customers, especially when they do not know how their information is being tracked (or even that it is tracked in the first place).  Reed said users must have informed consent and know exactly how their data is being used. 

Alissa Cooper (Chief Computer Scientist, CDT)- Cooper said that while DPI is benign and even beneficial at times, it “runs the risk of violating the trust of consumers for the Internet.”  She said this technology allows networks to see the political or religious sites a user may visit, while providing little notice they are doing so.  Cooper suggested that current online advertising techniques may violate federal wiretapping laws and might also interfere with normal Internet use.  She urged Congress to seek more information from ISPs and other companies about how they are using DPI, and asked that they consider a larger, comprehensive privacy bill to protect consumers.

Scott Cleland (President, Precursor, LLC)- Cleland said the hearing should have focused on the search engines like Google and Yahoo, which he says have a double standard when it comes to consumer privacy.  He said the committee should focus on “a comprehensive approach to Internet privacy,” rather than attacking the ISPs alone.  He said firms like Google are truly “Orwellian” in that they have access to a full spectrum of people’s information through Google searches, Gmail, Picasa pictures, Google health, Google calendars, etc…  Cleland said, “We are worried about perfect blinds on the windows when there are no walls on the house.”   For full disclosure purposes, he noted that his business involves working for ISPs, but said he was speaking on his own behalf.

Bijan Sabet (General Partner, Spark Capital)- Sabet said DPI is a significant technology breakthrough, which provides consumer and economic benefits.  But he said DPI could be used to thwart net neutrality, since it allows ISPs to slow down or turn off third party services or applications.  Sabet warned that a closed Internet will not thrive as incentives for innovation decrease.

In a press release, the American Civil Liberties Union (ACLU) warned consumers about the “privacy landmines inherent in DPI.”

“The expanding use of DPI is increasingly sophisticated, complicated and lacking in transparency.  The risk to Americans’ privacy is massive,” said Timothy Sparapani of the ACLU. “Every time we visit the Internet, everything we read, everything we see- all of it is up for grabs with DPI. … Congress must be Americans’ firewall on this issue.”