Critics: Commercially driven deep packet inspection (DPI) is akin to wiretapping

Published 12 March 2009

New technology now allows third parties to engage in deep packet inspection (DPI), a technique that makes it possible to peer inside packets of data transmitted across the Internet; the data collected is then sold to other companies for use in more targeted advertising.

The increasing power of computers may help the Internet to grow, but it is also threatening the Internet’s future. This is the warning delivered by Tim Berners-Lee, the inventor of the Web, and online security specialists at the Houses of Parliament in London yesterday. Their concerns are centered on deep packet inspection (DPI), a technique that makes it possible to peer inside packets of data transmitted across the Internet.

New Scientist’s Colin Barras writes that DPI is already being used for commercial purposes, without the consent of users, said Richard Clayton, a security expert at the University of Cambridge and treasurer of the Foundation for Information Policy Research. Companies sell DPI-acquired data to other firms that use the information for targeted advertising. DPI is also used for more sinister purposes — for example, by the Chinese government to enforce its Web censorship program.

Barras writes that Berners-Lee has no issue with targeted adverts, which he said offered online users an improved service, but is uncomfortable with using DPI to provide them. He said DPI was like wiretapping, and pointed out that companies could use it to learn a huge amount about our “lives, hates and fears.” One example he gave was that the Web is often the first point of call for people with health concerns.

DPI has become possible thanks to improvements in computing power, said Robert Topolski, chief technologist of the Open Technology Initiative. This allows Internet servers to relay data and simultaneously snoop inside data packets. Until recently that was beyond the capabilities of the available technology. DPI threatens the trust that exists between Web users and Internet service providers, Topolski said. It makes it possible for a “man in the middle” not directly accountable to a Web site’s operators or its users to intercept and use data sent over the Internet, from details of purchases made online to messages shared on social sites, he explained.

Topolski told Barras that this is very different from the widespread practice of monitoring online activity such as search terms, with the user’s consent, to offer similar targeted adverts.

This week Google revealed its own targeted ads service. Crucially that service is opt-in rather than opt-out: consumers have to sign up before they can use it.

There are defenders of the use of DPI, and one of them is Kent Ertugrul, CEO of the digital technology company Phorm. Phorm sells information gleaned this way to ISPs in the United States and the United Kingdom who wish to deliver targeted adverts, but Ertugrul claims his firm’s privacy protection protocols are unrivaled. Phorm strips user data of anything that could link it to an individual in the real world, he says.

Topolski dismissed this as a side issue. Phorm captures people’s private data without permission, before those protection filters are implemented. Because companies like Phorm are accountable only to their shareholders, this leaves the privacy of users and their data compromised, he said.

Clayton and other members of the discussion group said DPI should be tested against existing data-protection and privacy laws before it becomes more widely used. This would either establish precedents that protect Web users, or make it clear that new legislation is needed, they said.