Privacy Concerns with Deep Packet Inspection

Deep Packet Inspection (DPI) has been around since the early 2000’s. It started out as a security feature – enabling organisations to interrogate messages and make sure they aren’t concealing a virus or other nasty content, before forwarding them on to their destination.

Now, as DPI technology has become faster and more powerful, it is being used for a whole range of other purposes. One of the more common new uses is to prioritise internet traffic based on the type of traffic. Some ISPs are using this technology to ‘tune’ their systems to allow speed-sensitive applications to have priority (e.g. streaming media, gaming), and other applications (e.g. downloads, VoIP) are pushed to the bottom of the priority list.

This new use of DPI raises a number of privacy concerns, primarily:

• the unregulated collection of data, and
• a lack of control by users over their data.

In addition to privacy concerns, DPI poses a major threat to the concept of ‘net neutrality’. Until now, the Internet has been based on this principle of allowing users to travel anywhere on the Internet, and not placing restrictions on content, sites, platforms etc. Free Press have released a paper: “Deep Packet Inspection: The End of the Internet As We Know It?” which makes a strong case for limiting the ways that DPI can be used so that network operators can’t inspect the content of messages and control everyday Internet use.

So, is the world doing anything about it?

• The USA is – they’ve had a string of wins against companies that used DPI for unlawful purposes, including:
  • the Federal Communications Commission (FCC) voted to sanction American ISP Comcast, for using DPI to identify P2P traffic, and throttling it, and
  • NebuAd, who trialled the use of DPI to find out about users likes and habits in order to target advertising at them. A US Congressional inquiry resulted in NebuAd’s CEO resigning and the trial being put on hold.
• UK-based group NoDPI are helping to raise the profile of DPI.
• The Canadian Privacy Commissioner’s office has started a DPI project designed to increase understanding of DPI and the potential privacy implications.

But what about Australia? When will our government decide to step in and take action to protect the privacy of its citizens against DPI abuse?