CIPPIC Requests Investigation Over Deep Packet Inspection Drew Wilson | July 30, 2008 Deep Packet Inspection (DPI) hasn’t been getting many headlines these days, but that could change – at least in Canada. Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes The Canadian Internet Policy and Public Interest Clinic (CIPPIC) is requesting the privacy commissioner to investigate major telecom companies in Canada like Rogers, Shaw and Eastlink who use DPI to profile their customers. Deep Packet Inspection has frequently been sighted as the solution to tracking and throttling users who use file-sharing applications – regardless of legality. The idea of DPI hasn’t been seen much outside of Sandvine claiming that 44% of all bandwidth consumption is P2P related despite counter-evidence that shows a different story. Bell, one of Canada’s largest ISPs have been under fire in the recent past for throttling its customers. Comcast has received a fair share of headlines for similar actions. While it may, at first, seem like DPI is strictly a p2p related issue, the issue raises many concerns that spans farther beyond simply whether or not a person is able to download RadioHead’s ‘In Rainbows’. There’s one particular issue that may grab the attention of more than the Canadian file-sharing community – it’s a privacy related issue. Should ISPs be able to profile it’s customers internet usage? It’s a topic currently being handled in a number of countries. In Britain for instance, there’s been no shortage of controversy surrounding the infamous Phorm technology being rolled out. In the United States, similar actions are being taken by ISPs. the most recent case is an ISP known as Embarq being pressured to admit to spying on their customers for the purpose of profiling and targeted advertising. Sweden is currently dealing with privacy related to web use through the FRA wiretap law that was passed a little while ago. So clearly, the concerns of eavesdropping is justified when one looks internationally. In a press release issued by CIPPIC the other day: “Behavioural targeting raises a number of serious privacy concerns and may violate federal privacy laws.” said CIPPIC Director Philippa Lawson. The CIPPIC analysis concludes that behavioural targeting by ISPs likely violates the Personal Information Protection and Electronic Documents Act (“PIPEDA”), alleging that ISPs engaging in the practice often fail to provide sufficient notice to users, do not obtain meaningful consent from users, and do not offer users effective ways to control such uses of their personal information. “Most users are not comfortable with the idea of being followed around online,” said CIPPIC Staff Counsel David Fewer. “Canadians would be surprised if their ISP not only started profiling them for its own purposes, but used that information to sell advertising.” Along with the call for an industry-wide investigation regarding behavioural targeting, CIPPIC filed company-specific privacy complaints against Rogers Communications Inc., Shaw Communications Inc. and Eastlink Inc. for their use of Deep Packet Inspection in the context of “traffic-shaping”, another controversial ISP practice that is currently the focus of another CIPPIC complaint against Bell Canada (as well as a CRTC proceeding initiated by the Canadian Association of Internet Providers against Bell Canada). So, pretty much every ISP other than Telus/AT&T is being brought under fire for such technology, though a precedent setting case that affects all ISPs could be made as a result of all of this. It could very well make it more difficult in the future to roll out programs as seen in Britain where the MPAA among others are getting ISPs to police their networks. While there is an emphasis on privacy concerns, there is definitely the issue of throttling certain protocols as well that could easily be affected by this movement. It will be interesting to see where all this goes. Drew Wilson on Twitter: @icecube85 and Google+.