European NGO’s Call on Europe to Enforce Ban on DPI Drew Wilson | May 22, 2019 European lawmakers banned the use of Deep Packet Inspection (DPI). The ban, NGOs are saying, is largely ignored. That needs to stop. Deep Packet Inspection (DPI) is a very controversial technology. The technology started popping up at a substantial rate by around the late 2000’s. Before DPI came about, most file-sharing traffic was unencrypted. ISPs began blocking or throttling file-sharing traffic, legal or otherwise, under the excuse of “network management”. File-sharing developers, in turn, began encrypting the traffic so packet headers would ultimately be scrambled. ISPs then began deploying DPI to examine the traffic beyond just reading packet headers. This, in turn, sparked an encryption arms race. ISPs would get better at identifying traffic packets and software developers began employing better encryption. Since then, it has been a constant encryption arms race between software developers and ISPs. All this partly helped bring network neutrality to the forefront. While it was browser session injections to push ads that initially brought forward the network neutrality debate, file-sharing pushed it faster into the public forefront. Eventually, the debate came to a head when lawmakers wound up siding with privacy advocates who wanted to enforce a ban on DPI because it could also be used to violate user privacy and discriminate against anything ISPs didn’t like. Fast forward to today and it seems providers are largely ignoring the rules in a quest to put in place the controversial zero-rating system. In a nutshell, zero-rating means that ISPs won’t count traffic from certain ISP backed services against a users data limit. Most people agree that this practice pretty much kills off the free market online where ISPs tilt the balance in their favour. Why would anyone use Netflix when that service is throttled and the bandwidth counts towards the limit when they can use their ISPs service? So, with providers flaunting the rules, NGO’s (Non-Governmental Organization) and academics are calling on lawmakers to enforce the ban on DPI. Together, they released an open letter (PDF) which says in part: We are writing you in the context of the evaluation of Regulation (EU) 2015/2120 and the reform of the BEREC Guidelines on its implementation. Specifically, we are concerned because of the increased use of Deep Packet Inspection (DPI) technology by providers of internet access services (IAS). DPI is a technology that examines data packets that are transmitted in a given network beyond what would be necessary for the provision IAS by looking at specific content from the part of the user-defined payload of the transmission. IAS providers are increasingly using DPI technology for the purpose of traffic management and the differentiated pricing of specific applications or services (e.g. zero-rating) as part of their product design. DPI allows IAS providers to identify and distinguish traffic in their networks in order to identify traffic of specific applications or services for the purpose such as billing them differently throttling or prioritising them over other traffic. The undersigned would like to recall the concerning practice of examining domain names or the addresses (URLs) of visited websites and other internet resources. The evaluation of these types of data can reveal sensitive information about a user, such as preferred news publications, interest in specific health conditions, sexual preferences, or religious beliefs. URLs directly identify specific resources on the world wide web (e.g. a specific image, a specific article in an encyclopedia, a specific segment of a video stream, etc.) and give direct information on the content of a transmission. Given the scale and sensitivity of the issue, we urge the Commission and BEREC to carefully consider the use of DPI technologies and their data protection impact in the ongoing reform of the net neutrality Regulation and the Guidelines. In addition, we recommend to the Commission and BEREC to explore an interpretation of the proportionality requirement included in Article 3, paragraph 3 of Regulation 2015/2120 in line with the data minimization principle established by the GDPR. Finally, we suggest to mandate the European Data Protection Board to produce guidelines on the use of DPI by IAS providers. European Digital Rights (EDRi), one of the organizations that signed the letter, offered some additional thoughts on the matter: Deep Packet Inspection allows telecom companies to examine the content of our communications. Information about which apps we use, which videos we watch, and which news articles we read should be off limits for the telecom industry. Yet, with the proliferation of zero-rating in all but two European countries, the industry has started to deploy DPI equipment on a large scale in order to charge certain data packages differently or to throttle services and cram more internet subscribers in a network already running over capacity. EDRi and its members have for many years advocated in favour of strong net neutrality rules that protect people’s privacy and prevent the discrimination of selected types of internet traffic. And yes, Europe’s current net neutrality rules indeed ban DPI technology that examines specific user information for the purpose of treating traffic differently. Yet, a mapping of zero-rating offers in Europe conducted by EDRi member Epicenter.works identified 186 telecom services which potentially make use of DPI technology. Most regulators have so far turned a blind eye on these net neutrality violations. Instead of fulfilling their enforcement duties, they seem to now aim at watering down the rules that prohibit DPI. The negotiations of Europe’s new net neutrality rules are expected to continue behind closed doors and will be followed by a public consultation in autumn 2019. The final rules are then expected to be decided in March 2020. While some people may be debating the government restricting social media such as regulating fake news and misinformation, half the time, this only really impacts a couple of large websites. DPI goes, pardon the pun, far deeper in that it ensures other services may never have a chance to thrive. Want to use a smaller competitor to Facebook because you don’t like one of their policies? Sorry, the DPI technology has detected your attempt to access that service and has been blocked. Want to start a streaming service that competes against YouTube and Netflix? Sorry, not happening. That’s why DPI is such a concern in the long run – not just from a free speech perspective, but also from a free market perspective as well. Drew Wilson on Twitter: @icecube85 and Facebook.