Privacy Commissioner Requested to Investigate Bell Canada Over Filtering Drew Wilson | May 11, 2008 The Canadian Internet Policy and Public Interest Clinic recently announced that they are making a request to the privacy commissioner to investigate Canadian major Internet Service Provider Bell Canada. Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes The complaint is directed at Deep Packet Inspection technology. Internet Service Providers (ISP) have a legal sore spot these days – that sore spot is internet intervention on the ISP level. In Canada, a form of that sore spot may be in the form of Deep Packet Intervention and its impact on privacy. Considering the kind of privacy laws Canada has, it may prove very interesting to see where this goes. A hint on the kind of privacy laws that are in place is the fact that Canada has commissioners dedicated to privacy which is often said is a rarity in the world today. The complaint (PDF) made by CIPPIC says, among other things: 1. This is a complaint under s.11 of Part I of the Personal Information Protection and Electronic Documents Act (PIPEDA), regarding the unnecessary and non-consensual collection and use of personal information by Bell Canada and Bell Sympatico (collectively, “Bell”) through the use of “Deep Packet Inspection” (“DPI”) technology. Our attention has been drawn to this matter by individual internet users, media reports, and most recently, an application filed with the Canadian Radio-television Telecommunications Commission (CRTC) on 3 April 2008 by the Canadian Association of Internet Providers (CAIP). 2. In brief, we understand that Bell is engaging in internet “traffic management” practices that involve the inspection of internet traffic headers and content, both of which contain information that can be linked to internet subscribers, purportedly to classify traffic for purposes of network optimization. Such practices i.e., those involving the collection and use of personal information – are not necessary to ensure network integrity and quality of service. Moreover, subscribers whose traffic is being inspected have not consented to the inspection and use of their data for this purpose. Finally, Bell does not make readily available to individuals specific information about these practices. 3. We submit that Bell is violating Principles 4.3, 4.4, and 4.8 of PIPEDA, Schedule 1 by failing to: a. Obtain informed consent from affected individuals to the collection and use of their personal information for the purpose of traffic management (Principle 4.3); b. Limit the collection of personal information to that which is necessary for its stated purposes (Principle 4.4); and c. Make readily available to the public specific information about its traffic management policies and practices insofar as they involve the collection and analysis of personal information (Principle 4.8). Internet traffic shaping practices have typically focused on identifying and slowing down Peer-to-Peer (“P2P”) traffic during peak hours of usage, for the alleged purpose of ensuring adequate bandwidth availability for other users. In order to distinguish P2P traffic from other types of traffic, ISPs typically use Deep Packet Inspection technologies. DPI examines the contents (commonly called the “payload”) rather than just the header of the data packet. A press release (PDF) has the following: Large ISPs including Bell Canada and Rogers Communications Inc. may be monitoring internet subscribers’ online activities contrary to Canada’s privacy legislation, and the Canadian Internet Policy and Public Interest Clinic has asked Canada’s Privacy Commissioner to investigate. The Canadian Internet Policy and Public Interest Clinic (CIPPIC) today filed a complaint with Canada’s Privacy Commissioner about Bell Canada’s alleged practice of monitoring internet subscribers’ internet activities without their knowledge or consent. Bell began to apply “deep packet inspection” to its own Sympatico retail customers late in October 2007, but only admitted this practice late in March 2008, after it began applying the same practice to subscribers of other, independent internet service providers. There is evidence that other large ISPs such as Rogers, Shaw, and Cogeco may be engaging in similar practices, said Lawson. “Our complaint focuses on Bell, but we are asking the Commissioner to investigate all ISPs who engage in traffic-shaping practices.” “Canada has privacy legislation that Bell and other ISPs must follow,” Ms. Lawson pointed out. “We’re asking the Privacy Commissioner to investigate just what Bell’s use of deep packet inspection involves. Canadians have a right to know who is looking over their shoulders, and why.” So, first of all, what are principles 4.3, 4.4, and 4.8 of PIPEDA? Here’s what we find in these sections: 4.3 Principle 3 ï¿½ï¿½” Consent The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information. 4.4 Principle 4 ï¿½ï¿½” Limiting Collection The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. 4.4.1 Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle (Clause 4.8). 4.8 Principle 8 ï¿½ï¿½” Openness An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. 4.8.1 Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable. Considering Bell Canada was very secretive in their business with filtering technology, among other things, it definitely sounds like Bell Canada is about to get nailed for their use of Deep Packet Inspection. It also sounds like that ‘33% overloaded’ complaint from Bell, as we reported last month, is going to be a part of the trouble Bell put themselves in to. Second of all, there was mention over the CAIP submission at the CRTC. Michael Geist posted about this, highlighting the privacy concerns Deep Packet Inspection, the technique used to filter P2P traffic: CAIP is also raising privacy concerns with the throttling, seeking an order that “Bell has acted unlawfully and contrary to the prohibition on carrier interference with the content of messages carried over its telecommunications network contrary to section 36 of the Act and contrary to the Canadian telecommunications policy objectives set out in paragraphs 7(a) and (i) which, inter alia, seek to protect the privacy of persons.” The privacy argument is based on Bell’s deep-packet inspection of Internet traffic. In particular: “In order to throttle the Internet traffic originating from/or destined for end-user customers of independent ISPs, Bell is using measures to first, open each data packet, examine the packet data and header information, and then apply certain rules to the content in question. This aspect of Bell’s wholesale throttling activities give rise to concerns that Bell’s actions violate the privacy of the communications of its wholesale customers (as well as that of their own end-user customers). It also gives rise to concerns that Bell has violated its duty under section 36 of the Act not to control the content or influence the meaning or purpose of telecommunications carried by it for the public.” Michael Geist is noting this connection as well: With CAIP raising the privacy issue in its submission to the CRTC, it was only a matter of time before the Privacy Commissioner was asked to intervene. Finally, it seems that the complaint stems specifically from a few things, some of which include the fact that Bell did not obtain permission from its customers to use the technology, it didn’t disclose it’s practices in, not only a clear manner, but a timely manner, limit the amount of information they obtain, and the fact that filtering the internet is clearly not an essential practice on the network in the first place. The case has a number of similarities to the Phorm controversy in Britain where two analysis, one from Richard Clayton and the other from FIPR (which complimented Claytons analysis) Phorm, of course, has a few key differences in the fact that it’s based on analysis of web surfing behavior while the DPI technology analyzes specific packets from a few protocols. At the same time, the similarities are very real in the fact that both deal with intervention from an Internet Service Provider and capturing and using private information indiscriminately. One thing to consider is the simple fact that the privacy laws in Britain are different from that of Canada. Either way, when an ISP starts collecting personal information in some form or another, there’s bound to be high level controversy at some point. Whether or not the Privacy Commissioner of Canada will respond is, of course, another matter. There was a case in the past where CIPPIC filed a privacy complaint (namely against Abika.com) back in June of 2004 (second from bottom). The privacy commissioner initially refused to intervene due to a jurisdiction issue, but after going through court for a judicial review, the courts ruled in favor of CIPPIC and the case resumed in 2007. It’ll be interesting to see what the Privacy Commissioner has to say about this case and if the commissioner will intervene. Looking through the laws CIPPIC sites, it seems reasonable to assume that there’ll be fewer issues in this case. Drew Wilson on Twitter: @icecube85 and Google+.