http://www.techworld.com/security/news/index.cfm?newsID=114856&pagtype=all&tsb=print#tsb 24 April 2009 Deep packet inspection could be outlawed in US By Grant Gross, IDG news service US lawmakers are set to limit the way ISPs use deep packet inspection (DPI), even though no American service providers are using the technology. Representative Rick Boucher, a Virginia Democrat, and three privacy experts, speaking at a hearing before the House Energy Commerce sub-committee urged lawmakers to pass comprehensive online privacy legislation in the coming months. While DPI can be used to filter spam and identify criminals, the technology raises serious privacy concerns, Boucher said. "Its privacy-intrusion potential is nothing short of frightening," he added. "The thought that a network operator could track a user's every move on the Internet, record the details of every search and read every email ... is alarming." Boucher, chairman of the House Subcommittee on Communications, Technology and the Internet, said he planned to introduce a privacy bill for online users. That legislation could possibly prohibit DPI for use in behavioural advertising and other uses not related to security or network management, he suggested. Officials with Free Press, the Center for Democracy and Technology (CDT) and the Electronic Privacy Information Center (ERIC) all spoke in favour of online privacy legislation. "In our view, deep packet inspection is really no different than postal employees opening envelopes and reading letters inside," said Leslie Harris, president and CEO of CDT. "Consumers simply do not expect to be snooped on by their ISPs or other intermediaries in the middle of the network, so DPI really defies legitimate expectations of privacy that consumers have." Comcast and Cox Communications, both cable-based broadband providers, have experimented with using DPI in conjunction with behavioural advertising, but panelists at the hearing said they knew of no US ISP now using DPI that way. However, there are about a dozen companies offering DPI services to ISPs, said Ben Scott, policy director at Free Press. With ISPs staying away from DPI, Congress should let ISPs self-regulate, said Kyle McSlarrow, president and CEO of the trade group the National Cable and Telecommunications Association. "Any technology can be used for good purposes and for bad," he said. "We recognise that no one would want us looking at the communication in e-mail. We don't particularly want to do that." The technology is changing so rapidly, it may be difficult to draft appropriate legislation, he added. "There are new models being created," he said. "It's fairly hard to freeze, in one point and time, a fairly immature marketplace. We should allow industry and all stakeholders to try to work together ... come up with self-regulatory principles that protect consumer privacy." Some Republicans on the subcommittee also questioned whether legislation should be targeted only at ISPs. "Our focus should ... look at the entire Internet universe, including search engines and Internet advertising networks," said Representative Cliff Stearns, a Florida Republican. "Consumers don't care whether you are a search engine or a broadband provider; they just want to ensure that their privacy is protected." Privacy advocates also urged lawmakers to go beyond rules that would force ISPs to get opt-in permission from customers before tracking their online activities. In many cases, customers don't completely understand what they're being asked to opt into, said Marc Rotenberg, EPIC's executive director. "I don't think [opt-in] is sufficient because it won't be meaningful unless consumers understand what data about them is being collected and how it's being used," he said.