deep packet inspection could be outlawed in the US

[Eugen Leitl]

http://www.techworld.com/security/news/index.cfm?newsID=114856&pagtype=all&tsb=print#tsb 

24 April 2009

Deep packet inspection could be outlawed in US

By Grant Gross, IDG news service

US lawmakers are set to limit the way ISPs use deep packet inspection (DPI),
even though no American service providers are using the technology.

Representative Rick Boucher, a Virginia Democrat, and three privacy experts,
speaking at a hearing before the House Energy Commerce sub-committee urged
lawmakers to pass comprehensive online privacy legislation in the coming
months.

While DPI can be used to filter spam and identify criminals, the technology
raises serious privacy concerns, Boucher said. "Its privacy-intrusion
potential is nothing short of frightening," he added. "The thought that a
network operator could track a user's every move on the Internet, record the
details of every search and read every email ... is alarming."

Boucher, chairman of the House Subcommittee on Communications, Technology and
the Internet, said he planned to introduce a privacy bill for online users.
That legislation could possibly prohibit DPI for use in behavioural
advertising and other uses not related to security or network management, he
suggested.

Officials with Free Press, the Center for Democracy and Technology (CDT) and
the Electronic Privacy Information Center (ERIC) all spoke in favour of
online privacy legislation. "In our view, deep packet inspection is really no
different than postal employees opening envelopes and reading letters
inside," said Leslie Harris, president and CEO of CDT. "Consumers simply do
not expect to be snooped on by their ISPs or other intermediaries in the
middle of the network, so DPI really defies legitimate expectations of
privacy that consumers have."

Comcast and Cox Communications, both cable-based broadband providers, have
experimented with using DPI in conjunction with behavioural advertising, but
panelists at the hearing said they knew of no US ISP now using DPI that way.
However, there are about a dozen companies offering DPI services to ISPs,
said Ben Scott, policy director at Free Press.

With ISPs staying away from DPI, Congress should let ISPs self-regulate, said
Kyle McSlarrow, president and CEO of the trade group the National Cable and
Telecommunications Association. "Any technology can be used for good purposes
and for bad," he said. "We recognise that no one would want us looking at the
communication in e-mail. We don't particularly want to do that."

The technology is changing so rapidly, it may be difficult to draft
appropriate legislation, he added. "There are new models being created," he
said. "It's fairly hard to freeze, in one point and time, a fairly immature
marketplace. We should allow industry and all stakeholders to try to work
together ... come up with self-regulatory principles that protect consumer
privacy."

Some Republicans on the subcommittee also questioned whether legislation
should be targeted only at ISPs. "Our focus should ... look at the entire
Internet universe, including search engines and Internet advertising
networks," said Representative Cliff Stearns, a Florida Republican.
"Consumers don't care whether you are a search engine or a broadband
provider; they just want to ensure that their privacy is protected."

Privacy advocates also urged lawmakers to go beyond rules that would force
ISPs to get opt-in permission from customers before tracking their online
activities. In many cases, customers don't completely understand what they're
being asked to opt into, said Marc Rotenberg, EPIC's executive director.

"I don't think [opt-in] is sufficient because it won't be meaningful unless
consumers understand what data about them is being collected and how it's
being used," he said.