'Deep packet inspection' could become the target of legislation
The two biggest threats to Internet users' privacy, from the point of view of Rep. Rick Boucher (D - Va.), come from behavioral advertising technology and from deep packet inspection (DPI) -- the ability for an ISP to scan the contents of IP packets, and make determinations as to their handling based on those contents. But the specter of another company using both of these technologies together, like liquid hydrogen and liquid oxygen, spelled out a more explosive danger. Chairing hearings of the House Subcommittee on Communications, Technology, and the Internet yesterday, Rep. Boucher made that clear:
"What services that consumers consider essential to the safe and efficient functioning of the Internet are advanced by DPI?" asked Boucher during his opening remarks yesterday. "Since the death of NebuAd's DPI-based behavioral advertising service last year, are other companies using DPI to deliver behavioral advertising? What, if any, safeguards are in place to ensure that consumers are giving meaningful consent to the tracking of their activities on the Internet?"
The nation's broadband providers would like to be able to use DPI as a method for implementing traffic control, especially for narrowing the bandwidth allowed for applications such as BitTorrent. In instances where they're involved in programming and content services, they'd also like to at least not be barred from implementing behavioral advertising, perhaps as a way of checking which clips viewers are watching online and targeting ads to parallel those clips.
But both weapons in the arsenal of the same companies could spell disaster, which is why NCTA President and CEO Kyle McSlarrow tread very carefully during his prepared opening remarks yesterday, acknowledging the existence of both but only exclusively and individually.
"Packet inspection serves a number of pro-consumer purposes," read McSlarrow (PDF available here). "First, it can be used to detect and prevent spam and malware, and protect subscribers against invasions of their home computers. It can identify packets that contain viruses or worms that will trigger denial of service attacks; and it can proactively prevent so-called Trojan horse infections from opening a user's PC to hackers and surreptitiously transmitting identity information to the sender of the virus. Packet inspection can also be used to help prevent phishing attacks from malicious e-mails that promote fake bank sites and other sites. And it can be used to prevent hackers from using infected customers' PCs as 'proxies,' a technique used by criminals, in which user PCs are taken over and used as jumping-off points to access the Internet, while the traffic appears to be generated by the subscriber's PC. As a result, the technology can be used in spam filters and firewalls."
Never mind, for the moment, that the whole concept of proxies was relegated to the realm of the malicious user. For Georgetown professor and Electronic Privacy Information Center Executive Director Mark Rotenberg, even if ISPs use DPI responsibly and not in concert with behavioral ad targeting, that doesn't make it right. From his perspective, breaching privacy bounds in the name of traffic control simply isn't ethical.
"In the communications context, service providers and their businesses partners also have an obligation not to intercept the content of a communication except for the purpose of providing the service, to comply with a court order or other similar legal obligation," read Rotenberg's prepared testimony (PDF available here). "It is possible that the techniques being developed by these firms may help in some ways to safeguard privacy if they are robust, scalable and shown to provably prevent the identification of Internet users. But the essential problem is that they simply do not have the right to access communications traffic for this purpose. Also, I would not recommend that you alter current law or enable consent schemes to make this permissible."
Though no new bill has been drafted, Rep. Boucher said up front it's his intent to draft one this year. He told the Subcommittee Thursday, "It's my intention for the Subcommittee this year to develop legislation extending to Internet users that assurance that their online experience is more secure. We see this measure as a driver of greater levels of Internet uses such as e-commerce, not as a hindrance to them."