Saturday, April 5, 2008

Deep Packet Inspection - An Assault on Individual Privacy and on the Purity of Internet Protocol

Here is a Washington Post article on deep packet inspection, a practice by which ISP's will actually open up internet protocol packets as they traverse the ISP's network and look inside at the data portion of the packet. You can think of internet protocol packets as wrappers, with metadata information, that tell internet routers where to carry the data that is inside the packet that is actually used by end applications such as a web browser or email client. An analogy that is often made is that the data portion of the packet is like a letter and the metadata wrapper is like an envelope. Deep packet inspection, then, is equivalent to the mail carrier opening up your envelope and reading your letter. The purpose of ISP's using this technology now is for targeted advertising. This is not so bad by itself, especially as it seems from the article that the companies providing the DPI take great pains to not actually include any personally identifying information. And it seems that they do allow a customer to opt out of the DPI, although it is stated that most customers don't even know that this is happening because the information is burried in a 27 page sign-up agreement with the ISP.

"Each company allows users to opt out of the monitoring, though that permission is buried in customer service documents. The opt-out systems work by planting a 'cookie,' or a small file left on a user's computer. Each uses a cookie created by NebuAd."

The main problem I have with this is that it can and will eventually be used for giving priority to certain packets based on what is inside them. I have a problem with this, because for one, the protocols that make up the internet were designed in a tiered manner, where each tier is designed to function completely independently of any layers that are on top of it and that depend on it. Internet Protocol is layer 3 and deep packet inspection is peeking at layer 5, or the application layer: also the highest layer. Tier 3 is just designed to get the packets where they need to go. It does not care what is inside them. Deep packet inspection blurs the well-defined line between the layers and pollutes a pristine protocol that was designed in a tiered manner for very good reasons. Upper layer protocols can rely on the lower layer protocols to do their jobs correctly every time. They do not need to implement or even understand all the complexity and details of having it function correctly. This functionality is abstracted and the higher levels trust the lower levels to "just work," and therefore, the higher levels can be much more productive because the wheel doesn't need to be reinvented for every application. The writer of a letter does not need to know exactly how his letter is transported from source to destination. The writer just trusts the mail system. Also, as any programmer (or anyone who has ever had to solve a problem) knows, abstraction of details into discreet and separate components helps in debugging and troubleshooting problems because the exact location of an error or problem can be much more effectively isolated than when everything is just garbled together in an unintelligable mass. It just makes it harder to deal with!

Secondly, deep packet inspection is evil because it threatens Net Neutraility
in a big way. Eventually, if not already in practice, ISP's will start giving lower priority to internet traffic based on content. They will slow down the packets transporting internet game data, torrent data, and possibly even any type of traffic that is negative toward, cable, if you use cable, or satellite, if you use satellite.

The point is, do you really want your ISP spying onto you by reading your traffic? I would suggest that everyone call their ISP and find out if they use deep packet inspection techniques, and if so, find out how you can opt out of this discraceful privacy infringing practice.

2 comments:

jughead said...

I will certainly contact mine. But how will you ever know?

Nondeterministic Finite Automaton said...

You probably will never know unless you ask or unless you start wondering how coincidental the different ads are becoming. Current;y services that do something like this are supposed to provide notification to the user by law, but as the article says, this practice is a little bit ahead of the current law. I will just sit back and wait to see the lawsuit those people are bringing forth will result in a law requiring ISP's to give more notice to their customers.