DPI Poses Privacy Concerns

4/25/2009 2:00 AM Eastern

The following is an excerpted transcript of testimony offered by Free Press policy director Ben Scott to members of the House Subcommittee on Communications, Technology and The Internet last week:

You have already heard about the uses of [deep packet inspection] for the collection of personal information about Internet users for advertising. But I’d like to focus on other uses of DPI technology. Because any time a network monitors Internet traffic, we have a potential privacy problem. That harm is compounded by DPI tools that violate network neutrality with anti-competitive practices.

Let me offer some context. Three years ago, we had a robust debate over the necessity of net neutrality and privacy rules to protect consumers. That debate turned on whether the harms were hypothetical. Indeed, the technology did not exist in 2006 that would permit wide-scale violations of either.

Today those technologies do exist. They are deep-packet inspection devices, and they are now widely deployed. Worse still, an entire industry has emerged that markets DPI explicitly to monitor and control consumer behavior. All a network owner has to do is flip the switch.

DPI use will have a broad impact on the Internet. Without this technology, everything you do online is sent through the network anonymously. E-mail, sports scores, family photos — the network doesn’t know or care what you’re doing. Online anonymity also has the virtue of nondiscrimination.

But with DPI, it’s a whole new ballgame. This technology can track every online click. Once a network owner can see what you are doing, they have the power to manipulate your online experience. They can sell your personal information to advertisers. They can block content. They can slow things down or speed things up. …

Let me be clear: the technology itself is not necessarily problematic. However, in the past year, deep packet inspection has evolved from basically innocuous to downright insidious. DPI was created as a network security tool. But it has become a mechanism of precise surveillance and content control.

We have already begun to see incidents of bad behavior. This subcommittee has had hearings on Comcast and NebuAd, which both used DPI in secret, questionable ways. Today, Cox Communications is using DPI to speed up some applications and slow others.

These types of practices may have short-term traffic management benefits. But the trade-off is the unprecedented step of putting the network owner in control of consumers’ online options. After this first step, it is a slippery slope. …

Let me offer an analogy. Think of these DPI technologies as similar to complex financial instruments like credit-default swaps. Properly regulated, they can be used as a constructive part of our banking system. Without oversight, they can run amok and severely harm consumers. What we need are bright-line rules of consumer protection. …

Before these technologies become firmly entrenched, we encourage Congress to open a broad inquiry to determine what is in the best interest of consumers. Once DPI devices are activated across the Internet, it will be very difficult to reverse course.