Group Seeks Investigation of Deep Packet Inspection Use by ISPs

European Digital Rights Organization Seeks Investigation Into Internet Service Providers' Use of Deep Packet Inspection (DPI)

European Digital Rights (EDRi), together with 45 NGOs, academics and companies across 15 countries, has sent an open letter to European policymakers and regulators, warning about widespread and potentially growing use of deep packet inspection (DPI) by internet service providers (ISPs).

In simple terms, DPI is the analysis of the content of a packet. This is far more than is required by the ISP to perform its basic purpose -- to provide user access to the internet, and route that access to its required destination. It is therefore by its nature privacy invasive, and not strictly legal within the EU.

Nevertheless, EDRi is concerned that its practice and use within Europe is growing, and that "some telecom regulators appear to be pushing for the legalization of DPI technology." One of the drivers appears to be the growing use of 'zero-rating' by mobile operators. "A mapping of zero-rating offers in Europe conducted by EDRi member Epicenter.works identified 186 telecom services which potentially make use of DPI technology," writes EDRi. Zero-rating is the inclusion of specified services where any use counts as zero usage of the purchased bandwidth.

It's a complex area. Net neutrality is required, but some traffic management is allowed, and zero-rating is permissible under certain conditions. EDRi's concern is that the practice of zero-rating encourages the use of DPI which could be used to bring down net neutrality. "DPI," it says in the letter, "allows IAS [internet access service] providers to identify and distinguish traffic in their networks in order to identify traffic of specific applications or services for the purpose such as billing them differently, throttling or prioritizing them over other traffic."

Zero-rating is not the subject of this letter, but is also a concern for EDRi. Mobile operators sell the idea as a 'value-added service' for their subscribers -- offering it as something for free. There are suggestions, however, that the overall effect is the opposite -- regions with plentiful zero-rated offerings tend to have higher charges for their bandwidth.

"Zero rating only helps big companies to cement their market position and kill off their competition. Without zero rating, your internet access provider could be offering you more data volume that you could freely decide how to use," wrote EDRi in 2016. On this reasoning, there is perhaps an anti-competitive case against the practice -- but for now, EDRi is primarily concerned about the growing use of DPI, at least partly as a result of the increasing use of zero-rated offerings.

To a large degree, Europe has separated telecommunications issues from user privacy issues. DPI, however, cuts through both -- and EDRi sees a lack of communication between the two regulatory areas. "We observe a lack of cooperation between national regulatory authorities for electronic communications and regulatory authorities for data protection on this issue, both in the decisions put forward on these products as well as cooperation on joint opinions on the question in general."

EDRi wants this to change. Europe is now discussing new net neutrality rules. The discussions are not currently being made public, but a public consultation on proposals is expected in autumn 2019. The final rules are expected in March 2020. To a degree, this current open letter is an attempt to get the EDRi voice heard before the public consultation begins (by which time, the basic proposals will have been decided). EDRi's primary request is that the principles of personal privacy protection also be applied to net neutrality provisions.

"We recommend to the Commission and BEREC to explore an interpretation of the proportionality requirement included in Article 3, paragraph 3 of Regulation 2015/2120 in line with the data minimization principle established by the GDPR. Finally, we suggest to mandate the European Data Protection Board to produce guidelines on the use of DPI by IAS providers."

It's going to be a hard sell. There is little political will to control ISPs' access to personal data. DPI at ISP level enables too many political priorities -- control for copyright infringement detection, censorship, and the detection of criminals, pedophiles and terrorists, to name a few. Political control of the internet starts at the ISP, and especially with the internet usage data that DPI can provide.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.