Out-Law News

Deep packet inspection standard cannot guarantee privacy, says academic


It is either "clueless or recklessly dishonest" to claim that 'deep packet inspection' (DPI) operations respect privacy, a Cambridge academic has said.

Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, told Out-Law.com that DPI technology is used by "repressive" Governments around the world to monitor citizens' communications.

Anderson was commenting after a UN agency announced that it had approved a new standard on DPI which it said would help internet service providers (ISPs) become more efficient and reduce their costs when managing data traffic that passes through their networks. The International Telecommunication Union (ITU) said that privacy concerns around the use of DPI had been addressed.

DPI is a technique that can serve a variety of purposes but which ISPs sometimes use to analyse the content of communications when engaging in 'traffic management' activities.

ISPs sometimes block or slow down users' access to some content during busy periods on their networks. This is to ensure that one user's heavy use of a network for downloading material does not prevent another user of that network from being able to perform basic tasks such as sending or receiving email or looking at web pages.

The use of DPI has raised privacy concerns, but the ITU has said that the new standard it has approved addressed the issue.

"The World Telecommunication Standardisation Assembly (WTSA) held in Dubai last November resolved some concerns regarding maintaining privacy after it was noted that the standard deals with the identification of the application used rather than the inspection of users' content," Toby Johnson, head of media outreach at the ITU, said in a blog post. "The standard does not allow access to users’ private information and allows measures to ensure the secrecy of correspondence."

Under the standard "implementers and users" would be required to "comply with all applicable national and regional laws, regulations and policies." However, Ross Anderson said that DPI technology allows Governments to monitor their citizens.

"If the ITU claims somewhere that DPI operations will respect privacy, it's either clueless or recklessly dishonest," Anderson said. "DPI kit is used by repressive governments for the purposes of repression." He said that the fact that 'implementers and users' of DPI would have to comply with the law "does not contradict that at all".

"Repressive regimes often have laws making repression legal," Anderson said, but he also noted that in the UK "the use of DPI is legally problematic as Section 8 [of the] European Convention on Human Rights doesn't allow warrantless suspicionless mass surveillance."

Anderson added that DPI "kit" is often sold by UK and EU firms to "really bad governments" without the trade being controlled by export licenses from "our own governments".

The ability of DPI to be used for surveillance purposes would raise data protection concerns for EU businesses.

EU data protection laws prevent companies sending personal data outside of the European Economic Area (EEA) except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. When a company wants to send personal data to servers based in other non-EEA countries that company must ensure that data protection safeguards are in place. This is the case even when the transfer takes place between one company within a group and another.

There are a variety of mechanisms organisations can use to obtain the 'adequacy' standards. Businesses can commit to 'binding corporate rules' over the transfer to, and processing of, personal data in 'third' countries, or, alternatively, companies can insert European Commission-drafted 'model contract clauses' into contracts to govern the international transfer of data, for example.

In a formal opinion adopted last year, the European Data Protection Supervisor (EDPS) Peter Hustinx said that ISPs could legitimately review the content of communications in order to conduct traffic management on their service. However, he said that the ISPs risked breaching the law if they used the information they gleaned to block some content or serve behavioural advertising, for example.

"ISPs can apply traffic management policies intending to provide security of the service, delivering the service, including limiting congestion, pursuant to... the ePrivacy Directive," Hustinx said. "ISPs need another specific legal ground, and possibly users' consent, to apply traffic management policies which entail processing of traffic and/or communication data for purposes other than the above."

"The proportionality principle plays a crucial role when ISPs engage in traffic management policies, whatever the legal ground for processing and the purpose: delivering the service, avoiding congestion or providing targeted subscriptions with or without access to certain services and applications," the privacy watchdog said.

"This principle limits ISPs' ability to engage in monitoring of the content of individual's communications that entail processing of excessive information or accruing benefits for ISPs only," he added. "What can logistically be performed by ISPs will depend on the level of intrusion of the techniques, the results required (for which they may accrue benefits) and the specific privacy and data protection safeguards applied. Prior to deploying inspection techniques, ISPs must engage in an assessment of whether these comply with the proportionality principle."
