European internet service providers are under scrutiny for their use of deep packet inspection (DPI), an advanced method of examining traffic over the internet.

Not unlike postal mail, information is sent over the network in data packets that are usually filtered or managed by looking at the header of each packet, thus the content remains private – in other words, the “envelope” has not been opened.

Under current EU law, DPI is permitted for network optimization or “traffic management.” It is not allowed for commercial or surveillance purposes.

However, that may be about to change. Europe’s net neutrality rules – bundled under Regulation (EU) 2015/2120) – are about to be overhauled and some telecom operators are hoping to push the envelope (pun intended!) on the use of DPI technology. A public consultation is expected in autumn this year, with the final regulation likely to be agreed in the first half of 2020.

The European Digital Rights group (EDRi) is worried. Together with 45 NGOs, academics and companies across 15 countries, it has sent an open letter to European policymakers and regulators, warning about widespread and potentially damaging use of DPI by internet service providers.

Watching cellular traffic

With DPI, internet access service providers – aka telcos – can inspect in detail the data being sent. Specifically, DPI allows internet service providers to see exactly what sort of data packets users are receiving: email, websites, music, video or software files, etc. Telcos can then take steps to block, filter, throttle or re-route particular packets.

There are legitimate reasons an operator might want to do this to reduce network congestion. For example, a VoIP or video conferencing call requiring low latency might be prioritized over web browsing which does not.

However, there are a lot of other more dubious reasons DPI might be deployed that could infringe net neutrality or privacy rules. Even if not actively deployed for sinister reasons, widespread use of DPI should be a cause for concern.

DPI is not currently allowed for commercial or surveillance purposes – telcos hope to change that

“There are a range of potential use cases where DPI can be useful. Being able to track and trace access of or distribution of child abuse imagery is one of them,” says legal expert Daragh O’Brien, Managing Director of Castlebridge in Ireland. “However, with that comes the ability to identify at a very granular level the things that people are browsing for and looking at online. In effect, DPI is like having someone from the telcos marketing department peering over your shoulder and making detailed notes, in real-time, about what you are accessing over their network.”

He added that it is worth distinguishing DPI from traditional ISP log data which records sites visited because DPI is much more granular and far more revealing.

Net neutrality already violated

Despite the fact that using DPI for commercial purposes is banned under current law, many telcos are already doing it.

One of EDRi’s members Epicenter Works mapped so-called zero-rating offers (where some services or platforms are offered for free in a bundles from telcos, leaving out other sites) and identified 186 such products which potentially make use of DPI technology in Europe.

“Telecom operators want to exercise more control over the flow of information in their networks,” says Thomas Lohninger, Executive Director of Epicenter Works. “Monetizing user information and vertically integrating their own products with the services we use on the internet, such as in the case of zero-rating, only works with the level of control that deep packet inspection affords them.”

“DPI is like having someone from the telcos marketing department peering over your shoulder and making detailed notes about what you are accessing” – Daragh O’Brien

Such flouting of net neutrality is not uncommon in Europe, where reports from 2017 found that European ISPs offered at least 75 zero-rated apps in their data plans.

“Consumers’ freedom of choice is replaced by telecom operators making the choice for us what we can and can’t do online and how much we pay for which service,” says Lohninger.

Privacy in an information society

Net neutrality isn’t the only area of concern. According to Lohninger, privacy advocates should also be alarmed.

“Telecom companies know a lot about our lives, where we are and what we do online. Without strong legal protections against abusive business models our information society will soon become dystopian,” he says. “Our freedom to choose and speak freely also depends on a level of privacy and secrecy of correspondence. Knowing that, it’s hard to understand why politicians and regulators don’t place a higher value on our privacy.”

Indeed, in the open letter sent to EU policymakers, the EDRI lambasted regulators for having so far “turned a blind eye on these net neutrality violations. Instead of fulfilling their enforcement duties, they now seem to aim at watering down the rules that prohibit DPI”.

Meanwhile, the telcos themselves are adamant they are following the letter of the law.

“EU telcos proudly embrace the confidentiality of information principle,” says Alessandro Gropelli, an ETNO (European Telecoms Network Operators) spokesperson. “What is more, we advocate for its extension to all types of communications. This comes on top of full compliance with both the GDPR and the Open Internet Regulation.”

Pervasive profiling possible

Unlike internet companies and providers of apps and other platforms such as voice assistants, European telcos are regulated by the ePrivacy Directive (another bit of EU law that is currently under review) and must also abide by the confidentiality of information principle.

Telcos argue that DPI-based traffic management requires the user’s agreement – hence its GDPR compliance – and that traffic analysis is based on the protocols or applications used. Because it is general in nature rather than conducted on a per-customer basis, they say, personal data is not involved.

However, according to Pat Walshe, data protection and privacy consultant, past examples of the use of DPI have not properly complied with data protection law, the ePrivacy Directive, and regulations on the interception of communication.

“Current practices leave still much unanswered as to the transparency of their use and the legal basis of use,” he says. “DPI can be used for good and bad purposes. However, how ‘deep’ any analysis of web traffic needs to go [for good purposes such as] to safeguard against threats to networks and individuals is another matter, and one requiring fresh discussion as the use of DPI increases globally.”

The extent to which DPI could be leveraged for “bad” purposes is concerning for online privacy.

“Widespread DPI would allow telcos to build micro-targeted data sets similar to Facebook and Google, but at the level of the device and the instance of interaction with a site or an app,” says O’Brien. “This would mean an expansion of the surveillance capitalism model. I might choose not to use Google or Facebook, but I have no choice in whether I use an internet service provider to get online, so the harvesting would be at a more pervasive level.”

Past examples of the use of DPI have not properly complied with all of data protection law.

The fight against DPI

So can VPNs protect us? Some evidence that VPNs are indeed shielding us from this kind of intrusion lies in the fact that the Chinese government is forcing Apple to remove VPN applications from the App Store, points out O’Brien.

However, VPNs are not in themselves a silver bullet against online privacy intrusions, as they replace the ISP as the entity that can view users’ web traffic, making it imperative to choose one with an appropriate data security policy.

“VPN providers themselves have access providers, both of which may even operate under entirely different legal frameworks,” says Lohninger. “In any case, privacy in communications should be afforded to everyone and not just technically skilled people who know how to use a VPN.

Should the European telcos get their way with the law, increased DPI use could eventually look a little like the post office opening every letter or package you send, classifying and categorizing the content of that letter, and making assessments and inferences about who you are (and perhaps what you want to buy).

DPI is a preferred technology of regimes such as Iran, North Korea, and China – whether the EU will align itself with such human rights abusers in the use of this kind of technology is something digital rights activists will fight hard against in the coming months.

Photo credit: Muhammad Raufan Yusup