Steptoe Cyberblog

US Head of Delegation at WCIT Badmouths Deep Packet Inspection

Posted in International, Privacy Regulation

It’s been a contentious meeting in Dubai at the World Conference on International Telecommunications (WCIT), where the United States and its allies have been trying to fend off efforts by Russia, China, and others to expand the writ of the International Telecommunication Union (ITU) to cover the Internet. Besides that fundamental dispute, there have been some interesting comments on side issues. In an on-the-record briefing, Ambassador Terry Kramer, head of the US delegation to the meeting, made comments on deep packet inspection (DPI) that might disturb US government agencies, as well as American communications providers that have otherwise been joined at the hip with Kramer in trying to keep the Internet off limits to the ITU.

In response to a question, Kramer said: “[D]eep packet inspection has a good and a bad connotation. The original connotation of deep packet inspection was for operators to be able to look at their networks and say, ‘Are they performing well?’ So in the mobile sector, it’s do you have blocked calls and dropped calls, et cetera. What’s happened, though, is some companies have used deep packet inspection technologies to not look at aggregate customer information, traffic information, et cetera, but to look at individual customer information. So looking at individuals and what sites they’re on and how much capacity they’re using, et cetera, as you can imagine, we’re very much opposed to that because we feel that’s a violation of people’s privacy and gets into, obviously, censorship, et cetera….[A]nything that would go past aggregated customer information would be problematic.”

The problem with Kramer’s statement is that deep packet inspection is critically important to the government’s and the private sector’s efforts to detect malware in electronic communications traversing the Internet. Unless communications providers can search at least some of the content of those communications, it would be substantially harder for them to protect vital networks from destructive viruses and other malware that can be used by foreign nation-states, organized crime groups, and others to destroy or degrade critical infrastructure systems or to steal confidential information and trade secrets from the government and private companies.

Deep packet inspection is also an important part of telecommunications companies’, Internet service providers’, websites’, and other Internet companies’ business models. Many of those companies depend greatly on online behavioral advertising (i.e., serving you ads targeted to your interests based on your Internet activity) for their revenue, which allows them to provide free or low-cost services that Internet users have become used to. Take away their ability to engage in deep packet inspection, and they would need to look for other sources of revenue, including fees for service.

So Kramer is clearly right that deep packet inspection can be used by governments to engage in censorship, in addition to surveillance of political dissidents, and to invade people’s privacy. But it is also critically important to cybersecurity and to the maintenance of free and cheap services on the Internet. What’s sorely needed, then, is not a blunderbuss dismissal of all deep packet inspection other than that used for network management, but a careful delineation of the rules by which the government and private companies can engage in DPI to protect network security and to engage in online behavioral advertising (with customer consent) without trampling on privacy and other civil liberties.