Deep Packet Inspection and why it's blatantly wrong

This is an essay from the site of the Office of the Privacy Commissioner of Canada. Bell Canada, one of the major Canadian ISPs, has been performing Deep Packet Inspection for some time now; is it only a matter of time before they begin using it to generate actionable data and build profiles? Phorm is the software that is used in Britain to do so. I suspect it's only a matter of time before it makes its way across the pond, if it hasn't already.

So, what's more important: individual privacy rights or data/profiles for marketers?


Objecting to Phorm

Written by: Richard Clayton

Imagine the postal service steaming open your letters so that they could scan the content, work out your interests, and then deliver a better class of junk mail. Most people would be horrified, yet some of the UK’s largest ISPs are planning to do something even more intrusive. They will capture the details of all the online searches you make, all of the web pages you visit – solely to serve up targeted online adverts. This isn’t happening for some altruistic aim of making adverts more relevant, but because the ISPs will get a cut from the advertising revenue, and Phorm, the technology vendor involved, will charge advertisers extra for delivering up an especially receptive audience.

You might think that “there ought to be a law against it” – and you’d be right. Analysis by the Foundation for Information Policy Research (FIPR) shows that the complicated way in which the Phorm system works means that the ISPs will commit criminal offences, and could also face civil litigation for the unauthorised processing of copyrighted material.

The Phorm system snoops on all web page requests, and in particular it picks out the search terms used on Google and other search engines. The system also monitors the contents of any web pages visited, looks for the commonest words, and tries to discern what the pages are about. This works up to a point – early search engines used similar schemes – but isn’t especially accurate. Accurate or not, a distillation of this information is matched against advertiser word lists, for example, if “flight” and “hotel” appear, then perhaps you’ll be a sucker for a travel advert. If so, then when you next visit a participating website, the adverts won’t be random but will have a travel theme to them – with the highest bidder getting to put their message in front of you, and the ISP getting a back-hander for participating.
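To make the mechanism described above concrete, here is an added Python example; it is not part of Clayton's essay and is not Phorm's code. It takes a few constructed request/response pairs as an interception box on the ISP's network would see them, pulls search terms out of query strings, counts the commonest words in each page body, matches them against illustrative advertiser word lists, and accumulates a profile per subscriber keyed by an opaque identifier. The URLs, page bodies, identifiers, word lists, stopword list and query-parameter names are all assumptions made for illustration. It also shows the inaccuracy the essay mentions: a news story about a "flight of capital" lands that reader in the travel channel.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic, as an interception box might see it:
# (opaque subscriber id, requested URL, response body). All values are
# invented for this example, not real captures.
SAMPLE_TRAFFIC = [
    ("7f3a", "http://www.google.co.uk/search?q=cheap+flights+to+tel+aviv&hl=en", ""),
    ("7f3a", "http://www.example.com/hotels/tel-aviv",
     "<html><body><h1>Book a hotel in Tel Aviv</h1>"
     "<p>Our hotel deals include flight and hotel packages.</p></body></html>"),
    ("c0de", "http://news.example.org/economy",
     "<p>Analysts warn of a flight of capital as banks raise mortgage rates.</p>"),
]

# Illustrative advertiser word lists (assumed; real channel lists are far longer).
ADVERTISER_WORDLISTS = {
    "travel": {"flight", "flights", "hotel", "hotels", "holiday"},
    "finance": {"mortgage", "loan", "bank", "banks", "rates"},
}

# Query-string parameters that commonly carry search terms (assumed set).
SEARCH_PARAMS = {"q", "p", "query"}

# Minimal stopword list (assumed) so that function words do not dominate counts.
STOPWORDS = {"a", "an", "and", "as", "in", "of", "or", "our", "the", "to"}

TOKEN_RE = re.compile(r"[a-z]+")


def tokenize(text):
    """Lower-case alphabetic tokens with stopwords removed."""
    return [w for w in TOKEN_RE.findall(text.lower()) if w not in STOPWORDS]


def search_terms(url):
    """Search terms carried in a request URL's query string (e.g. a q= parameter)."""
    params = parse_qs(urlsplit(url).query)
    terms = set()
    for name in SEARCH_PARAMS:
        for value in params.get(name, []):
            terms.update(tokenize(value))
    return terms


def page_keywords(body, n=10):
    """The n commonest words of a page body after crude tag stripping."""
    text = re.sub(r"<[^>]+>", " ", body)
    return {word for word, _ in Counter(tokenize(text)).most_common(n)}


def classify(terms, wordlists=ADVERTISER_WORDLISTS):
    """Channels whose word list overlaps the observed terms, with the matching words."""
    return {channel: sorted(terms & words)
            for channel, words in wordlists.items() if terms & words}


def build_profiles(traffic):
    """Count, per opaque subscriber id, how often each advertising channel fired."""
    profiles = defaultdict(Counter)
    for uid, url, body in traffic:
        terms = search_terms(url) | page_keywords(body)
        for channel in classify(terms):
            profiles[uid][channel] += 1
    return dict(profiles)


if __name__ == "__main__":
    for uid, channels in build_profiles(SAMPLE_TRAFFIC).items():
        print(uid, dict(channels))
```

Nothing here needs the subscriber's name: the opaque identifier is enough to keep the profile growing across visits, which is exactly why a pseudonym does not make the resulting profile any less private. The "flight of capital" misclassification is the crude word-frequency matching at work; a vendor would tune word lists and weightings, but the approach stays a guess about the reader's interests.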

However, UK criminal law calls snooping on web traffic “interception” and can send you to prison for it. There are statutory defences for the ISP (or indeed the postal service) looking at traffic for operational purposes (so your mailman can look at the address on the envelope), but this is irrelevant because it isn’t an ISP operational matter to deduce whether or not you’re a travel junkie.

The ISPs involved with Phorm will obtain the permission of their customers to be snooped upon (albeit this permission is rather an afterthought, and early trials didn’t bother with such niceties). Unfortunately for the ISPs, in the UK this is necessary but not sufficient, because interception is illegal unless BOTH ends of the communication give permission. This is a fundamental (and clearly intentional) change made by Parliament in 2000 from the previous one-sided regime. What’s more, the 2002 EU “Directive on Privacy and Electronic Communications” also makes it clear that both ends’ permission is needed.

As it happens, the two-sided requirement gave the legislators several headaches, and so there are special provisions to permit the police to listen in to a kidnapper’s ransom demand and secondary legislation sets out “Lawful Business Practice” to permit stockbrokers to record their instructions, and call centres to perform quality monitoring. None of what the ISPs intend will come under Lawful Business Practice.

Readers may be surprised to have got this far without any mention of the UK’s Data Protection Act 1998 (DPA). It is relevant, in that the Phorm system will regularly be processing “sensitive” personal data and must therefore arrange for an informed opt-in. However, not much more of the DPA will apply because Phorm has carefully designed its systems to evade the provisions of the Act – and providing pseudonyms for users in the form of unique identifiers gets them an awfully long way.

But the real reason the DPA is scarcely relevant is that people’s outrage at the system is expressed in the language of privacy, and there is a significant difference between “privacy” and “data protection”.

When the taxman looks at your financial affairs, they trample all over your privacy, but their systems are completely DPA compliant. Likewise, the Phorm system may learn that someone they know of by an opaque identifier is fascinated by the prospect of travelling to Israel, and they will stay with the letter of the DPA law. However, they’ve learnt something very private about that user’s opinions. If they were a Saudi Arabian student studying in the UK, subsequent serving of targeted adverts, and the information thereby revealed, could lead to embarrassment or much worse.

The bottom line for me, when I consider the Phorm system, is that having ISPs snoop into the personal lives of their customers for a trivial financial gain is inherently objectionable. It is simply not what ISPs should be doing. That the system turns out to infringe a number of laws should simplify blocking its deployment; it’s not the reason that it has to be stopped.

1 comment:

John Berard said...

As much as I applaud all who argue for appropriate privacy and data protection behavior (after all, I was a founding member of the board of TRUSTe), I think behavioral targeting in general and companies like Phorm in particular are being viewed only by the specter of what might be wrong, not by what is clearly right. I have (as I think have others) concluded that advertising is essential to my access to what I want on and from the Web. But why can't it be more relevant? Companies have targeted me by my postal code, by my age and profession, by my purchase habits, so why would I not be willing to trade a look at my browsing for relevant advertising?