Consumer Privacy Jeopardized by DPI Technology

Consumer Privacy Jeopardized by DPI Technology

In response to the complaint against Bell Sympatico (Bell) by the Canadian Internet policy and Public Interest Clinic, based at the University of Ottawa, the Office of the Privacy Commissioner produced a report of findings dated August 13, 2009. The complaint launched under the Personal Information Protection and Electronic Documents Act (PIPEDA) alleged 1) that the Deep Packet Inspection (DPI) technology used by Bell during Internet transmission collects customers' personal information without their consent; 2) this practice collects more personal information than is necessary to ensure quality of service and network integrity; and 3) Bell has failed to adequately inform its customers of its policies and practices with respect to personal information collection during Internet transmissions.

DPI technology is a tool which provides ISPs the ability to view information transmitted on Internet, such as e-mail exchanges, any uploads and downloads.  The merits of this technology are in dispute since on one hand, it enables networks to manage traffic, but on the other, it is often used to help target advertisements on these networks. DPI has traditionally been used as an intrusion prevention system, an intrusion detection system or with traditional firewall technology. While the technology itself is old, it is being applied in new and creative ways. Bell uses DPI in traffic management by identifying peer-to-peer file sharing so that it can be slowed down. According to Bell, the congestion problems peak between 4:30 p.m. and 2:00 a.m.

While potentially the DPI technology can be used to re-create from Internet traffic a readable record of e-mails, web browsing activity, Voice-over-Internet protocol (VoIP) calls and passwords, Bell emphasizes that its use of DPI does not extend to other applications, such as streaming applications via Internet radio or You Tube. Bell had earlier also represented that the network does not use any personal identification information of an individual user or have any specific knowledge of a user's real identity or browsing history. This has been accepted by the privacy commissioner, despite the fact that with a simple change in the design, by a simple installation of a filter, the ISPs can inspect content.

Essentially, of the initial complaints, the only one seen as a problem was the lack of openness about the DPI technology. The assistant privacy commissioner instructed the company to change its service agreement and the frequently asked questions section to notify customers of the fact that it collects and retains personal information through the use of its DPI. What is problematic about this finding is the assumption that by merely updating the privacy information on Bell's website, the consumers will have a true choice- whether to be a part of Bell network or not.

However, the inequality of bargaining power and the reluctance of people to shop for new ISPs may prevent such information to be of any use to the end consumer. It is almost certain that no customer would even contemplate negotiating contracts with network giants, such as Bell. Although it is commendable that the privacy commissioner acknowledged this complaint and invested time and effort to reach its findings, what remains to be seen is whether accepting Bell's word as evidence for its non-involvement in inspecting content and recording private information is right in the long run.