Privacy, “Deep Packet Inspection” and the internet

Baroness Sue Miller hosted an interesting meeting earlier today, billed (slightly tendentiously) as “The Internet Threat: Who needs privacy when we can have relevant ads?”. Speakers included Sir Tim Berners-Lee (inventor of the World Wide Web) and a variety of other experts.

Sir Tim Berners-Lee was arguing that the integrity of the internet is under threat from the emergence of Deep Packet Inspection by Internet Service Providers (ISPs) – this now enables ISPs to scan the contents of all communications and the contents of all web pages viewed by their customers, and for that data to be analysed so that customer-specific targeted advertising can be produced. This raises substantial privacy issues – as one speaker pointed out, each person will have a different view as to what is private for them.

Of course, such privacy issues are not new.  Already, websites place cookies on the computers of those visiting the site “to enhance the experience” of those that visit the site again and many of these track what the user does (individuals can of course block cookies or subsequently erase them – so in a sense the user can control this).  Search engines like Google also keep track of the search terms typed in by those who use them and again target advertising and recommend links accordingly.

What is new about Deep Packet Inspection is that for effectively the first time ISPs are looking routinely into the material that is being transferred through their service – it is as though Royal Mail sorting office staff were given access to the content of all the correspondence that they were sorting.

In the US this is apparently explicitly banned. In the UK, the Regulation of Investigatory Powers Act would appear to forbid this unless (Section 3 (3) (b)) it is “for purposes connected with the provision or operation of that service”. So is targeted advertising a purpose connected with the provision or operation of that service? Ultimately, this will no doubt be a question for the Courts, but, so we were told, Home Office guidance suggests that Deep Packet Inspection is permissible ….

Part of the argument has to be that websites and ISPs have to be able to make their money somehow and Peter Bazalgette, consigned to the audience, forcefully pointed out that the internet had destroyed the existing business model of many newspapers, much of the music industry and may do the same for films and books and that service providers had to evolve to find new ways of making revenue.

Some of my Parliamentary colleagues were keen to divert the debate on to the Government’s consultation on the draft Communications Data Bill.  However, there is a world of difference between a government that is accountable to Parliament collecting data and commercial companies that are accountable to no-one but their share-holders doing so.

There is a real debate to be had here and Sue Miller is to be congratulated for facilitating this morning’s meeting.

7 thoughts on “Privacy, “Deep Packet Inspection” and the internet”

  1. Phorm is intrusive, invasive and yet to be proven legal. To allow a private company such access to private data when they are charged under the law to protect my data is placing the interest of big business over the rights and privacy of citizens and should not be allowed under any circumstances. Sadly the evasion and misdirection of government departments involved in this debacle gives me great cause for concern. I speak from personal experience here after communications with BERR, the Home Office, the ICO, UKIPO. Buck passing at its best.
    This government’s attitude to personal privacy and its love of the database disguised as an attempt to protect us in the ‘war on terror’ leaves me more in fear of them than any terrorist.
    Any terrorist that gets themselves on a government database is in the wrong job. The only ones that need to fear this government are its law abiding citizens.
    FOI Mr. Straw? Only when it suits you.

    You wonder why no one trusts this government.

  2. I do hope that while the real debate is being considered, the following question will be asked:

    It has been claimed that the current internet model has been affecting the revenues of newspapers and the music/media industry. If Deep Packet Inspection Systems are deployed within the ISP networks in an attempt to divert advertising revenues to these industries, what system is waiting in the wings to protect all the other internet based businesses who will be having trade diverted from their businesses to those businesses which are buying the advertising which will be given prominence so that newspapers and music/media industries are funded? There seems to be great danger that using the ISPs to fix a small problem, one not caused by the ISPs, will result in a much larger problem which could result in loss of business revenue over much wider market segments, and the loss of confidence in the Internet as a secure and confidential communication medium between businesses and their customers.

  3. Well done for grasping the main points of the meeting. What Phorm are trying to do is a new departure in internet tracking, as they want to use (have with BT’s connivance, already BEEN using) the privileged access that ISPs have to every customer’s data stream. Customers have NO choice about the equipment being put between them and the internet, and nor do the websites, whose data is snooped on by the Webwise system when those ISP customers visit the sites which breaches site copyright and possibly also the Fraud Act. Phorm and Webwise have not even worked out a way of avoiding profiling the protected private “Friends” pages on Facebook as they are protected by cookie based authentication and Webwise (because of the way it forges cookies) can’t handle that, so the private pages are profiled by the system. So much for a privacy revolution – this must be stopped and stopped for good. Are the Culture Media and Sport committee interested? We have material you can study.

  4. To take a quote from above:

    “Part of the argument has to be that websites and ISPs have to be able to make their money somehow and Peter Bazalgette, consigned to the audience, forcefully pointed out that the internet had destroyed the existing business model of many newspapers, much of the music industry and may do the same for films and books and that service providers had to evolve to find new ways of making revenue.”

    Get used to it companies, it’s called competition.

    To take my personal data, opt in or otherwise, and use it for this purpose…. that’s a BIG NO.

    And for one, if the Government wish to have a huge database of citizens in this country (internet usage), sorry but that gives me the impression that the Government class everyone guilty before innocence. And another impression it gives me is that various Government departments are so lazy they wish a machine (or two) to investigate for them, no point having a secret service then, is there really?

    I for one will cancel our long standing account with Virgin Media (uhmmm NTL) if it is verified that they are using such a system.

    I would like to thank on behalf of me and my wife (who is physically disabled) for those who are standing up for our basic human right of privacy.

  5. Received today as I was about to write a further comment here. I asked what independent experts were consulted before the ICO accepted verbatim the word of BT and Phorm as to how the system really worked, the privacy implications thereof and what research they conducted of their own.

    From the ICO (toothless watchdog)

    17th March 2009

    Case Reference Number IRQ0235827

    Dear Mr Main

    Your email of 22 February 2009 refers to the privacy implications of the Phorm DPI system as trialled by BT.

    We understand that BT conducted what they describe as two small-scale technical tests in September/October 2006 and in June 2007. They have told us these were designed to evaluate “the function and technical performance of a new advertising platform”. We did not become aware of these trials until late March 2008. Given that there was no evidence that these trials had caused privacy detriment to individuals, our view was that carrying out an in-depth investigation into exactly what these trials involved would not be a sensible use of our necessarily limited resources. Instead, our focus was on any future use of the technology.

    However, we did read both the technical analysis of the Phorm Webwise system produced by Richard Clayton of FIPR on 4 April 2008 and the legal analysis of the system produced by Nicholas Bohm of FIPR of 23 April 2008. Therefore, whilst we did not commission any ‘evidence’ from independent sources, we did study the analysis of FIPR.

    Much of FIPR’s legal analysis concerned the alleged contravention of RIPA. The Commissioner has no remit to enforce RIPA. This is a matter for the police. Our concern is with the DPA98 and PECR03. Our conclusion was that, on the basis of what we were told by both BT and Phorm and what we took to be an authoritative independent analysis of the Phorm Webwise system, the system could be deployed without breach of the DPA98 or PECR03 if it was deployed with the consent of the individual customers concerned. We made this point clear to Phorm, to BT and in a public statement on our website.

    Subsequently, in late 2008, BT carried out a relatively small-scale pilot involving customers in the Kingston area. Shortly before this pilot began they sent us a copy of the ‘invitation’ page on the basis of which customers would choose whether or not to take part in the pilot. We made clear to BT that we had strong reservations about the nature of the explanation provided, largely because it concentrated on security advantages rather than on the targeted advertising. We made clear that we would want to discuss with BT the basis on which individuals would be invited to elect to receive targeted ads in the event that BT rolled out the system commercially. BT has provided us with assurances that they will do so. They are in no doubt that, in our view, individuals can only give valid consent if it is fully informed on the basis of clear and balanced information. Therefore, I am confident that in the event that BT does decide to deploy this technology commercially, they will meet with us to discuss this matter first. They appreciate that they will be leaving themselves open to regulatory action if they were to go ahead on a basis that we did not feel acceptable.

    I would like to emphasise that as a regulator we generally have to take the assertions of companies, government departments etc on trust. It would be quite impractical for us to double check the technical assertions made to us in all the many matters that are referred to us. However, in this particular case, it was our view that accepting the technical analysis of Richard Clayton of FIPR, it was perfectly possible for BT to deploy the Phorm system in compliance with the DPA98 and PECR03. In short, we did not believe that it would be a sensible use of limited regulatory resources to commission an analysis from independent sources.

    Yours sincerely

    PHIL JONES

    ASSISTANT COMMISSIONER

    DIRECTOR OF DATA PROTECTION PRACTICE

    I repeat my previous comment

    You wonder why no one trusts this government

  6. Lord Harris, I thank you for taking the time to understand this issue. The Baroness, Sue Miller, certainly is to be congratulated. I was shocked when I read her first comments about the Phorm issue in the House and I took the time to write and say so. I’m absolutely delighted that she followed up with real focus and attention to the detail of the problem that Phorm’s Webwise represents. We need a second chamber that questions and challenges what our Government do, what they allow to take place and what bodies such as the ICO and Ofcom do (or DON’T do!)

    For example, “We made clear to BT that we had strong reservations about the nature of the explanation provided, largely because it concentrated on security advantages rather than on the targeted advertising. We made clear that we would want to discuss with BT the basis on which individuals would be invited to elect to receive targeted ads in the event that BT rolled out the system commercially.”

    WHY, does the ICO think that allowing the use of an invitation page which does NOT comply with their requirements is acceptable for a trial when it is not acceptable for rollout? Why is it okay for a “small number” of people to be misled because they at the ICO don’t have the resources? Surely they have the authority to say, “No, that is not acceptable, go away and come back with a revision.” And then keep saying that until the revision IS acceptable and is not only acceptable for a trial but for rollout if the Internet Service Provider is daft enough to do that.

    Such a joke. Phil Jones should be considering his position (IMHO). And Phorm must be stopped, because what they want to do is wrong. And the public, when they know what Webwise is, won’t want it either.

    They anonymise their snooping on us all? No, they don’t. They pretend to. It’s called Pseudonymisation.

    Hank
