"Deep Packet Inspection" Means Deep Trouble

Today's column digs into "deep packet inspection" -- an ongoing, automated, detailed inspection of your online traffic conducted to gain a better idea of your interests and to display ads that better match those interests.

My colleagues have been following this issue for a while -- see, for example, Ellen Nakashima's piece last week, which covered the House Committee on Energy and Commerce's research into the tests several Internet providers made of Silicon Valley startup NebuAd's deep-packet-inspection system.

(Yes, The Washington Post Company's Cable One was among them. No, I wasn't thrilled to learn about that either -- or the fact that its users weren't given a chance to opt out [PDF] of the test.)

The basic concept of deep packet inspection ("DPI," to some) creeps me out. I'll stipulate that somebody could build a DPI system that strictly limited its scrutiny to innocuous topics that people happily discuss in public all the time, and which rigorously guarded the identities of users (indeed, NebuAd vows that its system does exactly those things). Customers might even jump to use such a system if it knocked a few bucks off their monthly bills, as Slate's Farhad Manjoo observed earlier this week.

But we're not living in a hypothetical universe in which everything runs exactly as designed and is operated by people and companies with the highest ethical standards. You have to consider how a DPI system would perform when the inevitable mistakes are made: Would it fail gracefully, with minimal collateral damage, or would it fail badly? (For an in-depth discussion of this concept of failing badly -- which I think is an excellent way to assess any new technology -- see security expert Bruce Schneier's book "Beyond Fear.")

In that light, deep packet inspection looks like yet another example of technological overreach -- taking a decent idea and stretching it to its irrational, unsustainable extreme. And it's likely to fare no better than such earlier misadventures as, for example, the movie industry's crusade to lock up video downloads with "digital rights management" controls and Microsoft's attempts to stamp out software piracy with automated enforcement software.

If you can think of a scenario in which you'd accept deep packet inspection, let me know in the comments. Or talk to me during today's Web chat, starting at 2 p.m.

By Rob Pegoraro  |  August 21, 2008; 10:14 AM ET
Categories:  Gripes , The Web  


Would using a subscription Virtual Private Network, which encrypts data at the user's computer and unscrambles it later past the reach of the internet service provider, make this whole problem go away? After all, encrypted data passing through the ISP can't be inspected at all.

Posted by: BB | August 21, 2008 12:14 PM

Using DPI outside of its original network maintenance purpose will simply promote more point to point encryption which will negate DPI as a tool for the network admin and make it harder to prioritize packets/traffic.

Posted by: SpecTP | August 21, 2008 2:07 PM

I'd be for DPI on an opt-in basis. If I'm shopping for stuff or looking for certain things I'd want to make it clear to whoever is snooping that this is what I'm looking for. Perhaps someone will come along who is willing to sell me the item for less.

However, I only support this on an opt-in basis. The biggest reason is that I don't trust the owners of the data to protect it effectively.

Posted by: slar | August 21, 2008 2:19 PM


When we had to replace a burned out modem, the one that Embarq sent FORCED us to first click/accept some sort of WAIVER before we could get back on the internet.

Are you interested in receiving a copy of this 'statement' of terms and waiver and would you / WP be willing to do some sort of story/investigation about it in depth?

Please -- I have a feeling that Embarq is doing all the stuff the others like Comcast have been accused of doing and even more!

Posted by: embarksuks | August 21, 2008 3:30 PM

On a home that has a common router to the ISP....

I search for porn. My (hypothetical) daughter (on the same computer which I've got separate logins for) searches for ponies.

How long before my nonexistent daughter gets a YouTube video of Mr Hands?

Posted by: PJH | August 21, 2008 4:10 PM

In a similar creepy vein, check out this post from the Consumerist. Turns out Dunkin Donuts has already started using facial recognition software to determine your age and gender and then display ads targeted towards you on video screens in two stores in Buffalo. This whole thing is definitely past my comfort level.

Posted by: Jen | August 21, 2008 4:30 PM

Your introductory paragraph characterizes DPI in a limited context. You specifically call out a subset of the capabilities that are breaking new ground and "freaking" people out.

Using DPI to gain a better idea of interests, usage patterns is only a minor part of what DPI can do. It would be good to remember that in itself the technology is just an enabler and there are many instances where new services or business models may emerge that are both palatable and demanded by the American public.

Ultimately the consumer will drive the appropriate use of the technology. Just remember Google is trolling your Gmail account for key words and definitely knows exactly what you are and were searching for. Let's not forget every company is trying to leverage customer intimacy to market/promote their services.

Recently the explosion of over-the-top content (especially long form video) along with the proliferation of HD capable flat screens in the home seems to be a likely beneficiary of DPI. QoS (Quality of Service) promotion of the flow to enable a high quality experience for streaming media (no waiting for your Apple TV downloads anymore) would sure be nice. No need to take the kids to Blockbuster for an annoying 30 hour lineup on Friday evenings anymore -- the average Joe can probably buy into the need to pay his carrier something extra to both dynamically broaden his pipe when he wants to view on-line VOD/streaming content and have it guaranteed for the duration of his session. The next evolution of the technology is actually called "Deep Session Inspection". Subscriber and flow awareness for the duration of a particular application or service by a particular end subscriber device (be it mobile, STB, TV or PC).

Most consumers will recognize the value when DPI is used appropriately.

Other uses could be:
- guaranteeing priority of VPN services for remote workers (eco friendly)
- maximizing the efficiency of available bandwidth under constrained scenarios (limiting the need for capital investments for peak loads which are ultimately passed on to the consumer) -- i.e. I want my VoIP 911 call to be prioritized thank you.

It would be disappointing to see a promising technology sunk because it becomes an appropriate political hot potato to toss around during an election year.

Posted by: Justin | August 21, 2008 6:35 PM

I don't disagree with most of what you say, but the bottom line is that security matters. If something can be used nefariously, it will be.

Posted by: slar | August 22, 2008 12:46 PM

Much of the debate thus far acknowledges the power of discerning behavioral patterns in data for monetary benefit. Some have even offered that additional business models be explored to give consumers control/awareness of the process as beneficiaries in this barter proposition: data for relevance. Certainly, the current deployment of said services is suspect at best - and consumers are definitely not empowered to participate in any direct value-based line of sight in the current DPI manifestations.

My company provides a free tool to prevent the collection and storage of packet level information and the corresponding personally identifiable information surreptitiously collected at the network level. It's called HotSpot Shield – and while we originally acquired millions of users in repressive regimes internationally (e.g. censorship), our US usage is surging for exactly the reason spurred in this blog post. Admittedly a nascent concern to most of the population in our on-line economy, security, privacy, and advertising have yet to find a model that boasts equilibrium. I think AnchorFree and its HotSpot shield are on the right track. We do leverage contextual relevance (e.g. domain names) to serve a nominal amount of advertising. But, we don’t build persistent user profiles or otherwise store any personally identifiable information – and that is the differentiating factor in the journey toward converging privacy and advertising. The user benefit? Users are assured anonymity and security. The difference? We are transparent in our model and at the end of the day, this gives consumers control and awareness where the industry at large has failed us.

Posted by: Mark Smith -AnchorFree Inc. | August 22, 2008 1:07 PM

The poster from AnchorFree who got some free advertising about his "free" service omitted mention of a very questionable para in AnchorFree's TOS, to wit-
"Description of Services:
Through its network of Sites, AnchorFree provides you with access to a rich variety of resources, including tools, download areas, premium content, communication forums and product information (collectively, "Services"). You understand and agree that the Services may include advertisements and that these advertisements are necessary for AnchorFree to provide the Services. The Services, including any updates, enhancements, or new features, are subject to these Terms."

Say WHAT? Not very clear what kind of ads they're talking about -
Are they intrusive, obnoxious and bandwidth hogging flash-based ads like Yahoo abuses?
Are they just on AnchorFree's pages or are they somehow piggybacked on or replace the ad banner slots on other pages (which now are blessedly blank thanks to Hostsman and other ad server blockers)?
Are tracking cookies or web beacons going to be deposited on our PCs or is some form of deep packet data stored server-side?
Will the download require an overhaul of our existing ad server blockers in order to function?

My desire to even read the web site (to try to find answers to questions the TOS raised) has at least temporarily evaporated. If I'm making a mountain out of a molehill, clarification would be appreciated.

Posted by: Vote4TermLimits | August 24, 2008 9:48 AM

I agree that DPI is creepy for the consumer, but there's another element of this that I wonder about.

What about the "common carrier" rules? As I understand it, the rules were that they carried the traffic, but didn't meddle into the content, a sort of "hear no evil" approach. The common carrier rule kept the phone company from having to be responsible for the bad behavior of users on their networks.

DPI gets so far away from that, that it would seem to open up some serious liability for the ISPs. Once they start looking at the packets, aren't they then responsible for what's inside them? So, for instance, couldn't an ISP be held liable if someone is using the network to disseminate kiddie porn or download copyrighted content?

Why do these guys want anything to do with this? Not only is it going to upset their customers, but it seems incredibly shortsighted and dangerous for them.

Posted by: Bill D | August 24, 2008 11:48 AM

DPI is market-inefficient. Pretty soon the advertisers will realize that they can buy this information from the NSA, which already has seven years' worth of web traffic and e-mails.

Posted by: Stratocaster | August 24, 2008 7:10 PM

Stratocaster is right ... see ArsTechnica article -

Posted by: SunInDC | August 25, 2008 6:04 PM

The comments to this entry are closed.


© 2010 The Washington Post Company