Why Deep Packet Inspection Is A Privacy Threat We Can’t Ignore

For the uninitiated, deep packet inspection might just sound like more internet jargon that the average user doesn’t need to know. Unfortunately, this particular piece of technology may have long-lasting implications for the average user. According to AT&T, Deep Packet Inspection (DPI) allows an individual or company to monitor the contents of packets as they pass a particular digital checkpoint. You can think about this as your ISP having a police barrier, opening up every mail envelope you send, and reading its contents. More than just an invasion of privacy, DPI is a curtailment of a lot of rights. In this article, we’ll take a deep dive into what DPI is and why it’s such a clear and present danger to our way of life.

How Deep Packet Inspection Works

DPI is typically implemented as a packet-filtering function of your firewall. Either you or another individual or organization (ISP, government, etc.) assigns rules to the firewall that allows it to compare the values of any packet leaving your machine. If it’s a match, the firewall discards the packet without sending it. DPI can check each packet and determine which application sent it and where its destination will be. Depending on the sophistication of the DPI software, it may even be able to redirect traffic from sites you don’t want the user to go to into “safe” sites. Security professionals will immediately notice how useful it can be in isolating malicious software from making contact with servers.

Deep Packet Inspection vs. Conventional Packet Filtering

Most firewalls already have packet filtering built into them. However, there’s a distinct difference between how traditional filtering and DPI works. Conventional packet filtering doesn’t delve into the packet itself but only deals with the header data. All information within the packet remains secure, even from the firewall’s filter. This implementation was a design choice since early firewalls didn’t have the processing power to open and read each data packet. It’s the same as if you skimmed the title of a book as it passed you by. DPI is like opening the book and reading it cover to cover before passing it on. All the data on the inside of the packet is now part of what the firewall knows about the information package. It can even log that data for easy access to it later, along with which user it originated from. Today’s massive amounts of processing power have made it more feasible to institute DPI in firewalls that can be used on ecommerce sites such as Creative Cabinets and Fine Finishes

Ethical Implications of DPI

Immediately, proponents of freedom of speech will recognize how closely DPI resembles what we know as China’s Great Firewall. However, there are some positive applications of this type of packet scanning. Internet security experts who may want to stop traffic to a particular IP can easily block action, preventing malware from “phoning home” and making contact with its originator. Parents can institute blocks on specific sites as a hard parental filter, keeping kids safe from the seedy underbelly of the internet. As with any technology, the morality of its use lies with the user.

SSRN Electronic Journal mentions that this technology has the potential to be abused in otherwise free societies. While there isn’t any particular legislation in place to address DPI as yet, there have already been legal concerns. UK magazine Silicon reports that The European Commission has taken the UK to court for playing host to DPI provider Phorm since their business practices breach the privacy of data act. Legal situations like these highlight that individuals prefer not having all their communication read by a third party.

A Comparison to Social Media

Some arguments rely on a similarity between how users allow for the sale of their data on social media and liken it to data collected through DPI systems. There’s one glaring problem with this comparison. Users on social media allow their data to be sold to someone else through the provider’s service agreement. While many people don’t know exactly how much of their data is being bought and sold, they do have a vague sense of what the product is. The difference is that collecting data from users without their consent risks breaching their right to privacy. The ISP or governmental agency can potentially force the user to sign a DPI agreement. Still, a decision like that may be considered coercion if the user has no other choice of providers.

Potential Abuse By Governmental Agencies

Authoritarian governments will always find ways to monitor their citizens. For free societies like the US and EU, the thought of government watching private citizens has many people uneasy. A common argument that security offices make when confronted with the privacy invasion that technology leads to is that data monitoring for the safety of all excuses the behavior. Privacy should be a right guaranteed in a free society, and DPI has the potential to remove that right altogether. For most individuals that have enjoyed the rights and freedoms of a civilized community, the thought of losing one’s privacy of communication should send up some red flags. DPI can be quickly instituted on an ISP’s firewall and be monitored by security agencies for “questionable” traffic. Surveillance is the hallmark of an authoritarian government.

How Do We Deal with DPI?

DPI has already made its way into many broadband provider services. They use deep packet inspection to collect user data that helps advertisers pinpoint which users make up their core demographic. ISPs using the technology claim to discard the data after analyzing it, but there’s no way to verify that information and privacy concerns remain. There’s nothing that stops providers from merely changing the wording on their agreements to allow them to save the data they intercept. As they are the gatekeepers of all data in and out of a country, ISPs could become the world’s data brokers, retaining DPI data and selling it to the highest bidder. Dealing with DPI requires lawmakers that understand the potential threat it presents to the privacy of individuals. Governments cannot ignore the danger this technology can represent to the freedom and security of individuals.