ISP Deep Packet Inspection And Your Privacy

Sunday, October 19, 2008

Imagine an Internet Service Provider (ISP) watching you, holding a key that unlocks your private browsing habits and the secure websites you visit on its Internet superhighway.

Recently NebuAd, a Silicon Valley startup company, introduced DPI, or deep packet inspection, for ISPs to use in order to deploy ads based on the user's Web browsing history. This detailed information is garnered directly from ISP subscribers as they navigate through the Internet Service Providers' conduits and gateways. Read the following report, "NebuAd Forges Packets, Violates Net Standards", to have a better understanding of what NebuAd is doing.

Internet Service Providers come in all shapes and sizes. ISPs employ a range of technologies for small businesses and home users. Cable companies offering broadband high-speed Internet cable, phone companies that offer DSL and ISDN, broadband wireless, fiber to the premises (FTTH), and dial-up service providers all fall into the list of types of ISP technologies. Customers with more demanding Internet requirements, such as medium to large businesses or other ISPs, are more likely to use DSL (often SHDSL or ADSL), Ethernet, Metro Ethernet, Gigabit Ethernet, Frame Relay, ISDN (BRI or PRI), ATM, satellite Internet access and synchronous optical networking (SONET) technologies. (Source: Wikipedia)

ISPs ranked by market share (number of subscribers), as of Spring 2008 (numbers are approximate):

  1. Comcast Corp. 24 million
  2. Time Warner Cable 13.3 million
  3. Cox Communications 6 million
  4. Charter Communications 5.7 million
  5. Cablevision 3.3 million


Personal And Business Security And Privacy Concerns

When a user is visiting a website online, the ISP has a record of that particular website being visited. They know, for instance, what IP address was being used to travel through their pipes at that specific time of day, and how long a user remained on a particular website. They can also track what type of computer is being used, which web browser was active, what screen resolution was being used to display the website, what operating system was in use, and even where someone navigated from. There is also concern that ISPs may even be able to tell what keystrokes are being typed.

Now imagine your ISP potentially gathering that information into a useful contextual ad serving system, and one can quickly see that there are billions of dollars to be made for any ISP company with online advertising.

While many might not see any harm in this, imagine if your web browsing information were to be sold to others, or accidentally or intentionally released to unauthorized people. Do you really want others to gather your personal browsing habits and allow advertisers and other online entities to target you based on where you have been and what you are reading? What if you accidentally mistyped a website address and went somewhere you didn't really want to go online?

All website servers produce a set of log files that give their owners indirect feedback to help improve the functionality of the site, along with a better understanding of how an interested visitor navigates the website and how much time is spent on various pages, though not all website owners take advantage of the log files or even have direct access to them. Yes, it is true that an online website hosting company can track all the information I mentioned at the beginning of this article, but not to the depth or the level of personal detail that an ISP can track. Most websites publish an online privacy policy statement of some type, which typically provides the specifics on how this information is used. Most websites and web hosting service providers keep this browsing information private and do not share it with others. While most websites and website hosting service providers have this data at their disposal, these websites cannot directly identify you as you. There is not a direct correlation between an IP address and the user. That means that even though your IP address might show up and be logged, and even though they may be able to keep track of your visits with cookies, they cannot positively say that John Doe is located at IP address 132.62.255.255. However, that is not the case with ISPs.

ISP databases keep track of all this personal information and can actually link IP addresses to ISP subscriber names. They know when John Doe, with IP address 132.62.255.255, navigates from point A to point B online. They also know how long John was visiting a specific website. Additionally, it appears that this DPI technology may even be able to track other visits, such as banking and email visits. With the central depository of information residing with the ISPs, this is an example of Big Brother at its worst in action, especially if this information were to fall into the wrong hands. Don't be fooled into thinking that just because you don't have a static IP address and may get a different dynamic IP address every time you log in with your ISP, the ISP can't cross-reference a certain IP address, at a specific time, to your name.

The legislative history of Section 631 of the Communications Act of 1934, which was added as part of the Cable Act of 1984, notes that "[c]able systems, particularly those with a "two-way" capability, have an enormous capacity to collect and store personally identifiable information about each cable subscriber," and that "[s]ubscriber records from interactive systems can reveal details about bank transactions, shopping habits, political contributions, viewing habits and other significant personal decisions."


In an article titled "Broadband Providers Vow to Protect User Privacy", the large ISPs are trying to put to rest concerns about the use of deep packet inspection on their subscribers.

The writer, Roy Mark, stated, "After a summer of debate over NebuAd's deep package inspection advertising model leads to Congressional hearings and harsh criticism by consumer groups, the nation's largest broadband providers hope industry guidelines calling for consumer opt-in regimes will stave off new Internet privacy laws. AT&T, Verizon and Time Warner deny using deep packet inspection."


Charter Communications had planned to deploy NebuAd's DPI technology. However, after consumer groups expressed much concern, and after Ed Markey, Democratic chairman of the House Subcommittee on Telecommunications and the Internet, drafted a letter co-signed by ranking Republican Rep. Joe Barton and sent it to Charter Communications, Charter dropped its plans for DPI from NebuAd.

Letter to Charter Communications

Congress of the United States
Washington, DC 20515

May 16, 2008


Mr. Neil Smit
President and CEO
Charter Communications
12405 Powerscourt Drive
St. Louis, MO 63131

Dear Mr. Smit

We are writing with respect to recent media reports that Charter Communications has announced plans to begin collecting information about websites that subscribers visit and then disclosing such data to a firm called NebuAd. This firm, in turn, will use such data to serve ads to individual Charter customers on subjects directly related to their interests as gleaned from subscribers' use of Charter Communications services.

As you are likely aware, Section 631 of the Communications Act contains privacy provisions regarding cable operators. The legislative history of Section 631 of the Communications Act of 1934, which was added as part of the Cable Act of 1984, notes that "[c]able systems, particularly those with a "two-way" capability, have an enormous capacity to collect and store personally identifiable information about each cable subscriber," and that "[s]ubscriber records from interactive systems can reveal details about bank transactions, shopping habits, political contributions, viewing habits and other significant personal decisions." (see H. Rep. No. 934, 98th Cong., 2d Sess. 29-30 (1984)).

In addition, in 1992, as part of the Cable Television and Consumer Protection and Competition Act (PL 102-385), Congress added the term "other services" to the statute. Congress did so "to ensure that new communications services provided by cable operators are covered by the privacy protection embodied in Section 631 of the Communications Act." (see H.Conf.Rep. No. 102-862, 1992 U.S. Code Cong. And Adm. News 1275-76).

Any service to which a subscriber does not affirmatively subscribe and that can result in the collection of information about the web-related habits and interests of a subscriber, or a subscriber's use of the operator's services, or the identification of an individual subscriber, and achieves any of these results without the "prior written or electronic consent of the subscriber," raises substantial questions related to Section 631.

We respectfully request that you do not move forward on Charter Communications' proposed venture with NebuAd until we have an opportunity to discuss with you issues raised by this proposed venture.

Thank you in advance for your time and attention to this request. We look forward to hearing from you.

Sincerely,

Edward J. Markey (D-MA)
Chairman, House Subcommittee on Telecommunications and the Internet

Joe Barton (R-TX)
Ranking Member, House Committee on Energy and Commerce


Now I don't know about your thoughts on ISP DPI technology, but in my opinion I think we have to be eternally vigilant, and protect our Internet privacy as much as possible. Let's not let a Big Brother take over. Maybe we do need tougher legislation on the books to prevent DPI technology from being deployed online.
