In reading through the recent CRTC filings, something that has been striking me is that the ‘regular’ metaphor for how Deep Packet Inspection (DPI) technologies work seems a bit awkward. When you send packets of data along the ‘net, they are broadly composed of a header and a payload. The metaphor goes as follows: the header is like the addressing information on an envelop, and the payload is the actual letter in the envelop. DPI opens the envelop, sees the content of the letter, examines it, reseals it, and then passes the letter along to its destination (assuming that the contents aren’t of a type that shouldn’t be sent onwards).
I like the metaphor because of its power, but at the same time I have to wonder about its accuracy, at least in the Canadian situation. When reading the ISP’s CRTC filings, I keep reading that they use DPI devices for flow analysis – they’re not looking for the content of your email, they just want to identify whether you’re sending email or an instant message. Rather than assume that the ISPs are being duplicitous, why not reconsider the metaphor to see if it can’t be developed to distinguish between different usages of DPI equipment.
In the already stated metaphor, we have a case where the equipment is looking at the content of messages – what messages you send to your friends via instant messenger, for example. This is a terribly heavy computational process, and really only works well (at the moment) when either targeting particular packet streams, or when putting massive resources behind content-inspection capacities. This isn’t exactly cost efficient (as I understand it) for ISPs at the moment. ISPs, as I note in a working paper that should be live soon (I hope), are interested in enhancing revenue streams, not in invading people’s privacy unnecessarily.
In light of this, and in how ISPs claim they use DPI equipment, I suggest the following way of ‘conditioning’ the already existing metaphor. DPI can be understood to be looking past the envelope/wrapping of the mailed package, but not so that it can read the contents, but so it can identify the kind of mail that you’re sending. Does the envelop/package hold written text? Does it hold a pair of scissors? Have you stuffed it with cat fur?
The contents of the letter are then categorized according to a particular metric and then a ‘content flow analysis’, that is a regulated enumeration of the categories of content-types, can be made. This analysis allows the postal service/ISPs to more efficiently identify when they need to make adjustments to their transmission network – where it is found that people are sending packages that are all marked ‘delicate’, and the packages actually contain crystal swans, extra training should be provided to mail handlers so that they don’t damage items. Conversely, to the region that labels everything ‘delicate’ but is actually sending pieces of steel to one another, such extra training probably isn’t necessary. For ISPs, packet flow analysis lets them see where they need to augment network capacity for ‘legitimate’ traffics, and areas where this isn’t such a substantial issue.
I’ll note in conclusion that: (a) this is still a rough thought-in-progress; (b) doesn’t alleviate the privacy/surveillance concerns that many hold surrounding DPI; (c) raises very real questions about what ‘legitimate’ traffic is. Regardless, I think that it might be a better metaphor (if slightly longer, and thus a little less sexy) to try and explain how Canadian ISPs appear to be using DPI equipment in their day-to-day operations to throttle particular Internet traffic based on its content-type.
5 thoughts on “Deep Packet Inspection Analogies”
I think that the analogy is a good start, and probably technically accurate. I think that there is an emotionally disturbing aspect to the letter analogy, though: We all understand that the post office needs to know whether the letter is “fragile” or “delicate” in order to properly handle delivery. But I make the decision to tell the post office about the contents, or take my chances. With DPI, the Post Office, in effect, determines whether they need that information, and extract it from the letter whether I want them to or not.
And that brings me to the second point. In this analogy, the post office would have been delivering letters for years, without a single one being labeled “fragile.” Then one day, they assert that they can no longer deliver packages unless they’re properly labeled “fragile.” And if we don’t label the packages, they’ll take a peek inside to see whether their fragile or not.
Perhaps there’s a little hyperbole there, but I think it strikes at the root of any weaknesses in the analogy.
You raise good points! What are your thoughts if we think of ‘sending mail’ as ‘sending packages’ internationally? When I mail something across country lines, I’m required by Canada Post to declare what is in it – this isn’t a new practice. If I do lie and the package is inspected by customs, then I can have various nasty things happen to me. Given that packets travel internationally, maybe this kind of ‘postal model’ might be more appropriate?
Note that I’m not trying to doggedly stand by the analogy, but rather just have a good talk and though about it grin. Thanks for the comment!
Introducing the concept of international postage significantly complicates the metaphor, because it requires the introduction of legal regimes into the analogy itself. This presents a circular logic problem, since the analogy is intended to clarify a legal regime to begin with.
To grossly simplify International Law, once a person or thing crosses political borders, he/she/it becomes an “alien,” with no legal rights except those which the host country chooses (or is forced) to grant. Border protection is an essential component of any sovereign nation’s national defense.
Although I think it’s a really bad idea for a number of reasons, I think governmental DPI would probably be Constitutional at the border. But applying the “international mail” analogy on all packets is dangerous because it distorts the framework for discussion. For example, one significant flaw to the analogy is that postal services are generally governmental actors, who are bound by far more Constitutional limitations than private entities. However, the most likely organizations to implement DPI are private companies. Getting the question right is probably more important than the answer. I see permutations of possible questions involving these subjects:
Is DPI Legal?
Locally vs. extra-territorially vs. at the border
As applied to citizens vs. aliens
According to statutory law?
According to Constitutional law?
According to International Law?
Is DPI Good Public Policy? Ie, cost-benefit analysis.
…as applied to private entities?
…as applied to State actors?
So, which of the many permutations of those options are we asking? The question, properly asked, will inform an appropriate analogy.
I tried to include html bullets, but for some reason, they didn’t come through.
I’m with you that the international analogy strains the metaphor, and quickly begins to cloud its initial usefulness. Re: your questions. I prepared an introductory paper on the legalities, and expected legislation-types, that will likely follow in the next few years to begin thinking through the differences between corporate and government uses of DPI. As you mention, I expect that government uses of DPI would be legitimated (likely under national security or policing terms), whereas non-governmental uses may not. In Canada, we’ll soon see if its legal for private corporations to manage networks using DPI technology, and in the US we’ve seen the NebuAd debate start to sour regulators’ tastes for DPI. What the consequences will be in either country remains to be seen.
Thus, I think that we begin by asking “Is DPI legal?” and, if so, under what contexts? Can/should we be making a distinction between ‘citizens’ and ‘aliens’, and if so, how do we avoid examining citizens’ data as it courses through networks and only examine aliens’. At the moment, I can’t imagine how this could be done. Can you think of any international law that is binding that would preclude the use of DPI?
As for whether it’s good public policy, I think that the question quickly turns on who’s definition of ‘good’ and ‘public policy’ we’re speaking about. I tend to focus on citizens first, and ask whether DPI is good for them – is the possibility to manipulate packets based on application-layer data a good thing, or does it run the risk of doing more harm than good? I still don’t know exactly where I lie on this – I’ve ideas, but nothing 100% firm at this point. At the moment, my own worry is that DPI could operate as a massive threat to individuals’ privacy, and their perception of the technologies’ possibilities (regardless of how it is actually deployed in practice) could undermine the communicative freedoms that ground democracies.
If, on the on the other hand, we’re referring to good public policy for businesses (i.e. good in a cost/benefit analysis), then it’s likely a good thing for them – they can control data flows, comply with data capture legislation such as CALEA, etc. Whether DPI is the best equipment for this task is another question, and one that I lack an answer to at the moment.
So, what questions am I interested in? In addition to those above, a few are:
(1) Is DPI legal in Canada and in the US?
(2) Under what conditions is it permissible to deploy DPI in business operations (e.g. at the perimeter), and what can/should be done to data coming in and out of these networking spaces?
(3) What, empirically, is built into calculations of whether or not to deploy DPI equipment in large networking environments – what are thresholds that motivate networking groups to use these technologies?
(4) If DPI is legal to use generally, then what social responsibilties (if any) should telcos assume, given that they are rapidly becoming the gatekeepers of all of our data? By integrating ‘intelligence’ into the network, is their relationship with customer/citizen data changing, and if so, how?
(5) Should something be done to require ISPs to openly disclose their use of DPI, and should they be permitted to apply DPI processes to wholesalers as well as retail customers?
(6) What are telcos’ worries surrounding the use of DPI, if any?
Admittedly, several of those are fairly ‘basic’ questions (e.g. #6), but questions that would let me then approach broader question: ‘can we perceive this technology as facilitating, or undermining, a democratic (in Canada) or republican (in the US) system of governance that is predicated on freedom of expression?’
Comments are closed.