Background to North American Politics of Deep Packet Inspection

The CRTC is listening to oral presentations concerning Canadian ISPs’ use of Deep Packet Inspection (DPI) appliances to throttle Canadians’ Internet traffic. Rather than talk about these presentations at any length, I thought that I’d step back a bit and try to outline some of the attention that DPI has received over the past few years. This should give people who are newly interested in the technology an appreciation for why DPI has become the focus of so much attention and provide paths to learn about the politics of DPI. This post is meant to be a fast overview, and only attends to the North American situation given that it’s what I’m most familiar with.

Massive surveillance of digital networks took off as an issue in 2005, when the New York Times published their first article on the NSA’s warrantless wiretapping operations. The concern about such surveillance brewed for years, but (in my eyes) really exploded as the public started to learn about the capacities of DPI technologies as potential tools for mass surveillance.

DPI began garnering headlines in a major way in 2007, which was really the result of Nate Anderson’s piece, “Deep packet inspection meets ‘Net neutrality, CALEA.” Anderson’s article is typically recognized as the popular news article that put DPI on the scene, and the American public’s interest in this technology was reinforced by Comcast’s use of TCP RST packets, which was made possible using Sandvine equipment. These packets (which appear to have been first discussed in 1981) were used by Comcast to convince P2P clients that the other client(s) in the P2P session didn’t want to communicate with the Comcast subscriber’s P2P application, which led to the termination of the data transmission. Things continued to heat up in the US, as the behavioural advertising company NebuAd began partnering with ISPs to deliver targeted ads to ISPs’ customers using DPI equipment. The Free Press hired Robert Topolski to perform a technical analysis of what NebuAd was doing, and he found that NebuAd was (in effect) performing a man-in-the-middle attack to alter packets as they coursed through ISP network hubs. This report, prepared for Congressional hearings into the surveillance of Americans’ data transfers, was key to driving American ISPs away from NebuAd in the face of political and customer revolt over targeted advertising practices. NebuAd has since shut its doors. In the US there is now talk of shifting towards agnostic throttling, rather than throttling that targets particular applications. Discrimination is equally applied now, instead of homing in on specific groups.

In Canada, there haven’t been (many) accusations of ISPs using DPI for advertising purposes, but throttling has been at the center of our discussions of how Canadian ISPs use DPI to delay P2P applications’ data transfers. In 2008 Bell and the Canadian Association of Internet Providers (CAIP) got into a regulatory scuffle over Bell’s use of DPI appliances to throttle wholesale customers. Wholesale customers are ISPs (e.g. TekSavvy, Execulink) who purchase bandwidth with the intention of reselling it, whereas retail customers are (in Bell’s case) customers of Bell Sympatico. Bell had already been throttling their own retail customers’ P2P traffic, but unexpectedly began impacting wholesale data traffic flows on the basis that they had to manage the entirety of their network. Bell was required to justify their use of DPI to modulate data traffic flows, and at the end of they were told that since they were discriminating against both retail and wholesale customers, the application of DPI was fair. Konrad von Finckenstein, head of the CRTC, noted that this decision was just the ‘tip of the iceberg’ – more hearings into network neutrality were coming…

Over the course of the Bell v. CAIP proceeding, Canadians really started hearing a lot about ‘network neutrality’. This term really has (at least) three principles (not necessarily inclusive, or mutually exclusive) behind it:

  1. Net Neutrality as an end-to-end principle, where the ISP should not concern itself with the protocols or applications that are being used to transmit data.
  2. Net Neutrality as Nonexclusionary Business Practices, where ISPs should not be permitted to apply surcharges to application/service providers to carry their traffic.
  3. Network Neutrality as Content Nondiscrimination, where ISPs should not discriminate against messages/packets based on their content.

While I would argue that Tim Wu, Jack Goldsmith, and Lawrence Lessig are recognized as championing points (1) and (2), it is (3) that I personally find most worrying. In Canada, CIPPIC, SavetheNet.ca, P2Pnet, Michael Geist, and PAIC have all taken facets of these network neutrality principles to heart in their discussions of how Canadian ISPs throttle traffic and oppose the position that network neutrality is, in fact, laughable.

With the most recent CRTC public notice about traffic management, the language has again shifted to network neutrality and privacy, and has drawn DPI appliances back into the spotlight. The CBC has put up an article that gives a nice overview of the present situation of this notice, and what each of the players is looking to get out of the proceeding. What is distinctly different between the present hearing and the CAIP v Bell hearing is that advocates of network neutrality can try to leverage the language that ISPs used during the New Media hearing a few months ago to demonstrate that ISPs are not presenting a coherent position on DPI to the CRTC. What remains unchanged, of course, is that Sandvine continues to assert that network neutrality simply doesn’t exist, with Juniper Networks maintaining that there is a qualitative difference between the Internet of the past, and the Internet of the present and future.

The hearings will be continuing for the next few days. CIPPIC is live blogging each day, and Michael Geist has been producing summaries of each day’s activities. If you want to learn about congestion, from a semi-technical point of view, head over to Security Now’s podcast on the subject; it’s a bit dated (and a bit long, at almost 90 minutes), but still informative and worth your time. Further, the Office of the Privacy Commissioner of Canada has a website devoted to DPI, and Ralf Bendrath has written a post pulling together an excellent collection of papers that have been written about the technology.

Hopefully, with this post and its links, you’ll be able to delve into the DPI discussions with a slightly broader background to what the technology is, and the controversies that have erupted thus far about it in North America. If you think I’ve missed a clearly critical article/event that’s taken place, and pertains to the North American situation, leave a note in the comments!