


Exploiting DPI Surveillance for Advertising Will Track If You Surf For Work or Fun

Dec 01, 2010 | 4 mins
Big Data | Data and Information Security | Malware

Surfing for work or for fun? DPI tracking technology knows. DPI has been used by governments for surveillance and censorship, but it's raising privacy concerns again about the potential for abuse when used as an advertising tool for profiling.

Deep Packet Inspection (DPI) involves the use of network equipment to intercept, examine, modify, restrict, or copy the content of data communications on the fly. It serves many purposes from analyzing network traffic to being used by law enforcement or spy agencies for surveillance. DPI potentially allows ISPs to collect and analyze Internet communications of millions of users simultaneously. Two U.S. companies plan to use DPI to target online ads to consumers. The technology has come under fire before and is again raising serious privacy concerns about the alarming potential for abuse.


The Wall Street Journal reported on Phorm and Kindsight intending to use DPI for adversnooping. Unlike cookie-based tracking, which creates one behavioral profile no matter how many people share a computer, DPI can provide extremely detailed profiles of one person based on whether the Internet activity is for work or for fun. It then targets ads accordingly. Kindsight says its “secret sauce” is the ability to identify “multiple characters per human.”

Phorm, which was previously known as 121Media, pushed behavioral advertising systems in the UK by calling them an anti-phishing solution. 121Media’s adware system was flagged as malicious and a trojan by Microsoft’s Malware Protection Center and was identified as spyware by many other security scanners. While Phorm is taking a different approach this time, rather than secretly tracking consumers, Kindsight seems to be trying to copy what Phorm was. According to WSJ, “To persuade Internet users to opt in to be profiled, Kindsight will offer a free security service, while Phorm promises to provide customized web content such as news articles tailored to users’ interests. Both would share ad revenue with the ISPs.”

“If you’re trying to engage in one-stop-shopping surveillance on the Internet, deep packet inspection would be an awesome tool,” said David Vladeck, Director of FTC’s Bureau of Consumer Protection.

Exploiting DPI surveillance for advertising is not a privacy-enhancing thought, as it can harvest many more personal details for a profile than website tracking cookies can, and the information collected by cookies is openly sold or traded for advertising purposes. Microsoft and Google have amassed huge amounts of information about email and search engine users, making millions by selling the most relevant ads, and that is without using DPI as an advertising tool to determine if you are in work or fun mode.

By 2013, DPI is expected to be a $1.5 billion business, reported Ars. Top customers will be mobile networks “optimizing” traffic which means “limiting or prioritizing traffic from data-hungry mobile devices.” Since the technology can be used to block peer-to-peer or other traffic, some people are concerned about network neutrality if ISPs use DPI to ban, limit, or throttle services.

EPIC has questioned the legality of Homeland Security’s cybersecurity tool “EINSTEIN 3” which uses DPI for active monitoring of network traffic. Market Research Media reported that U.S. government-related IP traffic will quintuple from 2010 to 2015 . . . and the government is fond of using DPI technology. “While technological advantages of the DPI technology leave no doubt about its significant role in cyber security, lawful interception and data leakage protection, the perception of DPI as ‘postal employees opening envelopes and reading letters inside’ and privacy concerns hurdle its deployment.”

Despite those assurances, we’ve seen the dangers of DPI used by governments for surveillance and censorship. The EFF stated that tech companies should be held responsible when they “knowingly sell customized human surveillance technologies to repressive regimes that are then used to target people for arrest, torture, and disappearance.” Nokia, in a court case, claimed that as a corporation, it should never be held accountable for its role in human rights violations.

The Center for Democracy and Technology listed privacy risks of ISPs using DPI. “There are several characteristics inherent to ISPs and their use of DPI that significantly increase the privacy stakes as compared to these other entities . . . ISPs are uniquely situated in three respects: they serve as gateways to all Internet content, switching ISPs can be difficult for Internet users, and their use of a tool as powerful and versatile as DPI makes it prone to mission creep. An exploration of each of these factors reveals that they are difficult or impossible to mitigate. Taken together they form the fundamental basis for the heightened privacy alarm that has characterized DPI debates.”

If people are concerned about potential privacy risks when ISPs use DPI, how much more invasive might DPI be as a marketing tool? Will Kindsight and Phorm snoopvertising protect people’s privacy this time? Do we really want marketing based upon deep packet inspection determining if we are surfing for work or for fun?

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.