This testimony is also available in PDF format.
Oral Statement of Gigi B. Sohn
President, Public Knowledge
Before the
U.S. Senate
Committee on Commerce, Science, and Transportation
September 25, 2008
Chairman Inouye, Ranking Member Hutchison and Members of the Committee, thank you for giving me the opportunity to testify today. I’d like to focus on the growing use of technologies known as “Deep Packet Inspection,” or DPI, for short. The use of DPI technology has serious implications for the privacy rights of the American public. Public Knowledge, in partnership with Free Press, has been analyzing these technologies and their impact on both privacy and an open Internet. In June, our organizations published a white paper entitled “NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking,” which examined the technical and policy aspects of DPI. I applaud the Committee for its scrutiny of the use of these technologies.
Simply put, Deep Packet Inspection is the Internet equivalent of the postal service reading your mail. While a postal worker might read your mail for any number of reasons, the fact remains that your letter is being read by the very person whose job it is to deliver it.
When you use the Internet for Web browsing, email or any other purpose, the data you send and receive is broken up into small chunks called “packets.” These packets are wrapped in envelopes, which, much like paper envelopes, contain addresses for both the sender and the receiver–though they contain little information about what’s inside. Until recently, when you handed that envelope to your Internet Service Provider (or “ISP,” for short), the ISP simply read the address, figured out where to send the envelope in order to get it to its destination, and handed it off to the proper mail carrier.
Now, we understand that more and more ISPs are opening these envelopes, reading their contents, and keeping varying amounts of information about the communications inside for their own purposes. In many cases, ISPs are actually passing copies of the envelopes on to third parties who, in turn, read and make use of the information inside. And for the most part, customers are not aware that their ISPs are engaging in this behavior. The end result is much like if the postal service were to open your letter, photocopy it, hand that copy to a third party and then re-seal the letter, so that you would never know it had been opened in the first place.
Thus far, we’ve seen ISPs like Comcast use DPI as a means to identify and block certain types of Internet traffic, in violation of the FCC’s Internet Policy Statement. We’ve also seen advertising companies like NebuAd use DPI to collect browsing histories, online habits and other potentially personal information about users, in order to display advertisements that cater to a specific user’s interests.
The very nature of DPI technology raises grave privacy concerns. As a result, when evaluating an implementation of DPI, there are three basic questions that must be answered in order to assess both the impact on a user’s privacy and acceptability of use of the technology in question:
What purpose is the collected data being used for?
How is the data collected and utilized?
How was affirmative informed consent obtained?
Given the power of DPI and the scope of its possible uses, it is critical that we establish industry guidelines and legal protections for users. And while the use of personal data by web service providers is not the focus of today’s discussion, such uses raise a separate yet important set of privacy questions. Thus, any solution should strive to be comprehensive in scope and ensure that the basic principles of privacy protection are applied across the entire Internet ecosystem. These protections should meet three major goals. They must ensure:
First that the purpose of the use of customer data is one that is consistent with users’ privacy expectations.
Second, that the amount and type of data collected is narrowly tailored to the proposed use, and that the data is not kept or disseminated to third parties past what is necessary.
Third, that customers have access to and actually receive adequate information about the proposed use, and have affirmatively and actively consented to any practices that might violate their privacy expectations.
In order to achieve these goals, the Committee should seek to pass legislation that encapsulates these requirements and makes clear that the FCC has the power to enforce them. Even though the Communications Act aims to provide comprehensive privacy protection for users of all communications technologies, gaps in the law have allowed the privacy of some Internet users to fall through the cracks. The time has now come to address these inequalities and guarantee the right to privacy for all Internet users.
As the FCC has observed, “The [Communications Act] recognizes that customers must be able to control information they view as sensitive and personal from use, disclosure, and access by carriers.” Congress need only make it clear that Internet users’ privacy is yet another area of communications where the Commission is empowered to protect a user’s rights.
Public Knowledge is eager to work with the Committee to craft privacy legislation that will protect all Internet users. I look forward to your questions.
