Public Knowledge Shines a Light on Deep Packet Inspection

“Deep packet inspection” is a bogeyman which is being used by lobbyists to justify intensive, unnecessary regulation of the Internet. It’s also a misnomer. Packets are one-dimensional strings of bits. They have no “depth” at all! They’re analogous not to mail (which comes in an envelope) but rather to a post card.

What’s more, every time a packet passes through an Internet router, the router must make routing decisions based on bits in the packet. It also changes bits in the packet so that other routers know where the packet came from, where it’s going next, and how many hops it’s taken on the way to its destination. So, having Internet equipment “look at” (and change!) bits in the packet is not something novel; it’s necessary to the operation of the Internet.

What’s more, this is all done mechanically. A human isn’t “inspecting” the packet or remembering what it contained, so it isn’t any more analogous to reading your mail than it is when the postal service looks at a postcard you’ve sent so as to deliver it.

Why, then, this effort to brand Internet service providers’ normal and necessary practices as evil? Because Washington lawyers and lobbyists make their money by pursuing causes, and one of the favorite things they like to do is create bogeymen and then alarm the public about them. They can then say, “Give money to my organization to help fight this evil!” This allows them to grow their empires and their own salaries. In this case, in doing so, they rely on the public’s lack of knowledge of how the Internet functions.

As a small ISP, however, I can tell you what will happen if these groups succeed in imposing stifling regulation — as they tried to do both in this hearing and in the Comcast hearings before the FCC. Only the cable companies and the telephone companies will be able to figure out all of the regulations, much less comply with them. Small and independent ISPs will vanish, leaving consumers will no choice except (if they’re lucky) between the phone company and the cable company. This concentration of power will give the lawyers and lobbyists lots of work, but it’ll hurt consumers, raise the price of your Internet service, and jeopardize service to rural areas (which are mostly served by small independents). If that’s what you want, support Ms. Sohn’s position on DPI. But if you’re an informed and skeptical consumer, you won’t fall for the scare stories so quickly and will take time to be informed about the issues.

ISP, thanks for your comment. There are a few points in your comment that I'd like to address, for the sake of clarification.

In terms of technical accuracy, you're absolutely right that an IP packet is more like a postcard than a letter. As a matter of fact, we had an internal discussion here as to whether we should use a letter or a postcard analogy. We decided that the letter analogy would be easier to understand, though the fundamental idea behind both analogies is the same. Does a postcard not have discrete sections for the address and the message--much like an IP packet has a discrete header and body? The reading and changing of bits that you refer to all takes place in the header of the IP packet, or the address section of the postcard, if you will. Whether the body of the packet is referred to as a letter inside an envelope or the message section of a postcard, the point still stands. (Anyone looking for more information on IP packet structure should check out this diagram)

Nowhere in either Gigi's written or oral testimony is it ever suggested that DPI involves humans actively inspecting packets--the very thought is impractical to the point of absurdity, as I'm sure you recognize. That notwithstanding, does the fact that it's a machine rather than a person that's reading the contents of your communications and then storing that information for later use make you any more comfortable? Would you be okay with the phone company recording all of your calls, as long as the recording and archiving of those calls was automated?

I sympathize with the difficulties faced by small, rural ISPs and Public Knowledge has always worked to ensure greater consumer choice in the broadband market, through support for a national broadband strategy, proposals to reform the Universal Service Fund, etc. However, I'm not sure how legislation curtailing certain uses of DPI will give national ISPs the upper hand while regulating the little guy out of existence--as you seem to suggest.

First, as was noted in Gigi's testimony, Public Knowledge is not calling for DPI to be outlawed. Public Knowledge has never advocated that any technology be made illegal--we have only worked to restrict specific uses of technology that harm users. In her oral testimony before the Sentate Committee on Commerce, Science and Transportation, Gigi even went so far as to recognize that DPI has legitimate uses. Gigi called for DPI to be barred from use only if: the data culled from its use is not consistent with users' privacy expectations; the amount and type of data collected is not narrowly tailored to the proposed use; or if customers do not receive adequate information about the proposed use and do not actively consent to the collection of their data.

NebuAd's behavioral advertising system is a good example of a use of DPI that violates these guidelines: they collected all of a user's data (including private data and data that was irrelevant to their user profiling) unbeknown to that user, they did not provide users with an adequate amount of information regarding their practices and they deployed their system without active user consent.

Second, in your post you claim that "Small and independent ISPs will vanish, leaving consumers [with] no choice except (if they’re lucky) between the phone company and the cable company," if any sort of legislation is crafted that regulates the use of DPI. I'm assuming here that you're referring to the coming "exaflood" and that you're suggesting that small ISPs will find themselves overwhelmed if they're not allowed to use DPI for network management--though you do not make that point clear.

While I have yet to see any convincing evidence that the exaflood will actually create a scarcity of bandwidth on the Internet, I also have yet to see an implementation of DPI that addresses the problem that ISPs claim they're trying to solve: peak-time congestion. All of the DPI-based network management solutions we've seen thus far (see: Comcast) throttle connections irrespective of time or current network load, thereby failing to address the crisis that supposedly justifies their use.

At the end of the day, Public Knowledge is not asking for a set of detailed, over-specified, technical regulations. Rather, we would like to see a legislative body adopt a broad principle of nondiscrimination--one that applies equally to all players in the Internet ecosystem, be they large or small. And while we don't dispute an ISP's right to manage its traffic, we do ask that certain consumer-protection provisions be adopted and enforced, to prevent a few bad actors like NebuAd from abusing a powerful tool like DPI.

As for your suggestion that we're only drawing attention to this issue in order to "grow [our] empires" and fortunes, I'd like to invite you to visit our office the next time you're in Washington, D.C. It will be quite clear to you that we possess neither an empire nor a fortune--just a belief that all Internet users deserve to have their rights respected while surfing the Web.

- mehan

Mehan, I admire your passion and your dedication as an activist. Unfortunately, many of the activists who believe that they are doing a public service when they lobby for “network neutrality” simply do not understand how the Internet works. As a real life ISP, I work on actually building out the Internet every day. (See my testimony before the FCC at http://www.brettglass.com/FCC/remarks.html for an overview of my ISP and its background.) And I can tell you that the constraints being proposed by your organization — as well as the ones that it advocated in the proceeding against Comcast (the order in which was illegal and will surely be overturned upon judicial review) — would do great harm to the public.

The fact is that the difference between a postcard and a letter as an analogy to an Internet packet is vitally important. People understand that the information on the outside of a postcard can be read by anyone who handles it, and that it’s actually difficult to read the address without noticing what the postcard says. What’s more, Federal law has long held that a “mail cover” — recording of what’s on the outside of mail, including the text of postcards — can be conducted without a warrant, and that there’s no reasonable expectation of privacy in the text of a postcard for that reason. (The same is true of an unencrypted Internet packet. It can pass through hundreds of hands — public, private, and even outside the country — before arriving at its destination, and it isn’t reasonable to assume that no one will look at it. If you want privacy, encrypt.)

The analogy to an old fashioned telephone call is also invalid. During the days of the Bell System monopoly, there was (again) a single carrier from end to end. On the Internet, no one knows who might carry the packet. It may pass through the air over an unecrypted wireless network. It may go through Canada, Mexico, or some other country. It may pass through a corporate network whose owner is not an ISP. It may pass through an educational institution, public or private. This is just due to the fundamental design of the Internet. It was not designed to be secure or private; it was just designed to get the data there while the user took responsbility for any protection of privacy. As an ISP, I fiercely guard my users’ privacy. But I also warn them: this is not the telephone system. It’s a different beast. And if they are ignorant of the technology and try to apply the expectations that were inherent in the phone system of old, they will be sorely disappointed.

As for the regulation you propose: It will, most assuredly, hurt smaller and independent ISPs — just like the regulation you promoted in the Comcast case. By attempting to legislate that the Internet must work like the Bell System, you are leaving room only for a heavily regulated monopoly or duopoly. Small providers would not be able to jump through all of the hoops or deal with the regulatory burden. They would also not be able to manage their networks, because what you call “DPI” (and, again, the term should be dropped because it is grossly inaccurate and is merely intended to alarm the public) is in fact necessary to reasonable network management. For example, if we don’t know what traffic is Voice over IP, we cannot ensure that VoIP will be of adequate quality, and users will go to cable telephony (which doesn’t run over the Internet) or buy conventional phone lines, cutting out third party ISPs.

Again, Mehan, before you advocate or lobby, understand what the consequences will be if you are successful. I’d be glad to speak with you at leangth about this, so long as you’re willing to listen to an “old timer” in the field who really does have the best interests of consumers at heart. (I’ve given up on folks like Ben Smith, who seem to want there to be a duopoly so that they can crusade against it.)

P.S. — The name above should have been Ben Scott, not Ben Smith. Ben Scott, of the lobbying group known as “free press,” has been gloating over the Comcast decision while in fact it has harmed consumers by forcing ISPs to put cell phone-like caps on their connections. Technology policy should not be dictated by DC lobbyists who do not understand the technology.