According to House Subcommittee on Communications, Technology, and the Internet Chairman Rick Boucher (D-VA)
Deep packet inspection enables the opening of the packets which hold the content of Internet transported communications. Through the use of DPI the content can be fully revealed and examined.
It has generally accepted beneficial uses such as enabling better control of networks and the blocking of Internet viruses and worms. It also enables better compliance by Internet service providers with warrants authorizing electronic message intercepts by law enforcement.
But its privacy intrusion potential is nothing short of frightening. The thought that a network operator could track a user’s every move on the Internet, record the details of every search and read every email or attached document is alarming.
And while I’m certain that no one appearing on the panel today uses DPI in this way, our discussion today of the capabilities of the technology, the extent of its deployment and the uses to which it is being put will give us a better understanding of where to draw lines between permissible and impermissible uses or uses that might justify opt-in as opposed to opt-out consent.
But as Kyle McSlarrow, CEO of the National Cable and Telecommunications Association notes,
Packet inspection serves a number of pro-consumer purposes. First, it can be used to detect and prevent spam and malware, and protect subscribers against invasions of their home computers. It can identify packets that contain viruses or worms that will trigger denial of service attacks; and it can proactively prevent so-called Trojan horse infections from opening a user’s PC to hackers and surreptitiously transmitting identity information to the sender of the virus.
Packet inspection can also be used to help prevent phishing attacks from malicious emails that promote fake bank sites and other sites. And it can be used to prevent hackers from using infected customers’ PCs as “proxies,” a technique used by criminals, in which user PCs are taken over and used as jumping-off points to access the Internet, while the traffic appears to be generated by the subscriber’s PC. As a result, the technology can be used in spam filters and firewalls.
Second, packet inspection can be used for network diagnostics and capacity planning. Cable operators cannot plan for network growth without understanding how Internet traffic is growing and the uses to which it is put. By using this technology to analyze the aggregate growth and usage changes in network traffic patterns over time, cable operators can anticipate the needs of their subscribers and appropriately plan for network growth.
Third, packet inspection can help network operators accurately respond to formal requests from law enforcement agencies for the interception of communications for law enforcement purposes. When law enforcement agencies identify traffic of concern, this technology allows network operators to comply with their legal obligations to flag that traffic.
Finally, the Internet is not static. Different opportunities and challenges will emerge and this technology may prove useful in providing consumers more choice and control in ways that are difficult to predict today. For instance, as streaming video capabilities increase, this technology could be a means of supporting more advanced parental controls.
It will not be possible for Congress to outlaw deep packet inspection, because the consumer benefits are too compelling.
And besides, deep packet inspection is only one of the ways oneline providers can accumulate personally-identifiable information about consumer preferences.
If Congress tries to regulate how online providers collect sensitive consumer data it runs the risk of choosing the wrong technology winner and losers.
Consumers ought to be allowed to opt in or out.
AT&T says it will let consumers opt in
AT&T will not use consumer information for online behavioral advertising without an affirmative, advance action by the consumer that is based on a clear explanation of how the consumer’s action will affect the use of her information.
But other entities, such as Google, are using an opt-out approach.
Both are excellent business models which allow consumers to choose. The AT&T approach may promote more privacy; the Google approach may promote more free services. Both approaches give consumers notice and control.
AT&T, Google and others ought to be allowed to compete. And consumers ought to be allowed to choose.
With freedom to innovate, who can predict what new service and features the providers will come up with?
A legitimate issue for Congress is what should the liability for online providers be for violations of privacy policicies, including breaches of sensitive consumer data?
This is an area in which it would be appropriate for Congress to enact tough sanctions, if it is so inclined.