Deep Packet Inspection a threat to net neutrality, say campaigners

Some of Europe’s biggest ISPs and mobile operators stand accused of using Deep Packet Inspection (DPI) technology to quietly undermine net neutrality rules and user privacy.

News of the troubling allegation first reached the public domain earlier this year in an analysis by a German organisation. It claimed to have detected 186 products offered by providers that appeared to involve applying DPI to customers’ traffic. Deep packet inspection filters network traffic by looking at the contents of data packets, not just their headers.

Naked Security’s Mark Stockley explains:

Traditional network filtering is like directing road traffic based on the type of vehicle. DPI is like looking at who’s driving and what’s in the trunk.

Now a group of academics and digital rights campaigners headed by European Digital Rights (EDRi) has sent EU authorities an open letter pointing out the implications of this. The EDRi letter states:

Several of these products by mobile operators with large market shares are confirmed to rely on DPI because their products offer providers of applications or services the option of identifying their traffic via criteria such as Domain names, SNI, URLs or DNS snooping.

EU regulation outlaws DPI for anything other than basic traffic management, but it seems that providers in many countries have found a grey area that allows them to bend – and increasingly bypass – those rules.

The frontline of this is something called ‘zero rating’ whereby mobile operators attract subscribers by offering free access to a specific application – a streaming service would be one example – without that counting towards their data allowance.

By its nature, this favours larger application providers, in effect busting the principle of net neutrality that says that all applications and services should be given equal prioritisation across networks.

DPI is the technology that makes this possible because:

DPI allows IAS providers to identify and distinguish traffic in their networks in order to identify traffic of specific applications or services for purposes such as billing them differently, throttling or prioritising them over other traffic.

DPI has Phorm

DPI is a technology that’s been around in business LAN/WAN networking for years and has plenty of legitimate uses, including simply looking at traffic at a packet level to make sure important applications are given higher levels of prioritisation.

ISPs can also use it to detect traffic they deem to be in breach of terms and conditions – such as that sent by a small number of users to torrent and file-sharing sites.

Inevitably, the technology is open to abuse, as appeared to be the case when a number of UK ISPs signed up with an ad targeting company called Phorm in 2008.

Its system worked by using DPI to scan users’ web traffic and searches for keywords, and using this data to show them individualised ads. Worse, the platform had been used in trials without the privacy implications being explained to subscribers.

The storm that erupted around (and eventually killed) Phorm turned DPI into a technology with a bad reputation that has stuck ever since in some countries.

A decade on, mobile providers are the big players and, rather like early broadband networks, these operate according to rules that ruthlessly conserve, meter and prioritise data capacity.

It’s the basis on which they’re doing that which EDRi objects to. Its letter to the EU paints a picture of a slow slide towards DPI and, with it, the end of true net neutrality. At that point, it claims, user privacy will be in deep packet trouble.

Prevention v cure

One difference in today’s battles with DPI is the emergence of standards and technologies that allow users to fight back. These include widespread HTTPS, which hides URLs and page content from the network, and emerging standards such as DNS over HTTPS, which secures DNS traffic, and encrypted Server Name Indication (SNI), which hides the hostname otherwise sent in the clear at the start of a TLS connection.

Alternatively, VPNs are an even simpler way to prevent DPI monitoring because all traffic crossing the ISP’s network is encrypted. Arguably, that’s a kludge. Not all VPNs have a trustworthy reputation, and the ones that do tend to be expensive and far from seamless to set up. There’s also the possibility of DNS leaks, where name lookups still travel outside the tunnel.

If a newer generation of privacy-oriented VPNs, such as Cloudflare’s proposed Warp service, doesn’t offer a way out for users, it’ll be down to the EU to tighten the rules. Mobile companies won’t go down without a fight because DPI has been built into their business models and can’t easily be ripped out.

DPI has the potential to turn into a decade-defining fight.