DPI: The future is out there

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Ronald Deibert

March 2009

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Note: This essay was contributed by the author to the Office of the Privacy Commissioner of Canada's Deep Packet Inspection Project


In recent years a controversy has erupted in Canada, the United States and other parts of the industrialized world regarding the provision of Internet services. The controversy centers on the relationship between the entities that provide connectivity to the Internet (ISPs) and the traffic that flows their networks. A long-standing principle of the Internet’s architecture — known as “network neutrality” — says ISPs should not discriminate on the basis of the content that flows through their pipes. And yet today, ostensibly for reasons of efficiency and cost, that is precisely what many ISPs are doing. The practice, known as Deep Packet Inspection (DPI), involves network managers of ISPs developing procedures that track, inspect, and re-route or delay traffic based on the type of protocol being employed or the content of the communication being transmitted. Like many others, I believe that if DPI is adopted as the Internet’s norm, it will undermine the Internet’s foundational architecture and much of its novel and beneficial effects, threaten freedom of speech, access to information, and privacy online, and further carve up and degrade a valuable global commons.

While the controversy has bubbled up in North American and Europe, DPI is, in fact, widely practiced around the world, and an examination of some of the ways it is employed elsewhere may give us a glimpse of the future here. For the last six years, working with colleagues at Harvard, Cambridge, and Oxford Universities plus partners worldwide, I have helped marshal a talented pool of researchers, organized under the OpenNet Initiative (ONI) and Information Warfare Monitor (IWM) projects, to lift the lid on the Internet and document what goes on “beneath the surface.” For most people, the Internet’s infrastructure is largely invisible; the user’s experience begins and ends with the terminal that sits in front of them. However, it is deep within the subterranean realms of the Internet’s infrastructure – through the fibre optic cables, long haul lines, satellite uplinks, routers, and Internet exchanges — that power is increasingly exercised. Fortunately, as the Internet is an open public network, those with the knowledge and skills are able to interrogate it directly and uncover and expose these types of practices.

According to the latest findings of the ONI, more than two dozen countries now engage in some kind of Internet content filtering in which ISPs act as the frontline defense against content deemed politically, socially or strategically threatening. As evidence of mounting problems, we are presently testing for Internet censorship in 71 countries. Presumably dozens more engage in surveillance for the same reasons, although far less is known and documented about those practices. In countries where the rule of law is not regularly respected, and free speech and access to information is rare, widely cherished norms concerning “network neutrality” have little basis in reality. In China, Burma, Vietnam, Tunisia, Saudi Arabia, Yemen, Ethiopia, UAE, Syria, Pakistan, Iran, and Uzbekistan, to name a few of the worst offenders, governments routinely order ISPs to engage in DPI to block access to the websites of political opposition movements and human rights groups. In some of the most egregious cases, like Kyrgyzstan and Belarus, we have documented ISPs secretly disabling access to opposition websites leading up to and during election periods, and then restoring normal Internet connectivity afterwards — a phenomenon we have dubbed “just in time” filtering. Most of the ISP’s DPI practices take place without oversight or public accountability, and so errors, malicious redirects, and collateral blocking are legion. So is a phenomenon we call “mission creep”: once the practice of filtering has been enabled for whatever reason, the temptation to use it for a wide variety of other social and political problems is enormous. For example, Pakistan started out filtering access to satirical images and videos of the Prophet Muhammed; it now also blocks access to any websites related to the troublesome domestic Baluchistan insurgency.

To be sure, Canada is not Belarus, China, or Pakistan. And, of course, ISPs here claim they are engaged in DPI for narrow reasons of bandwidth control, and not for political reasons. Can we trust them? Recent research from the IWM should raise concerns. As detailed in our report, called Breaching Trust, our researcher Nart Villeneuve discovered that the Chinese version of Skype was not only filtering keywords on the instant messaging client, it was systematically uploading the messages containing the keywords to insecure servers in China. We were able to access, view, and download millions of messages containing sensitive political and economic information ostensibly collected at the behest of Chinese public security organizations. Many people suspected there was a “backdoor” in Skype and that the Chinese version was a Trojan horse for Chinese intelligence; the company publicly denied these worries in 2006. Our research proved they were wrong.

Even more instructive is our August 2005 ONI bulletin, which found that the Canadian ISP, Telus, was blocking subscribers’ access to a website set up by an employee labor union. Our research at the time showed that not only was Telus blocking access to the pro-union website, but it was collaterally filtering 766 additional, unrelated websites. Although our report and other observers questioned whether Telus violated CRTC regulations in blocking access to the pro-union website, Telus responded by saying that under contractual agreements with its customers, it has the right to block access to certain sites, such as those containing child pornography. No mention was made of the collateral filtering we discovered and as far as we know, Telus was not disciplined in any manner by the CRTC.

Once the norm against network neutrality is breached for whatever reasons, the relationship between Internet intermediaries and the communications they facilitate fundamentally changes, and with it the character of the Internet itself. The research of the ONI and IWM suggests strongly that pressures around mission creep mount, collateral blocking explodes, and the enforcement of public security is delegated to often unaccountable and mendacious private entities. Is that the Internet we want?

Date modified: