Deep Packet Inspection and the Transparency of Citizens

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Bert Jaap-Koops

March 2009

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Note: This essay was contributed by the author to the Office of the Privacy Commissioner of Canada's Deep Packet Inspection Project

Each day, billions of messages roam the Internet, divided into small packets that each seek their way across the Internet. Only the sender and recipient reassemble the packets to get the message. Unfortunately, many messages today are malicious, with worms, viruses, or spyware, which organised criminals exploit to commit cybercrimes on a large scale. Here, deep packet inspection (DPI) might come to the rescue, since it allows monitoring and filtering of packets wherever they happen to pass. DPI can also meet other objectives in security, service provision, or compliance assurance. But do we really want to have a technology that enables instant, ubiquitous monitoring of everything that travels the Internet?

DPI is the next surveillance application that enters society unnoticed and suddenly is there, begging to be used. It follows closed-circuit television (CCTV), aerial photography, miniature cameras, directional microphones, biometrics, olfactory sensors, automated face and number-plate recognition, data mining, and profiling as yet another way of watching (over) us. In recent years, we have seen an enormous increase in data generation, processing, and storage: we are not only a networked but also a database society. DPI enlarges the surveillance toolkit primarily by allowing many more actors to collect data and to use them for their own purposes.

Leaving aside issues of private-actor surveillance, I want to call attention here to the use governments are likely to make of DPI. Once Internet Service Providers (ISPs), or other companies for that matter, embrace DPI, they can monitor and select passing traffic much more sophisticatedly than by merely scanning header information. This capacity can prove of great benefit to law enforcement agencies and intelligence services, who can use existing investigation powers to enlist assistance of ISPs. Particularly relevant is that DPI allows for real-time monitoring, and hence facilitates a preventative approach as opposed to the retroactive approach that law enforcement traditionally used.

DPI therefore adds to the trend that broader groups of unsuspected citizens are under surveillance: rather than investigating relatively few individuals on the basis of reasonable indications that they have committed a crime, more people, including groups, are nowadays being watched for slight indications of being involved in (potential) crimes. Thus, the ‘footprint’ of criminal law and intelligence is slowly widening to cover more circles of society. This preventative tendency in law enforcement fits the movement towards a risk society (Beck) and a culture of control (Garland). The factual explosion of data generation, inspection, and storage enable the government to collect and use significantly more data about citizens than before, and this increase is not only quantitative but also qualitative. The personal lives of citizens are reflected in their Internet behaviour, and if that can be monitored ubiquitously and perpetually, they are becoming increasingly transparent to the government.

An increased government power of knowledge over citizens is not necessarily wrong, since changes in society may warrant such a shift. However, it should be carefully argued that increased surveillance is indeed necessary, and empirical data are required to substantiate this. Surveillance developments are, however, often rather matter-of-fact; the whole process is piecemeal with small individual steps, which together constitute a giant leap. The policy and societal debates often focus on the individual steps rather than on the entire leap, and it is questionable whether the cumulative move towards surveillance and preventative risk control is evidence-based and well-considered. A key recommendation for legislatures is to pay more attention to empirical underpinning of surveillance measures and their cumulative effect, to commission evaluation studies, and to use sunset clauses in legislation in case a measure does not show effect.

Also, more checks and balances are required. The increased government power needs to be balanced by additional checks, notably with more transparency requirements (citizens must know which data are being collected and processed for which purposes) and with enhanced audit and supervision. Independent authorities should regularly check whether the government uses its powers correctly and legitimately. The criminal court is no longer the primary instrument to check the execution of investigation powers, since many cases are not brought before the court, and alternative supervision mechanisms should be considered.

In surveillance debates, data protection is a key element. To my view, the legal framework for data protection has become outdated. The assumption of preventing data processing as much as possible is no longer valid in the current networked database society. Large-scale data collection and correlation is inevitable nowadays, and the emergence of DPI serves to underline this. Therefore, instead of focusing data protection on prevention in the data collection stage, it should rather be focused on decent treatment in the data usage stage. In other words, data protection is valuable not so much to enhance privacy, but to ensure transparency of government and non-discrimination.

While data protection can serve to regulate the use of data, it remains to be discussed whether DPI should be allowed for government use in the first place. Here, other elements of privacy come to the fore: protection of the home, family relations, and correspondence. These elements are likely to be infringed by DPI. Since privacy is a core constitutional value to safeguard citizens’ liberty and autonomy in a democratic constitutional state, DPI should be critically assessed. DPI could be accepted as a new tool for law enforcement, if it turns out a necessary addition to the current investigation toolkit. But the cumulative power of this toolkit to make unsuspected citizens completely transparent to the government surely requires a fundamental rethinking of legal protection. Society needs substantial new checks and balances to counter-balance the increase in government power over its citizens.

Date modified: