Badware and DPI

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Maxim Weinstein

March 2009

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Note: This essay was contributed by the author to the Office of the Privacy Commissioner of Canada's Deep Packet Inspection Project


For the past few years, StopBadware has been leading a community-based effort to develop and update guidelines that define badware and to hold software producers publicly accountable when their applications violate these guidelines. As the definition has evolved, it has come to include a superset of software that includes traditional malware (viruses, Trojans, etc.), certain types of adware and spyware, and even some mainstream applications. The common thread that binds all of this badware together is a failure to give the user control. This lack of control—over a user’s computer, his personal information, and/or his online experience—threatens the user’s privacy and security.

Unlike the software that we typically review at StopBadware, the new breed of deep packet inspection (DPI) advertising products are not applications that are installed on a user’s personal computer. Instead, they are elaborate systems set up by the product’s creator in collaboration with an ISP. All of the software and hardware exist “in the cloud.” That said, the system has a direct impact on the user, her computer, and her personal information, so it seems reasonable that the same basic principles of user control—even if implemented differently—should apply.

Using an analysis of PhormFootnote 1, one such system, as an example, let’s look at how these DPI advertising systems can affect the user:

  1. Advertisements displayed to a user by participating websites are targeted to the user based upon the user’s browsing history.
  2. The history of web pages the user visits and the content she sees on those web pages are logged by the ISP and connected to a unique identifier associated with that user’s computer/browser.
  3. That same information about the user is sent, semi-anonymized, by the ISP to the advertising system provider.
  4. Some of the user’s web browsing sessions are intercepted and diverted to the advertising system’s servers without the user’s knowledge.
  5. The cookies stored on the user’s computer by websites that she visited are modified by the advertising system, which pretends to be the website that the user was actually trying to visit.

Where are the points at which it is reasonable for a user to have control? It is probably reasonable to discount the first point, regarding the user’s experience of seeing targeted advertisements. While the method of targeting (see points two through five) may be of concern, the typical user is unlikely to care how a website decides which ads to display when the user visits the site.
Points two and three involve the disclosure of information a user might consider personal—what sites am I visiting and what am I reading about on those sites—to parties the user might not expect to be receiving that information. That the system is designed to keep the data anonymous (when the system is functioning properly and not being abused by staff of the ISP or the advertising company) is not sufficient. A user should know about the data being collected and shared and decide for herself whether the companies in question can be trusted to keep their commitment to anonymity.

The fourth and fifth points raise a different type of trust question: can you trust your ISP to deliver traffic between your computer and another computer on the Internet unimpeded? It seems like a reasonable expectation that, while an ISP may route traffic in various ways, it always delivers that traffic to its intended destination. One can argue about whether such interference by the ISP should be permissible even with user consent, but it at least seems clear that users should have control over a decision that fundamentally changes the ISP’s role.

It should now be clear that the same principles of user control that apply to local applications should also apply to DPI advertising systems, given the significant impact these systems have on the user. At a minimum, this would require ISPs implementing such a system to provide full, accurate, clear, and conspicuous notice to the user in plain language and to receive affirmative consent from the user prior to the system’s use. The challenge, albeit a necessary one for ISPs considering such a system, will be to make the disclosure clear enough that it sets the user’s expectations accurately while still being understandable to a typical user. The vast majority of reputable software producers have risen to this challenge for their products, and we expect the same respect for user control from ISPs.

Date modified: