News

Bell Canada Hit With Privacy Complaint Over Deep Packet Inspection Practices

CIPPIC has filed a privacy complaint with the Privacy Commissioner of Canada over Bell's deep packet inspection practices.  With CAIP raising the privacy issue in its submission to the CRTC, it was only a matter of time before the Privacy Commissioner was asked to intervene.  CIPPIC highlights several privacy concerns with Bell's network management practices including:

  • Bell's failure to obtain consent for the collection of personal information through DPI from customers of the independent ISPs
  • Bell's failure to obtain informed consent from its own customers given the lack of information on network management practices
  • Bell's violation of the principle of limiting collection, since the evidence "suggests that Bell can manage its network adequately without inspecting the content of user communications."  CIPPIC notes that other providers do not engage in the same practice and that there are less privacy invasive means to address network congestion concerns.
  • Bell's violation of the openness principle, given its failure to disclose "in a clear and conspicuous manner to the public its use of DPI for traffic management purposes."

The case obviously has implications that extend beyond just Bell.  Indeed, CIPPIC urges the Privacy Commissioner to also investigate DPI usage by other Canadian ISPs.

18 Comments

  1. Good news. I hope Bell (and their similarly sleazy rivals) clean up their act before losing whatever goodwill that their customers have left for them.

  2. Goodwill? Customers here are like sheep, they follow blindly accepting whatever crap these monopolies dictate to them. It doesn’t matter how bad it is, they still accept it. That’s why we are in this mess in the first place.

  3. Sheep?
    I’d say the politicians are the sheep, opening up markets without the requisite checks and balances to enable competition rather than just allow prices to skyrocket.

    Users have, in large numbers, moved over to the competitive providers because they aren’t sheep, and now that option is getting neutered, but that’s not what this privacy complaint is about (but probably the impetus).

    Anyways, time for me to start reading through PIPEDA.

  4. Anonymous says:

    Thought Michael Geist and CIPPIC are the same thing/prson

  5. Network Management & Privacy
    I have worked with ISP’s for almost 10 years and there are many effective ways of managing bandwidth without ever really seeing your customers actual data. I think we (Canadians) need to keep an eye on this sort of practice by ISP’s. Using DPI to manage their bandwidth is not a lot different than Bell deciding to record and listen to all of our telephone conversations so that they can graph when we talk to loved ones or call our friends to talk shit.

    DPI is just not necessary.

  6. DPI is not Network Management
    DPI is *not* about network/traffic management.

    If you look at the facts, and think a little, you will see why this cannot make sense. (Please take the time to do so.)

    In the end, it is about copyright enforcement by mass surveillance. Not unlike national security by mass surveillance.

    Bell and Rogers both have an interest in keeping the RIAA, MPAA, and other major media corporations happy. These organizations are constantly lobbying the US and Canadian governments to look after their interests.

    By using the guise of network/traffic management, the communications providers are using existing exclusions to the law (i.e. preventing interference with their network) to extend their powers of enforcement of policies dictated to them by their business partners.

    This isn’t a tin-foil hat alert, either. Take a look at some of the recent headlines of a foreshadowing of what is to come:

    AT&T and Other I.S.P.’s May Be Getting Ready to Filter
    [ link ]

    My favourite quote from the above article:

    “… AT&T has been talking to technology companies, and members of the M.P.A.A. and R.I.A.A., for the last six months about carrying out digital fingerprinting techniques on the network level.”

    Leaked letter shows RIAA pressuring ISPs, planning discounts for early settlements
    [ link ]

    There are many more examples, but I think I’ve made my point.

  7. YOU MEAN says:

    WRONG
    your point is made about what that its ok to LIE to people what you are doing to assume like DRM that we all are criminals when i went to a store in 2003 and saw a music cd for 30$ at future shop?

    Tell me sir who is the real criminal the person who downloads music to be enjoyed and shared ( which has been how it was done for thousands of years before hollywood)
    and/or entertainment that was done free as well.

    OR is it the people that overcharge cellphone rates, internet traffic shaping that spies and gov’ts that tell you “weapons of mass destruction” and get our kids killed cause THEY wanted oil or more importantly money.

    Once again we see greed over take true democracy.
    Soon the people will speak and boy are liberals and CONservatives going to pay.

    and its not illegal nor considered infringement to download with teh cdr levy.

    the SAC proposal could be done for music at 50cents and if they applie dit world wide would net them hundreds a milions, a simple buck would suffice world wide for movies. and then the non sense can be over and some of that cash can go to an ISP ONLY IF HE MAKES FASTER the internet or increases capacities.
    SIMPLE remember.
    spying on me only has me hack ways around it all.
    DPI does not work with my custom encryption, all it does then is slow me down on both ends AND they shape you cause they don’t know what your up to.

    if this sounds familiar remember the canuck that did 7 years of jail time for sending the encrypted word “HELLO” at above the legal limit overseas( an old cold war rule that said if you do the encrypted send you are considered a traitor )

    you will make traitors of us all as i will encrypt beyond there ability to decrypt….

  8. big brother says:

    getting rid of privacy
    I would also like that Internet Providers start to inspect all bank transactions and bank balances in order to flag any suspicious “making money” activity. If all that effort is put to stop copyright infringers why do not use it “democratically” to stop any kind of criminality. Since the goal of criminality is to make money checking people bank accounts could be the solution(privacy laws could just be changed or forgot). If Internet Providers could be considered responsible for copyright infringement why not considering banks responsible for money made illegally?

  9. Tin Foil Hat says:

    Expensive Gears
    Look at the price tag of the new DPI announcement – $800,000 for a box that does 80Gbps of traffic and serve 5 million subscribers.

    – Where are the legal market for these expensive boxes? Recent legislation introduced in the U.S. Senate on Tuesday in support of Net Neutrality.

    – Why spend $800,000 when you can buy a Cisco router for 80Gbps traffic at $44654 listed price at 5.58% cost of a DPI box! Cisco is also known to sell at high discount to selected customers. The real question is how can short sighted, publicly traded corporations hope to recoup when the alternative is so much cheaper? What are they using these boxes for really?

    Reference: [ link ]
    Converted to U.S. dollars and have 30% discount taken off.

    – $800,000 and 5 million subscribers is a lot for a small ISP. That\’s 1/6 of population of Canada and likely one is more than we need at the moment.

  10. DPI is not Network Management
    Placing DPI in the Network Management category is simply a way to hide the true intent of DPI. We can assume that the network is managed to begin with else it would not exist or function, so the introduction of DPI begs a major question, for me at least from a common sense stand point; If most traffic information can be gleaned from packet headers, destination IP addresses, flow patterns, handshakes, and the like, why bother to put DPI in place to do a deeper inspection?

    The only reason for DPI is to go further, further then the boundaries of law permit, further then the trusting souls, the customer, who use the internet service provider envisioned. Yes. the only reason for DPI is to disclose what is in those millions of packets flying around in cyberspace, and that folks points to another very fundamental invaision that can only come from one source, that source is the MPAA and others like it who would have the only reasons for wanting to disclose whats in a packet. Why does it matter to an ISP as to whats in a packet anyway…their networks are for routing packets and moving them around, not for trying to see whats in them. All it will take is one unscrupulous person to get hold of someones personal information and use it for a criminal reason.

    We enact laws to limit the sale of guns, we enact laws to stop the sale and distribution of drugs and other things harmful to society as a whole, we enact laws to protect the public as a whole. We enact these laws when the boundaries of a normal peaceful society are breached or threatened, and we enact them before the real harm is done or to prevent real harm. Its a cinch that allowing the ISP’s to control this technology is like allowing the fox to guard the hen house. This is no different, if we do not enact laws to prevent things like DPI, to prevent the harm from being done to begin with, to remove the control of the ISP’s and providers from having the ability use such things against us, then we have lost control of our own society.

    In WWII Hitler had the Gestapo gather information on those that were considered ‘undesirable’, more recently Sadamm Hussein did the same thing and persecuted thousands, all thru history we have gone to war over such things. Make no mistake, the cyberspace world is part of our real world and our society. DPI and those things like it are the Hitlers and Saddam’s of the cyberspace world, and just as Hitler and Saddamm had their detrimental effect on the real world and history, DPI will have the same effect on the cyberspace world.

  11. Anonymous says:

    bill
    Lets see the big isp,s can look or inspect anything . Ok the current gov wants to call an election . The prime minister notifies all MPs by internet . , Big isp sees this . Then it sells this info to the NDP Liberals . Conservitives lose .
    Canada cares to stop a Taliban attack in Afganistan . Big isp sees this and sells this info too the Taliban , Canadians die .
    Company invents the latest greatest wiget . Big isp sees it sells it to other Big company , makes millions . Internet security is a national security issue , not just a privacy issue .Wake up regulators this is very important . Its not about p2p its about who can control the world . Im not kidding

  12. Steven G says:

    Nice, BetaNews picks up the story.
    [ link ]

  13. Read PIPEDA
    As a law student I have studied PIPEDA carefully and also reviewed the complaint from the CIPPIC, but I have yet to see evidence where the ISPs are collecting personal information. Also these DPI devices are real time systems, so is it feasible for the ISPs to gain consent of parties which are potentially all around the globe. Gaining consent may not be possible in such a system as the internet.

    7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if

    (a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;

    Since Bell\’s main goal is to manage it\’s network to ensure quality of service for all of it\’s customers, woudldn\’t it be in the best interest of customers to allow Bell to shape traffic and be aware of applications used for maliscious activities if it. For example if you were to purposely conduct a denial of service attack on an ecommerce website and interfering with business, you would be breaking the law, and you can bet that you would receive a phone call once network administrators identified the issue. People may also recall horror stories of the @home service failure out of Redwood, California. No traffic shaping was employed and the network degradation was so severe in 2000 ~ 2001 that network outages were disrupting services all around Western Canada/US. Is that what we stand to gain with true net neutrality?

    I note there is a false analogy used in the letter of complaint as well, such as the \”opening of the letter\” in which a single letter example is used. It is not a single letter that is being opened by an individual, it is billions of data packets that are opened by a networking device. In fact all packets are opened and closed everywhere in the internet, that is how the internet works. The issue is that these packets are potentially coming from a single application or user activity that are contributing to degraded network which is the Internet shared across all ISPs. Let\’s continue to use this opening of a letter post office analogy for a sec. If you were to instantly send 300 million letters from your home, wouldn\’t the postal system slow down? What about the other people who want to send a birthday card to Grandma, or conduct commerce. So let\’s assume then that your postal system could handle it there were no complaints from others wanting to use the local postal system, You send all 300 million letters to a single destination, could the receiver handle this capacity, what about the postal infrastructure? You would likely receive complaints from all directions, and things would certainly slow down which is a more accurate analogy.

    We have not gained any evidence of several points in this letter so far.

    How do we know if Bell is in violation of the principle of limiting collection? \”evidence suggests that Bell can manage its network adequately without inspecting the content of user communications.\” Data travels across it by being copied from one location to the next in the form of packets. Therefore, the internet cannot really be anonymous as many believe. Even encrypted packets must adhere to the rules of the road in order to travel across it.

    \”CIPPIC notes that other providers do not engage in the same practice and that there are less privacy invasive means to address network congestion concerns.\” Is this factual? It would appear contrary to the norm for ISPs.

    Bell\’s violation of the openness principle, given its failure to disclose \”in a clear and conspicuous manner to the public its use of DPI for traffic management purposes.\” What is reasonable here? I\’m not so sure that average people can grasp computing science concepts that someone at a Master\’s or PhD level may even have difficulty with. We are taking about network engineering with hundreds of protocols, and the travelling salesmen here. Not only this, but companies also have intellectual property and trade secrets which they simply can not always share.

    One thing I have learned as a law student is that when evaluating an argument you must adhere to the facts and weigh them carefully. After initially jumping on the net neutrality bandwagon as the obvious way to go, I feel the letter of complaint from the CIPPIC is quite a weak argument. Bell definitely makes a stronger argument. Unfortunately, there seems to be an overwhelming amount of misconception and false speculation surrounding the issues which only hurts the net neutrality argument.

  14. Jack Robinson says:

    Privacy in the Panopticon Age?
    Once again, Mr. Geist… I’d like to offer my sincere appreciation for your efforts in preserving the free exchange of knowledge and information in an increasingly corporate-controlled electronic Zeitgeist… and the forum which you provide.

    In my estimation, the issue of Deep Packet Internet user monitoring and profiling by Bilious Bell is hardly a bellwether issue, as digital content and service providers have been tracking our usage preferences ever since the once-egalitarian Web became a hugely profitable enterprise for mega-server and apps providers.

    And given the buckaroo-driven lobbying clout the Big Kahunas have systematically achieved… particularly here in our ‘terrorized’ Pax Americana Republic… they will inevitably justify their invasive sovereignty over our tiny on-line transgressions in the name of New Rome Democracy.

    So get used to it, kiddies… or start reading Tsun Tsu and trip-wire your virtual bunkers!

  15. There’s no privacy violation.
    The original complaint has it all wrong. The machines being installed don’t allow DPI. What they allow is wholesale DPI.

    The packets are already being transferred across the network unencrypted. Anybody could grab any selection of packets at any time and inspect them all they want to any level of depth. All these machines allow them to do is AUTOMATED packet inspection in real-time.

    This can (and will) be used for purposes that the users will probably not want but this isn’t a privacy violation. It’s as if we already have video cameras in everybody’s houses recording everybody but no one ever looks at the videos. What they have just added is a robot that watches every video stream, all the time.

    If you want privacy, you can’t rely on the government to legislate it for you.

  16. Is this just the tip of the iceberg?
    Take a look at this:

    [ link ]

    Just exactly where are we heading??? As far as our communications companies are concerned, there IS NO PRIVACY. They will sell you like livestock for the almighty dollar with or without your knowledge or consent, and they don’t care!

    It doesn’t say much for us, our governments, or western civilization in general. Disgusting!

    Since nobody seems to care, guess we’ll get what we deserve. Then it will be too late.

  17. Re: Read PIPEDA
    Hi Rick,

    Your post is too long winded.

    Let’s assume that from a privacy perspective, Bell is our best friends, and in the clear.

    Re: 7.1.a:
    DPI is not about quality of service. Take a look at packet scheduling schemes such as weighted fair queuing (and all of its children). It is a CONTENT AGNOSTIC way to ensure everyone gets their fair slice of the available network pie. It is also *much* cheaper to implement.

    What DPI is allowing Bell to do is to selectively restrict types of traffic that happen to be competing with their core business. This gives them powers that they could not otherwise legally have, under the guise of quality of service.

    While Bell must have to manage their available bandwidth, they should not have the authority to treat traffic differently based on the type, save the traffic that is tagged by the end user as to be treated differently (within their own available queue).

  18. Pricing based on DPI content
    With the big ISPs having media interests, I suspect DPI will be used by the ISPs to price their offerings not only on how much you download but also on what you download. Wait for next years bundle offerings.