Five Rules for and some Thoughts on Deep Packet Inspection

By | May 18, 2015

One of the many things on my mind in the online world these days is “deep packet inspection.” First, a digression: packet sniffing isn’t new to web analytics. From Accrue to Omniture (Visual Discover Sensor?) to AuriQ to Metronome Labs, packet sniffers are used to “do web analytics.” It’s an uncommon method when compared to JavaScript page tags.

Web analytics packet sniffers are used to write logs for sessionizing (and thus measuring) the traffic on behalf of site owners (who don’t want to use tags or logs). Once you’ve logged and sessionized, you know what content people have looked at or downloaded on your site.

“Deep packet inspection,” like WA sniffers, looks at the entire payload of packets in real time across a huge number of simultaneous sessions. Deep packet inspection, like regular packet sniffing, examines the files downloaded and the content of the pages viewed – the whole ball of wax.

Deep packet inspection is being offered as a hardware/software technology by companies like FrontPorch and Sandvine (in the US) and Phorm (in the UK). These companies are selling the technology to ISPs (like Charter, Comcast, and Virgin Media) so that they can monitor the sites visited and the keywords used by customers, and then use the data collected for behavioral targeting. The ISPs want a slice of the juicy, lucrative online ad business.

What’s the Difference?

Site owners collect data about what you do on ONE site (or a portfolio of their sites). ISPs collect data about what you do on EVERY site you visit. As I understand it, some of these companies create an anonymous profile of your surfing activity by assigning a unique key to your browser. Then they monitor the sites visited by your browser, and use that data so that the ISP, or the companies to which they sell your data, can serve you what they conclude to be relevant, behaviorally targeted ads.

Get it? Packet sniffing by site owners = knowing about one site you visit. Deep packet inspection by ISPs = knowing about every site you visit.

Now to digress… In web analytics, we know that web analytics data is collected anonymously. Unless there’s a login, you don’t know exactly who is coming from that IP address. And in many cases, most companies’ data warehouses only contain purchase information, not the entire click-stream. Once the data is collected, if you have the right architectures, you can decode cookie values to people and make that data non-anonymous (i.e., PII). Not difficult to do with some smart BI folks on your side.

An ISP already knows who you are and can already identify the sites you visit. Probably not that easily on an individual level, though. They can dig through the logs, etc…

So what’s the big deal and all the hoo-hah about the “deep packet inspection” Phorm and FrontPorch are doing? It’s the data they are collecting and the repository they are building containing data about every site you visit and all the content you view and download… Of course, these companies say that it’s all done anonymously and that your “privacy” is preserved “to the greatest extent possible.”

Now let me quote Sir Tim Berners-Lee about the data collected from Phorm’s ISP tracking: “It’s mine – you can’t have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I’m getting in return.”

And that’s the point of the blogviation: Tim is correct. In web analytics, we do this – we try to operate within Tim’s constraints. We enable opt-in with P3P statements and disclosures when you register/login. Privacy policies disclose what we are doing with the data. It’s just ethical and smart business practice to do so.

Thus, I think FrontPorch and Phorm and all the ISPs who want a piece of online advertising should adhere to the following five rules for their services.

Deep Packet Inspection Rules

  1. Move to an obvious “opt-in” model with full disclosure. Tracking via “deep packet inspection” should be an all opt-in model. If you want anonymous data from your browser collected so that you can be behaviorally targeted, then you should opt in to be. Right now, it seems to be all opt-out. You probably don’t know if it’s being done to you. It’s buried in fine print you’ve probably never read. Is it your fault you didn’t read the fine print? Yeah, but the point is it shouldn’t be buried in the fine print…
  2. Provide me with access to the data collected. If I opt in, I should be able to see the data collected from my browser. It’s very simple. I demand to see what you are collecting about my browser. If you are building a profile, then I demand to see the data collected in the profile. If it’s all anonymous, then explain how it is in detail, and then follow rule #1.
  3. Enable me to edit or prevent the data from being collected. If I opt-in, I want to be able to edit or prevent certain types of data from being collected. If you’re tracking my browser, alert me before the data is transmitted, so I can decide if I want to share it. If a profile is built, I want to be able to edit it!
  4. Let me opt-out at any time EASILY. If I’ve opted in, and I’m unhappy with the service, allow me to opt-out simply. Having to set an opt-out cookie on my browser is absolutely and completely absurd. I want to be able to fully opt-out at the ISP level, just once forever, not at the browser level every time cookies are deleted. Make it easy and permanent, not easily deletable.
  5. Disclose who you sell my data to. Like online list rentals, the next step in all this ISP profiling is selling the data to third parties. Let me know what you’re doing with my data, before you do it, so I can opt out or prevent it from being sold to parties to which I don’t want it being sold.

Consumers must be given a choice for preserving their privacy. Anonymity to the “greatest extent possible” is not enough and neither are short-sighted opt-out cookies. Companies like Phorm and Front Porch would be wise to apply these rules to regulate themselves. Otherwise freedom-loving governments will almost certainly regulate them.

And I haven’t even mentioned the issues with net neutrality and deep packet inspection (i.e. traffic shaping and access restrictions called “throttling”), have I?
