DPI is not a Four-letter Word!

As founder and CTO of Ellacoya Networks, a pioneer in DPI, and now having spent the last year at Arbor, a pioneer in network-based security, I have witnessed firsthand the evolution of Deep Packet Inspection. It has evolved from a niche traffic management technology to an integrated service delivery platform. Once relegated to the dark corners of the central office, DPI has become the network element that enables subscriber opt-in for new services, transparency of traffic usage and quotas, fairness during peak busy hours and protection from denial of service attacks, all the while protecting and maintaining the privacy of broadband users.

Yet, DPI still gets a bad rap. Guilty until proven innocent! Why is that?

DPI means different things, because it is an overloaded term. I can think of at least four separate product categories of DPI:

1) Traffic Management: DPI that classifies application traffic by examining the headers, without looking into the actual content itself.

2) Surveillance: DPI that logs, reconstructs, or plays back communication exchanges.

3) Ad-Insertion (and profiling): DPI that profiles subscriber web browsing or search activities, inserts cookies, or logs URLs visited by a subscriber.

4) Security: DPI that examines content for viruses, trojans, or other forms of vulnerabilities.

Paramount to each of these product categories is privacy. Service providers and consumers share in concerns over privacy, as do industry luminaries. Yesterday, according to ZDNet, Sir Tim Berners-Lee, “inventor” of the World Wide Web, spoke out against the use of deep packet inspection citing concerns over how snooping on clicks and data reveals more information about people than listening to their conversations.

His concerns are valid. And I can attest, having worked with service providers around the globe, that service providers are deeply aware of how important it is to protect consumer privacy. That is why service providers are becoming more transparent and giving consumers choices with opt-in and opt-out capabilities. This new era of transparency is as much a result of consumer interests, service provider best practices, and increasing regulatory pressures, as it is an indication of the broader shift of how DPI-based services are being used.

That is why Phorm, the targeted advertising service company mentioned in the ZDNet article which uses DPI, has a technology that can’t know who users are and allows users to switch it off or on at any time (opt-out or opt-in).

But transparency and consumer opt-out are not limited to broadband service providers and DPI. Yesterday, Google launched “interest-based” advertising on their partner sites and on YouTube, where ads will associate categories of interest based on the types of sites you visit and the pages you view. And, in line with DPI and service provider models of transparency and consumer choice, Google is offering transparency, choice with Ads Preference Manager, and a non-cookie based opt-out capability.

So at the heart of any service over broadband, not just DPI-based services, is the need for transparency, fairness, consumer choice and protection while preserving the privacy of individuals. These are the new discussion points that need to transcend specific technologies in the network. The public debate and regulatory directions have to be centered on these key areas – stay tuned as Arbor becomes more active in these arenas.

As for DPI itself, it has proven to be a critical network element in service provider networks, by providing those things that we all hold dear: privacy, protection, fairness and transparency. DPI is not a four-letter word!

One Response to “DPI is not a Four-letter Word!”

March 12, 2009 at 6:45 pm, rawsome said:

Wow – you defend some of the most egregious uses of DPI (secretly gathering information) by linking to the pages of the company accused of them. I hope you can find a company that wasn’t found by the FTC to have engaged in deceptive practices and marked as spyware by multiple AV companies for your next product model.

But let’s look at the claims:
“Can’t know who users are”
Phorm says it assigns users a random unique ID number and saves the URL of pages that users go to as well as the search queries that those users entered. As proven by the AOL Search data release (http://en.wikipedia.org/wiki/AOL_search_data_scandal), key search terms and unique numerical IDs can very easily be matched back to the users’ identities.

“Switch it on or off at any time (opt-out or opt-in)”
As those who have dealt with abuse know, there’s no such thing as opt-out or opt-in. There’s either opt-out (which usually means the users have to opt out again and again and again) or there’s opt-in (in which a user specifically chooses to participate in the program). As we’re hearing, many of the users who had data collected on them were never informed that a 3rd party was collecting their data. In the US, this is equivalent to violation of wiretapping laws – and I hope that the parties involved go to jail for a long time, as well as any company that attempts to do that type of thing again (hint hint). http://en.wikipedia.org/wiki/Phorm

Of course, the opt-out had all of its own flaws which kept it from being any kind of reasonable measure – so for all functional purposes, even the users who knew about it couldn’t opt-out.

DPI may have a legit and valuable function for networks and enterprise customers, but as long as it’s deployed secretly in an exploitative function against internet service consumers – your next business model better not have those three little letters in it.