Privacy Groups Warn On ISPs’ ‘Widespread’ Use Of Deep Packet Inspection

The practice undermines the EU’s existing net neutrality rules and also has worrying privacy implications, campaigners say

Privacy campaigners have accused some 186 European internet service providers, including major mobile network operators, of making illicit use of deep packet inspection (DPI) and flouting EU net neutrality regulations on the issue.

A group of 45 NGOs and academics from 15 countries said ISPs’ actions, and national telecoms regulators’ failure to enforce rules that have been in place since 2016, mean network neutrality is increasingly being worn away.

DPI is widely used across Europe in order to offer zero-rating packages, commercial promotions that omit certain services from data caps, said the organisations, led by digital rights group EDRI.

“With the proliferation of zero-rating in all but two European countries, the industry has started to deploy DPI equipment on a large scale in order to charge certain data packages differently or to throttle services and cram more internet subscribers in a network already running over capacity,” they said in an open letter to EU authorities.

Enforcement

In a separate statement, EDRI said most regulators had “so far turned a blind eye” to the use of packet inspection.

“Instead of fulfilling their enforcement duties, they seem to now aim at watering down the rules that prohibit DPI,” the group said.

Aside from its use to undermine network neutrality, the groups said deep packet inspection has worrying privacy implications, since it involves the analysis of which websites and services users access.

“The evaluation of these types of data can reveal sensitive information about a user, such as preferred news publications, interest in specific health conditions, sexual preferences, or religious beliefs,” they said in the letter.

Data protection

The groups referred to an analysis in January 2019 by campaign group Epicenter.works that found 186 European ISPs were employing DPI, in spite of net neutrality rules prohibiting it.

National communications regulators do not appear to be working with data protection authorities on the privacy implications of DPI, the letter said.

“We observe a lack of cooperation between national regulatory authorities for electronic communications and regulatory authorities for data protection on this issue,” the groups wrote.

“Given the scale and sensitivity of the issue, we urge the Commission and BEREC (the Body of European Regulators for Electronic Communications) to carefully consider the use of DPI technologies and their data protection impact in the ongoing reform of the net neutrality regulation and the guidelines,” the letter reads.

The EU and national telecoms regulators are currently negotiating new net neutrality rules behind closed doors, with a public consultation expected this autumn and final rules to be decided in March of next year.