Internet Providers' New Tool Raises Deep Privacy Concerns

By Rob Pegoraro
Thursday, August 21, 2008

If you're reading this story on our Web site, I don't know what you did online before you reached this page.

But your Internet provider might if it engages in something called deep packet inspection.

That phrase may sound like what the Transportation Security Administration does to uncooperative airline passengers, but on the Internet it means a thorough and automatic inspection of online traffic -- not just where you've been but also what you've seen.

Peering inside the digital packets of data zipping across the Internet -- in real time, for tens of thousands of users at once -- was commercially impractical until recently. But the ceaseless march of processing power has made it feasible.

Unsurprisingly, companies have been trying to turn this potential into profit. By tracking users' Web habits this closely, they can gain a much more detailed picture of their interests -- and then display precisely targeted, premium-priced ads.

Equally unsurprising, these attempts have become a public-relations tar pit for Internet providers that experimented with this technology without giving users fair warning.

The House Committee on Energy and Commerce recently asked dozens of providers to explain whether they had done any such testing.

Most companies said they had yet to try the technology and had no plans to do so. (Although AT&T allowed that "if done properly," deep packet inspection "could prove quite valuable to consumers.")

A handful of providers -- for example, the Sprint spinoff Embarq and The Washington Post Co.'s Cable One -- said they briefly tested a deep-packet-inspection ad service provided by NebuAd, a start-up from Redwood City, Calif.

These companies said the tests guarded their customers' privacy. Cable One, for example, told the committee that it did not monitor encrypted Web traffic (such as bank transactions), e-mail, instant messages or Internet phone calls and said that NebuAd stripped out all personal references before analyzing those limited data.

The providers also said that were they to engage in deep packet inspection again, they would record data only from users who expressly allowed it.

Taking these companies at their word, what's there to worry about? We trade privacy for convenience all the time. We visit sites that keep far less detailed records of our comings and goings with "cookies" -- the small placeholder text files they drop on our hard drives. Millions of people subject themselves to more intensive scrutiny when they use Google's Gmail service, which scans the text of each message to place more relevant ads.

CONTINUED     1        >

© 2008 The Washington Post Company