Electronic copy available at: http://ssrn.com/abstract=1653259
The End of the Net as we know it?
Deep Packet Inspection and Internet Governance
Ralf Bendrath, European Parliament
Milton Mueller, Syracuse University School of Information Studies
Abstract
Advances in network equipment now allow internet service providers to monitor the content of
data packets in real-time and make decisions about how to handle them. If deployed widely this
technology, known as deep packet inspection (DPI), has the potential to alter basic assumptions
that have underpinned Internet governance to date. The paper explores the way Internet
governance is responding to deep packet inspection and the political struggles around it.
Avoiding the extremes of technological determinism and social constructivism, it integrates
theoretical approaches from the sociology of technology and actor-centered institutionalism into
a new framework for technology-aware policy analysis.
Key words: Internet governance; Internet regulation; Deep Packet Inspection; Privacy; Surveillance; Censorship; Internet service providers; Actor-Centered Institutionalism; Disruptive technology; Socio-technical systems; Network Neutrality; Social Construction of Technology; Technological Determinism.
Introduction
In academic and policy circles, there is increasing awareness of the ability of technological
change to fundamentally alter the nature of the Internet. There is a growing literature on attempts
to place the internet, as well as the devices attached to it, under closer control. The methods
employed include monitoring and filtering technologies (Deibert et al, 2010; Ohm, 2008), digital
rights management (Gillespie, 2007), and less open, restricted device hardware (Zittrain, 2008).
Tarleton Gillespie aptly summarizes this trend as “a fundamental shift in strategy, from
regulating the use of technology through law to regulating the design of technology so as to
constrain use.” (2007, p. 6; see also Boyle, 1997) One of the leitmotifs of this literature has
become “the end of the Internet.” (Chester 2006; Riley and Scott 2009; Walker 2004)
This paper is about the possible future as well as the possible end of the internet as we
have known it. “Deep Packet Inspection” (DPI) is a new technology that may, depending on
one’s perspective, either change the internet’s future or mark its end. DPI introduces
“intelligence” into what has often been called a “dumb” network, facilitating comprehensive
surveillance and discrimination of data packets moving through the network. If broadly
deployed, Internet Service Providers who use DPI could more effectively monitor, speed up,
slow down, block, filter, or otherwise make decisions about the traffic of their users, based on
knowledge of what kind of information they are transmitting. This could potentially have a major
impact on privacy, the free flow of information, intellectual property protection online, network
security and virtually all other internet governance issues.
This paper is a first attempt to analyze the policies and regulations forming around DPI
from a scholarly and theoretical perspective. We view DPI as a potentially disruptive technology,
one with the ability to dramatically change the architecture, governance and use of the Internet.
At the same time, it is also possible that DPI will be domesticated and regulated in ways that
limit its use to what is consistent with the principles and norms of the existing Internet. In our
view, technological changes do not determine social interactions, but they do have distinctive
effects that are derived from the way their unique capabilities interact with the interests of
specific actors and the institutional environment. In short, this is a study of the co-production of
technology and society (Brey, 2005). As such, the project requires synthesizing the literature on
Internet governance, science, technology and society and political science. The paper develops a
framework for analyzing the changes wrought by the deployment of DPI capabilities, drawn
from the actor-centered institutionalism of political scientist Fritz Scharpf (1997). That
framework avoids simple technological determinism but also avoids those forms of social
constructivism that seem to have no place for the material capabilities of the technology itself.
The paper is divided into three parts. The first explains how DPI works and why it has the
potential to be a radical or disruptive technology. The second section describes our model for
analyzing the impact of DPI on Internet governance, which we call “technology-aware policy
analysis.” The third section applies this framework to an empirical analysis of four cases in
which DPI has become the subject of political contention. The case studies reveal significant
variation in the governance of DPI across use cases and institutional settings, and highlight the
non-deterministic nature of the political interactions shaping technological change.
1 The disruptive potential of Deep Packet Inspection
1.1 DPI: The technology and use-cases
The original Internet protocols assumed that the network's routers would scan only the header of
an Internet Protocol (IP) packet. The packet header contains the origin and destination address
and other information relevant to moving the packet across the network. The “payload” or
content of the packet, which contains (all or part of) the text, images, files or applications
transmitted by the user, was not considered to be a concern of the network operator. (Figure 1)
Figure 1: DPI diagram (labels: domain of traditional packet forwarding; domain of deep packet inspection)
Deep packet inspection (DPI) allows network operators to scan the payload of IP packets as well
as the header. (Dharmapurikar et al, 2003) DPI systems use regular expressions to define patterns
of interest in network data streams (Kumar, Turner, & Williams, 2006). The equipment is
programmed to make decisions about how to handle the packet or a stream of packets based on
the recognition of a regular expression or pattern in the payload. This allows networks to classify
and control traffic based on the content, applications, and subscribers.
Many of the functions provided by DPI technology have been available before. But it has
two potentially paradigm-changing characteristics. First, the scanning takes place in real time on
the wire; i.e., it is much faster than its predecessors. (Artan and Chao, 2007) Second, it integrates
these diverse functions into one piece of equipment, thus creating the possibility for major
economies of scope in implementation. A vendor’s promotional literature explains the
combination of control functions:
The Ellacoya e100 is a carrier-class and carrier-scale network platform that enables
providers to identify and manage each packet of network traffic dynamically by
subscriber, service type, time-of-day… Together with Ellacoya’s rich suite of software
applications, the e100 can: provide granular reports on network usage; manage traffic
dynamically with precision; ensure VoIP quality; identify and prevent network threats;
and provide the basis for quota management, differentiated service plans and quality
assured premium services (IPTV, VoIP, streaming video).1
Still, DPI is not magical – its capabilities hinge critically on the ability to define codes or
algorithms that accurately capture the features of what one is searching for in the traffic stream.
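The contrast drawn in this section, between forwarding on the header alone and deciding on the payload, can be made concrete with the following added illustration, which is not from the paper or from any vendor's product. The route names, signature set, policy actions and sample packets are constructed assumptions; the last sample shows the limit noted above, since a payload that no signature describes cannot be classified.

```python
import ipaddress
import re
import socket
import struct

# Hypothetical routing table: the only state a header-only forwarder needs.
ROUTES = [
    (ipaddress.ip_network("203.0.113.0/24"), "uplink-a"),
    (ipaddress.ip_network("0.0.0.0/0"), "uplink-default"),
]

# Hypothetical DPI rule set: (label, payload regex, action). Each pattern is
# anchored on the first bytes the protocol sends; actions are illustrative.
SIGNATURES = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol"), "throttle"),
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n"),
     "forward"),
    ("tls-client-hello", re.compile(rb"^\x16\x03[\x00-\x04]..\x01", re.DOTALL),
     "forward"),
]


def build_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet (constructed sample, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_packet(raw):
    """Split a raw IPv4/TCP packet into header fields and payload bytes."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6 or len(raw) < ihl + 20:
        raise ValueError("this example handles complete TCP segments only")
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4       # TCP header length in bytes
    return {
        "src": socket.inet_ntoa(raw[12:16]),
        "dst": socket.inet_ntoa(raw[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": raw[ihl + data_off:total_len],
    }


def forward_by_header(raw):
    """Traditional forwarding: longest-prefix match on the destination only."""
    dst = ipaddress.ip_address(parse_packet(raw)["dst"])
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def dpi_decision(raw):
    """Payload inspection: first matching signature decides label and action."""
    payload = parse_packet(raw)["payload"]
    for label, pattern, action in SIGNATURES:
        if pattern.match(payload):
            return label, action
    # No signature describes this payload, so the box cannot tell what it is.
    return "unclassified", "forward"


# Constructed samples: same source, destination and port, different payloads.
SAMPLES = {
    "web": build_packet("192.0.2.7", "203.0.113.10", 40000, 80,
                        b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    "p2p": build_packet("192.0.2.7", "203.0.113.10", 40000, 80,
                        b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20
                        + b"-XX0000-" + b"0" * 12),
    "tls": build_packet("192.0.2.7", "203.0.113.10", 40000, 80,
                        b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    "opaque": build_packet("192.0.2.7", "203.0.113.10", 40000, 80,
                           bytes(range(200, 232))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, forward_by_header(pkt), dpi_decision(pkt))
```

All four packets are indistinguishable to the header-only forwarder, while the payload rules separate them and fall back to a default for the one they cannot describe.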
1.2 The use-cases of DPI
There are six basic categories or “use cases” into which DPI applications can be
classified:
Network security: DPI equipment was first developed for intrusion detection and
prevention systems. It allowed network operators to detect and intercept recognized
forms of malware (viruses, Trojans, worms, and other dangerous code) before it reached
their customers or employees. (Sourdis 2007)
Bandwidth management: DPI is also used to manage bandwidth. It enables ISPs to
discriminate among different types of traffic streams to try to maintain quality of service
standards, or to throttle down “excessive” traffic, such as peer-to-peer file-sharing or
voice over IP calls on mobile networks. (Renals and Jacoby, 2009)
Governmental surveillance: DPI equipment can be used for real-time government
surveillance of Internet communications. (Singel 2006; Rhoads and Chao, 2009)
Content regulation: DPI can be used to recognize and block access to content deemed
illegal or harmful. Content blocking may be narrowly constrained – e.g., to images of
child-abuse (Dedman and Sullivan 2008; Kleinz 2009) – or applied broadly to anything
considered a threat to the government (Rhoads & Chao, 2009; Wagner 2008).
Copyright enforcement: Copyright holders have tried to force ISPs to use DPI to
automatically detect and block unauthorized sharing of music or video files. Some U.S.
universities have installed DPI to prevent student downloading. (Mateus and Peha, 2008)
Ad injection: DPI can enable ISPs to inject advertisements into websites that match the
assumed interests of the users. The interests of these potential consumers are inferred by
a detailed analysis of their internet traffic, called behavioral targeting. (Topolski, 2008)
By converging different functionalities, DPI facilitates convergence of the interests of a
diverse set of actors. Government agencies, censors and some copyright holders are interested in
the monitoring and filtering of information flows. Network operators are concerned with
blocking malware and optimizing their bandwidth investments. The business managers of the
network operators may also want to create additional revenues by moving into content,
applications or advertising, or to protect profitable services from competing, independent
applications.
1.3 Is DPI a disruptive technology?
Theories of “disruptive technology” recognize that new technologies can destabilize
established social structures and practices by catalyzing changes in the social arrangements
around which we build our lives. (Klang, 2006) The term “disruptive” in connection with
technological change is often associated with the work of Clayton Christensen on industrial
innovation. (Christensen, 1997; Daneels, 2004) While this literature successfully brings notions
of disruptive change into studies of technology in society, it also narrows the focus to the
survival of old and new products in the commercial market. We prefer to employ a more general
meaning of disruptive – one that, like Klang, incorporates the impact of technologies on
established social arrangements as well as on the market for specific products. We are especially
interested in the way technological change affects the public policies and governance institutions
applied to Internet service providers and users.
Technology is not disruptive to society just by its pure existence; it must be embedded
into social routines and practices. Scholars who have examined the co-production of
technological and social systems note that there must be a “fit” between the technological
structures and machines on the one hand and the social and institutional structures in which they
are embedded. (Weingart 1989; Dierkes et al. 1992) Otherwise, we can expect adaptive conflicts.
The outcome of these conflicts can lead to the integration of technology into existing social
structures or to changes in the social structures that adapt to the technology. Neither way is pre-
determined. While many adaptive conflicts are confined to single organizations or to specific
industry sectors, some of them become subject to broader public debates and political conflicts.
These political interactions play a major role in determining whether the technology transforms
society, or is controlled and contained so as to sustain existing social structures and policies.
DPI’s disruptive potential can be attributed to the way its use can clash with three
established principles for Internet architecture and governance: 1) the end to end argument; 2)
the limitation of public carriers’ responsibility for the actions of their users; 3) users’
expectations of privacy.
A central design principle of the internet for its first 20 years was the “end to end
argument.” (Saltzer et al. 1984; Carpenter 1996) The internet protocols were designed to execute
a relatively simple packet-forwarding function; all other functions are supposed to be performed
at the end users’ networks or computers (often referred to as “the edges” of the network). The
network layer of the protocol stack only cares about moving data packets from the sender to the
receiver without regard to their content or security. The effect of this separation is to empower
the edges or users of the network. Lawrence Lessig (1999) employs a nice metaphor for
describing the end-to-end principle:
"Like a daydreaming postal worker, the network simply moves the data and leaves
interpretation of the data to the applications at either end. This minimalism in
design is intentional. It reflects both a political decision about disabling control
and a technological decision about optimal network design."
In policy discourse, three arguments have been made to support the end-to-end principle. One
concerns technical flexibility or optimal network design. The original developers of the Internet
were concerned about efficient, scalable network architecture that would allow any kind of
application to run on top of it. The second is political freedom. A network that does not care
about the content of the packets it moves is a network that cannot easily be used for censorship
or surveillance. The third argument is one of economic openness. (Lessig 2002; Wu, 2003) A
network confined to simple packet-moving is also one that enables multiple service providers to
compete on equal terms using the ISP as a platform. No one needs the network operator’s
permission to enter a service or content market, and fewer service-specific investments are
needed in the infrastructure. This reduces entry barriers and facilitates innovation.
Another important legal and regulatory principle in the initial stages of the Internet’s
commercial development was the limitation of Internet service providers’ liability for the actions
of their users. This exemption was thought to enhance freedom of expression and economic
innovation by removing the incentive for service providers to monitor and restrict customers’
actions in order to shield themselves from legal liability. It also implied a respect for the privacy
of end user communications.
Now imagine a postal worker who is not daydreaming, but instead:
Opens up all packets and letters;
Reads the content;
Checks it against databases of illegal material and when finding a match sends a copy to
the police authorities;
Destroys letters with prohibited or immoral content;
Sends packages for its own mail-order services to a very fast delivery truck, while the
ones from competitors go to a slow, cheap sub-contractor.
Imagine also that the postal worker could do this without delaying or damaging the packets and
letters compared to his (former, now fired) daydreaming colleague. This is what DPI technology
is capable of. It enables the network operator to analyze the datagrams passing through the
network in real-time and discriminate among them according to their payload.
Such a postal system undermines the values and principles described above. With respect
to political freedom, it invades the privacy of communications and introduces opportunities for
regulation and censorship while increasing the feasibility of imposing intermediary responsibility
on ISPs. Regarding technical simplicity, it creates additional overhead and enables the network
to assume many new functions. Regarding economic openness, the network’s ability to
discriminate among applications and senders makes it more of a gatekeeper to the products and
services available over the Internet. In short, by attacking the separation between the network
and the applications at the edges, and by making the ISP “aware” of what is passing through its
pipes, DPI has the potential to fundamentally alter Internet operations and governance.
To characterize DPI as “disruptive,” however, requires an important qualification: we are
talking only about its potential. Realization of that potential is contingent upon a number of
social, economic and political factors. In the next section, we develop a framework for analyzing
interactions between the technology and other factors.
2 Technology-Aware Policy analysis
DPI is already at the center of several important debates in Internet policy and governance.
Normally, analysis of public conflicts and struggles is the domain of political science and related
forms of policy analysis. But typically, political scientists focus on the way the institutional
environment and surrounding politics shape the technology; they neglect the technology itself.
In order to develop a framework for technology-aware policy analysis, we build on prior
political science research on policy analysis, and specifically the theoretical framework known as
“actor-centered institutionalism” (ACI). (Mayntz and Scharpf 1995) The ACI framework is
diagramed in Figure 2 below. Based in rational-choice institutionalism, it accepts the fact that we
always have to deal with “real actors” who do not follow mathematically modeled game-theory
strategies, but are also guided by normative and cognitive interaction orientations. Their mode of
interaction is also constrained by the institutional context, which varies in its allowance for
individual freedom of action, market regulation, negotiated agreements, and hierarchical
decision-making.
While the framework of ACI has been used in a number of studies of technical systems
(Mayntz and Schneider 1995; Schneider and Mayntz 1995; Schneider 1999), these have mostly
taken a pure social constructivist approach, where the technology is the output, not the input, of
political interactions. The challenge for technology-aware policy analysis is to also explain how
a technological capability that has emerged behind the backs of political actors affects the
subsequent decisions about how to govern a socio-technical system. Technology in this sense
becomes an exogenous factor capable of generating policy change and adaptation. To adapt
Figure 2 to our needs, technological change would become one of the Problems that emerge out
of the Policy Environment and feed into the chain of actor orientations and capabilities,
constellations and modes of interaction.
Fig. 2: The domain of interaction-oriented policy analysis.
Source: Scharpf (1997, 44)
If we further develop this model to make it more applicable to technological change, it
would begin with an analysis of the specific properties of a new technology and the way it
contributes to the interests of the actors involved. The list of use cases in section 1.2 exemplifies
this stage of analysis. It indicates how specific actors stand to benefit from DPI capabilities, and
how control over those capabilities is distributed among the actors. It is evident that new
technologies bestow upon a set of actors different capabilities, governance capacities, or power
resources (Knill and Lehmkuhl 2002). As a simple illustration, a corporate owner of a private
network can unilaterally decide to install DPI because it actually owns and operates the network,
and its users are employees with limited legal autonomy. On the other hand, a copyright holder
or governmental agency demanding installation of DPI capabilities by a public ISP must
negotiate with ISPs, or seek new laws and regulations compelling them to use it.
A change in actors’ orientations and capabilities can in turn lead to different strategic
constellations and therefore different types of interactions among groups of actors, even for
different use-cases of a single new technology. Scharpf and others have used game theory to
elaborate on this model without, however, becoming overly formal or quantitative. (Scharpf
1997) He found, for example, that pure coordination games, such as getting society to agree on
which side of the road cars should be driven, can be solved through decentralized, self-governing
arrangements. Games where parties can be hurt by defection or free-riding may require binding
mechanisms for collective action. Redistributive games require institutions with hierarchical
authority. Thus, different types of policy objectives require what Scharpf calls different “modes
of interaction,” and these different modes dictate a different kind of political process.
One must also take account of institutions, which will have an important effect on how
technologies with broad public impacts will be deployed and how much of their disruptive
potential will be realized. Political interactions around new technological capabilities will be
shaped by existing laws and regulations, by the existence or non-existence of partisan groups
promoting specific norms and their degree of organization, and by the properties and legacies of
the political system. The challenge for technology-aware policy research is to empirically link
the specific capabilities of new technologies with an analysis of the concrete conflicts and
interactions around its usage and governance. Figure 3 summarizes the analytical framework
graphically. At the core is a political interaction that produces the specific governance regime for
DPI as an output.
Figure 3: The analytical model of technology-aware policy analysis and its application to DPI governance
(Figure labels: DPI emergence; technological change; impact on internet architecture; general disruptive potential; DPI use-cases 1 to n; context-dependent disruptive potential; actors: interests and constellation; institutional context, modes of interaction; political interaction; initial strategic setting; structuring factors; policy process; DPI governance regime; policy output; technology-aware policy analysis)
3 Case studies: Usage and Governance of DPI
The model will now be applied to four empirical cases. As noted previously, DPI has been at the
center of many incidents of political contention over Internet governance. The space constraints
of this journal prevent a complete analysis and discussion of all known cases; only a few
examples can be explored in depth. Our selection of cases for this paper was guided by the
following criteria:
First, we chose cases where there was public, political contention around DPI. DPI’s
capabilities must have generated open conflict over legal and regulatory arrangements.
Second, the selections had to span more than one use-case. The analytical model predicts
that there is no generalized politics of DPI but rather a distinct “game” or strategic
situation around each major use-case; the nature of the game hinges on the specific
technological properties of the application. Examining two use-cases allows us to test the
model’s prediction that different actor-constellations will form around the different
applications of DPI.
Third, in order to explore the properties of the model we needed to find cases where
public contention over the same use case was present in at least two different countries.
This allows us to test the expectation that different institutional settings will lead to
variation in the outcomes.
Based on these criteria, we selected two distinct use-cases being pursued by ISPs: bandwidth
management and copyright protection. In the first use-case, ISPs can make what Scharpf calls
“unilateral moves” to deploy DPI. In the second use-case, the demand for DPI comes not from
ISPs but from external actors. Both use-cases allow for variation across institutional settings. In
bandwidth management, there has been action in the U.S.A. and Canada. In copyright protection, we
are able to compare and contrast the U.S. and the E.U.
3.1 DPI and Network management
Bandwidth is a shared, scarce resource on the internet, especially the so-called “last mile.” The
growth of video and file-sharing traffic consumes ever more bandwidth, putting pressure on ISPs
to economize on its use. In the absence of explicit legal constraints, commercial ISPs seem to
have the ability to install network management applications based on DPI – but their capacity to
make such unilateral moves is constrained by competitive alternatives and government
regulators.
One of the precipitating causes of the use of DPI was the growth of peer to peer (P2P)
file-sharing platforms, such as BitTorrent. P2P applications are both bandwidth-intensive and
legally suspect due to copyright infringement concerns. Additionally, the download capability of
cable networks exceeds their upload capacity, which makes serving P2P users who seed or
upload large files more costly. ISPs relying on cable-modem technology, therefore, were
especially likely to discriminate against P2P traffic as part of a bandwidth conservation strategy.2
The initial actor constellation here involved vendors of DPI equipment and network operators;
from 2005 on, many ISPs either started to use or expressed interest in DPI for bandwidth
management. But another important element of the actor constellation was an organized network
neutrality movement. The regulatory issues surrounding bandwidth “tiering” had already been
politicized in the U.S. by groups such as Electronic Frontier Foundation, Free Press and Public
Knowledge.
Bandwidth management practices led to a political uproar in the United States when, in
August 2007, a blog post uncovered an especially intrusive practice by U.S. cable provider
Comcast. (Ernesto 2007) Using DPI equipment from SandVine, Comcast not only slowed down
P2P traffic, but actively disrupted it.3 After this was revealed, Comcast said the practice was
confined to peak traffic hours, but this claim was quickly proven false. Comcast’s disruption
generated wide publicity, provoking complaints and petitions with the Federal Communications
Commission (FCC) and a class action lawsuit.4
The bad publicity prompted Comcast to adjust its bandwidth-rationing activities toward
application-neutral methods.5 (Karpinsky, 2009; Kravets 2008; Lee 2008b) Nevertheless, the
incident fueled public anxiety about the potential for ISPs to interfere arbitrarily with customer
traffic or discriminate against content or service providers. Thus, it greatly aided the organized
network neutrality movement and politicized DPI. In August 2008, the FCC ruled that the
Comcast actions violated a 2005 policy statement that customers were entitled to access the
lawful content and services of their choice. (FCC 2008) Comcast appealed the decision, claiming
that the FCC policy statement did not have the force of law. The Obama FCC, which was openly
committed to network neutrality, issued a Notice of Proposed Rulemaking to transform the
earlier policy statement favoring net neutrality into full-fledged regulations.6
In the public debate over the proposed network neutrality rules, network operators
(especially wireless and co-axial cable operators) lobbied hard to retain the ability to actively
manage their bandwidth. The FCC recognized a legitimate interest in “reasonable network
management” to prevent heavy users from degrading the service of other customers, but pushed
for rules that would maintain transparency and prevent bandwidth management techniques from
being used to discriminate against independent service providers. Thus the definition of
“reasonable network management” became one of the critical issues driving regulatory change.
The FCC’s plans to regulate bandwidth management, however, were disrupted in March 2010,
when the federal district Court upheld Comcast’s appeal. The court ruled that the Commission
lacked statutory authority to regulate Comcast’s bandwidth management practices.7
The ruling posed an interesting dilemma for communications regulation in the U.S. The
FCC now has three options. 1) It can accept the status quo, which gives ISPs the legal right to
use DPI, even in the intrusive, discriminatory ways it was applied to BitTorrent users, although
most ISPs choose not to use it that way for the time being. 2) It can seek completely new
legislation from Congress empowering it to regulate the industry to pursue network neutrality
goals. This option would take years and would generate an enormous political and lobbying
battle with unclear success prospects. 3) It can reverse its own 2002 ruling that cable modem
Internet service providers are deregulated “information services” and re-classify them as
“telecommunication services” regulated as common carriers. This, too, would generate a
controversial regulatory proceeding that would alter the basis of Internet regulation in the U.S.,
but has better prospects for success given Democrat Party control of the FCC. This paper need
not speculate on which option the FCC will pursue and why; the relevant points are, first, that
DPI has clearly destabilized the political and regulatory equilibrium around Internet governance
and the system is still adjusting; and second, that DPI could indeed be regulated and in fact
political pressure has already succeeded in constraining its use.
In Canada the institutional setting is different, but not radically so. It is a federal system
and a federal regulator, the Canadian Radio-Television Commission, holds powers similar to the
U.S. FCC. One important difference is that Canada has required its largest, incumbent Internet
service provider, Bell Canada, to sell bandwidth at wholesale, regulated rates to competing
internet service providers. That has significantly affected the actor constellation by making many
smaller ISPs stakeholders in the regulations applied to Bell Canada. Another significant
difference is that Canada has stronger federal data protection laws and a national Privacy
Commissioner. Thus while there was, at the time the DPI controversy started, no organized
network neutrality movement in Canada, there was an active and professional community of
privacy and civil liberties groups. These groups framed the struggle over DPI and bandwidth
management primarily as a privacy issue.
Bell Canada’s interest in DPI goes back to 2005, when it invested in Ellacoya Networks,
a company that designs traffic management tools using DPI. In March 2008 Bell sparked
regulatory complaints when it notified its wholesale customers that it was applying DPI to their
services. In April 2008, only a week after being notified of these practices, the Canadian
Association of Internet Providers (CAIP) filed a complaint with the CRTC demanding that Bell
“cease and desist from ‘throttling’ its wholesale [Internet] access services.” Shortly after that, a
public interest group filed a complaint with the Privacy Commissioner claiming that Bell’s use of
DPI for network management violated the nation’s privacy law.8
In November 2008 the CRTC seems to have realized that the complaints about Bell’s use
of DPI were turning into a broader policy debate over bandwidth management and network
neutrality. (CRTC 2008) The CRTC initiated a proceeding to review “the current and potential
Internet traffic management practices of Internet service providers.” Its final ruling in October
2009 did not ban DPI for bandwidth management, but rather mirrors the FCC’s attempt to define
“reasonable bandwidth management.” (CRTC 2009) The CRTC developed a framework that it
claimed balanced “the freedom of Canadians to use the Internet for various purposes with the
legitimate interests of ISPs to manage the traffic thus generated on their networks [taking into
consideration] privacy legislation.” The regulations attempted to require transparency and
prevent applications that are “unjustly discriminatory” or “unduly preferential.” Wholesale
applications of DPI were more carefully regulated than retail services. “When an ISP employs
more restrictive [traffic management] for its wholesale services than for its retail services, it will
require Commission approval to implement those practices… and must not have a significant
and disproportionate impact on secondary ISP traffic.” The privacy litigation is still pending.
3.2 DPI and Copyright Protection
In the prior section, we discussed applications of DPI by network operators to achieve ends that
serve the interests of the operators themselves. It is also possible for third parties to be interested
in DPI use, and to seek its adoption and use by ISPs. One source of third-party demand for DPI
use comes from copyright owners who want to detect and stop illegal file transfers.
Since 2004, the European music industry has tried to use the courts to force ISPs to set up
filtering technology that would detect and block copyrighted music automatically. This was seen
as a way for the copyright industry to avoid the high costs of identifying and suing individual
users found to be sharing copyrighted material. The DPI products of one company, Audible
Magic, were promoted by the music industry as a suitable solution to the problem. Audible
Magic uses a fingerprinting technology to recognize copyrighted music files in the data stream.
In this actor constellation, the economic interests of the DPI vendors and copyright holders
converged. But the interests of ISPs and their trade associations did not. ISPs have strongly
resisted copyright filtering, seeing it as a cost burden on their systems and as likely to alienate or
cut off paying customers. The entertainment industry tried to resolve this conflict of interest
through lawsuits.
In June 2007, the Belgian music industry association, SABAM, demanded in court that
ISP Scarlet install Audible Magic. The Court of First Instance in Brussels agreed with SABAM
and issued an injunction. (EDRi 2007) Surprisingly, the court held that making ISPs responsible
for copyright surveillance did not violate the EU E-Commerce Directive 2000, which some
thought shielded ISPs from intermediary liability and from any obligation to monitor their
customers. The music industry then moved on to sue the largest Internet provider in Ireland.
EMI, Sony, Warner and Universal sought an injunction from the Dublin High Court which
would have required Eircom to establish the same filtering system as in Belgium. (McIntyre
2008a)
But in October 2008, the Belgian case turned out differently than expected. On appeal,
ISP Scarlet convincingly demonstrated to the court that the Audible Magic technology proposed
in both Belgium and Ireland did not perform properly and that the music industry had deceived
the court by falsely claiming it was already used successfully elsewhere. The trial court in
Belgium then lifted the injunction against Scarlet (McIntyre 2008b), which created a problem for
the music industry’s litigation in Ireland. The industry now needed to prevent a legal precedent
being set in Belgium that would impose a long-term ban on copyright filtering obligations in the
E.U. So it quickly settled the Belgian case out of court, and in Ireland, the parties reached a
settlement requiring Eircom to implement a policy that would disconnect users from the internet
after they have been identified as repeat copyright offenders. (McIntyre 2009)
The main reason for the outcome in this case was not just the technological feasibility;
politicians or judges often attempt to mandate use of ineffective technology. It was the ISPs’
determined opposition that made the difference. While the final decision was made by
hierarchical order (the court), an important part was the negotiations over the truth claims.
Because Scarlet had control over its network and the exact technical set-up, it was in a better
position to convince the judges of its version of the truth claims, and so convince the court that
Audible Magic technology does not deliver what it promises. The out-of-court settlement in
Ireland a bit later shows even more signs of a negotiated agreement. Unable to win a requirement
to use DPI, the content industry prevented a negative precedent and thereby left the legal space
open for technological improvements of copyright filtering software.
Copyright owner tactics in the U.S. could not rely on the same methods pursued in
Europe, but their overall strategy was similar. Starting in 2007, they began to de-emphasize
lawsuits against individual file-sharers and instead tried to enlist ISPs in the policing of copyright
infringement. American ISPs, however, have rebuffed these efforts. Like European ISPs they see
no need to incur significant costs in identifying and handling infringers, especially when this can
only lead to cutting off paying customers. Further, the U.S. institutional environment is more
supportive of the ISPs. The Digital Millennium Copyright Act provides a very strong notice and
takedown regime for copyright protection, but it includes a safe harbor provision that explicitly
limits ISPs’ responsibility for illegal actions they are unaware of. Enhancing their awareness
through DPI actually increases their liability and risk. The 1996 Communications Decency Act
also contains a strong provision (Section 230) that shields ISPs from liability for actions taken by
their users. The legal strategy pursued by SABAM against Scarlet would be unlikely to succeed
in any jurisdiction in the U.S.
Copyright interests have therefore been forced to pursue more indirect, negotiated
solutions in the U.S. They have shifted their attention to the higher education sector, where
campus networks are perceived as a hotbed of P2P file sharing. Using various means they have
attempted to pressure universities (which serve as ISPs for thousands of students) into using
technical measures to attack file sharing. They inserted into legislation funding universities a
provision requiring them to “inform their students about their campus policies on copyright
infringement and illegal downloading” and to report their policies and procedures for addressing
violations annually.9 The law also ordered universities eligible to receive funds under the law to
develop, “to the extent practicable,” “a plan to explore technology-based deterrents to prevent
such illegal activity.” But the bill did not impose any penalties if universities don't develop such
plans.
The entertainment industry also pressured universities directly. In the first weeks of April
2007, the RIAA sent pre-litigation settlement letters to 22 universities informing them that they
were about to sue individual students. Negotiations between universities and the copyright
holders took place through the Joint Committee of the Higher Education and Entertainment
Communities (JCHEEC), a group created in December 2002 to serve as the nexus for university
information technology experts to interact with entertainment industry lobbying organizations.
The group held a Workshop on filtering technologies in October 2006; another workshop on
technical requirements for control of illegal file sharing was held April 19-20, 2007, which
included university network managers, the entertainment industry and DPI technology vendors.
The Workshop record is fascinating reading for anyone interested in the detailed
practicalities of how a network administrator in a large institution of higher education would
actually apply and use DPI to detect and block copyright infringement. (JCHEEC, 2008) In the
end, the university representatives were simply unable to agree on a common approach. While a
few universities have deployed Audible Magic and others do block BitTorrent (mostly for
bandwidth management reasons), any hope the entertainment industry had for systematic and
uniform implementation of technical measures such as DPI was not fulfilled.
A recent development indicates that the issue will not die, however. In mid-2009, British
ISP Virgin Media announced that it had reached a deal with Universal to offer unlimited
streaming and downloads of non-DRMed music files. Access to the music would be included in
the subscription fee for Internet access. As part of the deal, Virgin complied with content
industry demands to monitor copyright infringement by its users. In November 2009 it
announced that it would use a DPI product named CView for this purpose. (Anderson, 2010)
Virgin claimed the application would not identify users, but merely measure the total volume of
unauthorised file sharing. The UK-based NGO Privacy International promptly complained to the
European Commission about the implementation. It claimed that the DPI application violates the
UK Regulation of Investigatory Powers Act, which makes intercepting communications a
criminal offence regardless of what one does with the data. The EU replied that it would monitor
the situation. As ISPs enter content-related services, their incentives to utilize DPI can change.
4 Conclusion
The theory of technology/society co-production suggests that “artifacts and their properties
should be analysed neither as objective facts nor as mere social constructions, but as both real
and constructed.” (Brey, 2005) The framework developed in this paper attempts to flesh out that
insight by linking the concrete characteristics of DPI technology to specific actor constellations,
modes of interaction and institutional settings. In the empirical cases, one can see technology
structuring the politics, and politics constraining and channeling the technology.
When DPI is considered as an input into a socio-technical regime, our framework helps
to explain the variation across different DPI use-cases. Each use-case provides for variation in
the interests, motivations and capabilities of network operators and other actors, which structures
the initial strategic interaction situation. A critical factor is how the technology affects the mode
of interaction. DPI must be installed and maintained by network operators. That gives them
first-mover advantages and a stronger ability to veto or resist proposals for uses coming from other
parties. If ISPs have an interest in DPI usage for bandwidth management, they can and often will
go ahead and just do it. When DPI is desired by third parties like copyright holders, on the other
hand, those actors must invest heavily to make ISPs cooperate. In this respect, technology
determines politics.
On the outcome side, our analysis of the political environment and institutions in which
the interactions took place helped to explain the variation within use-cases of DPI. If DPI usage
threatens existing norms, ISPs can expect public agencies and interest groups to interfere with
their deployments and strive to re-align them with societal norms and regulations. The existence
of an organized net neutrality movement able to work in concert with some business interests is
shown to be especially important in the U.S. In Canada, a framework was created to legalize
usage of DPI for bandwidth management in a way that is transparent, nondiscriminatory and
consistent with privacy laws. Although idiosyncrasies in the U.S. regulatory regime prevented
the FCC from directly regulating Comcast’s (and other ISPs’) bandwidth management practices,
bad publicity and user objections led to much the same result: DPI can be used, but for the time
being it is used in a “protocol agnostic,” more transparent way. Doing otherwise risks triggering
legislation or new regulations. In this respect, politics determines technology.
These four case studies are only a beginning. Additional research into other cases, and
especially other institutional settings, is needed. We were not able to explore known use-cases
around censorship and content filtering, ad injection, or national security surveillance. Our cases
are confined to Western, democratic governments and do not include developing countries, or
authoritarian governments such as China and Iran that are known to rely on DPI for Internet
control. This is, however, merely an initial test of the framework. It is intended to pave the way
for more detailed and longer-term studies.
Much of the critical literature on the growing sophistication and widespread deployment
of technologies of Internet control paints a dystopian picture. The very existence of these
technologies, it is implied, leads inexorably toward their uniform application. This grim picture,
however, is as one-sided and unrealistic as the Enlightenment narrative of technology promoting
continuous upward progress. If there is no simple “technical fix” to the problems of the Internet,
neither is there a one-way march into the Panopticon. Our findings suggest that the “end of the
Internet” is not pre-determined, nor is its freedom secure; its future rests very much in our own
hands.
References
Anderson, Nate. 2010. "EU has doubts as ISP rolls out DPI for copyright enforcement." Ars
Technica, January 26, 2010 2:30 PM.
http://arstechnica.com/tech-policy/news/2010/01/eu-has-doubts-as-isp-rolls-out-dpi-for-copyright-enforcement.ars
Artan, N. Sertac, and H. Jonathan Chao (2007) 'Design and analysis of a multipacket signature
detection system.' International Journal of Security and Networks 2 (1-2):122 - 36.
Blumenthal, Marjory S. and David D. Clark (2001) 'Rethinking the design of the Internet: the
end-to-end arguments vs. the brave new world,' ACM Transactions on Internet Technology, 1,
1, 70-109
Brey, P. (2005) Artifacts as social agents. In H. Harbers (Ed.), Inside the politics of technology:
Agency and normativity in the co-production of technology and society (pp. 61-84).
Amsterdam: Amsterdam University Press.
CRTC, 2008. Review of the Internet traffic management practices of Internet service providers.
Telecom Public Notice CRTC 2008-19. Reference: 8646-C12-200815400. Ottawa,
Canada: 20 November.
CRTC 2009. Review of the Internet traffic management practices of Internet service providers.
Telecom Regulatory Policy CRTC 2009-657. Route reference: Telecom Public Notice
2008-19. Ottawa, 21 October 2009. File number: 8646-C12-200815400
Carpenter, Brian E. (1996) RFC 1958: Architectural Principles of the Internet. Fremont/CA:
IAB Network Working Group.
Chester, Jeff (2006) 'The End of the Internet?' The Nation, 1 February
Christensen, C. (1997) The innovator's dilemma: When new technologies cause great firms to
fail. Boston: Harvard Business School Press.
Danneels, E. (2004) Disruptive technology reconsidered: A research agenda. Journal of Product
Innovation Management, 21, 246-258.
Dedman, Bill, and Bob Sullivan (2008) 'ISPs are pressed to become child porn cops.'
MSNBC.com, 16 October 2008. http://www.msnbc.msn.com/id/27198621/
Deibert, R., Palfrey, J. G., Zittrain, J., Rohozinski, R., & Haraszti, M. (Eds.). (2010). Access
controlled: The shaping of power, rights, and rule in cyberspace. Cambridge, Mass: MIT
Press.
Dharmapurikar, Sarang, Praveen Krishnamurthy, Todd S. Sproull, and John W. Lockwood
(2004) "Deep Packet Inspection using Parallel Bloom Filters." IEEE Micro 24 (1):52-61.
Dierkes, Meinolf, Ute Hoffmann, and Lutz Marz (1992) Leitbild und Technik. Zur Entstehung
und Steuerung technischer Innovationen. Berlin: edition sigma.
Freeman, Christopher, and Carlota Perez (1988) "Structural Crises of Adjustment, Business
Cycles and Investment Behaviour." In Technical Change and Economic Theory, ed. G.
Dosi, C. Freeman, R. Nelson and L. Soete. London: Pinter.
JCHEEC (2009) Report on the Workshop on Requirements for Technological Control of Illegal
File Sharing on College and University Networks. April 19-20, 2007.
http://www.educause.edu/Resources/WorkshoponRequirementsforTechn/162056
Klang, Mathias (2006) Disruptive Technology. Effects of Technology Regulation on Democracy.
Göteborg: University Department of Applied Information Technology.
Karpinsky, Rich. 2009. Comcast's Congestion Catch-22. Connected Planet. Jan 23, 2:02 PM.
http://connectedplanetonline.com/residential_services/news/comcast-congestion-0123/
Kleinz, Torsten (2009) 'Bundesregierung treibt Netzblockaden gegen Kinderpornografie voran.'
Heise news, 13 January 2009.
Knill, Christoph, and Dirk Lehmkuhl (2002) 'Private Actors and the State: Internationalization
and Changing Patterns of Governance.' Governance: An International Journal of Policy,
Administration, and Institutions 15 (1):41-63.
Lessig, Lawrence (1999) Code and other Laws of Cyberspace. New York City: Basic Books.
——— (2002) The Future of Ideas. The Fate of the Commons in a Connected World. London:
Vintage Books.
Mateus, Alexandre, and Jon M. Peha (2008) "Dimensions of P2P and Digital Piracy in a
University Campus." In TPRC. Arlington VA.
Mayntz, Renate, and Fritz W. Scharpf (1995) "Der Ansatz des akteurszentrierten
Institutionalismus." In Gesellschaftliche Selbstregelung und politische Steuerung, ed. R.
Mayntz and F. W. Scharpf. Frankfurt a.M.: Campus.
Mayntz, Renate, and Volker Schneider (1995) 'Die Entwicklung technischer
Infrastruktursysteme zwischen Steuerung und Selbstorganisation.' In Gesellschaftliche
Selbstregelung und politische Steuerung, ed. R. Mayntz and F. W. Scharpf. Frankfurt
a.M.: Campus.
McIntyre, TJ. (2008a) 'Filter or Else! Music Industry Sues Irish ISP.' Computer & Law, April -
May 2008.
——— (2008b) "SABAM v. Scarlet: Belgian ISP released from obligation to filter network for
illegal downloads." IT Law in Ireland (Blog), 26 October 2008.
——— (2009) '"Three strikes" for Ireland - Eircom, music industry settle filtering case.' IT Law
in Ireland (Blog), January 29, 2009.
http://tjmcintyre.com/2009/01/three-strikes-for-ireland-eircom-music.html
Ohm, Paul (2008) The Rise and Fall of Invasive ISP Surveillance. U of Colorado Law Legal
Studies Research Paper No. 08-22. (August 30) Available at SSRN:
http://ssrn.com/abstract=1261344
Renals, Peter, and Grant A. Jacoby (2009) Blocking Skype through Deep Packet Inspection.
Paper read at 42nd International Conference on System Sciences, at Hawaii.
Riley, Chris, and Ben Scott (2009) Deep Packet Inspection: The end of the internet as we know
it? Washington DC: Free Press.
Saltzer, Jerome H., David P. Reed, and David D. Clark (1984) 'End-to-end arguments in system
design.' ACM Transactions on Computer Systems 2 (4):277-88.
Scharpf, Fritz W (1997) Games Real Actors Play. Actor-Centered Institutionalism in Policy
research. Boulder/Co: Westview.
Schneider, Volker (1999) Staat und Technische Kommunikation. Wiesbaden: Westdeutscher
Verlag.
Schneider, Volker, and Renate Mayntz (1995) 'Akteurszentrierter Institutionalismus in der
Technikforschung. Fragestellungen und Erklärungsansätze.' In Theoriebausteine der
Techniksoziologie, ed. J. Halfmann, G. Bechmann and W. Rammert. Frankfurt a.M.:
Campus.
Singel, Ryan (2006) "Whistle-Blower Outs NSA Spy Room." Wired News, 4 July.
Sourdis, Ioannis (2007) Designs and algorithms for packet and content inspection. Delft: TU
Delft.
Topolski, Robert M. (2008) "NebuAd and Partner ISPs: Wiretapping, Forgery and Browser
Hijacking." Washington DC: FreePress.
Wagner, Ben (2008) "Modifying the Data Stream: Deep Packet Inspection and Internet
Censorship." In 3rd Annual GigaNet Symposium. Hyderabad, India.
Walker, John (2004) "Ende des Internet?" Telepolis, 2 February 2004.
Weingart, Peter (1989) 'Großtechnische Systeme' - ein Paradigma der Verknüpfung von
Technikentwicklung und sozialem Wandel? In Technik als sozialer Prozeß, ed. P.
Weingart. Frankfurt a.M.: Suhrkamp.
Wu, T. (2003). Network neutrality, broadband discrimination. Journal of Telecommunications
and High Technology Law, 2, 141.
Zittrain, Jonathan (2008) The Future of the Internet and how to stop it. New Haven & London:
Yale University Press.
Fig. 1: The domain of interaction-oriented policy analysis.
Source: Scharpf (1997, 44)
Figure 3: The analytical model of technology-aware policy analysis and its application to DPI governance
[Figure not reproduced. Diagram labels: DPI emergence (technological change); impact on internet architecture (general disruptive potential); DPI use-case 1, DPI use-case 2, DPI use-case n (context-dependent disruptive potential); actors: interests & constellation, institutional context, modes of interaction (initial strategic setting, structuring factors); political interaction (policy process); DPI governance regime (policy output); technology-aware policy analysis.]
1 Ellacoya e100 Platform (vendor brochure) http://www.maxnetsys.com.cn/download/e100_Datasheet.pdf
2 Data collected through collaborative P2P communities like Azureuswiki.com shows that mostly cable ISPs use this
kind of traffic shaping. http://wiki.vuze.com/w/Bad_ISPs.
3 See the Comcast filing to the FCC from 19 September 2008, http://www.eff.org/files/ Complete Comcast NM
Filing -- Date-Stamped 9 19 2008.pdf.
4 In December 2009 Comcast agreed to pay $16 million to settle the class-action lawsuit.
5 Describing Comcast’s revised deployment, Karpinsky (2009) observes that Sandvine’s ability to peer into the
contents of packets isn’t even turned on; it simply monitors network usage levels. If congestion is present, another
network element determines who is causing the congestion, and if that customer has exceeded a certain usage
threshold then their traffic is throttled back, regardless of what application they are using.
6 September 21, 2009 FCC NPRM
7 Comcast Corporation v. FCC and USA. U.S. Court of Appeals, D.C. Circuit No. 08-1291, April 6, 2010
http://pacer.cadc.uscourts.gov/common/opinions/201004/08-1291-1238302.pdf
8 The case was filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC), a University of Ottawa
branch working on internet-related law with a strong track record on privacy issues. The complaint is available at
http://www.cippic.ca/uploads/Bell-DPI-PIPEDAcomplaint_09May08.pdf. There are also interesting indications that
net neutrality norms and an organized movement are diffusing to Canada. See SaveOurNet.ca
9 The College Opportunity and Affordability Act, which was passed in 2008.