So KPN admitted it applies Deep Packet Inspection (DPI), a technique which makes it possible to look into the digital packets that as a whole make up an e-mail or data sent on the Internet.
Old telephony vs. the new Internet world
The world seems deeply alarmed by this admission (also of Vodafone and I have so far not heard convincing reasons why we should exempt other mobile operators from using the same techniques). It was admitted that DPI was used in order to see where traffic was sent. Why? Because mobile operators are losing money to alternative techniques their customers use on their smart phones. So no text messages but Whatsapp and no cell phone calls but Skype. This is a severe threat to mobile operators’ (present) business case. What KPN Mobile and all others are catching up on, is that it has entered the ISP realm, with different business models, different priorities, different security issues and moreover different customers, with different needs.
A dumb question
But now a maybe dumb question, but to quote my old German teacher, Mr. Ostendorf: “There are no dumb questions, only people that do not get answers because they do not ask questions”.
We do not want to receive spam, malware, phishing e-mails, etc. What techniques do ISP (and hopefully the mobile ISPs as well) use to filter these messages? Can they afford to discriminate between messages? In order to find the link leading to an infected or a spam site within a message, isn’t it necessary to delve deep into a packet to find the traces the spammers leave? Or is this different, a different technique? And hasn’t ENISA regularly asked ISPs whether they do ingress and egress filtering on spam for it’s spam report? What do AV companies’ products do? If there’s no difference in technique, is it then the moral difference between inspecting a message before it is really sent out on the web and inspecting a message before someone receives the message?
Privacy trots a thin line on the Internet
I appreciate this discussion is a very fine line from a privacy point of view. But it is only in fairness that within political and/or judicial circles this line should be defined. What is allowed and what is not? What if the criminal investigation that is allegedly started against KPN because of DPI concludes that DPI is not allowed? What are the consequence for spam, phishing and malware filtering? Is everything that is filtered on the Internet covered by im- or explicit consent of the end user? How can we ever expect ISPs to filter egress traffic and thus save the world from a lot of harm, if they are not allowed to do checks?
In short, conclusions drawn fast after this admission may have been drawn to fast. Does anyone care to react to my questions so we get clear what is exactly going on and more importantly where it should go?
Wout de Natris, De Natris Consult
Leiderdorp, 2 June 2011