The Privacy Commissioner of Canada is investigating a complaint that Bell Canada monitored people’s online activities and the content of their e-mails without their prior consent.
Reports that large Internet service providers (ISPs) such as Bell and Rogers Communications may be using so-called “deep packet inspection” (DPI) technology to peer into people’s e-mails, surfaced anew when Canadian Internet Policy and Public Interest Clinic (CIPPIC), an Ottawa-based Internet watchdog and privacy law advisory body filed the complaint before the commission late Friday.
“Yes, we are opening a complaint file on Bell and we will be investigating,” said Anne-Marie Hayden, public relations officer at the Canada’s Privacy Commissioner’s office.
Philippa Lawson, executive director of CIPPIC, said her organization’s attention was drawn to the matter by individual Internet users, media reports and a recent complaint by the Canadian Association of Internet Providers (CAIP), an organization of Internet service resellers.
CAIP complained to the Canadian Radio-television Telecommunications Commission (CRTC) that claimed Bell was using DPI.
“We felt the Privacy Commission was the proper venue [to resolve] this issue.”
Bell Canada, however, yesterday refuted allegations that it was breaching the privacy of Internet users.
“Bell respects the privacy of our customers,” said Pierre Leclerc, director of Media Relations, Bell Canada in an e-mail. “We are in compliance with our privacy obligations. We don’t look at the content customers access.”
Rogers Communications issued a similar denial.
“We are in no way monitoring customers’ online activity. Deep packet inspection is used purely for network management purposes,” said Ken Engelhart, senior vice-president, regulatory affairs, for Rogers Communications.
CIPPIC claims Bell Canada’s efforts towards informing customers about their privacy rights fall short of meeting the legal requirements – outlined in the Personal Information Protection and Electronic Documents Act (PIPEDA).
These call for “readily available” privacy policies that can be accessed by consumers “without unreasonable effort”.
Information sent through the Internet is broken into packets of data on transit. The network re-assembles these packets to form packets are re-assembled to form the original message when they reach their destination.
Typically, ISPs monitor online traffic using what is known as shallow packet inspection technology. The technique allows ISPs to read the headers of data packets being transmitted on the Internet.
It might provide information on the origin and destination IP (Internet Protocol) addresses of a particular packet but this is of very little use.
This is much like reading the writing on the outside of a physical postal mail message.
“DPI goes beyond the headers,” Lawson notes. “It can read the packet contents (also known as payload) much like opening a letter and reading its contents,” said Lawson.
Large ISPs say DPI technology is necessary to manage network traffic also known as “traffic shaping.”
For example, Engelhart of Rogers said his company uses the technology for network efficiency purposes such as when the company separates Peer-to-Peer (P2P) traffic from other transmissions.
P2P traffic is typically made up of the online uploads and downloads into computers of large files such as music and video files.
“These P2P transmissions need to be separated from other traffic because they take too much from our network’s capacity and slow down other types of traffic,” he said
It its submission to the Privacy Commission, CIPPIC said: “Critics have suggested, however, that there may be other motives behind traffic shaping by ISPs, including slowing down of competitor traffic (whether the competitor is a wholesale ISP or a user sharing competing content via P2P), and development of methods by which to extract more revenue from Internet traffic.”
CIPPIC noted that Bell had previously admitted to engaging in “Internet traffic management” at both retail and wholesale levels.
The telecom firm described its traffic management technique “as a mechanism to allow for a better allocation of bandwidth for all users that share a common network”
On March 28, the telecommunication company also wrote to some of its wholesale ISP customers and confirmed it had began using traffic shaping techniques on its own Internet subscribers and on the subscribers among CAIP’s membership.
Rogers Communications has also been the subject of earlier complaints about traffic shaping, and other Canadian ISPs including Shaw Communications, Cogeco, and EastLink have been accused in engaging in the practice, according to the Internet privacy watchdog.
One Canadian technology analyst said DPI technology can also be used for marketing purposes.
“It’s highly possible that the technology is being used to monitor Internet traffic in order to formulate more targeted marketing campaigns, ” said Michelle Warren, senior technology analyst at Info-Tech Research Group based in London, Ont.
Her concern though is that Internet users are not being adequately warned by ISPs that their e-mails are being monitored.
“They’re not really giving us any heads up on their activities.”
CIPPIC strongly opposes the use of DPI because it allows “intrusive monitoring of content and information which customers transmit and receive.”
“ISPs have no justifiable reason to capture this sort of information. We need to determine what privacy rights are being trampled and for what purpose,” Lawson said.
She said answers to these questions must be obtained soon because companies are using a highly intrusive technology that “continues to evolve even before we can comprehend its impact.”
She said DPI raises serious privacy concerns because such tools can peek inside data packets assemble them into legible records of a person’s e-mail, Web browsing activity, Voice over IP calls and passwords.
Information about data packets gathered by ISPs through the use of DPI can be associated with identifiable subscribers via the IP addresses attached to those data packets.
The technology can also encompass packet modification, blocking and filtering or re-direction of traffic.
“The Privacy Commissioner’s office needs to determine what sort of information is being accessed and to what end,” Lawson said.