Sandvine recently submitted our comments to the Federal Communications Commission’s (FCC) Notice of Proposed Rulemaking (NPRM), “In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.”
In its NPRM, the FCC asked whether deep packet inspection should be used only for “reasonable network management,” and nothing else. Sandvine focused our response on this issue.
From a network engineering and architectural perspective, DPI is the act of any network equipment which is not an endpoint of a communication using any field other than the Layer 3 header information for any purpose. Even Wikipedia agrees with this definition, so it must be right.
DPI is (and has been) a core part of the Internet’s infrastructure (and Sandvine’s own offerings) for years, and for multiple critical use cases beyond reasonable traffic management. It’s surprising that the FCC, as industry regulators, wouldn’t know this. In Sandvine’s case alone, our DPI-supported solutions help communications service providers:
- Create and accurately charge for innovative application-specific (or agnostic) service plans that enhance consumer control and choice, like you may see with offerings like T-Mobile’s Binge On for video streaming (not a Sandvine customer);
- Gain an understanding of network traffic, down to the application level, to improve capacity planning, plan new services, understand and improve subscriber quality of experience and detect fraud;
- Manage traffic when the network is congested, to meet subscribers’ quality expectations;
- Protect the network and subscribers from malicious cyber-attacks, like phishing, cryptolockers, DDoS and Spam, enable parental controls, and support legislative requirements to block child pornography and other illegal material;
- Engage with subscribers at critical moments to improve service, such as through context sensitive alerts about usage levels, security warnings, roaming charges, and quality of experience issues;
Of these, reasonable network management (point 3) only represented 17% of Sandvine’s software order value in 2015; a full 62% supported innovative subscriber service plans (point 1).
Looking outside of Sandvine, if DPI was restricted to reasonable network management, here is an incomplete list of critical network equipment and solutions that the FCC would, with a wave of its regulatory wand, render obsolete:
- NetFlow (Cisco) (and Jflow (Juniper), NetStream (Huawei), Cflowd (Alcatel-Lucent), Rflow (Ericsson)). Data from NetFlow (and the variants listed here) is arguably the industry standard for BIAS providers’ capacity planning activities and is used extensively in network security and other use cases;
- IPFIX, essentially the IETF’s (the Internet’s primary standards body) implementation of NetFlow;
- IPDR (IP Detail Record): originally a billing standard and widely used today for quality, capacity, and billing purposes in the Cable industry;
- Packet gateways from Cisco, Huawei, Alcatel, Ericcson, etc., which incorporate DPI for multiple use cases, including charging for subscriber services;
- Routers: look at data like the Layer 7 Session Initiation Protocol (SIP) exchange to extract flow information to let VoIP call data through;
- Firewalls/intrusion protection systems, and intrusion detection systems all protect the network from malicious attacks;
- NAT – DPI is also a key part of the innovation in allowing a migration from IPv4 to IPv6, allowing a network operator to convert from one to the other using carrier-grade network-address-translation (NAT), and keeping protocols such as VoIP operational.
So why, then, would the FCC even be asking about DPI? Presumably they are unaware of the ubiquity and utility of DPI. Also, DPI’s “brand” was damaged in the U.S. during 2008 by a behavioural targeted advertising vendor called NebuAd. Their solution used DPI to track users’ behaviours online to present more targeted (and therefore higher priced) ads, and were deployed without asking subscribers if it was okay, or at best with opt-out permissions. Unsurprisingly, NebuAd failed, but know this:
Behavioural targeted advertising is not a common use case for DPI amongst service providers (and not one that Sandvine supports at all).
By way of reaction to the NebuAd debacle, the U.S. House Subcommittee on Telecommunications and the Internet held a hearing in 2008 on the privacy implications of DPI. It’s a little like holding a hearing on Single Lens Reflex technology in response to a peeper with a camera in your neighbourhood. The technology is not the problem. Certainly a video camera, sketch pad or just a set of eyes are just as problematic under the circumstances. The Subcommittee should have held a hearing on behavioural targeted advertising, however it’s achieved. For example, Google and others gather the same data about users’ behaviour online with an entirely different technology: “cookies.”
So, in our FCC submission we emphasized a single point: focus on the use case, not the technology.
Gathering the necessary data to create an accurate bill or to mitigate malicious traffic does not create a privacy issue. Interestingly the NPRM explicitly acknowledges that fact in paragraphs 115 and 117. Does the data become any more sensitive whether it’s collected by DPI or other technologies? Clearly not.
In its Open Internet Order, the FCC correctly emphasizes that service providers have no place picking winners and losers in what they call the Edge Provider market (e.g., Google, Facebook, etc.). Certainly then the FCC has no place picking winners and losers amongst networking technologies or vendors.
Perhaps the solution here is to “re-brand DPI”. After all, what self-respecting House Subcommittee would hold a hearing on “cookies”? They’re delicious, right? Kids love them. By contrast, you hear the words “deep packet inspection” and you simultaneously hear the snap of a rubber glove. That’s what happens when you let really smart engineers name something.
Here’s our suggestion. DPI is part of the “meat” of the Internet; it’s essential to the Internet’s health and operation; it’s good for subscribers; and it’s everywhere. Has been for years. How about: DPI, the Dietary Protein of the Internet?
Or, how about we just focus on the use case, not the technology. Your choice, FCC.