With so many debates at the moment about the sancitity of browsing data, and in particular with reference to ongoing discussions about net neutrality, the issue of deep packet inspection keeps cropping up. Alissa Cooper, of the Centre for Democracy and Technology and the Oxford Internet Institute, has just published a paper on the subject, which "assess[es] how the privacy impact of DPI varies depending on the context and attempt[s] to outline a practical definition of DPI" - it might be of interest.
A pre-print version of the paper is available from Alissa's website, here.
Hi Neil,
ReplyDeletethanks a lot. This is definitely very interesting. DPI for copyright enforcement is indeed an hot topic and I expect the debate to become more and more active in the next years.
In my experience, today the industrial approach (especially in Europe) to it is "DPI is bad, we cannot do it. full-stop." In particular, operators are concerned by the fact of wiretapping "innocent" people or communications that may happen with a node under surveillance or due to a "false positive" trigger raised by the DPI equipments.
I would be definitely interested to know how your companies/clients are today approaching this problem.
I will read the article you suggest and hopefully have some more educated comments soon ;-)
Salva
Two part response, because of Blogger's limitation of characters in comments :)
ReplyDeletePart 1
DPI for copyright enforcement is indeed an hot topic
Very much so. I've had numerous discussions with rightsholders about this over the last few years, including with most of the major record labels. I'm not aware of any of the labels in the UK insisting on DPI, but, obviously, details of commercial agreements including anti-piracy provisions which I might have negotiated are confidential :(
In terms of copyright infringement, part of the problem, to my mind, comes from the differing interpretations of Art. 11 of directive 2004/48/EC, which talks about injuntions available to rightsholders:
Member States shall ensure that, where a judicial decision is taken finding an infringement of an intellectual property right, the judicial authorities may issue against the infringer an injunction aimed at prohibiting the continuation of the infringement. Where provided for by national law, non-compliance with an injunction shall, where appropriate, be subject to a recurring penalty payment, with a view to ensuring compliance. Member States shall also ensure that rightholders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe an intellectual property right, without prejudice to Article 8(3) of Directive 2001/29/EC.
The question at stake is whether the injunction which can be sought against an intermediary is one which curtails merely one instance of infringement (for example, a subscriber's downloading of "Shrek"), or whether an injunction can be applied to prevent future infringements by that subscriber (or even more widely). On the one hand, Art. 11 talks in terms of "an infringement" and is aimed at "prohibiting the continuation of the infringement" (my emphasis), which would suggest that the section is aimed at the curtailment of just one infringement, and that a separate injunction would be needed on a per-infringement basis, or else to list individually the infringements to be curtailed.
Part 2
ReplyDeleteHowever, on the other hand, the last sentence talks about measures against intermediaries, and seems to be a wider obligation to prevent infringements - for related discussion see, for example, EMI v. Eircom (although Charleston J does little to disguise his contempt for access providers, in my opinion), and, perhaps a better discussion, in L'Oreal v. eBay (CJEU).
In the fifth part of the judgment, the court held that national courts must be empowered to "order an online service provider ... to take measures that contribute not only to bringing to an end infringements committed through that marketplace, but also to preventing further infringements."
To this end, the injunctive power of the court must extend to more than merely obliging a provider to stop the behaviour at immediate issue, but also to oblige a provider to prevent repeat occurences of that behaviour.
(Since the relevant sentence of directive 2004/48/EC has not been transposed into English law yet, the High Court will need to apply the current English law as far as possible in the light of the non-transposed wording, until Parliament introduces the relevant wording.)
This would have particular impact on intermediary: if an injunction were to be obtained against an intermediary in respect of online infringement of copyright by a subscriber, the intermediary could be obliged to not only stop the active infringement, but also to prevent future infringements.
This could have a number of interpretations - that, if a subscriber is found to have infringed the copyright in a sound recording, the intermediary must act to prevent that subscriber from infringing further, and also that the intermediary must prevent- across its whole subscriber base - the infringement of copyright in a particular sound recording. The former is easier to do than the latter, and it is likely that an injunction requiring such preventative behaviour on the part of an access provider would be subject to particular scrutiny on the grounds of privacy, since it would entail the monitoring of all traffic of all subscribers. Even the former - monitoring all traffic of that one subscriber, is hugely invasive, and, if conducted on a DPI basis alone, would likely override any concept of "fair dealing" with copyright works - I'm particularly against the use of DPI without appropriate restraints to enable fair use / fair dealing (whatever you want to call exceptions to copyright's restrictions), since it makes copyright a far more powerful right than it should be.
More generally, the the CJEU laid down a high level overview of the requirements for the grant of an injunction, holding that whilst an injunction is an important tool in the enforcement of intellectual property rights, and may indeed be issued against online intermediaries, any injunction must must be effective, proportionate, dissuasive and must not create barriers to legitimate trade." (para 144) Clearly, when looking to impose a solution comprising DPI, a court would need to take into account whether this threshold has been exceeded or not.
Coincidence being what is it, I've just been asked for advice on exactly this: it transpires that the collecting societies in Greece have asked the Greek court to take interim (presumably injuctive) measures against all mobile and fixed operators, requiring them to block subscriber access to two websites. Relevant here, since one of the measures being demanded is blocking based on detection via DPI, as well as blunter filtering tools.
ReplyDeleteAlexandros - do you have any more (public) information about this?
This comment has been removed by the author.
ReplyDeleteDetection of the ISP the user is willing to connect to might be performed with or without DPI.
ReplyDeleteThe detection of the ISP with DPI is made possible by the standardization design of Lawful interception feature. Its applicability is then based on regional requirements and regulations. See: http://en.wikipedia.org/wiki/Lawful_interception
For non DPI method; the signaling which assist building the connection between the user equipment and the ISP carries information allowing the operator to allow or block that connection, or even back it off for a defined period of time (as done by 3GPP mobile phone standardization).
also see: http://www.out-law.com/en/articles/2011/october/isps-traffic-management-may-breach-data-protection-and-privacy-laws-eu-watchdog-says/
ISPs sometimes block or slow down users' access to some content during busy periods on their networks, but can also benefit from this kind of "traffic management" by charging content providers who are willing to pay for preferential access to their subscribers or by charging users more for fewer restrictions. To decide which content to "throttle" or block access to ISPs sometimes inspect personal data contained in communications. Hustinx said that this activity can be legitimate providing it complies with EU law.
ReplyDeleteLawful interception feature. Its applicability is then based on regional requirements and regulations.
Absolutely - although, whilst it varies from market to market, where LI capability is paid for by local law enforcement agencies, they are generally unwilling for it to be used for purposes other than lawful interception. Also, in the case of markets with similar rules to the UK, a service provider is not obliged to maintain interception capability sufficient to intercept all traffic all the time - for example, in the UK, capability is limited to the interception of the traffic of one subscriber in every ten thousand. Even if this were a legally (and publicly) viable solution, chances are it would not meet business demand for the kind of projects for which DPI is being considered, without a significant and costly capability upgrade. Finally, use of LI tools for non-LI purposes would likely create a *massive* PR backlash!
Hustinx said that this activity can be legitimate providing it complies with EU law.
On a similar line to the above, whilst it is perhaps reasonably straightforward to argue that something which complies with the law is legitimate, I'd be concerned about customer backlash and PR, which rather goes to the heart of the issue for me - whether, rather than if it is currently allowed, whether it should be allowed.
On the surface, traffic management seems a legitimate purpose for the use of DPI and other tools - network providers may need to manage their networks - but a counter argument would be that network providers should build infrastructure capable of handling the volume of traffic generated by their subscribers, rather than selling capacity and connections to many, and then throttling those connections when they choose to use them.
Similarly, even though the UK's Advertising Standards Agency (described by Ryanair's head of communications as "a bunch of unelected self-appointed dimwits ... clearly incapable of fairly and impartially ruling on advertising"!) seems happy with the use of the term, selling "unlimited" plans to customers, and then throttling the connection when the customer uses more than what the ISP considers reasonable, seems vaguely offensive to any notion of fair play.
Whilst the comparison is often made with the road networks, and the need to manage speed to keep the traffic flowing, it strikes me that, although a convenient analogy, it is flawed, and arises from overselling - if a restaurant offered smaller portions as the restaurant got busier during the day, to split its meat supply between all customers, I would expect it to be criticised, and told to be less greedy and serve fewer customers, rather than attempting to take as much money as possible and provide smaller portions, unless it was incredibly clear at the point of commitment that this was to be the case.
However, clearly, increasing capacity is expensive, and perhaps providers are caught between a rock and a hard place - charge too much, and they get criticised (and, in some cases, directly price regulated), even though to provide unlimited capacity to all customers would likely entail a considerable increase in bills, but attempt to manage the traffic and they get criticised too!