How European telcos are monitoring people’s online activity

by Katherine Barnett
The security and privacy of personal data are being jeopardised as Deep Packet Inspection is deployed by internet service providers.
Europe has not escaped the global move towards ‘surveillance capitalism’. Numerous pieces of legislation are under consideration which put online freedoms and privacy at risk—the UK’s Online Harms white paper is just one example.
Now European telecommunication companies and internet service providers (ISPs) are also under scrutiny for their use of invasive practices which disregard user security and infringe users’ right to privacy.
Deep Packet Inspection
The European Digital Rights (EDRi) organisation recently discovered that European telcos were monitoring internet connections and traffic through a technique known as Deep Packet Inspection (DPI).
European telcos have so far escaped penalisation for their use of DPI, on the grounds that it counts as ‘traffic management’. Under current net-neutrality law, it is technically allowed for purposes of network optimisation—but its use for commercial or surveillance purposes is banned.
In January, however, the EDRi produced a report outlining how as many as 186 European ISPs had been violating this constraint, using DPI to affect the pricing of certain data packages and to slow down internet services running over-capacity. Alongside 45 other NGOs and academics, it is pushing for the use of DPI to be terminated, having sent an open letter to EU authorities warning of the dangers.
‘Opening the envelope’
Deep Packet Inspection is a method of inspecting traffic sent across a user’s network. It allows an ISP to see the contents of unencrypted data packets and grants it the ability to reroute or block traffic.
Data packets sent over a network are conventionally filtered by examining the ‘header’ of each packet, meaning the content of data travelling over the network remains private. They work like letters, with simple packet filtering allowing ISPs to see only the ‘address’ on the envelope but not the contents.
DPI however gives ISPs the ability to ‘open the envelope’ and view the contents of data packets. It can also be used to block or completely reroute data.
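The difference can be made concrete with a short Python sketch, added here as an illustration and not part of the original article. It builds two constructed packets (documentation IP ranges and a made-up host name, `health.example`) and compares what a header-only filter and a DPI device can each read; the second packet carries random bytes standing in for encrypted content.

```python
import hashlib
import socket
import struct

def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4 + TCP packet; checksums are left at 0 (sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def header_view(pkt):
    """Simple packet filtering: only the 'address on the envelope'."""
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport}

def dpi_view(pkt):
    """DPI: the header fields plus whatever the payload gives away."""
    view = header_view(pkt)
    ihl = (pkt[0] & 0x0F) * 4
    payload = pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]  # skip the TCP header too
    lines = payload.split(b"\r\n")
    request = lines[0].split(b" ")
    if len(request) == 3 and request[2].startswith(b"HTTP/"):
        view["path"] = request[1].decode("ascii", "replace")
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                view["host"] = line[5:].strip().decode("ascii", "replace")
    else:
        view["payload"] = f"opaque, {len(payload)} bytes"
    return view

# Constructed samples (documentation address ranges, made-up host name).
CLEAR = build_packet("192.0.2.10", "198.51.100.7", 51000, 80,
                     b"GET /conditions/asthma HTTP/1.1\r\nHost: health.example\r\n\r\n")
# 64 pseudo-random bytes standing in for the ciphertext of an encrypted session.
TUNNEL = build_packet("192.0.2.10", "203.0.113.5", 51001, 443,
                      hashlib.sha256(b"a").digest() + hashlib.sha256(b"b").digest())

if __name__ == "__main__":
    for name, pkt in (("cleartext", CLEAR), ("encrypted", TUNNEL)):
        print(name, "| filter sees:", header_view(pkt), "| DPI sees:", dpi_view(pkt))
```

For the unencrypted request, the DPI view adds the site name and the page requested to the addresses and ports; for the encrypted one, it learns nothing beyond what the header already showed.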
Blatant disregard
Regulators have so far turned a blind eye to this blatant disregard for net-neutrality law and telcos are pushing for DPI to be fully legalised. This sparks major concerns about user privacy and security, as DPI renders visible all unencrypted data sent across a user’s connection, allowing ISPs to see browsing activity. In its letter to European authorities, the EDRi said DPI ‘can reveal sensitive information about a user, such as preferred news publications, interest in specific health conditions, sexual preferences, or religious beliefs’.
These data could be used by ISPs to alter one’s services, based on personal preferences and habits. Not only that, but any ill-intentioned individual with access could potentially use them to facilitate cybercrime, such as identity fraud.
As well as infringing our right to privacy, DPI enables ISPs to block or alter a user’s traffic. This could be used to slow or disrupt a user’s connection to competitor sites, giving the ISP an unfair advantage.
Slippery slope
If DPI is legalised, it is likely we will pay dearly. ISPs will feel encouraged to continue personalised pricing and site-throttling. And they will likely take it as a green light to use our data in more invasive and inventive ways.
Moreover, the legalisation of DPI could lead us down a slippery slope of surveillance. Used in totalitarian countries such as China, DPI enables governments to monitor their citizens’ internet habits and easily block any blacklisted sites. Not surprisingly, this allows mass censorship to flourish, with sites which don’t toe the party line or purportedly threaten ‘national security’ removed from public access.
It’s easy to see why the use of DPI should be a cause for concern among European citizens. If legalised, it would effectively give the go-ahead for increased surveillance by the companies we are already paying with our money and investing with our trust.
Huge mistake
With public consultation on the EU’s net-neutrality laws set to take place this autumn, and new laws being voted on in March 2020, the EDRi’s letter clarifies the dangers of DPI and how its legalisation would be a huge mistake.
In addition to supporting this work, individuals can take measures to help secure their data. Using a virtual private network (VPN) is one. It keeps personal data private by encrypting them between the user’s device and a remote server, making them unreadable to anyone spying on the network, such as the ISP. The ISP is only able to tell that a VPN is being used—not what one is doing online.
VPNs also enable users to circumvent site-blocks, helping those living under oppressive, heavily-censored regimes to remain connected to the wider world. It is however important to pick a VPN which is highly trusted and meets one’s personal needs.
Digital rights
The EDRi has rightly identified the significant risks to privacy and security which would flow from authorising the use of DPI by European telcos. As this has so far gone unpenalised, we can only hope that the letter and associated publicity will go some way towards ensuring it does not become common practice.
What the use of DPI by ISPs has clearly shown is that companies cannot be trusted to look after our data and it is necessary for us to take our privacy into our own hands. Ultimately, our digital rights and freedoms depend on it.
(Katherine Barnett is a censorship and digital-rights researcher at the VPN review site Top10VPN.com.)