Is deep-packet inspection a criminal offence?

"These are not the packets you are looking for"

Things are heating up in the fight against piracy in the UK.  Virgin Media has announced that it will use deep packet inspection (DPI) software to analyse whether its customers are sharing copyright infringing material.  Privacy International has brought this practice to the attention of both the European Commission and the Information Commissioner, who are looking into the affair.  But most interestingly, Privacy International has also threatened to report Virgin Media to the Metropolitan Police for contravening the Regulation of Investigatory Powers Act (RIPA, yes, the acronym does sound like a flesh-eating dinosaur, or a killer robot).

It seems clear that Virgin’s DPI system is similar to our old friend Phorm, and the European Commission has already made it clear that it considers such technologies as interception, and that clear customer consent is required in such cases.  I would not be surprised if they have similar objections against Virgin Media’s software.

However, the claim that deep packet inspection might constitute a criminal offence is much more interesting from a legal perspective.  RIPA establishes a criminal offence for the interception of telecommunications.  It defines interception like this:

“For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—

(a) so modifies or interferes with the system, or its operation,
(b) so monitors transmissions made by means of the system, or
(c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,

as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.”

There are several elements here, but the most important one is that some or all of the communication must be made available to non-intended receivers, and that such communication must have been interfered with or monitored.  Here is where we need to analyse in more detail what is considered deep packet inspection in order to ascertain if it fulfils the cited definition.  Internet transmissions are not a monolithic set of bits, they are broken up into packets of information; Internet packets (or IP packets), consist of two elements, the header (which describes the information contained in the packet), and the payload (the information itself).  Most packet inspection only looks at the header, and therefore it does not know what type of data may be contained in the payload.  Deep packet inspection looks at the packet information itself to determine if it may match a certain objectionable data profiles, such as viruses, worms, spam, or denial-of-service attacks.  DPI does not look at the semantic meaning of the data, but looks for data profiles, so DPI will in theory know that what you are looking is a picture, but it will not know that you are looking at a lolcat or a Picasso.  However, the uniqueness of information is such that it would be easy to build profiles of usage data that could have serious privacy implications.

Modern DPI systems claim to be able to provide both security and privacy, but as with Phorm, we might be faced with slippery-slope arguments.  Virgin claims that the data is anonymous, and that “CView works at a core-network level, and simply analyses, entirely anonymously, the percentage of data that flows across the network that is copyrighted and being shared unlawfully”.  Nonetheless, a strict reading of the definition in RIPA would lead one to believe that DPI fulfils that definition, and therefore it could be considered interception, and hence a criminal offence.  Nonetheless, the language of the relevant section in RIPA is very broad, so it is hard to determine if the Crown Prosecution and the courts would agree.

What seems clear is that Virgin may have a lengthy legal dispute in its hands if it insists on using DPI.  While they have not stated it, Virgin might be taking this decision in order to pre-empt any potential legal threats as content owners insist more and more on making ISPs liable for illegal content shared in their networks. It will be interesting to see if other ISPs follow Virgin’s lead.

Update: John Halton has usefully pointed out that the Lawful Business Practice Regulations 2000 might apply here. Interesting!

Update 2: And in an inevitable two fingers to surveillance, PirateBay announces its own VPN service.

3 thoughts on “Is deep-packet inspection a criminal offence?

  1. "The Lawful Business Practice Regulations 2000"

    signed by

    "Patricia Hewitt, Minister for Small Business and E-Commerce, Department of Trade and Industry"

    now a non exec director of BT Plc. Which is a little ironic.

Leave a Reply