Canada’s Privacy Commissioner is sticking to her guns in demanding Bell Canada clearly tell Internet subscribers on all of its networks that it collects some identifying information when it manages traffic.
The final decision came this week from commissioner Jennifer Stoddart, who in April found that the telco’s public explanations of its use of deep packet inspection technology (DPI) to slow traffic of some Internet subscribers doesn’t comply with its obligations under the federal privacy law, PIPEDA.
She had given time for Bell to reply to the finding, but said none of Bell’s submissions altered her conclusions and therefore issued the report.
Stoddart found Bell only collects the identifying Internet numbers of subscribers’ routers or computers, which is included in every packet of information on the Internet. These dynamic IP addresses can’t identify individuals. They can, however, be traced to a user’s ID. Stoddard concluded IP addresses are personal information, and therefore the telco could do a better job of explaining what it does.
It’s the second time an authority has chided Bell relating to its traffic management policies. Last November, the Canadian Radio-television and Telecommunications Commission rejected a call from the Canadian Association of Internet Providers to stop Bell from managing the traffic of independent Internet providers who buy connectivity from the telco. However, the commission did order Bell to better inform ISPs when it does things that will affect the performance of their networks. CAIP has asked the commission to re-examine that decision.
Bell uses DPI to punish those it believes hog bandwidth by using peer-to-peer (P2P) applications to share videos, music and other bulky files. The technology identifies the P2P headers on traffic, which the telco slows. Others online aren’t affected. Not only does Bell inspect the traffic of those on its own Internet service, it also watches the traffic of independent Internet service providers who buy connectivity from it.
The telco’s practice lead to a hearing this summer by the Canadian Radio-television and Telecommunications Commission into its authority over traffic management. The hearing is expected to resume shortly.
The privacy commissioner’s investigation stemmed from a complaint that Bell uses DPI to collect personal information from its Internet customers without their consent, that it collects more personal information than is necessary to manage its network and that it doesn’t adequately inform customers of the practice.
While Stoddart concluded that Bell collects and uses the IP addresses she also found “no evidence to believe that they are retained after they are no longer needed for the purpose of real-time traffic flow management.”
Stoddart apparently accepted Bell’s evidence that its DPI devices don’t capture any personal identification information of an individual user. Nor does it store or log any personally identifiable information including a user’s real identity, browsing history, e-mail or any content. With a filter on any network element it could inspect content, but the telco said it doesn’t.
However, the commission noted DPI can identify a user’s computer or router from its dynamic IP addresses through a user ID, although not the name of the user.
The commission has ruled before that an IP address is personal information. As a result, it concluded Bell can identify user addresses of not only its subscribers, but also of those who use Bell’s network – for example, a non-Bell subscriber who sends an e-mail to a Bell subscriber.
As for whether subscribers know this, the commission noted that in its written agreements after August, 2008 Bell subscribers have been told only “in a general way” that the telco might monitor their traffic.
The commission noted there is specific information about how and why Bell uses DPI is available on the company website in the form of questions and answers, under the heading ‘Network management.’ However, Stoddart added, there is no direct link to this page from Bell’s privacy statements meaning crucial information is spread out on Bell’s Web pages.
In fact, the commission added, although Bell said in July, 2008 it was working on adding a specific explanation for its use of DPI on its frequently asked questions page, that statement is still missing.
In April Stoddart ruled Bell has to clarify its written agreements with subscribers, that it integrate its privacy and traffic management practices better on its written and Web pages, findings she upheld. This week’s ruling says the commission is giving Bell 30 days to comply with changes to three specific documents.
The use of DPI has spawned much controversy, as evidenced by the ongoing CRTC hearing. Included in her findings, Stoddart also wrote this: “It is relatively easy to paint a picture of a network where DPI, unchecked, could be used to monitor the activities of its users. It is rarer to dispassionately examine a specific implementation of DPI on a network …
“We have found that consent and notification are commonly overlooked when new technologies are brought on line. Like many technologies, each implementation of DPI technology must be considered as an individual case and examined to ensure the appropriate protection and treatment of personal information is in place.”