School of Information Studies, Syracuse University, USA
This paper examines political conflict and negotiation over proposals to use deep packet inspection for online copyright enforcement. It conducts a comparative analysis of the way DPI (or other techniques that may be viewed as a substitute for DPI) has been promoted or employed in the battle against peer to peer file sharing in the EU and USA. Applying the “technology aware policy analysis” framework developed in Bendrath and Mueller (2011), it contrasts the distinct actors, actor constellations and modes of interaction across institutional settings to see how similar or divergent the governance outcomes are.
Proposal development supported by Next Generation Infrastructure Foundation, Netherlands
U.S. research supported by Science, Technology and Society program of the Social, Economic and Behavioral Science Directorate of NSF
The Internet created a new, globalized virtual space without borders and with very few controls. A vast expanse for communication opened up to its users, and as more and more media and modes of communication became digitized, internetworking came to dominate the entire information economy. The Internet’s initial freedom from control has led to many good things but has also opened a space for problems, such as cybercrime or cyberespionage, leading to growing calls for more regulation.
One of the most high-stakes clashes over Internet control involves copyright. The Internet has undermined the exclusivity of publishers’ control over digital (or digitizable) goods, such as recorded music, movies, books and software. The fate of this multi-billion dollar market on the Internet has sparked intense political, economic and regulatory contention for 15 years (Samuelson 1996; Litman 2001; Bach 2004; Gillespie 2007). Copyright holders are a powerful, globally organized economic interest group. Trade organizations such as publishers associations, the Business Software Alliance (BSA), the International Federation of the Phonographic Industry (IFPI), the Motion Picture Association (MPA) and the Recording Industry Association of America (RIAA) have gained strong influence over policy makers in national and international arenas. Equally mobilized, if not as well-resourced, are the supporters of Internet freedom and access to knowledge. They believe that copyright and other forms of intellectual property are being overextended, and transformed into monopoly rents and tools of online repression (Vaidhyanathan 2001; Stallman 2002; Lessig 2005). These battles over online intellectual property have been described as one of the four key drivers of global Internet governance (Mueller 2010).
Ten to fifteen years ago, it was unthinkable to contemplate regulatory mechanisms predicated on the notion that the network itself could monitor the activities of users and automatically detect and stop illegal or objectionable activity. Yet the progress of information technology now makes it not only thinkable, but in some respects do-able. A network management and surveillance technology known as deep packet inspection (DPI) can be used to detect or block the sharing of copyrighted digital media. That new capability is the topic of this paper. We analyze the way DPI has been promoted, debated or employed in the battles around copyright protection on the Internet. We use a case study method to compare and contrast developments in Europe and the USA. The research is part of a larger project conducted at Syracuse University with collaborators in Europe. It asks whether DPI constitutes a disruptive technology that is altering basic principles and norms of Internet governance, or whether the application and use of DPI will be constrained by pre-established principles and norms. Applying the “technology aware policy analysis” framework developed in Bendrath and Mueller (2011), it contrasts the distinct actors, actor constellations and modes of interaction across institutional settings to see how similar or divergent the governance outcomes are. In so doing, it tries to understand the co-production of technology and society, while providing a useful descriptive analysis of the policy debate over DPI use for copyright protection in both settings.
What is DPI?
The original Internet protocols assumed that the network's routers would scan only the header of an Internet Protocol (IP) packet. Deep packet inspection (DPI) allows network operators to scan IP packets in their entirety. (Dharmapurikar et al. 2004) A network using DPI is able to classify and analyze IP traffic using three techniques:
Pattern matching scans packets for strings or generic bit and byte patterns (known as “regular expressions” or “signatures”) anywhere in the packet, including the payload portion (Kumar, Turner, and Williams 2006; Artan and Chao 2007).
Behavioral analysis scans packets for recognizable, pre-defined patterns in the communication behavior of an application, including absolute and relative packet sizes, per-flow data and packet rates, number of flows and new flow rate per application (Mochalski and Schulze 2009).
Statistical analysis identifies different transmission types based on the statistical characteristics of packet flows.
The latter two allow DPI to analyze traffic even when it is encrypted (Rossenhövel 2008).
DPI does more than analyze the traffic; it can be programmed to make decisions about how to handle packets or a stream of packets based on the recognition of a regular expression or pattern in the payload. This allows networks to classify and control (e.g., block, slow down, record) traffic based on the content, applications, and users.
Our approach to the phenomenon of DPI is rooted in theories about the relationship between technology and society, specifically theories of “disruptive” technology and “co-production” of technology and society (Danneels 2004; Harbers 2005). Considered abstractly, DPI has the potential to be a disruptive technology in the domain of Internet governance and operations. By “disruptive” we mean that new technologies can destabilize established social structures and practices. The struggle over this destabilization is likely to play out in politics and in legal and regulatory arrangements as well as in markets and industrial organization. A new technological capacity can alter the prevailing governance regime.
Our approach tries to avoid what we see as the false dichotomy between realism (technological determinism) and pure social constructivism. As an alternative, we try to provide a more robust understanding of the co-production of technology and its social governance. Defined simply, co-production describes a path-dependent process in which technological capabilities, actors and institutions mutually constitute each other through strategic interactions. In this shaping, the characteristics and capabilities of the technology matter, but so does the institutional setting and the specific actors involved. The notion of co-production is an attempt to bridge the dichotomy between realism and a constructivism that sees technology as a construct of cultural and sociological forces with no agency of its own (Disco 2005).
DPI’s disruptive potential for Internet governance can be attributed to the way its use by specific actors in specific use cases can clash with three established principles of Internet governance: end to end architecture, carrierimmunity and user privacy.
1) The end to end argument is an architectural principle that tries to put control over networked applications in end users’ devices rather than in the network itself (Carpenter 1996; Saltzer, Reed, and Clark 1984);
2) Immunity refers to the limitation of public carriers’ responsibility for the actions of their users, such as Section 230 of the U.S. 1996 Communications Decency Act or the European Union E-Commerce Directive (2000/31/EC). These exemptions were thought to enhance freedom of expression and economic innovation by removing the incentive for service providers to monitor and restrict customers’ actions in order to shield themselves from legal liability. DPI alters the dynamics of the debate over intermediary liability by increasing the capacity of the intermediary service provider to detect and act on certain kinds of activities taking place over its facilities.
3) Privacy means that DPI can clash with the end user’s expectation that the content of their communications are private, and that the commercial network service provider is providing a simple conveyance function that leaves the user with primary knowledge and control over what is conveyed.
As one might expect, the clash between DPI capabilities and established Internet architectures, laws and norms means that the scope and manner of DPI use is being actively contested politically. At one extreme there are claims that it represents the “end of the Internet” (Chester 2006; Riley and Scott 2009); at the other extreme it is hailed as a straightforward technical solution to many of the Internet’s problems. (Allot 2007; Vorhaus and Bieberich 2007)
Copyright as an Application of DPI
DPI has many applications. It can be used to implement Internet censorship, to manage bandwidth, to institute governmental surveillance, and to profile customers for advertising purposes. We refer to each of these applications as a distinct use-case. Each use-case will have a different politics, as the DPI application and the institutional setting together create distinctive actor constellations and modes of interaction among the actors (Bendrath and Mueller 2011).
In response to the growth of file-sharing online and the limited success of litigation in protecting digitized material on the Internet, copyright holders have shown increasing interest in placing surveillance and enforcement directly in the network. Since about 2005, rights-holders have been promoting the idea that ISPs should take greater responsibility for policing the actions of Internet users (De Beer and Clemmer 2009). The concept of an ISP includes not only commercial service providers, but University residential and campus networks, long considered hotbeds of file-sharing activity. Copyright holders have seized upon the increasingly powerful capabilities of DPI technology to urge those who run networks to deploy “technical measures” – usually a code word for some form of DPI – to police copyright violations.
DPI for copyright enforcement typically works on a “fingerprinting” model. Copyright holders use a vendor’s (proprietary) software to generate a fingerprint or signature that calculates the distinctive perceptual features of the media that can identify its source. Unlike virus detection, DPI for copyright cannot rely on a simple match of a signature; it must recognize the same copyrighted video and music in different media formats or compression levels. Typically a DPI appliance is installed to examine copies of packets flowing over a network. It reassembles the streams of packets as if it was an end user’s computer and decides whether it is media content. If it is, it examines the content and creates a fingerprint of it. It then executes a calculation to determine whether the fingerprint of the file moving across the network matches the fingerprint of one of the millions of registered copyrighted material stored in the appliance.
There is an alternative model of copyright surveillance and enforcement that need not rely on DPI. In this model, sometimes called “over the top” (OTT), copyright holders or their hired agents conduct surveillance of network activity themselves, for example by operating torrents in file-sharing networks. They collect the IP addresses of those involved in file sharing and then ask ISPs to map the IP addresses they have gathered to specific customer accounts in an expedited fashion. The end users are then subjected to service of legal process. This model, too, works best with ISP cooperation. The ISP may be asked to identify users, notify them and restrict or discontinue their service.
Thus, through the combination of DPI-based or OTT surveillance, ISPs can be enlisted in i) surveillance of network activity, ii) the identification of users, iii) the notification of users, iv) the blocking of illicit traffic and/or v) disconnection of repeat offenders. Table 1 below diagrams the different modes of copyright enforcement, contrasting current methods (status quo) with DPI-based based methods (inside the network) and hybrid models under discussion in Europe. While we cannot claim that DPI technology is solely responsible for these challenges to the principle of intermediary immunity, its ability to scale up ISPs’ ability to identify network traffic and automate certain responses has played a major role in altering the terms of the dialogue and lending credibility to certain policy proposals.
Our theory leads us to believe that the application of DPI to copyright will differ in a very important respect from other applications. DPI use for network security, bandwidth optimization and targeted advertising directly serve the economic interest of the Internet service providers. Copyright protection, on the other hand, is mostly inimical to an ISP’s economic interests. While it benefits the right-holder, it imposes administrative and hardware costs on the ISP, undermines their immunities and alienates or cuts off customers. It follows that ISPs will not adopt DPI for copyright protection services of their own volition. Either they must be forced to do so through hierarchical exercises of state regulatory authority, or the copyright owners must negotiate with ISPs to induce them to comply. Some combination of both is of course possible. With this framework in mind, we now turn to the analysis of the case studies.
Modes of Copyright Enforcement on the Internet
Inside the Network
Outside the Network
Right holder (OTT)
DPI and Copyright Policing in the European Union
Online copyright enforcement has led to interwoven and complex political discussions in the European Union. Legislative and judicial proceedings spanning telecommunications law, copyright law, e-commerce and privacy, as well as private negotiations and MoUs among stakeholders, have elicited harsh political debates. The conflict pits copyright holders on one side against network operators and civil society on the other. The precipitating cause of this conflict was the phenomenon of peer to peer file sharing, which facilitated mass, unauthorized exchanges of copyrighted movies and music. This led rights holders to believe that ISPs should become partners in online copyright enforcement.
Proposals converged on the notion of “graduated response” and the associated shift of responsibilities towards ISPs. Graduated response, sometimes known as “three strikes,” involves ongoing surveillance of Internet users’ activities, the identification and notification of those responsible for copyright infringement, and suspension or termination of Internet service for repeat offenders. As noted earlier, ISP cooperation is a prerequisite for an effective graduated response strategy. In striving to achieve this goal, copyright holders’ first political achievement was the Cannes Declaration in 2005, which expressed the Ministers’ and EU Commissioners’ support for “the ‘graduated response’ to unauthorized file-sharing or downloading of films which is being advocated in a number of Member States now […].”1 But this policy was opposed by the representatives of ISPs, as well as activists for civil rights such as La Quadrature du Net, the European Digital Rights Initiative (EDRI), and representatives of consumer protection organizations. In Europe, political debate has focused on the cost and feasibility of making ISPs perform these functions, privacy, and whether its reliance on automated judgments and technical systems undermines fundamental human rights to Internet access and judicial process. The Bureau Européen des Unions de Consommateurs (BEUC), the European Consumers’ Organization, has repeatedly raised its voice against the deployment of technical measures and has opposed the weakening of ISP immunity regulations. BEUC explicitly mentions DPI techniques as a threat to the security of personal data and privacy rights.2
DPI and Graduated Response in Individual States
Before it flowered into a Europe-wide controversy, national-level battles over DPI and ISP responsibility set the stage. Since 2004, the European music industry tried to use national courts to establish a secondary liability for ISPs whose customers illegally share copyrighted material. If saddled with such liability, ISPs would be forced to install DPI technology to detect and block unauthorized sharing of copyrighted music.
This strategy appeared to succeed in June 2007, when the Belgian music industry association (SABAM) won an injunction from the Court of First Instance in Brussels requiring ISP Scarlet to install Audible Magic DPI technology to catch music piracy among its customers. EMI, Sony, Warner and Universal then sued the largest Internet provider in Ireland, Eircom, on similar grounds in 2008. The music industry sought an injunction from the Dublin High Court which would have required Eircom to establish the same Audible Magic appliance as in Belgium (McIntyre 2008a). But during the appeals process in October 2008, the Belgian ISP convinced the court that the DPI technology did not work and had not, as the music industry claimed, already been used elsewhere. The trial court in Belgium lifted the injunction against Scarlet (McIntyre 2008). This pressured the music industry to reach an out of court settlement with Eircom, in which Eircom would implement a graduated response policy disconnecting users from the internet after they have been identified using OTT methods as illegally distributing music on file-sharing platforms three times. (McIntyre 2009)
Horten (2011, 90-93) describes how France’s Olivenne Commission paved the way for a new law mandating graduated response. Late in 2007 the Commission engineered a Memorandum of Understanding (MoU) among ISPs and rights holders to experiment with technologies to identify and filter out illegal file sharing. For repeated infringers, a “Three-Strikes-Policy” was recommended. A regulatory entity would be created to oversee adherence to the agreement; non-collaboration by ISPs could lead to sanctions. The Olivenne MoU laid the basis for France’s HADOPI law and had a significant impact on the initial EU Telecoms Reform proposals.
As part of this agreement, two tests on P2P filtering were run by the German test laboratory EANTC in 2007 and 2009. The first test found that two appliances, the Ellacoya E30 and Ipoque PRX-5g detected 90% of the encrypted and non-encrypted P2P traffic with no significant impact on network performance. The second laboratory test found that a third technology (Vedicis VP10G) could detect 99.91% of P2P traffic and was able to block 99.98% of illegal content, allegedly with impact on the network performance or on ‘legal’ content.3 The UK also produced a ‘voluntary’ MoU among rights holders, ISPs and government agencies to address unlawful file sharing on July 24, 2008.4 It set a framework for a self-regulatory regime which attempted to achieve, within 2-3 years, notification of users when their account is used for unlawful file sharing; a three month trial to send notifications to 1000 subscribers per week who were identified to be engaged in illegal file sharing; and identification of mechanisms to deal with repeat infringers, “including technical measures such as traffic management or filtering, and marking of content”.5 Initially the agreement entailed warnings with no sanctions, but the British government stated its intention to legislate if the two industries could not agree on more permanent, followup measures.
The French and UK MoU negotiations both influenced and were affected by the EU Telecoms Package. In both cases, the ISPs were reluctant or opposed to the arrangement These negotiated agreements built the foundation for hierarchical decision making, as the graduated response approach was enacted into law in France in September 2009 (HADOPI law) and the UK in 2010 (Digital Economy Act).
The EU Telecoms Reform In the EU Telecoms Package, copyright lobbyists attempted to make a graduated response approach based on the French model compulsory on a Europe-wide basis. On November 13, 2007, Commissioner Viviane Reding introduced to the European Parliament the first draft of the EU Telecoms Package, a comprehensive policy reform that amended several existing directives in order to unify the EU Member States’ telecommunications market. The rights holders seized upon the telecom reform because it was the only way to get uniform contractual provisions authorizing ISPs to disconnect subscribers for copyright infringement; this could not be done through modifying copyright law. (Horten, 2011, 114) Internet activists and consumer protection organizations strongly resisted, seeing the right to information and freedom of expression threatened. In these debates, consumer advocates linked DPI technology to graduated response policies.6 Widespread public mobilizations against it ensured that the graduated response model was ultimately rejected in the European Parliament.
The European Parliament finally approved the Telecom Package in its 3rd reading on November 9, 2009. The regulations were supposed to be transposed into national laws by May 2011. Because of the graduated response controversy, the legislation contained a new “Internet Freedom” provision stating that any measures Member States take regarding end-users’ access to Internet services “shall respect the fundamental rights and freedoms of natural persons.” According to Commissioner Reding, then in charge of the EU Telecom Reform, “'Three-strikes-laws, which could cut off Internet access without a prior fair and impartial procedure or without effective and timely judicial review, will certainly not become part of European law” (European Commission 2009a).
The Internet Freedom provision may not be applicable to private agreements among ISPs and right holders, which made some Internet rights advocates critical about the outcome of the reform. But from the copyright holders’ perspective, the outcome was definitely a failure. No hierarchical direction obligates ISPs to police their network to prevent copyright infringements.