A bombshell letter was sent to European Union authorities last week from a collection of academics, activists, campaign groups, and private companies.
In it, they claimed that at least 186 European-based internet service providers (ISPs) were using highly invasive deep packet inspection (DPI) technology as a tool to break the regions net neutrality laws. They also claim that local regulators are turning a blind eye.
If true, this not only means that they are in breach of EU law but also that they are systematically undermining user privacy.
As readers familiar with the controversy over net neutrality in the USA will know, without effective laws, ISPs have the power to speed up or slow down connections for specific sites and services which can influence users online habits.
The only way to get around such practices is to use a VPN such as ExpressVPN or NordVPN. When you are connected to a VPN, your ISP cannot see which specific websites you are visiting and they therefore cannot speed up or slow down your connection based on what you are doing online.
EU Net Neutrality laws
The EU has had formal net neutrality laws in place since 2016. Under these rules, the use of DPI in the EU is prohibited.
However, negotiations are currently underway somewhere within the EU bureaucracy for these net neutrality rules to be updated and there is speculations that ISPs are starting to push for the legalization of DPI, something which would make any net neutrality rules much less effective.
Under the current rules, it is only permitted for ISPs to inspect and shape traffic for the purpose of network resource optimization. They are specifically not permitted to do it either to make profit or to carry out surveillance on their users. Needless to say, most ISPs would like this to change.
No specific timeframe of this renegotiation process has been made public, which is not unusual with the EU.
There is now expected to be a public consultation on the new proposals in Autumn 2019 with the EU Parliament voting on the outcome of that in Spring 2020. However, as with all EU schedules, there is considerable flexibility in these dates.
This letter is likely to force the whole process much more into the public domain but it could also slow things down too.
What the letter alleges
The letter has been spearheaded by the European Digital Rights (EDRi) organization but has drawn support from experts in no fewer than 15 EU countries.
It highlights a report published by Epicenter Works in January of this year. This report claimed that they had identified 186 EU-based ISPs which were already routinely using DPI technology in breach of existing EU law.
The report does not name specific ISPs but it does identify no fewer than ten different pricing offers in the UK. This is the eighth-highest number of the EU countries researched. The number suggests that the practice is as prevalent in the UK as anywhere else in the EU.
As the EDRi states, “[ISPs] are increasingly using DPI technology for the purpose of traffic management and the differentiated pricing of specific applications or services (e.g. zero-rating) as part of their product design.”
They claim that by using DPI, ISPs are able to identify traffic for specific applications or services and then either speed up or slow down traffic or otherwise bill customers differently depending on which sites they are using.
The EDRi also alleges that regulators are turning a blind eye to the practice and the suggestion is further made that regulators are expected the laws to be watered down in this latest review and that they might even be pushing for this to happen.
They are also deeply concerned about the impact of the practice on user privacy. Arguing that the practice can lead to unauthorized use of customer data under the guise of “approved” traffic management operations.
What the EDRi warns
The primary concern of the EDRi is that the use of DPI should not be legalized in the EU either for the purposes of making money or espionage. They suggest that such a move could leave ISPs using the practice to subvert net neutrality laws with ease as well as seriously undermine the EU’s highly regarded online privacy laws.
The question of what action the EU should be taking against ISPs already using the practice illegally is not explicitly referred to in the letter.
But it is clear that if they are using DPI currently then they are in breach of EU law and should face consequences for their actions.
But in the EU, as in the USA, ISPs are a rich and powerful lobby. Whether there is the political will to take them on over this issue, especially given that concerns have not been raised by local regulators is unclear.
But the EU has tried hard to build a reputation for being on the side of regular internet users when it comes to privacy issues like this. To overlook this serious allegation would do that reputation untold damage.
Meanwhile, EU internet users have a simple precaution they can use to keep their data safe from possible DPI use by their ISPs. They can sign up to a VPN like ExpressVPN and make sure their data is always keep hidden and private.