The Inability to Opt Out of DPI (or Why the Marketplace Cannot Cure Paul’s Worries)

You may also like...

3 Responses

  1. Paul Ohm says:

    I agree with all three points, and I would add a fourth: it is technologically difficult for an ISP to distinguish between users who have and have not opted out. For Google, this is easy to do–they merely need to look at the cookies sent to it. But you usually don’t send cookies to your provider.

    So the provider is left remembering the IP addresses of those who have opted out, which they probably don’t want to do because it is clumsy and imprecise. Or, they can “trick” users into sending them cookies by redirecting traffic. This is much more precise, but it is even more clumsy and the user suffers a performance hit.

    According to Richard Clayton’s report on Phorm, Phorm redirects user web requests as many as four times before allowing the user to connect. As far as I can tell, this is in part to allow Phorm to distinguish between those who have opted-out and those who have not.

  2. Another reason why ISPs doing it the IP address level is not a good idea… many devices can share an IP address by using a NAT router (most homes and businesses do this). IF I wanted, for some bizarre reason, to opt-in, it might be impossible if my IP address was opted-out. But the reverse is worse… my IP address got opted-in, but I want to opt-out for my device.

  3. Ah, I see now this is probably what you meant by imprecise”.

    The other alternative is no good from the consumer perspective either… redirection reduces performance as you mention, adds a finite probability of introducing errors, and also makes the operations done within those redirections opaque.