• by Wendy Davis  @wendyndavis, May 14, 2008

A public interest group in Canada has filed a complaint asking the country's privacy commissioner to investigate Bell Canada for allegedly managing Internet traffic in a way that violates users' privacy.

The complaint, filed by the University of Ottawa's Canadian Internet Policy and Public Interest Clinic, alleges that Bell Canada uses deep packet inspection technology to manage traffic. This technology can reveal the headers as well as content that's transmitted online, all of which can be tied directly to users' IP addresses. "Such practices involving the collection and use of personal information, are not necessary to ensure network integrity and quality of service," the complaint alleges.

Bell Canada denied that it infringed on users' rights. "We respect the privacy of our customers and we are in compliance with the privacy obligations," said media relations director Pierre Leclerc. He added that the company is only trying to manage congestion on its networks.

A spokesperson for Canada's privacy commissioner Jennifer Stoddart said the office had received the complaint and intends to launch a probe.

Canada's sweeping privacy law prohibits companies from collecting, retaining or using people's personal information without their informed consent. And even when users consent, companies are supposed to limit the material they collect.

Here, the law clinic argues that Bell Canada's traffic-shaping methods are too intrusive for the purpose of traffic management. "Information is flowing across their network, but they're not supposed to be looking at it," said clinic director Philippa Lawson.

Internet service providers theoretically have access to users' clickstream data anyway, but practical hurdles prevent the networks from reading that data on their own, said Peter Eckersley, a staff technologist with the digital rights group Electronic Frontier Foundation. "There's too much stuff there," he said. "Deep packet inspection is a technology for processing all of that huge volume of information in real time and going and looking inside people's computers in real time."

It recently came to light that Bell Canada was using that technique to throttle traffic of other Canadian Internet service providers--which purchase broadband service wholesale from Bell and then sell it to consumers. The other networks filed a complaint with Canadian communication regulators alleging a host of charges, including that Bell's techniques violated people's privacy.

The University of Ottawa law clinic filed a separate privacy complaint on Friday with Canada's privacy commissioner.

In the U.S., Comcast used similar technology to throttle traffic to peer-to-peer sites, sparking complaints from net neutrality advocates like Public Knowledge and Free Press. The U.S. debate has mainly focused on whether Internet service providers should manage traffic by targeting peer-to-peer sites, but the groups also charge that the deep packet inspection technique is improper.

"You can tell what kind of bits are in there--are they audio? are they video?--then you can go into the content and see what it is," said Public Knowledge communications director Art Brodsky. "We have raised concerns on privacy grounds as much as anything else."

The U.S. has specific statutes protecting privacy of certain types of information--medical records, for instance--but, unlike Canada and the European Union, doesn't have an overarching privacy law.

But what happens in other countries still potentially affects how companies do business in the U.S. For instance, Google last year promised European authorities it would limit the time it stores logs of users' IP addresses. The company said it would implement that concession in the U.S. as well.