Anyone who reads Ars knows that we have concerns about ISP monitoring and the deep packet inspection that often goes along with it, but Colorado Law School prof Paul Ohm takes these worries to the next level—then hauls them thirty floors up in the elevator, climbs the dingy stairway to the roof, and scales the attached cell phone tower. According to Ohm's new paper, ISP use of deep packet inspection gear could well lead to "the greatest reduction of user privacy in the history of the Internet, and users will suffer dire harms."

Be warned, all ye who enter here: Ohm's paper is so depressing that you may need to cope by intravenously administering large quantities of lolcat directly to the bloodstream.

The bad news

The basic arguments are ones we've made repeatedly (as shown by Ohm's repeated Ars footnotes), but Ohm makes a powerful case for the dangers of ISP filtering based on the staggering amount of personal and private information they routinely have access to.

"In modern connected life," he writes, "almost no other entity poses a greater threat to privacy than the ISP. ISPs pose a much greater threat to privacy than other online entities and they even pose a greater threat than offline institutions as well, including doctors, psychiatrists, and lawyers." Greater, even, than Google.

Internet-savvy users are fully aware of this, of course, but most haven't had major concerns about all that sensitive data they're pushing through the tubes. ISPs have generally been solid on privacy, as Ohm concedes, and they've lacked the technical means to really invade that privacy, anyway. So why all this talk of a privacy apocalypse that will see blood raining from the skies and screams of the damned outside making it tough to keep concentrating on that World of Warcraft session?

The two bulldozers, in Ohm's view, that are remaking the ISP landscape are "deep packet inspection gear" and "tremendous commercial pressures." ISPs at last have the technical capacity to monitor huge amounts of user web traffic in realtime, and advertisers like NebuAd and Phorm are (or were) simultaneously offering large cash payments for access to Internet traffic.

Apart from these two major commercial forces, government mandates also lurk in the background. CALEA rules have forced ISPs to install this sort of gear in order to provide full wiretap access to a user's Internet data stream when required by law. And content owners have been leaning on governments around the world, which in turn are leaning on ISPs to do something about the illicit P2P problem. Filtering has been one solution beloved of copyright owners, and ISPs like AT&T have even publicly committed to doing so. And then, of course, there's Comcast.

...and the good news

All these situations set the stage for the one-act play, Privacy: A Tragedy. But Ohm makes the case that much of this ISP monitoring and surveillance is already illegal thanks to strong US wiretapping laws. We've seen a preview of this argument already in the NebuAd case, where Congress raised the exact same question; unless these services are truly opt-in, some of them seem to run afoul of the rules preventing ISPs and phone companies from tapping electronic communications.

"Regulators need not regulate anew to prevent the worst ISP monitoring abuses, because these acts are probably already illegal under the American wiretapping laws," Ohm says.

Especially in the legal analysis, conclusions tend to be tentative, but Ohm isn't afraid of the occasional strong statement. While some forms of network management and surveillance may gain legitimacy from the implied consent of users (who chose to sign up for the service and empower ISPs to act on their behalf, for instance, against viruses or spam), major Internet backbone providers often have no direct customer relationship with the people whose data they transport.

"Tier 1 providers," says Ohm, "the providers who run the fastest networks and do no directly serve any users—are almost certainly prohibited under these [wiretapping] laws from conducting deep-packet inspection... Vendors might even be committing a federal crime by selling this technology."

Perhaps his most provocative point is that "network neutrality" and robust privacy actually turn out to have quite similar (though not identical) consequences. If Ohm is correct about the power of existing privacy and wiretap laws, he thinks that many of the concerns expressed by the network neutrality crowd can be addressed without contentious new rules.

If providers cannot scrutinize user communications closely—because of the wiretapping laws—they also cannot discriminate between different types of traffic," he writes. "A private network is a more neutral network."

So forget what I said about the need for lolcats. If Ohm is right and the goals of the net neutrality crusaders can be won by driving on existing highways rather than forging new roads, his analysis might be seen as excellent news for the movement. So good, in fact, that backers might need a dose of the fail whale to keep themselves from going giddy.

Further reading: