Canada's privacy commissioner, fresh off forcing Facebook to change how it handles users' data, is ordering Bell Canada to change how it informs internet customers of its network-management practices.
In a report dated Aug. 13 and made public on Friday, assistant privacy commissioner Elizabeth Denham told the company it must change its service agreements and the Frequently Asked Questions section of its website to notify customers that it collects and retains their personal information through use of its deep-packet inspection technology.
The commissioner found that Bell's DPI, which among other things is used to identify peer-to-peer file-sharing so that it can be slowed down, tracks a person's IP address — a numeric code that identifies a specific computer on a network. Users' IP addresses typically change each time they log onto the internet, but as is common practice among service providers, Bell ties the codes to subscribers' user identifications.
Denham considers this combination to be personal information that belongs to customers, which is protected under privacy laws.
"Given that Bell can link its Sympatico subscribers, by virtue of their subscriber ID, with internet activities (in this case, type of application being used) associated with their assigned IP addresses, in my view, IP addresses in this context are personal information," she wrote.
The report said the privacy commissioner's office will follow up with Bell within 30 days to see if the company has complied with its requests.
A spokesman for Bell said the company will comply. "We were waiting for their finding to add an FAQ [regarding] use of DPI on [the] Bell.ca privacy page but needed to know what language to use," he said.
The report was in response to a complaint by the Canadian Internet Policy and Public Interest Clinic, based at the University of Ottawa. The privacy commissioner rejected CIPPIC's two other complaints about Bell's DPI, that the company was collecting personal information about customers without their consent and that it is gathering more information than needed to manage its network.
Denham said the service agreements customers sign constitute their consent. She also said she had not found any evidence that Bell was using DPI to look at users' internet traffic for purposes such as advertising or boosting its own services.
"I am unconvinced that, at date of issue of this report, Bell is collecting or using any personal information of individuals other than the IP addresses and subscriber IDs of Sympatico customers when it uses its DPI technology for the purpose of network traffic management," she wrote.
CRTC mulling network-management rules
The Canadian Radio-television and Telecommunications Commission is currently pondering whether it should impose new regulations on how internet providers can manage their networks, with a decision due this year. The CRTC last year allowed Bell to continue slowing down peer-to-peer usage by its wholesale customers, who were represented by the Canadian Association of Internet Providers.
Mirko Bibic, head of regulatory affairs for Bell, welcomed the privacy commissioner's findings.
"We're pleased with the outcome as Bell takes privacy issues very seriously, and that includes respecting all privacy laws in our use of DPI," he said in a statement. "Hopefully with this decision, the network management proceeding, and the dismissal of CAIP's complaint last year all behind us, we can keep the focus where it belongs — on delivering exemplary service to all our customers."
The commissioner's findings were made public by telecommunications consultant Mark Goldberg on his blog. On Twitter, Goldberg said the commission "approves Bell's use of DPI."
A spokesperson for the commissioner, however, said the office was certainly not approving DPI.
"It would not be accurate to suggest, in reading the finding, that we are endorsing DPI," she said.
In the report, Denham reiterated her concerns about the technology.
"I am aware that DPI platforms have the capability to allow an organization to view information of a potentially very sensitive nature — for potentially different purposes and if the organization were to apply the proper configurations," she wrote.
"Bell has stated that the DPI platform it uses has this capability, but that it is currently not using it for this purpose. It has also assured this office that any added purpose for which it currently uses PI would respect the company's privacy obligations... its own privacy policies an applicable customer agreements."
Tamir Israel, a spokesman for CIPPIC, said the group was still working with the commissioner's office to have some of its complaints addressed.
The privacy commissioner on Thursday announced that Facebook will be complying with a number of its requests to strengthen users' privacy and control over their personal information on the social-networking website.