Apps uploading address books is a privacy side-show compared to DPI

While the hand-wringing over the future of journalism, blogging, the nature of conflicts of interest, yada yada, has been deeply interesting (alongside the personal attacks – we all like a good public fight don’t we?), it’s worth recalling that the furore was kicked off by a fairly pertinent point. To whit: Path was uploading user’s address books without their explicit permission.

Yes it was a rare omission by Nick Bilton to not call out the 50 or so other apps that often do this by default. But his essential point remains correct, and it’s kicked off a wave of excellent reporting into which apps behave like this, and why Apple has allowed this to go on for so long.

But while we continue to point the finger at startups with smartphone apps designed to be social, I’d like to remind Silicon Valley about another business which, despite claims to the contrary, is deeply interested in our private affairs, and is unlikely ever to be as contrite as Dave Morin was just recently.

I speak of the sector known as Deep Packet Inspection.

Now, while it’s not nearly as sexy as your latest mobile social iPhone app, DPI is likely to be just a little more invasive than the average Facebook-wannabe.

DPI allows network operators to delve into individual IP packets to develop an understanding of the type of content flowing through their networks.

Companies like NebuAd (which closed) and Phorm (dumped by BT, but continuing to cause controversy in its practices) have typically tried to shoe-horm themselves into ISPs as ad-targetting technologies.

But they’ve also become of huge interested to oppressive regimes over recent years.

The Iranian government, for instance, is probably not as interested in Path or Foursquare (I know, I know!), as it is interested in using DPI to censor and monitor Internet activity throughout the country. Indeed, we actually reported this back in 2009, long before the Arab Spring and the Green Revolution of the last couple of years.

In Iran, DPI is used to block certain types of content from being accessed within the country. Similar tactics have also been employed in China.

And, guess what, some of these companies have raised vast amounts of money.

Qosmos, a Paris, France-based network intelligence technology company, raised close to €20 million (approximately $28.5 million) in a deal that was co-led by DFJ Esprit and FSI, a French government fund just last year. Guys, Bivio Networks has $40.8 million in VC backing. Perhaps of interest?

There are lots and lots of DPI companies we could all be investigating, and asking which governments they are selling their technology to, right?

Here’s a list on Crunchbase we can start with. Companies like CloudShield, Procera Networks, Sandvine, Spotflux and WildPackets. OK, not sexy consumer startups, but – I’ll hazard – pretty interesting, especially when we want to talk about privacy.

Alas, I have to admit, while TechCrunch has chronicled the rise of Web 2.0 and social, our DPI tag is sorely neglected.

However, despite this neglect in the news stakes, DPI companies have not gone away, as sites like attest.

Currently Phorm is working with Oi and Telefonica in Brazil, using the name ‘Navegador‘. In Romania, they are in cahoots with Romtelecom under the name ‘MyClickNet‘.

And they are working to become harder to detect on the grid.

Unfortunately, reporting on DPI is not exactly mainstream and quite patchy, judging by this simple Google news search.

But it has relevance to this debate about smartphone apps and address books. Because even if the likes of Path and others made sure any address book uploads were first opt-in, and then encrypted, DPI companies are continuing to think of ways to get around this. As this article notes ominously “DPI systems will still be able to function in an encrypted world.”

They, literally, have the technology to do anything they like. Dutch telecom company KPN has been caught scanning customers’ mobile-data traffic with DPI in violation Dutch privacy law.

Iran has continually used DPI to quell political activism. The AS12880 government proxy uses Deep Packet Inspection to detect and prevent attempts to establish an encrypted international connection, even for email and online banking sites. And unencrypted connections in Iran are scanned for specific terms. Try searching for information on how to create a Tor in Iran. It doesn’t work.

So, even though iPhone/Android apps makers might move to encrypt that data transfer of your address book, as Chris Dixon suggests, the reality is that if you are dealing in a jurisdiction where DPI is employed, your privacy is at risk.

So, may I humbly submit a suggestion: Yes, we should absolutely take startups like Path to task for their lapses. Yes, your address book is sacred.

But let’s also investigate the companies that are doing weird things with our private communications on a more – how can I put it? – industrial scale.

And there is an implicit problem here.

Silicon Valley blogs and news sites, quite rightly, continue to pore over the practices of mobile apps.

But it shows that the page views are to be found in talking about our mobile social apps spilling the beans on us. Yes, folks that little intimate app we know and love is actually screwing us from behind. Bam! – page impression spikes!

It’s going to be much harder to squeeze page views out of investigations into relatively unsexy DPI companies – and maybe that’s a problem we should really be concerned about.