Privacy

Go to

Contact

KPN and privacy: a matter for great care

New means of communication are constantly being developed. As well as by telephone it is possible to communicate by e-mail, instant messaging or VoIP. KPN considers it important to ensure that communication in this new world remains simple and reliable. This applies also to the way we deal with our customers’ personal and usage data.

KPN has rules that it observes with respect to the use of personal and usage data. These are laid down in the KPN Privacy Statement(PDF, 134 kB). This statement applies to all our customers who purchase fixed telephony, mobile telephony, and/or TV from KPN or from a subsidiary of KPN*.

_{* Dutch subsidiaries of KPN N.V. with more than 50% of the shares, with the exception of Telfort B.V. and XS4ALL Holding B.V.}

In May 2011, some of the media reported that KPN monitors the data traffic of individual customers via Deep Packet Inspection (DPI) technology. KPN has not listened in on conversations and looked at messages from customers, has not breached privacy legislation and has not violated the general conditions for measuring data traffic.

Reaction of KPN Board of Management:
“I am very upset that the wrong impression has been given. Everyone in the Netherlands can be assured that we deal with customer data in the strictest confidence. We never listen to/look at the content of telephone calls, messages and data. We are not allowed to and anyway we don’t wish to”, says Baptiest Coopmans, member of the Board of Management of KPN. “We analyze data traffic to respond to future developments and to keep our networks up to date, but we never look at data at an individual level.”

What is DPI technology?
Deep Packet Inspection (DPI) is a technique that enables data traffic to be recognized. This can occur in several ways. DPI is used all over the world for:
- Pricing, in other words ensuring that the payment of data traffic remains on the right track, for instance by making sure that MMS is not charged twice or allowing our customers to upgrade their prepaid data credit.
- Network management, in other words making the load on a network transparent so as to allow maintenance of that network to be scheduled.
- Analysis of the data traffic, whereby the use of the data is monitored so as to be able to respond to it when developing products and services.

Analysis of the data traffic: no individual users’ data
Since November 2010 KPN has been using a technique to monitor the data traffic on the mobile network. The reason for this was the introduction of the iPhone at KPN in combination with the warnings of heavier network load because of the wholesale use of smartphones.

The technique used is able to distinguish between types of data traffic. This doesn’t mean the content of the data traffic but the sort of data traffic. In layman’s terms, KPN can see, for example, what use is being made of WhatsApp or other apps, but cannot read the messages. The number of messages sent is not counted either, only the volume of MBs involved.

Frequently asked questions

What is DPI in KPN’s view?
DPI is a technique that enables a distinction to be made between types of data traffic. This doesn’t mean the content of the data traffic but the sort of data traffic.
In layman’s terms, KPN can see, for example that WhatsApp is being used, but doesn’t look at the content of the messages sent by WhatsApp.

Why does KPN use this technology?
By using this technology KPN has the following aims:
* Pricing, in other words ensuring that the payment of data traffic remains on the right track, for instance by making sure that MMS is not charged twice. DPI also enables free calls to be made in order to upgrade a prepaid credit.
* Network management, which means making the load on a network transparent for the purpose of network management. This is necessary for maintenance of the network.
* Analysis of the data traffic, whereby the use of the data is monitored so as to be able to respond to it when developing products and services.

Has KPN breached laws or rules, as Bits of Freedom alleges?

The Penal Code forbids telecommunication providers to take cognizance of the content of data traffic. KPN has not taken cognizance of the content of data traffic.

The Personal Data Protection Act and the Telecommunications Act lay down rules for processing network traffic data. The applicable rules are set out individually below.

Network traffic data has been processed.
Network traffic data means all the data that is processed as traffic on a network and that is unrelated to the content of that traffic, such as date, time, login, logout and volume of data.
The data that KPN has processed here is network traffic data. KPN has obtained absolutely no information about the content of the traffic, only about the destination and volume of the data traffic.

The network traffic data has been used for network traffic management, which is permitted by law.
KPN has used the network traffic data for network traffic management, namely to make an analysis of the impact of the use of WhatsApp on the signaling network. Such use is permitted under the Telecommunications Act.

KPN has kept its customers informed in accordance with the legal requirements.
The law makes it mandatory to inform customers about the use of their data. Customers must also be told of the possibility of objecting to this. Data of customers who have made an objection are not allowed to be analyzed.
KPN has informed its customers about the use of network traffic data for purposes such as network traffic management, both via the general terms & conditions and via the privacy statement. These also state how the customer can make an objection. KPN operates an opt-out register in which all the objections are registered. The data of customers who are included in the opt-out register is not analyzed and has therefore not been analyzed in this instance.

KPN retains data in accordance with legal requirements.
The law requires data to be destroyed or anonymized as soon as it is no longer necessary for the purpose for which it was processed. The maximum time for which network traffic data may legally be retained is six months. The data used to make the WhatsApp analysis was kept for a little over three months for analysis purposes. It was anonymized, meaning in this case that the last four figures of the IMSI number were removed. The data could therefore not be traced back to individual customers.

In summary, privacy laws were not breached.

So KPN can easily listen in and tap data?
No. If so requested by competent authorities such as the Justice Ministry or the intelligence and security services, KPN must hand over tapped data, but in such cases KPN itself does not take cognizance of the content of the tapped data.

Is KPN aware of the legally and socially controversial status of DPI?
KPN is well aware of the sensitivities with regard to following telephone and data traffic. However, in this case no individual customers or the content of the messages they send and receive have been followed. KPN regrets that this was not made clear earlier this week.

Is DPI used for all mobile brands?
DPI is used for all KPN mobile brands to ensure that the payment of data traffic remains on the right track, for network management and to analyze data traffic.

Why has KPN not asked its customers for explicit permission?
When customers take out a subscription KPN asks them on the application form for permission to use the network traffic data. The use of DPI comes under the current general terms & conditions.

What data has KPN uncovered in its analysis of WhatsApp?
KPN has monitored whether people make use of it and how much volume is involved. The content of messages has not been inspected.