Their concerns are centred on deep packet inspection (DPI), a technique that makes it possible to peer inside packets of data transmitted across the internet.
DPI is already being used for commercial gain, without the consent of users, said Richard Clayton, a security expert at the University of Cambridge and treasurer of the Foundation for Information Policy Research. Companies try to sell DPI-acquired data to firms that can use it – for example, to target online adverts. DPI is also used by the Chinese government to enforce its web censorship programme, sometimes called the Great Firewall of China.
Lives, hates and fears
Berners-Lee has no issue with targeted adverts, which he said offered online users an improved service, but is uncomfortable with using DPI to provide them. He likened DPI to wiretapping, and pointed out that companies could use it to learn a huge amount about our "lives, hates and fears". One example he gave was that the web is often the first port of call for people with health concerns.
DPI has become possible thanks to improvements in computing power, said Robert Topolski, Chief Technologist of the Open Technology Initiative. That allows internet servers to relay data and simultaneously snoop inside data packets. Until recently that was beyond the capabilities of the available technology.
DPI threatens the trust that exists between web users and internet service providers, Topolski said. It makes it possible for a "man in the middle" not directly accountable to a website's operators or its users to intercept and use data sent over the internet, from details of purchases made online to messages shared on social sites, he explained.
Topolski pointed out that this is very different from the widespread practice of monitoring online activity such as search terms, with the user's consent, to offer similar targeted adverts.
This week Google revealed its own targeted ads service. Crucially that service is opt-in rather than opt-out: consumers have to sign up before they can use it.
Kent Ertugrul, CEO of the digital technology company Phorm, defended the use of DPI. Phorm sells information gleaned this way to internet service providers in the US and UK who wish to deliver targeted adverts, but Ertugrul claims his firm's privacy protection protocols are unrivalled. Phorm strips user data of anything that could link it to an individual in the real world, he says.
But Topolski dismissed this as a side issue. Phorm captures people's private data without permission, before those protection filters are implemented. Because companies like Phorm are accountable only to their shareholders, this leaves the privacy of users and their data compromised, he said.
Clayton and other members of the discussion group said DPI should be tested against existing data-protection and privacy laws, before it becomes more widely used. This would either establish precedents that protect web users, or make it clear that new legislation is needed, they said.