ITU Approves Deep Packet Inspection Standard Behind Closed Doors, Ignores Huge Privacy Implications
from the and-they-want-us-to-trust-them? dept
Techdirt has run a number of articles about the ITU's World Conference on International Telecommunications (WCIT) currently taking place in Dubai. One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression.
Against that background, a story published by the Center for Democracy & Technology about the ITU's work in the area of standards takes on an extra significance:
The telecommunications standards arm of the U.N. has quietly endorsed the standardization of technologies that could give governments and companies the ability to sift through all of an Internet user's traffic -- including emails, banking transactions, and voice calls -- without adequate privacy safeguards. The move suggests that some governments hope for a world where even encrypted communications may not be safe from prying eyes.
The new Y.2770 standard is entitled "Requirements for deep packet inspection in Next Generation Networks", and seeks to define an international standard for deep packet inspection (DPI). As the Center for Democracy & Technology points out, it is thoroughgoing in its desire to specify technologies that can be used to spy on people:
The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic "in case of a local availability of the used encryption key(s)." It's not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users' traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications.
One of the big issues surrounding WCIT and the ITU has been the lack of transparency -- or even understanding what real transparency might be. So it will come as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available.
But probably most worrying is the following aspect:
Several global standards bodies, including the IETF and W3C, have launched initiatives to incorporate privacy considerations into their work. In fact, the IETF has long had a policy of not considering technical requirements for wiretapping in its work, taking the seemingly opposite approach to the ITU-T DPI document, as Germany pointed out [doc] in voicing its opposition to the ITU-T standard earlier this year. The ITU-T standard barely acknowledges that DPI has privacy implications, let alone provides a thorough analysis of how the potential privacy threats associated with the technology might be mitigated.
This apparent indifference to the wider implications of its work is yet another reason why the ITU is unfit to determine any aspect of something with as much power to affect people's lives as the Internet.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Filed Under: deep packet inspection, itu, privacy, wcit
Reader Comments
Yeah, worries me too -- as does commercial spying.
Problem with you and Mike is that you see only good in corporations spying. If any writer here has ever worried about that, I've missed it. But "commercial" spying becomes state spying simply by the state paying taxpayer money to access the data stored by corporations; they do that routinely on as-needed basis. There's no real distinction between state and corporations, just different aspects of same monster.
Re: Yeah, worries me too -- as does commercial spying.
Re: Yeah, worries me too -- as does commercial spying.
Failure to comprehend, met.
Re: Re: Yeah, worries me too -- as does commercial spying.
Re: Re: Re: Yeah, worries me too -- as does commercial spying.
...
I am WAY too tired to try and comprehend anything.
Sorry, Glyn, for some reason when I read your name, it was "Tim".
The UN: "You're perfect for the job."
Re:
Ted "I lost $9B" Turner
Internet 2?
Re:
Re:
Welcome to world Leninism.
If your online banking doesn't use SSL, change banks. There's no way your banking data should be prone to such attacks.
Re:
Are there banks in the world not using SSL?
Re: Re:
Re: #9
Re: Re: #9
I wouldn't be surprised if the government isn't already demanding those authorities to hand over the certs allowing them to man-in-the-middle your 'secure' connections. How much chance they're already doing this?
Re: Re: Re: #9
Re: Re: Re: #9
Each SSL connection has a unique decryption key that is negotiated on session start.
Admittedly with enough monkeys and typewriters.......
Re: Re: Re: Re: #9
Re: Re: Re: Re: #9
Correct. But in a man-in-the-middle attack, the connection is being made, unknown to the end points, to the attacker's machine instead of each other. You've actually negotiated that key with the attacker (you can't tell because the public key he's forged is signed by the root cert and therefore declared valid). All of your traffic goes through the attacker's machine, is decrypted and then reencrypted with the proper key and sent along to the other end.
The recent spate of compromised keys and resulting attacks demonstrates that the SSL system is weak. It should not be relied upon for critical information.
Re: Re: Re: Re: Re: #9
I should have said it should not blindly be relied upon. In a private, properly configured setup where you can actually trust the root CA, you can use it effectively.
Even then, though, it's not unbreakable. It's also a good idea to use separate encryption for particularly sensitive data being transmitted in addition to the SSL.
Re: Re: Re: Re: Re: #9
Re: Re: Re: Re: Re: Re: #9
However, if they are talking about standardizing DPI, then what they are doing is legitimizing DPI and making it easier, both politically and technically, than it already is to be used by governments and other entities who want to engage in surveillance.
In other words, they are weakening security. Now, a debate could be had as to whether or not this is justifiable (I don't think it is, but reasonable people may differ), but the ITU is not having a debate about this that involves the people who are the most impacted by it. They actively want the public to remain as ignorant of it as possible.
That's the outrage.
Re: Re: Re: Re: Re: Re: Re: #9
Re: Re: Re: Re: Re: Re: Re: Re: #9
Re: Re: Re: Re: Re: Re: Re: Re: Re: #9
Response to: Anonymous Coward on Dec 4th, 2012 @ 6:42am
Re: Response to: Anonymous Coward on Dec 4th, 2012 @ 6:42am
So insightful
I wonder now how this is going to be implemented, considering the opposition; the EU has already passed a resolution against the ITU.
I wonder what actions will be taken to stop the implementation or the prevention of the DPI? Being allowed to carry out this action will undoubtedly result in some serious shit hitting the fan!
Re:
Re: Re:
Because if you don't have that, you have nearly no information at all aside from what IPs have connected to the VPN and when.
A reputable and competent VPN provider wouldn't have any information that isn't obtainable from the ISP anyway. Certainly not access to the decrypted data stream.
So what
Re: So what
Re: So what
ITU.2770 Draft - here!
Re: ITU.2770 Draft - here!
I imagine a protocol where I could generate my own SSL certificates, then when someone wants to connect to my PC they would request my public key and then I send them it.
Re:
TCP was made by engineers, so it has strict layering rules which allow it to be modular.
If SSL was baked into TCP and a bug was found in SSL, you couldn't fix SSL without breaking TCP. By separating TCP, you allow different versions of SSL to run on top of it.
Anyway, who would want SSL's overhead on a game server that is using UDP?
Re: Re:
Seriously, though, I don't want people spying and learning my COD secrets.
Re: Re:
SSL just occurs at the Application/Presentation layer (top layers), whereas TCP is the transport layer (middle layer) of the OSI model.
Also SSL is useless over UDP as it is a connectionless protocol.
Re:
That's how it works right now.
The weakness is in the key authentication (how can I be sure that the public key I have is really yours?) In SSL, this is done through trusted certification agencies validating them, but those agencies turned out not to be quite trustworthy enough.
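The two comment threads above describe the same weakness from different angles: a man-in-the-middle holding a certificate signed by any CA the client trusts can terminate the connection, decrypt, re-encrypt and forward, and ordinary certificate validation cannot tell the difference, because it only checks that some trusted root signed the chain. The Go program below is an added example, not code from the article or from any commenter. Using only the Go standard library it builds a tiny PKI: an honest root, a compromised root, and one server certificate from each for the same hostname. Plain chain validation accepts both certificates; adding a public-key pin (the SHA-256 of the legitimate certificate's SubjectPublicKeyInfo) rejects the forged one, because the interceptor's certificate carries the interceptor's key. The CA names and the hostname bank.example are constructed for this example and correspond to nothing real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Result struct {
	RealAcceptedByChain   bool // plain chain validation, real bank cert
	ForgedAcceptedByChain bool // plain chain validation, cert issued by the rogue CA
	RealAcceptedByPin     bool // chain validation plus key pin, real cert
	ForgedAcceptedByPin   bool // chain validation plus key pin, forged cert
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a short-lived certificate template; for a leaf, name is the hostname.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign generates a fresh P-256 key for tmpl and has parent sign it; nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// chainValid is browser-style validation: any trusted root that signed a chain for host passes.
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin hashes the leaf's SubjectPublicKeyInfo, the value public-key pinning compares.
func spkiPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// pinnedValid requires a valid chain and the expected key; a forged cert carries
// the attacker's key, so it fails here even though a trusted CA signed it.
func pinnedValid(leaf *x509.Certificate, roots *x509.CertPool, host string, pin [32]byte) bool {
	return chainValid(leaf, roots, host) && spkiPin(leaf) == pin
}

// Scenario puts two roots in the trust store, one honest and one compromised, and lets
// the compromised one issue a certificate for the bank's hostname. Names are hypothetical.
func Scenario() Result {
	const host = "bank.example"
	goodCA, goodKey := sign(template("Honest Root CA", 1, true), nil, nil)
	rogueCA, rogueKey := sign(template("Compromised Root CA", 2, true), nil, nil)
	realLeaf, _ := sign(template(host, 10, false), goodCA, goodKey)
	forgedLeaf, _ := sign(template(host, 11, false), rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(goodCA)
	roots.AddCert(rogueCA) // the client trusts both, as browsers trust hundreds of roots
	pin := spkiPin(realLeaf) // recorded out of band, or on a known-good first visit
	return Result{
		RealAcceptedByChain:   chainValid(realLeaf, roots, host),
		ForgedAcceptedByChain: chainValid(forgedLeaf, roots, host),
		RealAcceptedByPin:     pinnedValid(realLeaf, roots, host, pin),
		ForgedAcceptedByPin:   pinnedValid(forgedLeaf, roots, host, pin),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints a Result in which both certificates pass chain validation and only the real one passes the pinned check. The caveat the commenters raise still applies: the pin only helps if it was obtained over a path the interceptor could not tamper with, and it must be updated when the site legitimately changes keys, which is the operational cost that makes pinning a tool for specific high-value clients rather than a general fix for the CA trust model.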
Transparency school
Seems like the ITU and the USTR went to the same transparency school.
Re: Transparency school
Re: Re: Transparency school
Re: Transparency school
lawl
Mandating DPI increases costs for ISPs. Who pays for this? I assume the customers. Great, another tax, not only that, it is used *against* the citizens.
Re: lawl
I have been personally building computers since 1995 and was on the Internet back when you used gopher and telnet sessions, so F#ck Off people who only know how to hit the On/Off button, use email, and go on google and facebook.
People like me know quite a bit about Computers, IT, Internet, and we do understand the whole ITU/UN Thing.
And it is a very bad thing indeed. Get Set for the New World Order !!!
Re:
Well then. I'm certainly convinced as to your qualifications. Snapping tab A into slot B certainly tells me you're an interweb expert.
and was on the Internet back when you used gopher and telnet sessions
Expert indeed.
F#ck Off people who only know how to hit the On/Off Button, use email, and go on google and facebook
You're retarded, kid.
People like me know quite a bit about Computers, IT, Internet
Highly doubtful.
we do understand the whole ITU/UN Thing
Of course. You have a sixth grade writing level and the qualifications you're listing are something I could teach a housecat in a day, but you're much more in tune with these things than the rest of us.
Get Set for the New World Order
Oh FFS.
Re: Re:
Re: Re: Re:
Obviously, once you have read enough of your logs so that you know what is normal, you can filter the basic and generate your daily alert page. But you will always fall for this sort of cruft until you start reading your logs, and learning what your pencil does!
Re:
https://en.wikipedia.org/wiki/Key_size
So everyone should be using AES-256 to encrypt all their communications; do not trust only in the encryption that your service provider gives you, encrypt your data too and be happy.
You can also encrypt all your text in your profiles, emails and start using a key-manager.
This rant is about something old, it is about the wisdom of letting others do the work for you; in time you become a slave to those who did that work. Make no mistake about it, if you let the security of your communications be a problem to be solved by others they will abuse that power.
Do not let that happen and this ITU thing will not be of consequence, what is of consequence is that it shows how corrupt the system is and how it would be abused if we gave the ITU more power over the internet.
Re:
What is worrisome is if global politics change enough so that ITU can mandate such standards. This is why what happens at the current WCIT meeting and the response of the world outside of their star chamber is so critical. However, I see the most likely path for adopting DPI standards is for individual countries to mandate this ability via laws such as an expanded CALEA in the US. This has to be done in a way that allows the protocol stack to still be interoperable with countries that respect privacy.
I apologize in advance for all the techy acronyms but my time is limited today so I am being lazy in writing this.
Interesting
How would all these people trying to regulate LIKE their lives to be an open book?
REALLY, how would they like their lives invaded..
Now for a better question. Wouldn't it be nice to FIND all the money that Corps ship out from the USA? Without a warrant? It would be fun to find this. If nothing else for blackmail and getting your 10% of it, BEFORE you reported it to the gov.
Your Title's Wrong.
Confusing and Worrying
Add in the global politics. Guess we will still be debating this till WCIT-16.
:-)
Name and Shame
the only way draconian, totalitarian regimes can be overlords to the sheeple is that they must provide toys for the simpletons to be obsessed with, such as I-pads and I-phones and android 'spyware' apps for you to get all glazed-eyed over while someone has their finger up your anus from the TSA checking for corn kernels.
people are too stupid to just walk away from it, in time, there will be a whole generation of idiot children who won't have a clue what PRIVACY is, and to be blunt about it, they won't give a rat's dick either.
de-evolved humans will eat their own feces rather than stand up and fight for personal freedom and liberty.
and that, sadly, is a fact.