ITU Approves Deep Packet Inspection Standard Behind Closed Doors, Ignores Huge Privacy Implications
from the and-they-want-us-to-trust-them? dept
Techdirt has run a number of articles about the ITU’s World Conference on International Telecommunications (WCIT) currently taking place in Dubai. One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression.
Against that background, a story published by the Center for Democracy & Technology about the ITU’s work in the area of standards takes on an extra significance:
The telecommunications standards arm of the U.N. has quietly endorsed the standardization of technologies that could give governments and companies the ability to sift through all of an Internet user’s traffic — including emails, banking transactions, and voice calls — without adequate privacy safeguards. The move suggests that some governments hope for a world where even encrypted communications may not be safe from prying eyes.
The new Y.2770 standard is entitled “Requirements for deep packet inspection in Next Generation Networks”, and seeks to define an international standard for deep packet inspection (DPI). As the Center for Democracy & Technology points out, it is thoroughgoing in its desire to specify technologies that can be used to spy on people:
The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic “in case of a local availability of the used encryption key(s).” It’s not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users’ traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications.
One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be. So it will comes as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available.
But probably most worrying is the following aspect:
Several global standards bodies, including the IETF and W3C, have launched initiatives to incorporate privacy considerations into their work. In fact, the IETF has long had a policy of not considering technical requirements for wiretapping in its work, taking the seemingly opposite approach to the ITU-T DPI document, as Germany pointed out [doc] in voicing its opposition to the ITU-T standard earlier this year. The ITU-T standard barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated.
This apparent indifference to the wider implications of its work is yet another reason why the ITU is unfit to determine any aspect of something with as much power to affect people’s lives as the Internet.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Filed Under: deep packet inspection, itu, privacy, wcit
Comments on “ITU Approves Deep Packet Inspection Standard Behind Closed Doors, Ignores Huge Privacy Implications”
Yeah, worries me too -- as does commercial spying.
“One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression.”
Problem with you and Mike is that you see only good in corporations spying. If any writer here has ever worried about that, I’ve missed it. But “commercial” spying becomes state spying simply by the state paying taxpayer money to access the data stored by corporations; they do that routinely on as-needed basis. There’s no real distinction between state and corporations, just different aspects of same monster.
Yeah, worries me too -- as does commercial spying.
OOTB didn’t read the article as a result fails at life.
Yeah, worries me too -- as does commercial spying.
Tim wrote the article, not Mike.
Failure to comprehend, met.
Yeah, worries me too -- as does commercial spying.
I see what you did there 🙂
The ITU’s resume: surveillance, censorship and oppression.
The UN: “You’re perfect for the job.”
Re: Ted "I lost $9B" Turner
Thanks Ted for giving these idiots $1B so they can further their march to a total global fascist state…
So once the ITU has successfully fragmented the Internet what are the US and the EU going to do?
Internet 2?
Re:
We’ll still have most of the good porn, so the rest of the world will want access and the cycle will repeat all over again.
Yeah, worries me too -- as does commercial spying.
*looks*
…
I am WAY too tired to try and comprehend anything.
Sorry, Glyn, for some reason when I read your name, it was “Tim”.
I don’t see the issue here. Any time you’re not using SSL, you’re asking for DPI. IF not from the government, the possibly another government or organized crime. And it probably already happens anyway.
If your online banking doesn’t use SSL, change banks. There’s no way your banking data should be prone to such attacks.
Re: So insightful
So insightful
Re:
*shrieks in horror*
Are there banks in the world not using SSL?
#9
You’re putting way too much faith in SSL and certification authorities…
basically, we can thank the USA for the meetings that are held in secrecy. they started them and now that others are doing the same, it isn’t liked. a case of ‘we can hold secret meetings that affect the rest of the world, but no one else can’. WRONG! this is now a result but i doubt if it will be the only one!
i wonder now how this is going to be implemented, considering the opposition that the EU has already passed a resolution against the ITU.
i wonder what actions will be taken to stop the implementation or the prevention of the DPI? allowed to carry out this action will undoubtedly result in some serious shit hitting fan!
Just how are they going to crack and sniff VPN? That would be all but impossible
Re:
Why would you want that? assuming the owner of the VPN is the author is way enough for the masses. And for official VPN providers, force them to provide any thing they ask.
Re: Re:
Because if you don’t have that, you have nearly no information at all aside from what IPs have connected to the VPN and when.
A reputable and competent VPN provider wouldn’t have any information that isn’t obtainable from the ISP anyway. Certainly not access to the decrypted data stream.
So what
This standard doesn’t give anyone any capabilities that they don’t already have. I think this is just a bit of alarmism. What difference does it make if there’s some government/criminal packet sniffer using standardized DPI versus non-standardized DPI?
Re: So what
With a standard, one country can require access of another country, and offer the guaranteed exact same access in return. So treaties can be negotiated without running the risk of one country knowing more about the other than the other knows about it in return.
Response to: Anonymous Coward on Dec 4th, 2012 @ 6:42am
ssl or encryption is pointless if u read,theyre talking about decrypting data u send securely
Re: Response to: Anonymous Coward on Dec 4th, 2012 @ 6:42am
That’s not what deep packet inspection is.
#9
I agree, the certificate authority model is broken.
I wouldn’t be surprised if the government isn’t already demanding those authorities to hand over the certs allowing them to man-in-the-middle your ‘secure’ connections. How much chance they’re already doing this?
ITU.2770 Draft - here!
http://broabandtrafficmanagement.blogspot.com/2012/12/itu-approves-dpi-recommendation-t2770.html
Re: ITU.2770 Draft - here!
I’v read ITU-labeled version of draft, but it seems pretty much the same. And horrifying.
#9
A VERY good chance.
Re:
I hear of one down in Nigeria……
Re:
perfect for a single drawing comic
#9
The problem with your theory is that SSL doesn’t work like this.
Each SSL connection has a unique decryption key that is negotiated on session start.
Admittedly with enough monkeys and typewriters…….
Re: #9
Oh shush with your facts and understanding of the issue and whatnot. You’re getting in the way of the conspiracy theory circlejerk.
Re: #9
If you have a root cert, you can trivially perform a man-in-the-middle attack. That’s the problem.
Correct. But in a man-in-the-middle attack, the connection is being made, unknown to the end points, to the attacker’s machine instead of each other. You’ve actually negotiated that key with the attacker (you can’t tell because the public key he’s forged is signed by the root cert and therefore declared valid). All of your traffic goes through the attacker’s machine, is decrypted and then reencrypted with the proper key and sent along to the other end.
The recent spate of compromised keys and resulting attacks demonstrates that the SSL system is weak. It should not be relied upon for critical information.
Re: Re: #9
I should have said it should not blindly be relied upon. In a private, properly configured setup where you can actually trust the root CS, you can use it effectively.
Even then, though, it’s not unbreakable. It’s also a good idea to use separate encryption for particularly sensitive data being transmitted in addition to the SSL.
Re: Re: #9
And the ITU’s little party here has done nothing to change this. It’s literally done nothing to change anything. Nothing at all is any more or less vulnerable than it was a month ago.
Re: Re: Re: #9
Since nothing’s been decided yet, that’s true. But the indications we’ve been seeing and things they’ve been saying are not reassuring.
However, if they are talking about standardizing DPI, then what they are doing is legitimizing DPI and making it easier, both politically and technically, than it already is to be used by governments and other entities who want to engage in surveillance.
In other words, they are weakening security. Now, a debate could be had as to whether or not this is justifiable (I don’t think it is, but reasonable people may differ), but the ITU is not having a debate about this that involves the people who are the most impacted by it. They actively want the public to remain as ignorant of it as possible.
That’s the outrage.
Re: Re: Re:2 #9
They’re not weakening security though. They’re pointing out where security is weak and how to exploit those existing weaknesses.
Re: Re: Re:3 #9
No, they are contemplating a standard. A standard says “if you’re going to do something, do it like this to facilitate interoperability. In other words, they are determining a way to do it better and cheaper. In other words, they are endorsing and encouraging the practice.
Re: Re: Re:4 #9
I fail to see how this creates any vulnerabilities that did not already exist.
Why isn’t SSL incorporated into every tcp/udp communication by default? Surely this would defeat state spying, would it not?
I imagine a protocol where I could generate my own SSL certificates, then when someone wants to connect to my PC they would request my public key and then I send them it.
Re: Re:
That’s how it works right now.
The weakness is in the key authentication (how can I be sure that the public key I have is really yours?) In SSL, this is done through trusted certification agencies validating them, but those agencies turned out not to be quite trustworthy enough.
Transparency school
Seems like the ITU and the USTR went to the same transparency school.
Re: Transparency school
Yup ! Bunch of fucking assholes.Looking forward to the Revolution.Wake me up when it happens.
Re: Re: Transparency school
You’ll be sleeping for a very long time, I’m afraid.
Re: Transparency school
Come come, they are paid to decide what to to and consulting with the people affected by their decisions is below their dignity./s
So what
You are correct when we are talking national security agencies, mostly having this power. Not police or other low tier law enforcement. Making an official standard for this technological brute force surviellance does add credibility to its use. It might encourage countries to escalate the priviledge structure and use it widespread instead of very specific as we see it today in the western world. Having a standard is a way to make it a lot easier to use this tool and that is dangerous.
Re:
Because SSL runs on top of TCP, not part of TCP.
TCP was made by engineers, so it has strict layering rules which allows it to be modular.
If SSL was baked into TCP and a bug was found in SSL, you couldn’t fix SSL without breaking TCP. By separating TCP, you allow different versions of SSL to run on top of it.
Anyway, who would want SSL’s overhead on a game server that is using UDP?
Re: Re:
I think Gee just wanted to see how many initialisms s/he could fit into one post.
Seriously, though, I don’t want people spying and learning my COD secrets.
Re: Re:
SSL was also created by engineers.
SSL just occurs at the Application/Presentation layer (top layers) where as TCP is the transport layer (middle layer) of the OSI model.
Also SSL is useless over UDP as it is a connectionless protocol.
lawl
ITU, meet IPv6+IPSec
Mandating DPI increases costs for ISPs. Who pays for this? I assume the customers. Great, another tax, not only that, it is used *against* the citizens.
Re: lawl
In draft, there is a specifications on how DPI will work with IPv6 and IPSec.
The 9-11 planes hit the wrong new york target.
Might add that seeing News on ITU/UN issues with Internet you see a Western Media Slant playing down the issues at hand and also reading thru the Comments show that there are mostly stupid and uneducated people claiming that the whole thing is nothing.They try to say people like me are a bunch of Conspiracy Freaks.Not So Idiots !!!
I have been personally buiding Computers since 1995 and was on the Internet back when you used gopher and telnet sessions so F#ck Off people who only know how to hit the On/Off Button, use email, and go on google and facebook.
People like me know quite a bit about Computers, IT, Internet, and we do understand the whole ITU/UN Thing.
And it is a very bad thing indeed.Get Set for the New World Order !!!
Re: Re:
I have been personally buiding Computers since 1995
Well then. I’m certainly convinced as to your qualifications. Snapping tab A into slot B certainly tells me you’re an interweb expert.
and was on the Internet back when you used gopher and telnet sessions
Expert indeed.
F#ck Off people who only know how to hit the On/Off Button, use email, and go on google and facebook
You’re retarded, kid.
People like me know quite a bit about Computers, IT, Internet
Highly doubtful.
we do understand the whole ITU/UN Thing
Of course. You have a sixth grade writing level and the qualifications you’re listing are something I could teach a housecat in a day, but you’re much more in tune with these things than the rest of us.
Get Set for the New World Order
Oh FFS.
Re: Re: Re:
I believe him more than you.
Re: Re: Re: Re:
If you’re already determined to believe the sky is falling, then I guess that’s not really surprising.
If you don’t own the wires, you have to assume the traffic is being collected. It probably is not, but you have no way of determining. Therefore, you must assume it is. Since that has to be the assumption, everyone should be capturing every packet entering or leaving their digital self (networks).
Obviously, once you have read enough of your logs so that you know what is normal, you can filter the basic and generate your daily alert page. But you will always fall for this sort of cruft until you start reading your logs, and learning what your pencil does!
The ITU should deep inspect my AES-1024 bit encryption LoL
Re: Re:
Careful what you wish for. Once the DHS gets involved, you might be up for some rubber-hose cryptanalysis.
On a serious note though the size of secure keys is 256 bit for symmetrical keys and 15360 bits for asymmetrical keys.
https://en.wikipedia.org/wiki/Key_size
So everyone should be using AES-256, to encrypt all their communications, do not trust only in the encryption that your service provider gives you, encrypt your data too and be happy.
You can also encrypt all your text in your profiles, emails and start using a key-manager.
This rant is about something old, is about the wisdom of letting others do the work for you, in time you become a slave to those who did that work. Make no mistake about, if you let the security of your communications be a problem to be solved by others they will abuse that power.
Do not let that happen and this ITU thing will not be of consequence, what is of consequence is that it shows how corrupt the system is and how it would be abused if we gave the ITU more power over the internet.
I have a great idea: disband the ITU. It’s proved it has outlived it’s usefulness.
Fortunately the ITU has no enforcement authority or mechanism. That seems to get lost in these discussions.
Re: Re:
This is currently true which is why it is not so worrisome that they are working on such a standard. Standards have to be adopted and implemented and the ITU, or it’s former moniker CCITT, does not have a good record on getting telecom initiated protocols standards adopted in the real internet world. A case in point, the Internet uses the TCP/IP protocol stack rather than a protocol stack based on the OSI Reference Model. The fact that a proposed DPI standard does not take privacy into account only makes it harder for the ITU to have any success in getting the standard adopted.
What is worrisome is if global politics change enough so that ITU can mandate such standards. This is why what happens at the current WCIT meeting and the response of the world outside of their star chamber is so critical. However, I see the most likely path for adopting DPI standards is for individual countries to mandate this ability via laws such as an expanded CALEA in the US. This has to be done in a way that allows the protocol stack to still be interoperable with countries that respect privacy.
I apologize in advance for all the techy acronyms but my time is limited today so I am being lazy in writing this.
Interesting
Lets ask a few things first..
How would all these people trying to regulate, LIKE their lives to be an open book?
REALLY how would they like their lives invaded..
Now for a better question. Wouldnt it be nice to FIND all the money that Corps ship out from the USA? without a Warrant? It would be fun to find this. If nothing else for blackmail and getting your 10% of it, BEFORe you reported it tot he gov.
Your Title's Wrong.
It should read “ITU Approves Deep Packet Inspection Standard Behind Closed Doors Embraces Huge Privacy Violations.”
UN in charge? oh yeah we are so SCREWED.
Confusing and Worrying
Very confusing and worrisome. One hand they (The ITU) is recommending standards, which can be used to invade digital privacy. On other hand they are trying to take over control of something which has had few controls (the internet).
Add in the global politics. Guess we will still be debating this till WCIT-16.
🙂
Name and Shame
Just who are the engineers who helped write this new standard?
So what can we do about it?
ultimately the internet will just become another marketing tool, once it has become rendered ‘useless’ for interpersonal communications and news sourcing (versus the SHILLS aka MSM)
the only way draconian, totalitarian regimes can be overloards to the sheeple is that they must provide toys for the simpletons to be obsessed with, such as I-pads and I-phones and android ‘spyware’ apps for you to get all glaze eyed over while someone has their finger up your anus from the TSA checking for corn kernels.
people are too stupid to just walk away from it, in time, there will be a whole generation of idiot children who won’t have a clue what PRIVACY is, and to be blunt about it, they won’t give a rat’s dick either.
de-evolved humans will eat their own feces rather than stand up and fight for personal freedom and liberty.
and that, sadly, is a fact.
Re:
Nope: massive jails housing all the nasty unwashed infringers that couldn’t afford lawyers or bribe money to pay their way out of the bogus “infringement” charges (“Dear Mister Arcana: you are being served notice that you are in DMCA violation for your use of your name ‘Tex Arcana’. Please report to the nearest internment center for forcible emptying of your pockets, and a thorough beating, forthwith.”).
Welcome to world Leninism.