ITU Approves Deep Packet Inspection Standard Behind Closed Doors, Ignores Huge Privacy Implications

from the and-they-want-us-to-trust-them? dept

Techdirt has run a number of articles about the ITU's World Conference on International Telecommunications (WCIT) currently taking place in Dubai. One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression.

Against that background, a story published by the Center for Democracy & Technology about the ITU's work in the area of standards takes on an extra significance:

The telecommunications standards arm of the U.N. has quietly endorsed the standardization of technologies that could give governments and companies the ability to sift through all of an Internet user's traffic -- including emails, banking transactions, and voice calls -- without adequate privacy safeguards. The move suggests that some governments hope for a world where even encrypted communications may not be safe from prying eyes.
The new Y.2770 standard is entitled "Requirements for deep packet inspection in Next Generation Networks", and seeks to define an international standard for deep packet inspection (DPI). As the Center for Democracy & Technology points out, it is thoroughgoing in its desire to specify technologies that can be used to spy on people:
The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic "in case of a local availability of the used encryption key(s)." It's not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users' traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications.
One of the big issues surrounding WCIT and the ITU has been the lack of transparency -- or even understanding what real transparency might be. So it will come as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available.

But probably most worrying is the following aspect:

Several global standards bodies, including the IETF and W3C, have launched initiatives to incorporate privacy considerations into their work. In fact, the IETF has long had a policy of not considering technical requirements for wiretapping in its work, taking the seemingly opposite approach to the ITU-T DPI document, as Germany pointed out [doc] in voicing its opposition to the ITU-T standard earlier this year. The ITU-T standard barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated.
This apparent indifference to the wider implications of its work is yet another reason why the ITU is unfit to determine any aspect of something with as much power to affect people's lives as the Internet.

Follow me @glynmoody on Twitter or identi.ca, and on Google+



Reader Comments

  • out_of_the_blue, Dec 4th, 2012 @ 6:01am

    Yeah, worries me too -- as does commercial spying.

    "One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression."

    Problem with you and Mike is that you see only good in corporations spying. If any writer here has ever worried about that, I've missed it. But "commercial" spying becomes state spying simply by the state paying taxpayer money to access the data stored by corporations; they do that routinely on as-needed basis. There's no real distinction between state and corporations, just different aspects of same monster.

  • The Real Michael, Dec 4th, 2012 @ 6:18am

    The ITU's resume: surveillance, censorship and oppression.

    The UN: "You're perfect for the job."

  • Anonymous Coward, Dec 4th, 2012 @ 6:30am

    So once the ITU has successfully fragmented the Internet what are the US and the EU going to do?

    Internet 2?

    • Josh in CharlotteNC (profile), Dec 4th, 2012 @ 6:33am

      Re:

      We'll still have most of the good porn, so the rest of the world will want access and the cycle will repeat all over again.

    • Tex Arcana (profile), Dec 5th, 2012 @ 8:03pm

      Re:

      Nope: massive jails housing all the nasty unwashed infringers that couldn't afford lawyers or bribe money to pay their way out of the bogus "infringement" charges ("Dear Mister Arcana: you are being served notice that you are in DMCA violation for your use of your name 'Tex Arcana'. Please report to the nearest internment center for forcible emptying of your pockets, and a thorough beating, forthwith.").

      Welcome to world Leninism.

  • Anonymous Coward, Dec 4th, 2012 @ 6:42am

    I don't see the issue here. Any time you're not using SSL, you're asking for DPI. If not from the government, then possibly another government or organized crime. And it probably already happens anyway.

    If your online banking doesn't use SSL, change banks. There's no way your banking data should be prone to such attacks.

    • Zakida Paul (profile), Dec 4th, 2012 @ 6:44am

      Re:

      *shrieks in horror*

      Are there banks in the world not using SSL?

    • Anonymous Coward, Dec 4th, 2012 @ 6:51am

      Re: #9

      You're putting way too much faith in SSL and certification authorities...

      • Anonymous Coward, Dec 4th, 2012 @ 7:34am

        Re: Re: #9

        I agree, the certificate authority model is broken.

        I wouldn't be surprised if the government isn't already demanding those authorities to hand over the certs allowing them to man-in-the-middle your 'secure' connections. How much chance they're already doing this?

        • PRMan, Dec 4th, 2012 @ 7:41am

          Re: Re: Re: #9

          A VERY good chance.

        • Anonymous Coward, Dec 4th, 2012 @ 7:48am

          Re: Re: Re: #9

          The problem with your theory is that SSL doesn't work like this.

          Each SSL connection has a unique decryption key that is negotiated on session start.

          Admittedly with enough monkeys and typewriters.......

          • Anonymous Coward, Dec 4th, 2012 @ 8:14am

            Re: Re: Re: Re: #9

            Oh shush with your facts and understanding of the issue and whatnot. You're getting in the way of the conspiracy theory circlejerk.

          • John Fenderson (profile), Dec 4th, 2012 @ 8:43am

            Re: Re: Re: Re: #9

            If you have a root cert, you can trivially perform a man-in-the-middle attack. That's the problem.

            Each SSL connection has a unique decryption key that is negotiated on session start.


            Correct. But in a man-in-the-middle attack, the connection is being made, unknown to the end points, to the attacker's machine instead of each other. You've actually negotiated that key with the attacker (you can't tell because the public key he's forged is signed by the root cert and therefore declared valid). All of your traffic goes through the attacker's machine, is decrypted and then reencrypted with the proper key and sent along to the other end.

            The recent spate of compromised keys and resulting attacks demonstrates that the SSL system is weak. It should not be relied upon for critical information.

            • John Fenderson (profile), Dec 4th, 2012 @ 8:48am

              Re: Re: Re: Re: Re: #9

              It should not be relied upon for critical information.


              I should have said it should not blindly be relied upon. In a private, properly configured setup where you can actually trust the root CA, you can use it effectively.

              Even then, though, it's not unbreakable. It's also a good idea to use separate encryption for particularly sensitive data being transmitted in addition to the SSL.

            • Anonymous Coward, Dec 4th, 2012 @ 9:01am

              Re: Re: Re: Re: Re: #9

              And the ITU's little party here has done nothing to change this. It's literally done nothing to change anything. Nothing at all is any more or less vulnerable than it was a month ago.

              • John Fenderson (profile), Dec 4th, 2012 @ 9:23am

                Re: Re: Re: Re: Re: Re: #9

                Since nothing's been decided yet, that's true. But the indications we've been seeing and things they've been saying are not reassuring.

                However, if they are talking about standardizing DPI, then what they are doing is legitimizing DPI and making it easier, both politically and technically, than it already is to be used by governments and other entities who want to engage in surveillance.

                In other words, they are weakening security. Now, a debate could be had as to whether or not this is justifiable (I don't think it is, but reasonable people may differ), but the ITU is not having a debate about this that involves the people who are the most impacted by it. They actively want the public to remain as ignorant of it as possible.

                That's the outrage.

                • Anonymous Coward, Dec 4th, 2012 @ 10:36am

                  Re: Re: Re: Re: Re: Re: Re: #9

                  They're not weakening security though. They're pointing out where security is weak and how to exploit those existing weaknesses.

                  • John Fenderson (profile), Dec 4th, 2012 @ 10:45am

                    Re: Re: Re: Re: Re: Re: Re: Re: #9

                    No, they are contemplating a standard. A standard says "if you're going to do something, do it like this to facilitate interoperability." In other words, they are determining a way to do it better and cheaper. In other words, they are endorsing and encouraging the practice.

                    • Anonymous Coward, Dec 4th, 2012 @ 11:26am

                      Re: Re: Re: Re: Re: Re: Re: Re: Re: #9

                      I fail to see how this creates any vulnerabilities that did not already exist.

    • anonymous, Dec 4th, 2012 @ 7:33am

      Response to: Anonymous Coward on Dec 4th, 2012 @ 6:42am

      ssl or encryption is pointless if u read, they're talking about decrypting data u send securely

    • So insightful, Dec 4th, 2012 @ 8:32pm

      So insightful

      So insightful

  • Anonymous Coward, Dec 4th, 2012 @ 6:55am

    basically, we can thank the USA for the meetings that are held in secrecy. they started them and now that others are doing the same, it isn't liked. a case of 'we can hold secret meetings that affect the rest of the world, but no one else can'. WRONG! this is now a result but i doubt if it will be the only one!

    i wonder now how this is going to be implemented, considering the opposition that the EU has already passed a resolution against the ITU.

    i wonder what actions will be taken to stop the implementation or the prevention of the DPI? allowed to carry out this action will undoubtedly result in some serious shit hitting fan!

  • Chilly8, Dec 4th, 2012 @ 6:59am

    Just how are they going to crack and sniff VPN? That would be all but impossible

    • Anonymous Coward, Dec 4th, 2012 @ 7:13am

      Re:

      Why would you want that? assuming the owner of the VPN is the author is way enough for the masses. And for official VPN providers, force them to provide any thing they ask.

      • John Fenderson (profile), Dec 4th, 2012 @ 9:31am

        Re: Re:

        Why would you want that?


        Because if you don't have that, you have nearly no information at all aside from what IPs have connected to the VPN and when.

        And for official VPN providers, force them to provide any thing they ask.


        A reputable and competent VPN provider wouldn't have any information that isn't obtainable from the ISP anyway. Certainly not access to the decrypted data stream.

  • David Lloyd, Dec 4th, 2012 @ 7:22am

    So what

    This standard doesn't give anyone any capabilities that they don't already have. I think this is just a bit of alarmism. What difference does it make if there's some government/criminal packet sniffer using standardized DPI versus non-standardized DPI?

    • Anonymous Coward, Dec 4th, 2012 @ 7:59am

      Re: So what

      You are correct when we are talking national security agencies, mostly having this power. Not police or other low tier law enforcement. Making an official standard for this technological brute force surveillance does add credibility to its use. It might encourage countries to escalate the privilege structure and use it widespread instead of very specific as we see it today in the western world. Having a standard is a way to make it a lot easier to use this tool and that is dangerous.

    • anonymous (for now), Dec 5th, 2012 @ 7:11pm

      Re: So what

      With a standard, one country can require access of another country, and offer the guaranteed exact same access in return. So treaties can be negotiated without running the risk of one country knowing more about the other than the other knows about it in return.

  • Gee, Dec 4th, 2012 @ 7:48am

    Why isn't SSL incorporated into every tcp/udp communication by default? Surely this would defeat state spying, would it not?

    I imagine a protocol where I could generate my own SSL certificates, then when someone wants to connect to my PC they would request my public key and then I send them it.

    • Bengie, Dec 4th, 2012 @ 8:00am

      Re:

      Because SSL runs on top of TCP, not part of TCP.

      TCP was made by engineers, so it has strict layering rules which allows it to be modular.

      If SSL was baked into TCP and a bug was found in SSL, you couldn't fix SSL without breaking TCP. By separating TCP, you allow different versions of SSL to run on top of it.

      Anyway, who would want SSL's overhead on a game server that is using UDP?

      • Anonymous Coward, Dec 4th, 2012 @ 8:38am

        Re: Re:

        I think Gee just wanted to see how many initialisms s/he could fit into one post.

        Seriously, though, I don't want people spying and learning my COD secrets.

      • Anonymous Coward, Dec 4th, 2012 @ 11:40am

        Re: Re:

        SSL was also created by engineers.

        SSL just occurs at the Application/Presentation layer (top layers) whereas TCP is the transport layer (middle layer) of the OSI model.

        Also SSL is useless over UDP as it is a connectionless protocol.

    • John Fenderson (profile), Dec 4th, 2012 @ 8:53am

      Re:

      I imagine a protocol where I could generate my own SSL certificates, then when someone wants to connect to my PC they would request my public key and then I send them it.


      That's how it works right now.

      The weakness is in the key authentication (how can I be sure that the public key I have is really yours?) In SSL, this is done through trusted certification agencies validating them, but those agencies turned out not to be quite trustworthy enough.
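
The interposed-certificate problem John Fenderson describes earlier in this thread (a leaf issued under some trusted root passes chain validation, so the client negotiates its session key with the wrong party) and his question just above (how can I be sure the public key I have is really yours?) are both what public-key pinning answers: the client ships a hash of the peer's SubjectPublicKeyInfo and refuses any leaf whose key differs, no matter which CA signed it. The code below is an added example, not code from the article or any commenter; it uses only the Python standard library, the DER helpers and the names `extract_spki`, `spki_pin`, `pin_matches` and `make_cert` are this example's own, and the two certificates it checks are constructed, unsigned toy structures rather than real certificates.

```python
"""SPKI pinning: a leaf certificate that chain-validates under some trusted
root but carries a public key other than the pinned one is rejected.
The DER encoder/decoder here is a minimal one written for this example;
the certificates it builds are structurally valid X.509 but unsigned."""
import base64
import hashlib

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (single-byte tags only)."""
    return bytes([tag]) + _der_len(len(content)) + content

def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def read_tlv(buf: bytes, off: int):
    """Decode the TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length

def children(seq_body: bytes):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    off = 0
    while off < len(seq_body):
        tag, val, off = read_tlv(seq_body, off)
        yield tag, val

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER X.509 certificate")
    tbs_tag, tbs_body, _ = read_tlv(cert_body, 0)
    if tbs_tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    fields = list(children(tbs_body))
    if fields[0][0] == 0xA0:               # explicit [0] version is present
        fields = fields[1:]
    spki_tag, spki_body = fields[5]        # serial, sigalg, issuer, validity, subject, SPKI
    return der(spki_tag, spki_body)

def spki_pin(cert_der: bytes) -> str:
    """Pin in the HPKP/Chromium form: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der: bytes, pinned_pins: set) -> bool:
    """True only if the presented leaf carries a pinned public key,
    regardless of which CA issued it (chain validation is a separate step)."""
    return spki_pin(cert_der) in pinned_pins

# --- constructed sample certificates (toy, unsigned; key bytes are fake) ---
RSA_OID = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01])
SHA256_RSA_OID = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])

def make_cert(issuer_cn: bytes, subject_cn: bytes, pubkey: bytes) -> bytes:
    def name(cn: bytes) -> bytes:          # Name ::= SEQUENCE OF SET OF { OID cn, UTF8String }
        return der_seq(der(0x31, der_seq(der(0x06, b"\x55\x04\x03"), der(0x0C, cn))))
    sig_alg = der_seq(der(0x06, SHA256_RSA_OID), der(0x05, b""))
    validity = der_seq(der(0x17, b"121204000000Z"), der(0x17, b"131204000000Z"))
    spki = der_seq(der_seq(der(0x06, RSA_OID), der(0x05, b"")), der(0x03, b"\x00" + pubkey))
    tbs = der_seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), sig_alg,
                  name(issuer_cn), validity, name(subject_cn), spki)
    return der_seq(tbs, sig_alg, der(0x03, b"\x00" + bytes(32)))   # signature left as zeros

BANK_KEY = hashlib.sha256(b"constructed: the bank's real key").digest() * 8   # 256 fake bytes
ROGUE_KEY = hashlib.sha256(b"constructed: interposer's key").digest() * 8
GENUINE = make_cert(b"Bank Root CA", b"bank.example", BANK_KEY)
INTERPOSED = make_cert(b"Some Other Trusted CA", b"bank.example", ROGUE_KEY)
PINS = {spki_pin(GENUINE)}                 # shipped with the client, never learned from the wire

if __name__ == "__main__":
    print("genuine leaf accepted:   ", pin_matches(GENUINE, PINS))      # True
    print("interposed leaf accepted:", pin_matches(INTERPOSED, PINS))   # False
```

On a live connection the same check runs on `ssl.SSLSocket.getpeercert(binary_form=True)`, which returns the peer's leaf in DER; the pin must be compared in addition to, not instead of, normal chain validation.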

  • Androgynous Cowherd, Dec 4th, 2012 @ 7:52am

    Transparency school

    One of the big issues surrounding WCIT and the ITU has been the lack of transparency -- or even understanding what real transparency might be. So it will come as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available.


    Seems like the ITU and the USTR went to the same transparency school.

  • Bengie, Dec 4th, 2012 @ 8:04am

    lawl

    ITU, meet IPv6+IPSec

    Mandating DPI increases costs for ISPs. Who pays for this? I assume the customers. Great, another tax, not only that, it is used *against* the citizens.

  • Anonymous Coward, Dec 4th, 2012 @ 8:24am

    The 9-11 planes hit the wrong new york target.

  • gorehound (profile), Dec 4th, 2012 @ 8:33am

    Might add that seeing News on ITU/UN issues with Internet you see a Western Media Slant playing down the issues at hand and also reading thru the Comments show that there are mostly stupid and uneducated people claiming that the whole thing is nothing. They try to say people like me are a bunch of Conspiracy Freaks. Not So Idiots !!!
    I have been personally building Computers since 1995 and was on the Internet back when you used gopher and telnet sessions so F#ck Off people who only know how to hit the On/Off Button, use email, and go on google and facebook.
    People like me know quite a bit about Computers, IT, Internet, and we do understand the whole ITU/UN Thing.
    And it is a very bad thing indeed. Get Set for the New World Order !!!

    • Anonymous Coward, Dec 4th, 2012 @ 8:43am

      Re:

      I have been personally building Computers since 1995

      Well then. I'm certainly convinced as to your qualifications. Snapping tab A into slot B certainly tells me you're an interweb expert.

      and was on the Internet back when you used gopher and telnet sessions

      Expert indeed.

      F#ck Off people who only know how to hit the On/Off Button, use email, and go on google and facebook

      You're retarded, kid.

      People like me know quite a bit about Computers, IT, Internet

      Highly doubtful.

      we do understand the whole ITU/UN Thing

      Of course. You have a sixth grade writing level and the qualifications you're listing are something I could teach a housecat in a day, but you're much more in tune with these things than the rest of us.

      Get Set for the New World Order

      Oh FFS.

  • Anonymous Coward, Dec 4th, 2012 @ 9:38am

    If you don't own the wires, you have to assume the traffic is being collected. It probably is not, but you have no way of determining. Therefore, you must assume it is. Since that has to be the assumption, everyone should be capturing every packet entering or leaving their digital self (networks).

    Obviously, once you have read enough of your logs so that you know what is normal, you can filter the basic and generate your daily alert page. But you will always fall for this sort of cruft until you start reading your logs, and learning what your pencil does!

  • Anonymous Coward, Dec 4th, 2012 @ 10:08am

    The ITU should deep inspect my AES-1024 bit encryption LoL

    • Anonymous Coward, Dec 4th, 2012 @ 10:38am

      Re:

      Careful what you wish for. Once the DHS gets involved, you might be up for some rubber-hose cryptanalysis.

  • Anonymous Coward, Dec 4th, 2012 @ 10:35am

    On a serious note though the size of secure keys is 256 bit for symmetrical keys and 15360 bits for asymmetrical keys.

    https://en.wikipedia.org/wiki/Key_size

    So everyone should be using AES-256, to encrypt all their communications, do not trust only in the encryption that your service provider gives you, encrypt your data too and be happy.

    You can also encrypt all your text in your profiles, emails and start using a key-manager.

    This rant is about something old, is about the wisdom of letting others do the work for you, in time you become a slave to those who did that work. Make no mistake about it, if you let the security of your communications be a problem to be solved by others they will abuse that power.

    Do not let that happen and this ITU thing will not be of consequence, what is of consequence is that it shows how corrupt the system is and how it would be abused if we gave the ITU more power over the internet.

  • Anonymous Coward, Dec 4th, 2012 @ 10:45am

    I have a great idea: disband the ITU. It's proved it has outlived its usefulness.

  • MontyAnaconda, Dec 4th, 2012 @ 11:13am

    Fortunately the ITU has no enforcement authority or mechanism. That seems to get lost in these discussions.

    • aldestrawk (profile), Dec 4th, 2012 @ 1:35pm

      Re:

      This is currently true which is why it is not so worrisome that they are working on such a standard. Standards have to be adopted and implemented and the ITU, or its former moniker CCITT, does not have a good record on getting telecom-initiated protocol standards adopted in the real internet world. A case in point, the Internet uses the TCP/IP protocol stack rather than a protocol stack based on the OSI Reference Model. The fact that a proposed DPI standard does not take privacy into account only makes it harder for the ITU to have any success in getting the standard adopted.
      What is worrisome is if global politics change enough so that ITU can mandate such standards. This is why what happens at the current WCIT meeting and the response of the world outside of their star chamber is so critical. However, I see the most likely path for adopting DPI standards is for individual countries to mandate this ability via laws such as an expanded CALEA in the US. This has to be done in a way that allows the protocol stack to still be interoperable with countries that respect privacy.

      I apologize in advance for all the techy acronyms but my time is limited today so I am being lazy in writing this.

  • ECA (profile), Dec 4th, 2012 @ 1:32pm

    Interesting

    Lets ask a few things first..

    How would all these people trying to regulate, LIKE their lives to be an open book?
    REALLY how would they like their lives invaded..

    Now for a better question. Wouldn't it be nice to FIND all the money that Corps ship out from the USA? without a Warrant? It would be fun to find this. If nothing else for blackmail and getting your 10% of it, BEFORE you reported it to the gov.

  • Nick, Dec 4th, 2012 @ 2:01pm

    Your Title's Wrong.

    It should read "ITU Approves Deep Packet Inspection Standard Behind Closed Doors Embraces Huge Privacy Violations."

  • Anonymous Coward, Dec 4th, 2012 @ 6:24pm

    UN in charge? oh yeah we are so SCREWED.

  • mad.madrasi, Dec 4th, 2012 @ 9:44pm

    Confusing and Worrying

    Very confusing and worrisome. On one hand they (the ITU) are recommending standards, which can be used to invade digital privacy. On the other hand they are trying to take over control of something which has had few controls (the internet).

    Add in the global politics. Guess we will still be debating this till WCIT-16.
    :-)

  • toyotabedzrock (profile), Dec 4th, 2012 @ 10:32pm

    Name and Shame

    Just who are the engineers who helped write this new standard?

  • Anonymous Coward, Dec 5th, 2012 @ 11:04am

    So what can we do about it?

  • Ben Dover, Dec 5th, 2012 @ 7:48pm

    ultimately the internet will just become another marketing tool, once it has become rendered 'useless' for interpersonal communications and news sourcing (versus the SHILLS aka MSM)

    the only way draconian, totalitarian regimes can be overlords to the sheeple is that they must provide toys for the simpletons to be obsessed with, such as I-pads and I-phones and android 'spyware' apps for you to get all glaze-eyed over while someone has their finger up your anus from the TSA checking for corn kernels.

    people are too stupid to just walk away from it, in time, there will be a whole generation of idiot children who won't have a clue what PRIVACY is, and to be blunt about it, they won't give a rat's dick either.

    de-evolved humans will eat their own feces rather than stand up and fight for personal freedom and liberty.

    and that, sadly, is a fact.

