ITU Approves Deep Packet Inspection Standard Behind Closed Doors, Ignores Huge Privacy Implications

from the and-they-want-us-to-trust-them? dept

Techdirt has run a number of articles about the ITU’s World Conference on International Telecommunications (WCIT) currently taking place in Dubai. One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression.

Against that background, a story published by the Center for Democracy & Technology about the ITU’s work in the area of standards takes on an extra significance:

The telecommunications standards arm of the U.N. has quietly endorsed the standardization of technologies that could give governments and companies the ability to sift through all of an Internet user’s traffic — including emails, banking transactions, and voice calls — without adequate privacy safeguards. The move suggests that some governments hope for a world where even encrypted communications may not be safe from prying eyes.

The new Y.2770 standard is entitled “Requirements for deep packet inspection in Next Generation Networks”, and seeks to define an international standard for deep packet inspection (DPI). As the Center for Democracy & Technology points out, it is thoroughgoing in its desire to specify technologies that can be used to spy on people:

The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic “in case of a local availability of the used encryption key(s).” It’s not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users’ traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications.

One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be. So it comes as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available.

But probably most worrying is the following aspect:

Several global standards bodies, including the IETF and W3C, have launched initiatives to incorporate privacy considerations into their work. In fact, the IETF has long had a policy of not considering technical requirements for wiretapping in its work, taking the seemingly opposite approach to the ITU-T DPI document, as Germany pointed out [doc] in voicing its opposition to the ITU-T standard earlier this year. The ITU-T standard barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated.

This apparent indifference to the wider implications of its work is yet another reason why the ITU is unfit to determine any aspect of something with as much power to affect people’s lives as the Internet.

Follow me @glynmoody on Twitter or identi.ca, and on Google+


Comments on “ITU Approves Deep Packet Inspection Standard Behind Closed Doors, Ignores Huge Privacy Implications”

68 Comments
out_of_the_blue says:

Yeah, worries me too -- as does commercial spying.

“One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression.”

Problem with you and Mike is that you see only good in corporations spying. If any writer here has ever worried about that, I’ve missed it. But “commercial” spying becomes state spying simply by the state paying taxpayer money to access the data stored by corporations; they do that routinely on as-needed basis. There’s no real distinction between state and corporations, just different aspects of same monster.

Anonymous Coward says:

I don’t see the issue here. Any time you’re not using SSL, you’re asking for DPI. IF not from the government, the possibly another government or organized crime. And it probably already happens anyway.

If your online banking doesn’t use SSL, change banks. There’s no way your banking data should be prone to such attacks.

Anonymous Coward says:

basically, we can thank the USA for the meetings that are held in secrecy. they started them and now that others are doing the same, it isn’t liked. a case of ‘we can hold secret meetings that affect the rest of the world, but no one else can’. WRONG! this is now a result but i doubt if it will be the only one!

i wonder now how this is going to be implemented, considering the opposition that the EU has already passed a resolution against the ITU.

i wonder what actions will be taken to stop the implementation or the prevention of the DPI? allowed to carry out this action will undoubtedly result in some serious shit hitting fan!

John Fenderson (profile) says:

Re: Re:

Why would you want that?

Because if you don’t have that, you have nearly no information at all aside from what IPs have connected to the VPN and when.

And for official VPN providers, force them to provide any thing they ask.

A reputable and competent VPN provider wouldn’t have any information that isn’t obtainable from the ISP anyway. Certainly not access to the decrypted data stream.

John Fenderson (profile) says:

Re: #9

If you have a root cert, you can trivially perform a man-in-the-middle attack. That’s the problem.

Each SSL connection has a unique decryption key that is negotiated on session start.

Correct. But in a man-in-the-middle attack, the connection is being made, unknown to the end points, to the attacker’s machine instead of each other. You’ve actually negotiated that key with the attacker (you can’t tell because the public key he’s forged is signed by the root cert and therefore declared valid). All of your traffic goes through the attacker’s machine, is decrypted and then re-encrypted with the proper key and sent along to the other end.

The recent spate of compromised keys and resulting attacks demonstrates that the SSL system is weak. It should not be relied upon for critical information.

John Fenderson (profile) says:

Re: Re: #9

It should not be relied upon for critical information.

I should have said it should not blindly be relied upon. In a private, properly configured setup where you can actually trust the root CA, you can use it effectively.

Even then, though, it’s not unbreakable. It’s also a good idea to use separate encryption for particularly sensitive data being transmitted in addition to the SSL.

John Fenderson (profile) says:

Re: Re: Re: #9

Since nothing’s been decided yet, that’s true. But the indications we’ve been seeing and things they’ve been saying are not reassuring.

However, if they are talking about standardizing DPI, then what they are doing is legitimizing DPI and making it easier, both politically and technically, than it already is to be used by governments and other entities who want to engage in surveillance.

In other words, they are weakening security. Now, a debate could be had as to whether or not this is justifiable (I don’t think it is, but reasonable people may differ), but the ITU is not having a debate about this that involves the people who are the most impacted by it. They actively want the public to remain as ignorant of it as possible.

That’s the outrage.

John Fenderson (profile) says:

Re: Re:

I imagine a protocol where I could generate my own SSL certificates, then when someone wants to connect to my PC they would request my public key and then I send them it.

That’s how it works right now.

The weakness is in the key authentication (how can I be sure that the public key I have is really yours?) In SSL, this is done through trusted certification agencies validating them, but those agencies turned out not to be quite trustworthy enough.
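The man-in-the-middle and key-authentication points made in the two John Fenderson comments above, as an added example that is neither the commenters’ nor the article’s code: using only Go’s standard library, two trusted roots with constructed names are created, root A issues the genuine bank.example certificate and root B signs a second certificate for the same name, and the result shows that ordinary chain validation accepts both while a pin on the genuine key’s SPKI hash rejects the second.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for name: self-signed when parent is nil, otherwise signed by parent.
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if !isCA {
		tmpl.DNSNames = []string{name} // hostname matching uses the SAN, not the CN
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value public-key pinning compares.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// chainOK is the check a browser performs: does leaf chain to any root in the trust store?
func chainOK(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "bank.example", Roots: roots})
	return err == nil
}

// Scenario (constructed): root A issued the genuine cert; root B, equally trusted but compromised or coerced, signs an interceptor's cert for the same name.
func Scenario() (genuineChain, forgedChain, genuinePin, forgedPin bool) {
	rootA, keyA := mkCert("Root A", true, nil, nil)
	rootB, keyB := mkCert("Root B", true, nil, nil)
	trusted := x509.NewCertPool() // the client's root store trusts both CAs
	trusted.AddCert(rootA)
	trusted.AddCert(rootB)
	genuine, _ := mkCert("bank.example", false, rootA, keyA)
	forged, _ := mkCert("bank.example", false, rootB, keyB)
	expected := spkiPin(genuine) // the pin the client recorded out of band
	return chainOK(genuine, trusted), chainOK(forged, trusted), spkiPin(genuine) == expected, spkiPin(forged) == expected
}
```

Both chain checks return true, which is the weakness the comments describe; only the pin comparison tells the two certificates apart.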

Androgynous Cowherd says:

Transparency school

One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be. So it comes as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available.

Seems like the ITU and the USTR went to the same transparency school.

Anonymous Coward says:

So what

You are correct when we are talking national security agencies, mostly having this power. Not police or other low tier law enforcement. Making an official standard for this technological brute force surveillance does add credibility to its use. It might encourage countries to escalate the privilege structure and use it widespread instead of very specific as we see it today in the western world. Having a standard is a way to make it a lot easier to use this tool and that is dangerous.

Bengie says:

Re:

Because SSL runs on top of TCP, not part of TCP.

TCP was made by engineers, so it has strict layering rules which allows it to be modular.

If SSL was baked into TCP and a bug was found in SSL, you couldn’t fix SSL without breaking TCP. By separating TCP, you allow different versions of SSL to run on top of it.

Anyway, who would want SSL’s overhead on a game server that is using UDP?

gorehound (profile) says:

Might add that seeing News on ITU/UN issues with Internet you see a Western Media Slant playing down the issues at hand and also reading thru the Comments show that there are mostly stupid and uneducated people claiming that the whole thing is nothing. They try to say people like me are a bunch of Conspiracy Freaks. Not So Idiots !!!
I have been personally building Computers since 1995 and was on the Internet back when you used gopher and telnet sessions so F#ck Off people who only know how to hit the On/Off Button, use email, and go on google and facebook.
People like me know quite a bit about Computers, IT, Internet, and we do understand the whole ITU/UN Thing.
And it is a very bad thing indeed. Get Set for the New World Order !!!

Anonymous Coward says:

Re: Re:

I have been personally building Computers since 1995

Well then. I’m certainly convinced as to your qualifications. Snapping tab A into slot B certainly tells me you’re an interweb expert.

and was on the Internet back when you used gopher and telnet sessions

Expert indeed.

F#ck Off people who only know how to hit the On/Off Button, use email, and go on google and facebook

You’re retarded, kid.

People like me know quite a bit about Computers, IT, Internet

Highly doubtful.

we do understand the whole ITU/UN Thing

Of course. You have a sixth grade writing level and the qualifications you’re listing are something I could teach a housecat in a day, but you’re much more in tune with these things than the rest of us.

Get Set for the New World Order

Oh FFS.

Anonymous Coward says:

If you don’t own the wires, you have to assume the traffic is being collected. It probably is not, but you have no way of determining. Therefore, you must assume it is. Since that has to be the assumption, everyone should be capturing every packet entering or leaving their digital self (networks).

Obviously, once you have read enough of your logs so that you know what is normal, you can filter the basic and generate your daily alert page. But you will always fall for this sort of cruft until you start reading your logs, and learning what your pencil does!

Anonymous Coward says:

On a serious note though the size of secure keys is 256 bit for symmetrical keys and 15360 bits for asymmetrical keys.

https://en.wikipedia.org/wiki/Key_size

So everyone should be using AES-256, to encrypt all their communications, do not trust only in the encryption that your service provider gives you, encrypt your data too and be happy.

You can also encrypt all your text in your profiles, emails and start using a key-manager.

This rant is about something old, is about the wisdom of letting others do the work for you, in time you become a slave to those who did that work. Make no mistake about, if you let the security of your communications be a problem to be solved by others they will abuse that power.

Do not let that happen and this ITU thing will not be of consequence, what is of consequence is that it shows how corrupt the system is and how it would be abused if we gave the ITU more power over the internet.

aldestrawk says:

Re: Re:

This is currently true which is why it is not so worrisome that they are working on such a standard. Standards have to be adopted and implemented and the ITU, or its former moniker CCITT, does not have a good record on getting telecom-initiated protocol standards adopted in the real internet world. A case in point, the Internet uses the TCP/IP protocol stack rather than a protocol stack based on the OSI Reference Model. The fact that a proposed DPI standard does not take privacy into account only makes it harder for the ITU to have any success in getting the standard adopted.
What is worrisome is if global politics change enough so that ITU can mandate such standards. This is why what happens at the current WCIT meeting and the response of the world outside of their star chamber is so critical. However, I see the most likely path for adopting DPI standards is for individual countries to mandate this ability via laws such as an expanded CALEA in the US. This has to be done in a way that allows the protocol stack to still be interoperable with countries that respect privacy.

I apologize in advance for all the techy acronyms but my time is limited today so I am being lazy in writing this.

ECA (profile) says:

Interesting

Lets ask a few things first..

How would all these people trying to regulate, LIKE their lives to be an open book?
REALLY how would they like their lives invaded..

Now for a better question. Wouldn't it be nice to FIND all the money that Corps ship out from the USA? without a Warrant? It would be fun to find this. If nothing else for blackmail and getting your 10% of it, BEFORE you reported it to the gov.

Ben Dover says:

ultimately the internet will just become another marketing tool, once it has become rendered ‘useless’ for interpersonal communications and news sourcing (versus the SHILLS aka MSM)

the only way draconian, totalitarian regimes can be overlords to the sheeple is that they must provide toys for the simpletons to be obsessed with, such as I-pads and I-phones and android ‘spyware’ apps for you to get all glazed-eyed over while someone has their finger up your anus from the TSA checking for corn kernels.

people are too stupid to just walk away from it, in time, there will be a whole generation of idiot children who won’t have a clue what PRIVACY is, and to be blunt about it, they won’t give a rat’s dick either.

de-evolved humans will eat their own feces rather than stand up and fight for personal freedom and liberty.

and that, sadly, is a fact.

Tex Arcana (profile) says:

Re:

Nope: massive jails housing all the nasty unwashed infringers that couldn’t afford lawyers or bribe money to pay their way out of the bogus “infringement” charges (“Dear Mister Arcana: you are being served notice that you are in DMCA violation for your use of your name ‘Tex Arcana’. Please report to the nearest internment center for forcible emptying of your pockets, and a thorough beating, forthwith.”).

Welcome to world Leninism.
