ITU Approves Deep Packet Inspection Standard Behind Closed Doors, Ignores Huge Privacy Implications

from the and-they-want-us-to-trust-them? dept

Techdirt has run a number of articles about the ITU’s World Conference on International Telecommunications (WCIT) currently taking place in Dubai. One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression.

Against that background, a story published by the Center for Democracy & Technology about the ITU’s work in the area of standards takes on an extra significance:

The telecommunications standards arm of the U.N. has quietly endorsed the standardization of technologies that could give governments and companies the ability to sift through all of an Internet user’s traffic — including emails, banking transactions, and voice calls — without adequate privacy safeguards. The move suggests that some governments hope for a world where even encrypted communications may not be safe from prying eyes.

The new Y.2770 standard is entitled “Requirements for deep packet inspection in Next Generation Networks”, and seeks to define an international standard for deep packet inspection (DPI). As the Center for Democracy & Technology points out, it is thoroughgoing in its desire to specify technologies that can be used to spy on people:

The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic “in case of a local availability of the used encryption key(s).” It’s not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users’ traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications.

One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be. So it comes as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available.

But probably most worrying is the following aspect:

Several global standards bodies, including the IETF and W3C, have launched initiatives to incorporate privacy considerations into their work. In fact, the IETF has long had a policy of not considering technical requirements for wiretapping in its work, taking the seemingly opposite approach to the ITU-T DPI document, as Germany pointed out [doc] in voicing its opposition to the ITU-T standard earlier this year. The ITU-T standard barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated.

This apparent indifference to the wider implications of its work is yet another reason why the ITU is unfit to determine any aspect of something with as much power to affect people’s lives as the Internet.

Follow me @glynmoody on Twitter or identi.ca, and on Google+



Comments on “ITU Approves Deep Packet Inspection Standard Behind Closed Doors, Ignores Huge Privacy Implications”

68 Comments
out_of_the_blue says:

Yeah, worries me too -- as does commercial spying.

“One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression.”

Problem with you and Mike is that you see only good in corporations spying. If any writer here has ever worried about that, I’ve missed it. But “commercial” spying becomes state spying simply by the state paying taxpayer money to access the data stored by corporations; they do that routinely on as-needed basis. There’s no real distinction between state and corporations, just different aspects of same monster.

Tex Arcana says:

Re: Re:

Nope: massive jails housing all the nasty unwashed infringers that couldn’t afford lawyers or bribe money to pay their way out of the bogus “infringement” charges (“Dear Mister Arcana: you are being served notice that you are in DMCA violation for your use of your name ‘Tex Arcana’. Please report to the nearest internment center for forcible emptying of your pockets, and a thorough beating, forthwith.”).

Welcome to world Leninism.

Anonymous says:

I don’t see the issue here. Any time you’re not using SSL, you’re asking for DPI. If not from the government, then possibly another government or organized crime. And it probably already happens anyway.

If your online banking doesn’t use SSL, change banks. There’s no way your banking data should be prone to such attacks.

John Fenderson says:

Re: Re: Re:2 Re: Re: Re: Re: #9

If you have a root cert, you can trivially perform a man-in-the-middle attack. That’s the problem.

Each SSL connection has a unique decryption key that is negotiated on session start.

Correct. But in a man-in-the-middle attack, the connection is being made, unknown to the end points, to the attacker’s machine instead of each other. You’ve actually negotiated that key with the attacker (you can’t tell because the public key he’s forged is signed by the root cert and therefore declared valid). All of your traffic goes through the attacker’s machine, is decrypted and then reencrypted with the proper key and sent along to the other end.

The recent spate of compromised keys and resulting attacks demonstrates that the SSL system is weak. It should not be relied upon for critical information.

John Fenderson says:

Re: Re: Re:3 Re: Re: Re: Re: Re: #9

It should not be relied upon for critical information.

I should have said it should not blindly be relied upon. In a private, properly configured setup where you can actually trust the root CA, you can use it effectively.

Even then, though, it’s not unbreakable. It’s also a good idea to use separate encryption for particularly sensitive data being transmitted in addition to the SSL.

John Fenderson says:

Re: Re: Re:4 Re: Re: Re: Re: Re: Re: #9

Since nothing’s been decided yet, that’s true. But the indications we’ve been seeing and things they’ve been saying are not reassuring.

However, if they are talking about standardizing DPI, then what they are doing is legitimizing DPI and making it easier, both politically and technically, than it already is to be used by governments and other entities who want to engage in surveillance.

In other words, they are weakening security. Now, a debate could be had as to whether or not this is justifiable (I don’t think it is, but reasonable people may differ), but the ITU is not having a debate about this that involves the people who are the most impacted by it. They actively want the public to remain as ignorant of it as possible.

That’s the outrage.

John Fenderson says:

Re: Re: Re:6 Re: Re: Re: Re: Re: Re: Re: Re: #9

No, they are contemplating a standard. A standard says “if you’re going to do something, do it like this to facilitate interoperability.” In other words, they are determining a way to do it better and cheaper. In other words, they are endorsing and encouraging the practice.

Anonymous says:

basically, we can thank the USA for the meetings that are held in secrecy. they started them and now that others are doing the same, it isn’t liked. a case of ‘we can hold secret meetings that affect the rest of the world, but no one else can’. WRONG! this is now a result but i doubt if it will be the only one!

i wonder now how this is going to be implemented, considering the opposition that the EU has already passed a resolution against the ITU.

i wonder what actions will be taken to stop the implementation or the prevention of the DPI? allowed to carry out this action will undoubtedly result in some serious shit hitting fan!

John Fenderson says:

Re: Re: Re: Re:

Why would you want that?

Because if you don’t have that, you have nearly no information at all aside from what IPs have connected to the VPN and when.

And for official VPN providers, force them to provide any thing they ask.

A reputable and competent VPN provider wouldn’t have any information that isn’t obtainable from the ISP anyway. Certainly not access to the decrypted data stream.

Anonymous says:

Re: Re: So what

You are correct when we are talking national security agencies, mostly having this power. Not police or other low tier law enforcement. Making an official standard for this technological brute force surveillance does add credibility to its use. It might encourage countries to escalate the privilege structure and use it widespread instead of very specific as we see it today in the western world. Having a standard is a way to make it a lot easier to use this tool and that is dangerous.

Bengie says:

Re: Re:

Because SSL runs on top of TCP, not part of TCP.

TCP was made by engineers, so it has strict layering rules which allow it to be modular.

If SSL was baked into TCP and a bug was found in SSL, you couldn’t fix SSL without breaking TCP. By separating TCP, you allow different versions of SSL to run on top of it.

Anyway, who would want SSL’s overhead on a game server that is using UDP?

John Fenderson says:

Re: Re:

I imagine a protocol where I could generate my own SSL certificates, then when someone wants to connect to my PC they would request my public key and then I send them it.

That’s how it works right now.

The weakness is in the key authentication (how can I be sure that the public key I have is really yours?) In SSL, this is done through trusted certification agencies validating them, but those agencies turned out not to be quite trustworthy enough.
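The two John Fenderson comments above describe the same failure: a chain check only proves that *some* trusted root signed the certificate, so an interposing box holding a trusted root passes it while the key you actually negotiated is the box's. The added example below (not from the original thread, and a deliberately simplified model, not real X.509: certificates are dataclasses and "signatures" are HMACs keyed by the issuer) shows that check beside an out-of-band SPKI pin, which is what catches the substituted key.

```python
"""Toy PKI model: chain validation vs. public-key pinning (simplified, not X.509)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    spki: bytes       # stands in for the SubjectPublicKeyInfo blob
    issuer: str
    signature: bytes  # HMAC over (subject, spki, issuer) with the issuer's key


def _tbs(subject: str, spki: bytes, issuer: str) -> bytes:
    """Bytes the issuer signs ('to-be-signed' part of the toy cert)."""
    return b"|".join([subject.encode(), spki, issuer.encode()])


def issue(issuer: str, issuer_key: bytes, subject: str, spki: bytes) -> Cert:
    sig = hmac.new(issuer_key, _tbs(subject, spki, issuer), hashlib.sha256).digest()
    return Cert(subject, spki, issuer, sig)


def chain_valid(leaf: Cert, trust_store: dict) -> bool:
    """Browser-style check: accepted if ANY root in the trust store signed it."""
    root_key = trust_store.get(leaf.issuer)
    if root_key is None:
        return False
    expected = hmac.new(root_key, _tbs(leaf.subject, leaf.spki, leaf.issuer),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, leaf.signature)


def spki_pin(spki: bytes) -> str:
    """Pin = hash of the public key, recorded out-of-band ahead of time."""
    return hashlib.sha256(spki).hexdigest()


def pinned_ok(leaf: Cert, expected_host: str, pin: str) -> bool:
    return leaf.subject == expected_host and spki_pin(leaf.spki) == pin


# Constructed sample data: two roots are "trusted", one controlled by the interposer.
GOOD_CA_KEY = b"constructed-good-ca-key"
ROGUE_CA_KEY = b"constructed-rogue-ca-key"
TRUST_STORE = {"GoodCA": GOOD_CA_KEY, "RogueCA": ROGUE_CA_KEY}

BANK_SPKI = b"constructed-bank-public-key"
MITM_SPKI = b"constructed-interposer-public-key"
REAL_CERT = issue("GoodCA", GOOD_CA_KEY, "bank.example", BANK_SPKI)
MITM_CERT = issue("RogueCA", ROGUE_CA_KEY, "bank.example", MITM_SPKI)  # same name, other key
BANK_PIN = spki_pin(BANK_SPKI)


def evaluate(cert: Cert) -> dict:
    """Both checks side by side for a certificate presented for bank.example."""
    return {"chain_valid": chain_valid(cert, TRUST_STORE),
            "pin_match": pinned_ok(cert, "bank.example", BANK_PIN)}
```

`evaluate(MITM_CERT)` reports a valid chain but a failed pin, which is the detection signal the chain check alone never gives.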

Androgynous Cowherd says:

Transparency school

One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be. So it comes as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available.

Seems like the ITU and the USTR went to the same transparency school.

gorehound says:

Might add that seeing News on ITU/UN issues with Internet you see a Western Media Slant playing down the issues at hand and also reading thru the Comments show that there are mostly stupid and uneducated people claiming that the whole thing is nothing. They try to say people like me are a bunch of Conspiracy Freaks. Not So Idiots !!!
I have been personally building Computers since 1995 and was on the Internet back when you used gopher and telnet sessions so F#ck Off people who only know how to hit the On/Off Button, use email, and go on google and facebook.
People like me know quite a bit about Computers, IT, Internet, and we do understand the whole ITU/UN Thing.
And it is a very bad thing indeed. Get Set for the New World Order !!!

Anonymous says:

Re: Re:

I have been personally building Computers since 1995

Well then. I’m certainly convinced as to your qualifications. Snapping tab A into slot B certainly tells me you’re an interweb expert.

and was on the Internet back when you used gopher and telnet sessions

Expert indeed.

F#ck Off people who only know how to hit the On/Off Button, use email, and go on google and facebook

You’re retarded, kid.

People like me know quite a bit about Computers, IT, Internet

Highly doubtful.

we do understand the whole ITU/UN Thing

Of course. You have a sixth grade writing level and the qualifications you’re listing are something I could teach a housecat in a day, but you’re much more in tune with these things than the rest of us.

Get Set for the New World Order

Oh FFS.

Anonymous says:

If you don’t own the wires, you have to assume the traffic is being collected. It probably is not, but you have no way of determining. Therefore, you must assume it is. Since that has to be the assumption, everyone should be capturing every packet entering or leaving their digital self (networks).

Obviously, once you have read enough of your logs so that you know what is normal, you can filter the basic and generate your daily alert page. But you will always fall for this sort of cruft until you start reading your logs, and learning what your pencil does!

Anonymous says:

On a serious note though the size of secure keys is 256 bit for symmetrical keys and 15360 bits for asymmetrical keys.

https://en.wikipedia.org/wiki/Key_size

So everyone should be using AES-256, to encrypt all their communications, do not trust only in the encryption that your service provider gives you, encrypt your data too and be happy.

You can also encrypt all your text in your profiles, emails and start using a key-manager.

This rant is about something old, is about the wisdom of letting others do the work for you, in time you become a slave to those who did that work. Make no mistake about, if you let the security of your communications be a problem to be solved by others they will abuse that power.

Do not let that happen and this ITU thing will not be of consequence, what is of consequence is that it shows how corrupt the system is and how it would be abused if we gave the ITU more power over the internet.

aldestrawk says:

Re: Re:

This is currently true which is why it is not so worrisome that they are working on such a standard. Standards have to be adopted and implemented and the ITU, or its former moniker CCITT, does not have a good record on getting telecom initiated protocol standards adopted in the real internet world. A case in point, the Internet uses the TCP/IP protocol stack rather than a protocol stack based on the OSI Reference Model. The fact that a proposed DPI standard does not take privacy into account only makes it harder for the ITU to have any success in getting the standard adopted.
What is worrisome is if global politics change enough so that ITU can mandate such standards. This is why what happens at the current WCIT meeting and the response of the world outside of their star chamber is so critical. However, I see the most likely path for adopting DPI standards is for individual countries to mandate this ability via laws such as an expanded CALEA in the US. This has to be done in a way that allows the protocol stack to still be interoperable with countries that respect privacy.

I apologize in advance for all the techy acronyms but my time is limited today so I am being lazy in writing this.

ECA says:

Interesting

Lets ask a few things first..

How would all these people trying to regulate, LIKE their lives to be an open book?
REALLY how would they like their lives invaded..

Now for a better question. Wouldn’t it be nice to FIND all the money that Corps ship out from the USA? Without a Warrant? It would be fun to find this. If nothing else for blackmail and getting your 10% of it, BEFORE you reported it to the gov.

Ben Dover says:

ultimately the internet will just become another marketing tool, once it has become rendered ‘useless’ for interpersonal communications and news sourcing (versus the SHILLS aka MSM)

the only way draconian, totalitarian regimes can be overlords to the sheeple is that they must provide toys for the simpletons to be obsessed with, such as I-pads and I-phones and android ‘spyware’ apps for you to get all glaze eyed over while someone has their finger up your anus from the TSA checking for corn kernels.

people are too stupid to just walk away from it, in time, there will be a whole generation of idiot children who won’t have a clue what PRIVACY is, and to be blunt about it, they won’t give a rat’s dick either.

de-evolved humans will eat their own feces rather than stand up and fight for personal freedom and liberty.

and that, sadly, is a fact.
