Leaked: ITU's secret Internet surveillance standard discussion draft

Yesterday morning, I wrote about the closed-door International Telecommunication Union meeting where they were working on standardizing "deep packet inspection" -- a technology crucial to mass Internet surveillance. Other standards bodies have refused to touch DPI because of the risk to Internet users that arises from making it easier to spy on them. But not the ITU.

The ITU standardization effort has been conducted in secret, without public scrutiny. Now, Asher Wolf writes,

I publicly asked (via Twitter) if anyone could give me access to documents relating to the ITU's DPI recommendations, now endorsed by the U.N. The ITU's senior communications officer, Toby Johnson, emailed me a copy of their unpublished policy recommendations.


5 hours later, they emailed, asking me not to publish it, in part or in whole, and that it was for my eyes only.

Please publish it (credit me for sending it to you.)

Also note:

1. The recommendations *NEVER* discuss the impact of DPI.


"I.9.2 DPI engine use case: Simple fixed string matching for BitTorrent"
"II.3.4 Example “Forwarding copy right protected audio content”"
"II.3.6 Example “Detection of a specific transferred file from a particular user”"
"II.4.2 Example “Security check – Block SIP messages (across entire SIP traffic) with specific content types”"
"II.4.5 Example “Identify particular host by evaluating all RTCP SDES packets”"
"II.4.6 Example “Measure Spanish Jabber traffic”"
"II.4.7 Example “Blocking of dedicated games”"
"II.4.11 Example “Identify uploading BitTorrent users”"
"II.4.13 Example “Blocking Peer-to-Peer VoIP telephony with proprietary end-to-end application control protocols”"
"II.5.1 Example “Detecting a specific Peer-to-Peer VoIP telephony with proprietary end-to-end application control protocols”"

Hit the jump for more of Asher's analysis and the download link:

3. Security threats against DPI entities are listed as:
- Destruction of DPI-related information;
- Corruption or modification of DPI-related information;
- Theft, removal or loss of DPI-related information;
- Disclosure of DPI-related information;
- Interruption of services (specifically mentions DoS.)



(Thanks, Asher!)
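The first use case Asher quotes, I.9.2 "Simple fixed string matching for BitTorrent", names the oldest and simplest DPI technique: look for a known byte string at a known place in the first payload of a flow. What follows is an added illustration, not text or code from the ITU draft or from any vendor's DPI engine, of what such a matcher amounts to, with rules for the BitTorrent use case and for a "Spanish Jabber" style rule like II.4.6. The rule table and the sample payloads are constructed for this example; the one real protocol fact it relies on is that a plaintext BitTorrent peer-wire handshake begins with the byte 0x13 followed by "BitTorrent protocol", and that a peer connection using Message Stream Encryption does not carry that plaintext header.

```python
"""Minimal fixed-string DPI matcher (added example, not the ITU draft's
text or any vendor's engine). Illustrates the technique behind use cases
such as I.9.2 (BitTorrent) and II.4.6 (Spanish Jabber)."""
import hashlib

# Rule table, constructed for this example. Each rule lists byte strings
# that must all occur in a flow's first payload. Offset 0 means "must be
# at the very start of the payload"; None means "anywhere in it".
RULES = {
    # BitTorrent peer-wire handshake: pstrlen byte (19) + "BitTorrent protocol"
    "bittorrent-handshake": [(b"\x13BitTorrent protocol", 0)],
    # Plaintext HTTP tracker announce
    "bittorrent-tracker": [(b"GET /", 0), (b"/announce?info_hash=", None)],
    # XMPP stream header; the second string narrows it to Spanish-language clients
    "jabber-spanish": [(b"<stream:stream", None), (b"xml:lang='es'", None)],
}


def _present(payload: bytes, pattern: bytes, offset) -> bool:
    """True if `pattern` occurs in `payload` at `offset` (or anywhere if None)."""
    if offset is None:
        return pattern in payload
    return payload[offset:offset + len(pattern)] == pattern


def classify(payload: bytes) -> list:
    """Return the sorted names of every rule whose fixed strings all match."""
    return sorted(name for name, patterns in RULES.items()
                  if all(_present(payload, p, o) for p, o in patterns))


# Constructed sample payloads (not captured traffic).
BT_HANDSHAKE = (b"\x13BitTorrent protocol" + bytes(8)          # reserved bits
                + hashlib.sha1(b"example torrent").digest()     # info_hash
                + b"-EX0001-" + bytes(12))                      # 20-byte peer_id
TRACKER_GET = (b"GET /announce?info_hash=%AA%BB&peer_id=xyz HTTP/1.1\r\n"
               b"Host: tracker.example\r\n\r\n")
XMPP_ES = (b"<?xml version='1.0'?><stream:stream to='example.org' xml:lang='es' "
           b"xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>")
XMPP_EN = XMPP_ES.replace(b"xml:lang='es'", b"xml:lang='en'")
# Deterministic random-looking bytes stand in for a BitTorrent connection using
# Message Stream Encryption, which starts with a Diffie-Hellman exchange instead
# of the plaintext handshake. A fixed-string matcher has nothing to match on.
MSE_LIKE = hashlib.sha256(b"seed").digest() * 3


def demo() -> dict:
    """Run every sample payload through the matcher and return the verdicts."""
    results = {
        "handshake": classify(BT_HANDSHAKE),
        "tracker": classify(TRACKER_GET),
        "xmpp_es": classify(XMPP_ES),
        "xmpp_en": classify(XMPP_EN),
        "mse": classify(MSE_LIKE),
    }
    for name, verdict in results.items():
        print(f"{name:10s} -> {verdict}")
    return results


if __name__ == "__main__":
    demo()
```

The point a practitioner should take from it is twofold: a few lines of byte comparison are enough to tag and block a protocol, and the same few lines see nothing once the peers encrypt the connection, which is exactly why blocking use cases in the list tend to drive protocols toward obfuscation rather than make them go away.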


  1. Wow.
    What’s most amazing is the thought that these idiots could ever wield such a power, and that they could conceive of controlling it.

        1. Oh man, pre-coffee brain took the wrong take away from your comment! Though “only sometimes” as a sort of “_____ is the worst form of government except for all those others that have been tried” comment. Weird how, by the way, the discussion has moved from “democracy” to “capitalism,” huh? I guess because we’ve shifted pretty clearly toward plutocracy, but if you say that out loud everyone acts like you are a fringe lunatic.

1. Aw. Now I don’t get to be super snarky on you. :-( It’s no longer plutocracy. The naked money and power grabs are all on the table for everyone to see. It’s corporatocracy or oligarchy at this stage.

  2. As a computer security expert, with a bit of background in computer forensics, secure system development, secure remote communications, and rudimentary experience in espionage and counter-espionage related activities, I really love xml-based formats, for how easy they are to review…

    Which is why I am VERY interested to see the document is trying to pull a resource not just from the openxmlformats and microsoft, which I expect in any docx file, but also from MITRE, in their custom word relations, which I am not used to seeing!

    I HIGHLY recommend throw-away virtual machines when viewing this document, on a physically air-gapped host, or better yet, live-eval with no persistent storage in the system you use!!!!! (this should be standard policy for any document from any untrusted source, or downloaded without authentication over the open Internet!)

    1. I just downloaded it to my linux machine, unzipped it, uploaded it to ZohoViewer, deleted the extracted .docx, then set the .zip’s permissions to 000.

      That seems pretty safe to me.  What do you think?

1. I like, just in case you are not using an encrypted file system, remember to overwrite the blocks with ones, zeros, or random data, unless on an SSD, then use the OEM tool for it, to counteract the wear-leveling.

        1. I actually downloaded it to an encrypted thumbdrive, already did a slow format from ext3 to NTFS and back again.  I know, that’s not secure, but somebody would have to be thinking way outside the box if they wrote something into a document macro that is designed to rootkit a linux formatted thumbdrive.

          Hey at least I can’t get my eyes hacked, section9_bateau ;-]

          1. Well, I try to take good care of Gabriel, he likes his expensive dog food, and that was the only store that carried it.

          2. Heh, I’d forgotten about that.  I haven’t seen Innocence in at least a year.  I was referring to the eyehacking in GITS SAC 1st GiG, episode Eraser, where the laughing man hacks Bateau’s eyes in order to hand him the MHLW’s record book with the list of people who had taken the Murai Vaccine, then escape by walking away in plain “sight”

3. You might not be able to, but I have too many friends with books about chemtrails/HAARP/etc. on their shelves to believe it’s impossible (sigh).

    1. Based on the use cases, it also sounds like a few legacy telcos are really butthurt about VoIP…

  3. Dear ITU,
    1 – DIAF
    2 – you understand we can use this to access all of your communications and expose the hypocrisy of how much you were bought and paid for.

    Dear UN,
    Some assholes are signing your names to proposals that can expose your dirty secrets to the world.  You should do something about this.

  4. It is a waste of ITU time to standardise How To Snoop On Other People’s Traffic. Perhaps it is an interesting guide to the external architecture of DPI systems: a nice blueprint for an attacker to use against any DPI technology that complies with the standard. Not that there is anything new in it. It is all very well to attack a standards body but really the attention should be on governments that mis-use this technology and the companies that are complicit in these activities.

    1. Ain’t that the sad but sterling truth.

      We know this has been going on for quite some time via private sector (and in the gov’t secret service sector), with Narus and their DPI tech prevalent in China, Northern Africa, the Middle Eastern countries, etc. (Narus is a subsidiary of Boeing).  Then you have those variations, like Packet Forensics, etc.

      This more or less simply makes it the official standard, is all.

      Since Cory lives near the heart of the beast (City of London Corporation — and before any illiterates respond with the usual illiterate response of “conspiracy theory, conspiracy theory”  read up on its history, as well as its S.I.L.O. agreement purchase of the royalty back in the 1700s) he should by this time understand what’s transpiring.


  5. O.K. I get it. Bad stuff. Really bad stuff when done in secret. But…

    How about some analysis and context that explains for the uninitiated, exactly what the implications are? As in, specifically, what does standardization make possible that can’t be done today… I get that it promotes interoperability, and reduces the cost of implementation, but the NSA doesn’t give a flying frack about either of those things, not really, and I doubt the bastards manning the Great Firewall of China do either.

I’ve read several layers deep, down to the CDT article, and I’m still baffled as to what the practical implications are. Yes, I get that embedding the capability in the network is bad, and I suppose that standardizing this would facilitate it, but I’m still not seeing how a non-standard, essentially ad hoc solution couldn’t be implemented and gain widespread use. I suppose the liability of a standard is that it is easier to legally mandate it be applied… but it would be nice if that was actually spelled out. All I see right now is a bunch of hand waving.

    1. Yup. ITU is a standards setting/defining body.  It is not inventing new ways to spy – just laying out the standards. 

      What we should be more worried about is not setting the standards, but on who is allowed to use those techniques.

      I mean people (including a dumba$$) like me have known for a couple of years now that BT traffic can be monitored, tracked and fined.

      I have been refusing people for last 4 to 5 years when they ask me to burn/copy (their) downloaded music into new CD/DVD/MP3/Mobiles, on my PC.

As you say, I wish more knowledgeable people would actually put out a “cheat sheet” on what to do with all this stuff floating around. For one, I can’t understand “live-eval with no persistent storage in the system”.


  6. Living in China I deal with pretty intense internet scrutiny all the time. What pisses me off most about this sort of deep packet monitoring is actually not so much my privacy (although that is obviously a concern) but the impact this has on performance. International traffic from here can be a complete nightmare with sporadic slow downs, things accidentally being blocked, redirects and sites with embedded applets not working etc. For example, any site using Google API (including maps) can become almost unusable at times. Does anyone know just how much of this is caused by this sort of snooping?

    1. Toby, leak or not, DPI is a breach of MY privacy as well as yours. And, by the way, of all the people and companies, all around the globe.

Do you seriously believe that ITU should build technical standards on how to do it, properly? Seriously? Do you consider the implications? You are presenting yourself as a “communications professional”. Take a step back from the techie perspective.


      1. Of course, I do like that software which monitors and warns of DPI taking place, then generates false data in response. 

        Uber cool….

    2. From your blog post: “The World Telecommunication Standardisation Assembly (WTSA) held in Dubai last November resolved some concerns regarding maintaining privacy after it was noted that the standard deals with the identification of the application used rather than the inspection of users content. The standard does not allow access to users’ private information and allows measures to ensure the secrecy of correspondence.”

      From the paper: “Forwarding copy right protected audio content by checking on embedded digital watermarks in MP3 data.”

      No inspection of user content? You, sir, are truly a “communications professional” aka professional liar.

3. Is the “data deluge” similar to the “exaflood” that was going to destroy the internet back in 2007? Or Metcalfe’s “gigalapses” back in 1995?

      Has there ever been a time when the looming demands for bandwidth are going to destroy the intertubes Real Soon Now unless bold measures(generally of the sort that ISPs like) are taken?

    4. From that same blog post:
      “…a new ITU standard on Deep Packet Inspection (DPI) which will enable Internet Service Providers (ISPs) to manage network traffic more efficiently”

Waaaiiit: How exactly does reading my Internet traffic make the internet work more efficiently?

      My communications are none of your effing business, and I would think that not reading them will save you a lot of time. You know, I sometimes use a lot more words than I would need to. Really, spare yourself the trouble.

      And save democracy in the process? How about that?
