UN's International Telecommunications Union sets out to standardize bulk surveillance of Internet users by oppressive governments

The International Telecommunications Union, a UN agency dominated by veterans of incumbent telcoms who mistrust the Internet, and representatives of repressive governments who want to control it, have quietly begun the standardization process for a kind of invasive network spying called "deep packet inspection" (DPI). Other standards bodies have shied away from standardizing surveillance technology, but the ITU just dived in with both feet, and proposed a standard that includes not only garden-variety spying, but also spying "in case of a local availability of the used encryption key(s)" -- a situation that includes the kind of spying Iran's government is suspected of engaging in, when an Iranian hacker stole signing keys from the Dutch certificate authority DigiNotar, allowing for silent interception of Facebook and Gmail traffic by Iranian dissidents.

The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic “in case of a local availability of the used encryption key(s).” It’s not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users’ traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications. In discussing IPSec, an end-to-end encryption technology that obscures all traffic content, the document notes that “aspects related to application identification are for further study” – as if some future work may be dedicated to somehow breaking or circumventing IPSec.

Several global standards bodies, including the IETF and W3C, have launched initiatives to incorporate privacy considerations into their work. In fact, the IETF has long had a policy of not considering technical requirements for wiretapping in its work, taking the seemingly opposite approach to the ITU-T DPI document, as Germany pointed out in voicing its opposition to the ITU-T standard earlier this year. The ITU-T standard barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated.

These aspects of the ITU-T Recommendation are troubling in light of calls from Russia and a number of Middle Eastern countries to make ITU-T Recommendations mandatory for Internet technology companies and network operators to build into their products. Mandatory standards are a bad idea even when they are well designed. Forcing the world’s technology companies to adopt standards developed in a body that fails to conduct rigorous privacy analysis could have dire global consequences for online trust and users’ rights.

Adoption of Traffic Sniffing Standard Fans WCIT Flames [CDT]

8

  1. Despite there being much made of privacy concerns it is important to note that the standard (Recommendation ITU-T Y.2770) deals with the identification of application-specific properties rather than the inspection of user-owned application data. As such, Y.2770 does not provide for access to users’ private information and does not preclude use of measures to ensure the secrecy of correspondence.

    Essentially it’s a tool for Internet Service Providers (ISPs) to manage network traffic more efficiently. But let’s not let the facts get in the way of a good story eh.

    1. While it may be correct that the alleged intent is to better equip ISPs with tools for network management, I think the problem is that this document completely, entirely, and irresponsibly ignores the fact that DPI has serious privacy and censorship implications.  From the outset they’re developing, behind closed doors, standards with the potential to severely curtail freedom of expression, without once acknowledging this fact.

      You say that Y.2770 does not provide for access to users’ private information and does not preclude use of measures to ensure the secrecy of correspondence, and that’s true.  But the very nature of DPI provides access to users’ private information.  That’s why so many people are very concerned.

      As a note, I can’t see the actual document text, so I’m going off an earlier draft.

    2. So it’s the DPI-for-price-discrimination purposes kind of DPI, then? 

      Oh, also, is there anywhere us non-ITU-TIES unwashed rabble can take a look at Y.2770?

    3. Essentially it’s a tool for Internet Service Providers (ISPs) to manage network traffic more efficiently. But let’s not let the facts get in the way of a good story eh.

      More efficiently my ass. This is what Bell Canada and Rogers used to throttle traffic they decided was peer to peer. Bell even used it to throttle 3rd-party ISPs for anti-competitive reasons. It also slowed down VPN connections because those are encrypted and everything encrypted must be p2p traffic.

  2. Deep Packet Inspection is expensive.  It requires a lot more computing horsepower to look inside packets and see what the applications are doing, compared to the standard ISP job of looking only at the IP addresses and delivering the packet where it wants to go, and it’s usually done on CPU cores rather than cheap fast ASICs.

    There are times that it’s useful (such as firewalls and intrusion detection systems that provide security at the edge, or web caching systems for small ISPs), but typical government DPI proposals have been to force all ISPs to pay for the equipment so the government can spy on people, and so governments can enforce copyright restrictions on behalf of their corporate donors. 

  3. DPI is only as good as the processors you can throw at it , this will just push newer more powerful crypto like elliptic curve out into the mainstream and increase the cost of internet provision which in turn will create new markets which will enrich , oh , the members of the ITU , what a a surprise.

Comments are closed.