Yesterday morning, I wrote about the closed-door International Telecommunications Union meeting where they were working on standardizing "deep packet inspection" -- a technology crucial to mass Internet surveillance. Other standards bodies have refused to touch DPI because of the risk to Internet users that arises from making it easier to spy on them. But not the ITU.
The ITU standardization effort has been conducted in secret, without public scrutiny. Now, Asher Wolf writes,
I publicly asked (via Twitter) if anyone could give me access to
documents relating to the ITU's DPI recommendations, now endorsed by the
U.N. The ITU's senior communications officer, Toby Johnson, emailed me a
copy of their unpublished policy recommendations.
5 hours later, they emailed, asking me not to publish it, in part or in
whole, and that it was for my eyes only.
Please publish it (credit me for sending it to you.)
1. The recommendations *NEVER* discuss the impact of DPI.
2. A FEW EXAMPLES OF POTENTIAL DPI USE CITED BY THE ITU:
"I.9.2 DPI engine use case: Simple fixed string matching for
"II.3.4 Example “Forwarding copy right protected audio content”"
"II.3.6 Example “Detection of a specific transferred file from
a particular user”"
"II.4.2 Example “Security check – Block SIP messages (across
entire SIP traffic) with specific content types”"
"II.4.5 Example “Identify particular host by evaluating all
RTCP SDES packets”"
"II.4.6 Example “Measure Spanish Jabber traffic”"
"II.4.7 Example “Blocking of dedicated games”"
"II.4.11 Example “Identify uploading BitTorrent users”"
"II.4.13 Example “Blocking Peer-to-Peer VoIP telephony
with proprietary end-to-end application control protocols”"
"II.5.1 Example “Detecting a specific Peer-to-Peer VoIP
telephony with proprietary end-to-end application control
Hit the jump for more of Asher's analysis and the download link:
3. Security threats against DPI entities are listed as:
- Destruction of DPI-related information;
- Corruption or modification of DPI-related information;
- Theft, removal or loss of DPI-related information;
- Disclosure of DPI-related information;
- Interruption of services (specifically mentions DoS.)