'Deep packet inspection' could become the target of legislation
By Scott M. Fulton, III | Published April 24, 2009, 6:14 PM
The two biggest threats to Internet users' privacy, from the point of view of Rep. Rick Boucher (D - Va.), come from behavioral advertising technology and from deep packet inspection (DPI) -- the ability for an ISP to scan the contents of IP packets, and make determinations as to their handling based on those contents. But the specter of another company using both of these technologies together, like liquid hydrogen and liquid oxygen, spelled out a more explosive danger. Chairing hearings of the House Subcommittee on Communications, Technology, and the Internet yesterday, Rep. Boucher made that clear:
"What services that consumers consider essential to the safe and efficient functioning of the Internet are advanced by DPI?" asked Boucher during his opening remarks yesterday. "Since the death of NebuAd's DPI-based behavioral advertising service last year, are other companies using DPI to deliver behavioral advertising? What, if any, safeguards are in place to ensure that consumers are giving meaningful consent to the tracking of their activities on the Internet?"
The nation's broadband providers would like to be able to use DPI as a method for implementing traffic control, especially for narrowing the bandwidth allowed for applications such as BitTorrent. In instances where they're involved in programming and content services, they'd also like to at least not be barred from implementing behavioral advertising, perhaps as a way of checking which clips viewers are watching online and targeting ads to parallel those clips.
But both weapons in the arsenal of the same companies could spell disaster, which is why NCTA President and CEO Kyle McSlarrow trod very carefully during his prepared opening remarks yesterday, acknowledging the existence of both technologies, but only separately and individually.
"Packet inspection serves a number of pro-consumer purposes," read McSlarrow (PDF available here). "First, it can be used to detect and prevent spam and malware, and protect subscribers against invasions of their home computers. It can identify packets that contain viruses or worms that will trigger denial of service attacks; and it can proactively prevent so-called Trojan horse infections from opening a user's PC to hackers and surreptitiously transmitting identity information to the sender of the virus. Packet inspection can also be used to help prevent phishing attacks from malicious e-mails that promote fake bank sites and other sites. And it can be used to prevent hackers from using infected customers' PCs as 'proxies,' a technique used by criminals, in which user PCs are taken over and used as jumping-off points to access the Internet, while the traffic appears to be generated by the subscriber's PC. As a result, the technology can be used in spam filters and firewalls."
Never mind, for the moment, that the whole concept of proxies was relegated to the realm of the malicious user. For Georgetown professor and Electronic Privacy Information Center Executive Director Mark Rotenberg, even if ISPs use DPI responsibly and not in concert with behavioral ad targeting, that doesn't make it right. From his perspective, breaching privacy bounds in the name of traffic control simply isn't ethical.
"In the communications context, service providers and their business partners also have an obligation not to intercept the content of a communication except for the purpose of providing the service, to comply with a court order or other similar legal obligation," read Rotenberg's prepared testimony (PDF available here). "It is possible that the techniques being developed by these firms may help in some ways to safeguard privacy if they are robust, scalable and shown to provably prevent the identification of Internet users. But the essential problem is that they simply do not have the right to access communications traffic for this purpose. Also, I would not recommend that you alter current law or enable consent schemes to make this permissible."
Though no new bill has been drafted, Rep. Boucher said up front it's his intent to draft one this year. He told the Subcommittee Thursday, "It's my intention for the Subcommittee this year to develop legislation extending to Internet users that assurance that their online experience is more secure. We see this measure as a driver of greater levels of Internet uses such as e-commerce, not as a hindrance to them."
...Hatter. While your pragmatic observation is indeed sadly true for this site...the issue has ramifications that indeed extend FAR beyond some/any rinky dink desktop platform - despite that being the extent of the awareness of so many of the f****** mouthbreathers on this site.
And Windows/OSX/Linux is the Least of the significant issues, even if one delights in bashing MS, Windows, or Apple, etc....
But as usual, the awareness of so many here barely extends beyond their low-fi MP3 player, or cell phone to the desktop - let alone beyond that! LOL!
Score: 0
|Did you notice that nearly ALL of the problems listed as the reason to do DPI only affect those poor bas****s running Windows? Us Mac and Linux users have no reason to want this sort of protection.
As for those poor bas****s still running Windows - I feel for you. If you are local to my house I will even come over and install Linux on your machine for free.
Score: 0
|And I would gladly allow you to do so, however I unfortunately have no use for it since both my laptop and desktops both have no wireless drivers that are operational because the chip sets still haven't been worked out. (This is on a 4 year old laptop and a 1 - 1.5 year old desktop). If they can't keep up with the market, I'm sorry but with Vista / Windows in general, I stay.
Score: 0
|This is going to potentially have a profound impact upon VOIP.
Score: 0
|Why is it the government's responsibility to protect me from spam and viruses? I can do a better job myself.
Score: 0
|When a friend of mine, a federal agent, showed me how much of my internet use was so easily tracked, intercepted and read, it floored me. There is nothing that can not be intercepted and read, no matter what you have in the way of encryption or any other kind of protection software. It can all be cracked, period. So, any belief that what you send electronically to anyone anywhere can't or won't be read by someone else is one of the biggest fallacies to ever be perpetuated on the public. There is so little that isn't read by a third party it isn't funny. The more draconian your local law enforcement agency is, like here in Broward county where all it takes is two or three days for the sheriff's department to tap your cell phone calls to make sure you aren't dealing the drugs they don't want on the streets and are dealing the ones they do want, the worse it gets. "Ongoing investigation", is all it takes for a judge to cave in on a search warrant for all things in your life.
Score: 1
|That is why the swooft dealers use pay as you go disposable and untraceable (to the owner) cell phones.
And why anyone who actually knows what they are doing encrypts their emails with a one time use key.
In fact, the government has gone after PGP for quite a while precisely over that issue.
Most locks simply keep the honest folks out (something anyone who has seen how Incredibly easy it is to 'pick/bump/etc' a lock will quickly discover).
But there are some very effective tools available to circumvent even the most powerful tools - some of which are very useful and good, as well as very nefarious. And this issue will affect them as well - including the use of good tools for good uses. The problem being that the honest people follow the rules, where the 'bad guys' do not. Thus such regulations will hardly hamper those whose goals are to circumvent legitimate usage.
Unfortunately, the really skilled bad guys know this already and are the ones using what others in government and business SHOULD be using but who are either too lazy or stupid and don't.
Score: 0
|I never read advertisements in email, from my ISP, or on Tivo, so I'm all for forever banning behavior advertising or any unwarranted advertising. I'm not familiar with DPI as a protection against spam and malware, that's why I have my own software for that. Based on readers' comments, if I'm reporting spam then I expect some help from the ISP to find out who's sending it and shut down the company, PCs, and owners.
Score: 0
|I never read spam or any attachments from senders that I don't know...education to the masses should be given first priority on this. As for DPI, I don't know anything technical about it but from what some posters have said, how data is encrypted, it makes enough sense to me that DPI won't be as effective as advertised.
Score: 0
|A new way for government to seize more control over us in the name of "protecting the public" and then abuse it; not that it's ever happened before (and if you believe it hasn't you're either in denial or live in a cave somewhere). They call it one thing & say it's for our own good, but it's not long & it's turned against us.
I can't see any reason for the **AA's to want this pushed through, can you? (Yeah right) /sarcasm
Our Constitutional Rights are being systematically stripped away, and have been for decades.
They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin
What most people don't realize is that Liberty & Freedom are the same thing.
Merriam-Webster
Entry Word: liberty
Function: noun
Text: the state of being free from the control or power of another.
Score: 1
|Deep Packet Inspection (DPI) as tool against spam, trojans and phishing is bulls***.
DPI for spam is like the post office starting to open every single piece of mail to see what is inside, I don't think I need to point out the amount of abuse possible in such a situation. To combat spam ISPs should block port 25 unless it is specifically routed through their e-mail servers.
Trojans developed these days send and receive encrypted data. This nails DPI since it can't make head nor tails from the contents. And it is not possible to say "ahah, encrypted data so it's a trojan" since the encrypted trojan communication cannot be distinguished from legal encrypted data (think e-commerce and online banking for good examples).
Against phishing DPI only works if the ISP can tie the data received by the victim to a specific range of IP addresses. Now it gets complicated; How much can the data received be different before the site is considered in the clear, seeing that DPI cannot determine if the information sent by the victim (especially if the return data is salted) might be credit card or other personal information.
Score: 0
|Freeware privoxy.org fixed all my beef with IN YOUR FACE junky web pages right 'out of the box'. For everything else there's encryption.
Oh, why don't our ISPs google 'average world internet speed' instead, and start from there?
Score: 0
|Really doesn't matter if they try to make advertising that fits my browsing habits. Even if I inadvertently look at an online ad, I will never buy anything. In my many years of internet use, I have never bought anything based on an ad. Doubt I will change that habit.
Score: 0
|It doesn't matter if it is for you or not. You have to make a stand as to what level of freedom you want, and not remain ignorant when you think it does not hurt your freedoms. You give a finger and they take the hand. Next step they decide what you may see or not. If you don't make a stand now, you have lost in the future.
Score: 0
|Hey, calm down.. We still have Tor and Freenet...
Score: 0
|Oh no. Politicians wading into this (and one who thinks THOSE glasses are a fashion statement at that!!!!!)
What is really scary is that some seem to think that deep packet analysis is simply a means to screw with personal data - and thus needs regulation to curb it.
But unfortunately, what has actually driven such research and development has been the need for more secure evaluation of often impervious data transmission across secure boundaries.
Thus, while it can be abused, it is also of critical value to security!
Why am I skeptical that politicians, many of whom are only becoming aware of this for the first time - and of whom many still think of the Internet as a plumbing system full of "pipes" - are not the ones to try to determine the optimal regulation of such technology?
Score: -11
|Wow, I'm not sure where to begin, or if it's even worth the time. Oh, what the hell..
"Oh no. Politicians wading into this (and one who thinks THOSE glasses are a fashion statement at that!!!!!)"
Ha ha. I guess you're a model for Ford, right? A Ford station wagon, maybe.
"But unfortunately, what has actually driven such research and development has been the need for more secure evaluation of often impervious data transmission across secure boundaries."
Did you have to reach all the way to your small intestine for that one? OF COURSE the military and federal law enforcement is into cracking encryption - always have been, always will be. Your ISP, however, has no business whatsoever with this. I'm really starting to think you must work for Comcast.
"Why am I skeptical that politicians, many of whom are only becoming aware of this for the first time - and of whom many still think of the Internet as a plumbing system full of 'pipes' - are not the ones to try to determine the optimal regulation of such technology?"
Last I checked, the internet was a system of "pipes" and "valves" at its most fundamental level. But that's secondary to the real failure in your argument. So, you say we just let the private sector do whatever it likes with our personal data because the politicians can't configure a WAN. Forget the fact that they have numerous IT academics and industry professionals offering analysis. Laughable, dude..and a little disturbing. Forget Comcast, I think you may work for Obama.
Score: 0