Group Seeks Investigation of Deep Packet Inspection Use By ISPs (securityweek.com) 60
wiredmikey writes: European Digital Rights (EDRi), together with 45 NGOs, academics and companies across 15 countries, has sent an open letter to European policymakers and regulators, warning about widespread and potentially growing use of deep packet inspection (DPI) by internet service providers (ISPs). DPI is far more than is required by the ISP to perform its basic purpose, and by its nature privacy invasive, and not strictly legal within the EU. Nevertheless, many are concerned that its practice and use within Europe is growing, and that "some telecom regulators appear to be pushing for the legalization of DPI technology."
One of the drivers appears to be the growing use of 'zero-rating' by mobile operators. "A mapping of zero-rating offers in Europe conducted by EDRi member Epicenter.works identified 186 telecom services which potentially make use of DPI technology," writes EDRi. [PDF here]
One of the drivers appears to be the growing use of 'zero-rating' by mobile operators. "A mapping of zero-rating offers in Europe conducted by EDRi member Epicenter.works identified 186 telecom services which potentially make use of DPI technology," writes EDRi. [PDF here]
Re: (Score:2)
What year is this? 1998?
dpi looking at images (Score:1)
a good use of dpi is scanning for illegal images of kids. using googles ai toolkit for child abuse images and looking at web traffic is a goood use of dpi and i hope it is done one day
Re:dpi looking at images (Score:5, Informative)
Re: (Score:2)
Assuming that the information passed isn't encrypted that would work.
But today anyone doing something illegal or immoral would use encrypted channels anyway unless they are complete morons.
Doing deep packet inspection may however reveal certain data packing structures so that for example TOR traffic or other VPNs can be identified and possibly diverted or blocked.
You are not law enforcement. (Score:1)
You are common carriers!
It is not your right to perform vigilante law enforcement. That's what cops are for. They can walk the online beat just as well. And even they do not get to judge. The actual judgle does that.
You can go to prison for doing that offline.
Besides: Since we are not ruled by Catholibans (closeted child rapists projecting their perversions onto society) over here, it is perfectly fine to own pictures of your children on the bathtub or on the beach, being completely naked like nature intend
Re: (Score:2)
It is already done, hence why they know when you are torrenting or doing something against the state or other corporate interest. There is no money in politics to be made of child abuse enforcement, you generate some goodwill but there is no division so you won't gain votes and the victims don't have the means to lobby (bribe), hence nothing will ever be done about it.
Re: (Score:2)
You are funny, the government requires this to be done and they are the ones who get to define what "legal" is. Power and money grubbing scum in the pockets of large corporations define and enforce your laws. Don't you ever forget it.
Re: (Score:2)
"some telecom regulators appear to be pushing for the legalization of DPI technology."
Governments love making exceptions to the laws the rest of us must follow.
10 Years (Score:1)
Internet Security Professionals have been screaming about this for at least 10 years...
I know for sure Comcast uses DPI in multiple technologies including their modem's for LI, aka Lawful Intercept.
Honest question (Score:2)
Re: (Score:2)
Re: (Score:2)
They could be able to do a man in the middle attack, but they could use it just to track down your VPN and then maybe induce patterns that could be detected at the VPN exit node - like fiddling with the latency of the packets. That could be enough to connect you to a certain pattern.
Not many would really be able to see if there are appearantly random delays of the packets and rather file that under congested VPN server or internet link somewhere.
Re:Honest question (Score:5, Informative)
Honest question, doesn't use of a VPN service make all this moot? They can't deeply inspect encrypted packets can they?
no, however the ISP will typically have access to the data coming *from* the VPN, to the server on their network, and that's not going to be encrypted by the VPN service, is it?
i worked for a company that developed DPI, and it was basically necessary as part of a rush-botched EU "Data Retention" Law that required ISPs to keep accurate metadata records of all traffic going through their network for up to ONE YEAR.
can you even imagine how insane that is, and how much information needed to be collected? a big ISP would be looking at the order of what... several hundred thousand packets per second, where at least 20-30 separate and distinct "scripts" (what's the DNS name being requested, what's the src IP of this HTTPS request, is it a new connection or an old one?) need to be run on *each packet*.
the processing and storage requirements are just off the charts.
but let's be clear about this: the reason why the ISPs are collecting metadata is BECAUSE EU LAW REQUIRED THEM TO.
the thing is: there's not actually a lot that can actually be detected (usefully) about any given "individual". src IP, dest IP, src port, and given that a lot of traffic is encrypted it's not actually that useful to go into the actual data stream - that's even if it can be reconstructed (stateful connections we found particularly hard to reconstruct, given that this is *real-time* processing we're talking about).
what DPI *is* useful for is not the metadata collection about *people*, it's extremely useful to detect DDOS attacks, low-probability hacking attempts (repeated persistent below-the-radar logins over several months). that kind of information, particularly when coordinated globally from different points, is actually useful to keeping the infrastructure of the internet actually running and free from major DDOS and other attacks. that was the business that my client was in, and it was why (as an ethical software engineer) i was happy to help them.
DPI is looking inside the envelope to deliver mail (Score:3, Insightful)
It should simply be illegal. The only information you need is in the IP header (not even the TCP or UDP header).
Re: (Score:1)
Re: (Score:1)
Much of the problem with tracking isn't the sharing of cookies but the aggregation of data. If you consider CCTV, traditionally most stores have their own system. They can see you come in, go around the store,
Re: (Score:2)
Along these lines, IP6 should have been defined such that all connection were encrypted. IP4 should have been amended.
I could tolerate deep packet inspection better (in the US) if the ISPs doing it lost their Safe Harbor protections under the DMCA.
Encrypted connections? (Score:2)
So some ISP manages to crack encrypted connections and examine network traffic. Because of 'Muh kids' and CP. But they inadvertently get a peek at some classified communications.
Question: Who at the ISP in question gets thrown in the cell next to Chelsea Manning?
Qwest CEO (Score:4, Interesting)
Here's what happens when you don't play ball with Uncle Sam. https://www.eff.org/deeplinks/... [eff.org]
Re: (Score:1)
This kinda stuff is perfect for voir dire. Prosecutors hate it when you tell them you might not follow the law, and then cite past examples of law enforcement not following the law. SS illegally hard wired a phone tap to my line back in the 90's during Operation Sun Devil, and now I get to tell that story in court. It's perfect. Peremptory challenge, please, and thank you!
Re: (Score:2)
Home ISP's block ports 1-1024 to prevent hosting servers on a 'home' connection. They also (sometimes) block/firewall other protocols as a service so they don't get in trouble themselves (eg. a bare port 25 outgoing to non-commercial network ranges may be blocked)
Re: (Score:1)
They shouldn't look at ports. QoS is an excuse for not eliminating congestion. Without congestion, QoS is unnecessary. If you can keep "voip and interactive things" working despite congestion, then this makes it easier to not deliver the bandwidth you sold.
Deep packet inspection v. packet manipulation (Score:2)
Deep packet inspection is part and parcel to packet manipulation even packet editing.
Destination IP and MAC addresses can be edited.
URIs can be edited (yes check sums scrubbed clean).
Source and services can be routed through a SIP (serial line IP) 2400 baud network link if they like.
While hard to do them all ... traffic classification and shaping to good and bad ends are quite
possible.
The only reason to inspect packets is to make decisions and shape traffic.
Traffic shaping by ISPs that are also content pro
VPNs should become standard (Score:2)