{"id":210,"date":"2009-03-24T13:30:37","date_gmt":"2009-03-24T18:30:37","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=210"},"modified":"2009-04-01T10:53:14","modified_gmt":"2009-04-01T15:53:14","slug":"deep-packet-inspection-and-the-loss-of-privacy-and-security-on-the-internet","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/24\/deep-packet-inspection-and-the-loss-of-privacy-and-security-on-the-internet\/","title":{"rendered":"Deep Packet Inspection and the Loss of Privacy and Security on the Internet"},"content":{"rendered":"<p>For my first session of the day on Tuesday of the TRISC 2009 conference I attended a presentation by Andrew MacFarlane from Data Foundry, Inc. on &#8220;Deep Packet Inspection and the Loss of Privacy and Security on the Internet&#8221;.\u00a0 While the concept of DPI is nothing new to me and I remember first hearing about it around the FBI&#8217;s Carnivore project, this particular use case was something that I hadn&#8217;t heard about.\u00a0 Apparently pretty much every Tier 1 ISP has hopped onboard the DPI bandwagon and is now using the technology for everything from traffic prioritization to targeted advertising.\u00a0 To make matters worse, you automatically agree to this type of monitoring by accepting your ISP&#8217;s terms of service.\u00a0 Data Foundry has been one of the few ISPs who have spoken out against this practice, but unless more people (especially end-users) lobby their congressmen to remove this waiver of privacy rights as part of our terms of service acceptance, the future of privacy and security on the internet is awfully bleak.\u00a0 My notes from the session are below:<\/p>\n<p><!--more--><\/p>\n<ul>\n<li>ISPs\u2019 \u201cadvanced network management\u201d practices are changing the way that bits are transmitted across the internet<\/li>\n<li>Content of online communications is now inspected as it travels between endpoints<\/li>\n<li>ISP customer contracts 
require users to consent to the monitoring of their online activities<\/li>\n<li>ISPs claim increasing Internet traffic is leading to network congestion that requires new non-standard network mgmt practices<\/li>\n<li>Many ISPs are introducing network systems that identify traffic by type or application to delay \u201clow-priority\u201d bits<\/li>\n<li>One HD video download is roughly equivalent to visiting 35,000 web pages<\/li>\n<li>A few users account for most of the downstream traffic.\u00a0 Upstream disparity is even greater.<\/li>\n<li>Mandatory and non-negotiable ISP customer contracts authorize the wholesale inspection of user communications.<\/li>\n<li>As a condition of service, customers (individuals and businesses) must consent to this inspection<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Deep Packet Inspection<\/strong><\/span><\/p>\n<ul>\n<li>Network-level appliance that captures Internet traffic on ingress and egress.<\/li>\n<li>Examination of the packet\u2019s header information and payload (content).<\/li>\n<li>Analysis of (up to) all 7 layers of the OSI model<\/li>\n<li>Network-based parental controls, spam filtering, detection and protection against adware, spyware, malware, or viruses<\/li>\n<li>Network-based bandwidth prioritization<\/li>\n<li>Filtering of IP, child porn, and provider or government-determined \u201cunacceptable\u201d or \u201cillegal\u201d speech<\/li>\n<li>Targeted advertising through monitoring and data-mining<\/li>\n<li>Enforcement of \u201cNet Neutrality\u201d based \u201cnondiscrimination\u201d imperative<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Network-Level Targeted Advertising<\/strong><\/span><\/p>\n<ul>\n<li>In 2006 and 2007 Phorm and British Telecom began secretly monitoring 54,000 Internet users and testing DPI-facilitated targeted advertising<\/li>\n<li>By the end of 2009, all British Telecom Internet users will be monitored and presented with targeted 
ads<\/li>\n<li>In 2008, NebuAd partnered with 30 American ISPs to track users on the Internet and perform targeted advertising<\/li>\n<li>Network-level targeted advertising uses DPI to monitor everything that users transmit or receive over their Internet access connections\n<ul>\n<li>Web browsing<\/li>\n<li>E-mail<\/li>\n<li>IM<\/li>\n<li>Downloads<\/li>\n<li>Applications and Devices<\/li>\n<\/ul>\n<\/li>\n<li>Advertising systems generate a profile which is then sold<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>No Way to Opt-Out of DPI<\/strong><\/span><\/p>\n<ul>\n<li>ISPs claim that users can opt-out of targeted advertising by installing a cookie that will turn off the ads, but not the tracking\n<ul>\n<li>Purging cookies will re-opt-in users<\/li>\n<li>Disabling cookies will default to opt-in<\/li>\n<\/ul>\n<\/li>\n<li>ISPs provide no way for users to opt-out of the underlying DPI<\/li>\n<li>New DPI systems can block, segregate, or defeat user encryption<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>DPI: Privacy Implications<\/strong><\/span><\/p>\n<ul>\n<li>Consent to monitoring is a waiver of privacy rights\n<ul>\n<li>Including automated, non-human inspection<\/li>\n<\/ul>\n<\/li>\n<li>All privileges are waived on an inspection network<\/li>\n<li>Private communications will be available to others through a 3rd party subpoena to the ISP with a showing of mere relevance, and without user notice<\/li>\n<li>ISP TOS require businesses to consent to the monitoring of their online communications<\/li>\n<li>Information gleaned from inspection can be used for any and all purposes by the ISP<\/li>\n<li>Trade secrets, proprietary information, confidential communications, transaction records, customer lists, etc are all exposed<\/li>\n<li>Businesses risk violating customer privacy laws\n<ul>\n<li>Allowing third party access to medical, tax, financial, and credit records is often 
prohibited<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Solutions to Protect Privacy on the Internet<\/strong><\/span><\/p>\n<ul>\n<li>DPI has legitimate uses and need not be banned<\/li>\n<li>However, wiretapping without a warrant should require express, voluntary (opt-in) and informed user consent<\/li>\n<li>Full and complete disclosure of inspection practices and legal consequences to users<\/li>\n<li>Educated and voluntary consent is OK<\/li>\n<li>Requiring consent as a condition of receiving service is not voluntary<\/li>\n<li>Intrusive regulation by industry-captured regulators is the wrong way<\/li>\n<li>Need an administrative or legislative declaration of a public policy against internet access contracts that fail to disclose practices and privacy implications and\/or require waiver of privacy rights as a condition of service<\/li>\n<li>Privacy is preserved without regulation<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>For my first session of the day on Tuesday of the TRISC 2009 conference I attended a presentation by Andrew MacFarlane from Data Foundry, Inc. 
on &#8220;Deep Packet Inspection and the Loss of Privacy and Security on the Internet&#8221;.\u00a0 While the concept of DPI is nothing new to me and I remember first hearing about [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[222],"tags":[231,234,233,24,235,232,23,622],"class_list":["post-210","post","type-post","status-publish","format-standard","hentry","category-texas-regional-infrastructure-security-conference-2009","tag-deep","tag-dpi","tag-inspection","tag-internet","tag-loss","tag-packet","tag-privacy","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-3o","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=210"}],"version-history":[{"count":1,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/p
osts\/210\/revisions"}],"predecessor-version":[{"id":211,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/210\/revisions\/211"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}