Slashdot Mirror


ISPs Using "Deep Packet Inspection" On 100,000 Users

dstates writes "The Washington Post is reporting that some Internet Service Providers (ISPs) have been using deep-packet inspection to spy on the communications of more than 100,000 US customers. Deep packet inspection allows the ISP to read the content of communications, including every Web page visited, every e-mail sent and every search entered; in short, every click and keystroke that comes down the line. The companies involved assert that customers' privacy is protected because no personally identifying details are released, but they make money from advertisers who use the information to target their online pitches. Deep packet inspection is a significant expansion over tools like cookies in the ability to track a user. Critics liken it to a phone company listening in on conversations."

9 of 309 comments

  1. Re:Good luck with that by mpaulsen · Score: 5, Informative

    Never mind that it's evil, or that it's a great step to losing their common-carrier status.

    They don't have a common-carrier status to lose.

  2. Enough! by iamacat · Score: 3, Informative

    Time has shown that nobody will protect your privacy besides yourself. It's time for ALL Internet traffic and ALL phone traffic to be encrypted, with an option to get SSL keys for each machine or phone from trusted authorities in different countries. This way a particular person asserting privacy is not labeled a terrorist, Comcast cannot selectively block BitTorrent, the Chinese firewall is out of business and phone companies do not need immunity for spying on subscribers. IPv6 will have to be adopted anyway in the next 10 years and it includes encryption, so the time is right to make both switches at once with little extra IT overhead.

  3. People already do by mark_hill97 · Score: 5, Informative

    It's called Tor.

  4. Re:Encrypt everything. by interiot · Score: 4, Informative

    Wrong RFC. That would be RFC 4366.

  5. Re:Encrypt everything. by mollymoo · Score: 3, Informative

    Encryption doesn't stop people knowing who you're talking to, just what you're saying to them. And Slashdot does offer SSL to subscribers.

    --
    Chernobyl 'not a wildlife haven' - BBC News
  6. Re:Encrypt everything. by darkpixel2k · Score: 4, Informative

    It's beyond me why this hasn't happened already.

    As far as I know, IIS and Apache don't quite support TLS yet (although it's in progress), which means every SSL-enabled website would have to be on its own unique IP/port, making the IP 'crunch' even more of an issue.

    --
    There's no place like ::1 (I've completed my transition to IPv6)
  7. Re:Up to 2 years imprisonment by Stevecrox · Score: 4, Informative

    Phorm argues it doesn't break the law because they offer an "opt out" clause and so aren't affected by the RIPA act. BT's trial last year of Phorm against 10,000 users is being investigated as potentially illegal, as users weren't given the chance to opt out. It should be an easily won case, since BT, by supplying 121Media and not asking if they can share this information, have broken the Data Protection Act. BT maintains plans to implement Phorm with the ability to opt out (through a cookie on your PC).

    I've already sent a letter to my service provider (Virgin Media) informing them I want no part of Phorm and that if they implement it (which they are considering) I will be prosecuting them under the Data Protection Act. I suggest all BT, TalkTalk and Virgin Media users do the same.

    The Data Protection Act in the UK is the best defense against this sort of thing; it defines how companies may handle personal data, the rights a person has to that data and what responsibilities the organisations have with it. The biggest problem with it tends to be phone operators who've never read it trying to tell you the section you read to them is wrong.

    I believe someone is trying to prosecute Facebook because they were unable to remove their information from Facebook (when you leave a service you have a right to have all information on a company's database deleted). If I were to go into a police station and demand all the CCTV footage they have on me, they would have to supply it (my right to see). Finally, if I don't agree that companies can share my information with 3rd parties, then they aren't allowed to share it, full stop; if they do, you can prosecute.

    121Media argue Phorm doesn't violate the Data Protection Act because you are visiting public websites (it being akin to walking along a public highway, and so no right to privacy). Hopefully the Information Commission won't see it that way and will enforce the view that sending unencrypted HTTP packets through port 80 is the same as making a phone call and so falls under the same protections.

  8. Not necessarily by davidwr · Score: 3, Informative

    You could have 10,000 domains that share a common cert provided by the hosting provider. It does squat for authentication but it does prevent snooping.

    With ISPs starting to snoop, suddenly this has real value.

    Combine this with 3rd-party SSL-enabled DNS, and you've got some reasonable countermeasures.

    Your ISP will know you talked to dns.ssldnsprovider.com over an encrypted channel and then immediately carried on a series of conversations with 1.2.3.4 over port 443, but he won't know which of the thousands of web sites hosted by 1.2.3.4 you talked to.

    dns.ssldnsprovider.com will know you looked up the address for www.freetibetnowdammit.com but not much else.

    You will be presented with a certificate for www.somebigwebhostingprovider.com that mismatches www.freetibetnowdammit.com, but freetibetnowdammit.com will explain why and say not to worry about it, as will all the other hosts residing on 1.2.3.4.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
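An added example, not from the original thread, tying the RFC 4366 reference in comment 4 to the shared-IP, shared-certificate scheme in comment 8. RFC 4366 (since superseded by RFC 6066) defines the server_name (SNI) extension, which a client sends in cleartext inside its TLS ClientHello. The Python below constructs a minimal ClientHello for a given hostname and then shows what a packet inspector at the ISP can recover from it, next to what it recovers from an unencrypted port-80 request. The handshake bytes, the hostname and the HTTP request are constructed sample input; the function names are this example's own.

```python
import struct

# Framing constants from TLS 1.2 (RFC 5246) and the server_name
# extension (RFC 4366 / RFC 6066).
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def build_client_hello(hostname=None):
    """Build a minimal, well-formed TLS 1.2 ClientHello record.

    Constructed input for the parser below. A real client sends more
    cipher suites and extensions, but the framing is identical. With
    hostname=None the extensions block is empty, i.e. no SNI.
    """
    body = b"\x03\x03"                          # client_version: TLS 1.2
    body += b"\x00" * 32                        # random (zeros; constructed)
    body += b"\x00"                             # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
    body += b"\x01\x00"                         # compression: null only
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name an on-path inspector reads from a ClientHello,
    or None if the record is not a ClientHello or carries no SNI.

    Every length field is bounds-checked; truncated or hostile input
    yields None rather than an exception.
    """
    try:
        if len(data) < 5 or data[0] != CONTENT_TYPE_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                          # truncated handshake
        pos = 2 + 32                             # skip version + random
        pos += 1 + body[pos]                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                     # compression_methods
        if pos + 2 > len(body):
            return None                          # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", ext_data[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", ext_data[p:p + 3])
                p += 3
                name = ext_data[p:p + name_len]
                p += name_len
                if name_type == SNI_HOST_NAME and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def extract_http_target(data):
    """Return (host, path) an inspector reads from a plaintext HTTP/1.x
    request on port 80, or None if the bytes are not such a request."""
    try:
        head = data.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return host, parts[1]


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.freetibetnowdammit.com")))
    print(extract_sni(build_client_hello(None)))
    print(extract_http_target(b"GET /page HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```

When the client sends SNI, the inspector recovers the hostname from the first handshake packet, before any certificate is exchanged, so sharing one IP and one certificate among many sites hides the destination only from clients that omit SNI; for those, the parser returns None and the inspector is left with the IP address and port 443, which is the situation the comment describes. The HTTP function shows the contrast on port 80, where the host and the full request path are both readable. A practitioner evaluating this kind of countermeasure should check what the client actually sends, not only what the server is configured to accept.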
  9. Re:So what's the status on IPSec? by MadAhab · Score: 3, Informative

    I think that GWB has been more destructive to America than we can really contemplate right now, but I have to give the credit to "the other side" on this one.

    There was a time when encryption-by-default could have become the norm for Internet communications. It was largely passed by because the Clinton administration treated encryption technology as if it were chemical weapons. Even though the math to do it was a genie out of the bottle, they forbade American companies from trafficking in encryption technology if it involved overseas clients. So either it wasn't pursued, or the companies went overseas (e.g. F-Secure) but the end result is that encryption did not become a fundamental part of Internet communications.

    Even weirder, one of the few to take a stand against this was John Ashcroft. Though, to his credit, he stood up to illegal wiretapping in the Dubya years as well. I don't agree with him on very much at all, but I have to give him credit for being a rare principled individual on this score.

    So, to sum up, had the Clinton admin not squashed crypto so badly, we might not have to worry about mass spying on the public. They'd still be able to get around the encryption when it really mattered; they do black bag jobs and put keyloggers in mafioso computers when they need to do that, and I think that's a good balance of civil liberties and legitimate law enforcement, assuming warrants are involved.

    Sadly, America has apparently decided that the First Amendment is tolerable, the Second is awesome, and fuck the rest of them. What an insult to our nation.

    My favorite amendment? The Ninth: any rights not explicitly delineated in the Bill of Rights probably exist. Of course, the current Supreme Court (and conservatives in general) shit on that amendment, for some weird reason.

    --
    Expanding a vast wasteland since 1996.