Slashdot Mirror


ISPs Using "Deep Packet Inspection" On 100,000 Users

dstates writes "The Washington Post is reporting that some Internet Service Providers (ISP) have been using deep-packet inspection to spy on the communications of more than 100,000 US customers. Deep packet inspection allows the ISP to read the content of communications including every Web page visited, every e-mail sent and every search entered, in short every click and keystroke that comes down the line. The companies involved assert that customers' privacy is protected because no personally identifying details are released, but they make money from advertisers who use the information to target their online pitches. Deep packet inspection is a significant expansion over tools like cookies in the ability to track a user. Critics liken it to a phone company listening in on conversations."

32 of 309 comments

  1. So? Use https, ... by Anonymous Coward · · Score: 2, Insightful

    ..., ssh, pgp all the time!

    1. Re:So? Use https, ... by mabhatter654 · · Score: 3, Insightful

      Like the post said, so are voice phone calls, but we expect phone companies not to bug our phones. Hell, you could go to those little green boxes with a generic uniform on and listen all day and nobody would bother you. Of course there'd be hell to pay if you were caught. Why is "internet" communications any different than normal ones, why should telcos be "listening in" to our conversations?

    2. Re:So? Use https, ... by ta bu shi da yu · · Score: 2, Insightful

      Yes, but of course the service you are using needs to be actually running SSL.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  2. So what's the status on IPSec? by Anonymous Coward · · Score: 5, Insightful

    DNSSec and opportunistic IPSec should put an end to the snooping and throttling once and for all.

    1. Re:So what's the status on IPSec? by NeverVotedBush · · Score: 4, Insightful

      In response to another article, I said that we should start encrypting all of our traffic and asked for programmers to start adding that functionality and making it the default so that even unsophisticated users' traffic would be encrypted.

      But with the revelation the other day that the Bush administration believes the Fourth Amendment (right to privacy and protection from searches without cause), this becomes just another good reason to get cracking with all traffic encrypted.

      http://yro.slashdot.org/article.pl?sid=08/04/03/1219200

    2. Re:So what's the status on IPSec? by NeverVotedBush · · Score: 2, Insightful

      Yikes - What I meant to say was that the Bush administration believes the Fourth Amendment does not apply to them and that they have the right/power to monitor and wiretap at will.

      Also, another point about this is people have always said that users should understand that their activities on the Internet could be monitored by third parties. This, however, is different (at least to me) in that it is systematic snooping on the part of ISPs.

      The situation has somewhat changed in another way, too. It used to be that there was no practical way to store or monitor all of the traffic. The technology just wasn't there. Now it is. The FBI has "Carnivore" and who knows what else. Storage is cheap and computers are now very fast. Everything people do can be stored, sifted, inspected, categorized, and given a score as to how likely the person is to be a terrorist, commit a crime, etc.

      It is starting to get where people are putting themselves on the line just by posting to forums like these. Obviously that is a paranoid view, but it is also one that is now possible - if not probable - and all it takes is for the right (or wrong) person or organization to decide some site, person, or group should be monitored and it becomes reality.

  3. Encrypt everything. by ookabooka · · Score: 5, Insightful

    That's it, I say webservers move to SSL only transactions. All other plaintext transmissions should get encrypted at the endpoints transparently. Then when the government whines about not being able to find the terrorists they can blame datamining companies that paid for their election campaign. Then they can make a law that forces a back-door, which would create a need for some nifty-ass steganography which would lead to massively excessive processor and network overhead (encryption and steganography respectively) for the most basic of transactions which would lead to NSA funded algorithms to find these hidden messages which would. . .holy shit it's almost 10AM, I need to hit the sack.

    --
    If you are about to mod me down, keep in mind that this post was most likely sarcastic.
    1. Re:Encrypt everything. by pla · · Score: 4, Insightful

      That's it, I say webservers move to SSL only transactions.

      I agree completely, but keep in mind that even with encryption, ISPs can still collect quite enough information on us to put together a truly impressive profile. Sure, they won't know exactly what you read, but if you visit Erowid, I'd call it a good bet you don't want recommendations on a cheese to go with dinner.

      For targeted advertising purposes, the simple "where" counts for 90% of the "what".

    2. Re:Encrypt everything. by seneces · · Score: 2, Insightful

      SSL's general uptake is held back by two unfortunately major points. Firstly, it costs money to buy an SSL certificate, and you have to deal with all sorts of shit (or spend more money) if you use subdomains, alternate domains, etc. Something like CACert could fix this issue if it were widely accepted, but of course that would make the entire system less trustworthy.

      Secondly, there is no normally implemented way to do name-based virtual hosting with SSL, and most people don't want to or can't give each domain its own IP. There is a TLS extension to solve this, but afaik browser and httpd support is minimal or nonexistent currently.

      These are issues the community really needs to be concentrating on, because all too often these days it does not make sense to communicate and let the rest of the world watch.

  4. Filesharing Responsibility? by Thruen · · Score: 3, Insightful

    If ISPs are monitoring traffic so closely, doesn't that make them more responsible for what people are using their service for? Namely piracy.

  5. time for some hactivism by jollyreaper · · Score: 5, Insightful

    Let's start turning over rocks in the private lives of telecom CEOs and see what scurries out. I'm sure they won't mind, it's in the interests of an open society and free debate, don'cha know.

    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
  6. Good luck with that by TheMohel · · Score: 5, Insightful

    Never mind that it's evil, or that it's a great step to losing their common-carrier status.

    Never mind that it's a true violation of privacy.

    Never mind that I block cookies pretty well and I run with NoScript most of the time and I don't see very many ads, and besides, half of the time I'm inside my employer's VPN.

    But even more than that, I have seven other users in my household, half of them teenagers. If they want to sniff all of my NAT-ed packets coming out, they're going to discover that I'm a geek who has four Facebook sites, likes art and hates it, plays Runescape incessantly (the 10-year-old), likes the Wiggles, and works as a beauty consultant. So go ahead and hand me the ad for the latest XBox game (I hate games). Offer my kids server hardware, and see if you can get my wife to click on fun games to play with the Backyardigans. Oh, wait, you already do. It's called "not targeting advertising", and it's free.

    So what we have is a thoroughly broken high-cost borderline-illegal absolutely-unethical service offered to advertisers in a difficult economic period. By people who we all hate a lot, and who will rapidly become targets for everything from blocking to legislative action to you name it.

    I knew there would be some kind of career move for spam kings in the future. I just thought it would pay better.

    I predict a less than stellar outcome for these idiots, and they deserve every painful moment.

    1. Re:Good luck with that by jmorris42 · · Score: 5, Insightful

      > If they want to sniff all of my NAT-ed packets coming out, they're
      > going to discover that I'm a geek who has four Facebook sites, likes
      > art and hates it, plays....

      Silly person, they are much smarter than that. Each of those PCs can be identified, see previous slashdot articles on the subject. Especially since each PC in a network serving a diverse family as you are describing will probably have obvious differences in OS and browser versions. Then there is detailed packet header inspection (DEEP INSPECTION, remember?) to separate out OS subtle version differences, etc. And each PC/account will offer up different cookies to the same websites like Google.

      NAT won't stop them. SSL won't stop them. Laws might. This sort of snooping isn't 'like' listening in on phone conversations. It IS listening in on conversations.

      --
      Democrat delenda est
  7. Throttling bandwidth by element609 · · Score: 2, Insightful

    Isn't this the real issue with clogging 'tubes'? How can the government and ISPs keep up with the computational resources needed to continue this as we demand greater and greater amounts of bandwidth? OK, so they could only inspect http traffic, rather than say, bittorrent traffic, but OMG what happens when 'terrorists' start communicating with other protocols?

  8. How are they to deliver targeted advertising? by Skapare · · Score: 4, Insightful

    If these are the ISPs (as opposed to the visited web sites) doing the spying, then how are the advertising companies involved supposed to deliver the content? Are they going to use the same "deep packet" method to inject the advertising? If the advertising delivery is away from that deep packet inspection, then how do they identify which user was interested in penis enlargement products vs. which user was interested in replica watches? Or are the ISPs going to lock-in the IP address, now?

    --
    now we need to go OSS in diesel cars
  9. Listening in? Um, yeah. by Perp Atuitie · · Score: 5, Insightful

    Critics liken it to a phone company listening in on conversations.
    Um, my ISP IS my phone company. If they can get away with reading my emails and stuff like this comment, what's to stop them from listening to my phone calls? We're really at a crossroads: either the law makes ISPs common carriers with no interest in, or control over, content like a real phone company, or we lose most of the potential of the communications tech revolution.
  10. What's the difference by Ernesto Alvarez · · Score: 5, Insightful

    The difference is that in the first case, the data passes through a dumb machine that compresses, caches, etc. The result is cached like it is expected (RFC 2616 is pretty clear about that), even though it is done transparently. No need to keep logs about who downloaded what.

    In this case, the data is explicitly mined, by a company interested in building a profile of each user. It doesn't say it is limited to web traffic only, only that "Nor does NebuAd record a user's visits to pornography or gaming sites or a user's interests in sensitive subjects -- such as bankruptcy or a medical condition such as AIDS.", which I doubt both on technical grounds and because it is a market and someone will want to take advantage and "The company said it processes but does not look into packets of information that include e-mail or pictures." which I think is in contradiction with other parts of the article and even if they didn't, it's a matter of time before they do.

    Basically, it's the intent that counts. The ISP can intercept everything they want because they're in the middle. When they start doing so for reasons that are not part of maintaining the communications as specified (like forwarding, maybe firewalling and proxying depending on the conditions), alarms should go off.

  11. Regular postal mail... by NotQuiteReal · · Score: 3, Insightful
    After all, your ISP knows your street address.

    Search for info on heartburn... get some post cards advertising the latest antacid. Search for info about Lasik eye surgery... gee handy flyers about your local providers appear.

    You get the idea. If I were selling a service and an ISP offered to sell me names and addresses based on keyword searches, why wouldn't I buy that list?

    --
    This issue is a bit more complicated than you think.
  12. "Customer revolt" by frdmfghtr · · Score: 4, Insightful
    FTA:

    For all its promise, however, the service providers exploring and testing such services have largely kept quiet -- "for fear of customer revolt," according to one executive involved.
    Guess what pal..the word is now out.

    Ever get the feeling the Internet just isn't worth it anymore?
    --
    Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
    1. Re:"Customer revolt" by Inda · · Score: 2, Insightful

      Was it ever worth it? Maybe the homepages of 1997 were worth it...

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  13. no, encryption is not the answer by Briden · · Score: 2, Insightful

    standing up for our rights is the answer. unfortunately, corporations listen only to one voice, money, so hit them where it hurts.

    Cancel your internet, refuse to pay your bills... boohoo, then you won't have internet? you won't have internet anyway, if they get their way.

  14. Re:There should be a law by nurb432 · · Score: 4, Insightful

    We *do* need fewer laws. However, the ones that remain need to be effective and of value, and actually enforced.

    The law to protect your right to privacy already exists, it just needs to be enforced. Creating more laws doesn't help with lack of enforcement of what is already there.

    --
    ---- Booth was a patriot ----
  15. Re:There should be a law by Anonymous Coward · · Score: 2, Insightful

    And if I hear one libertarian say we need less laws, I'll puke.

    Pesky semantics....

    While it may be true that the actual raw number of laws presently on the books is huge and unwieldy, and while it may be true that the removal of many of those laws would actually bring a good deal of efficiency while also eliminating some loopholes that are routinely exploited to the detriment of the majority, and while it may be true that a common knee-jerk response to any kind of exploitive behavior is to cry "pass a law that says you can't" even when there is actually no feasible way to construct or enforce a law that will accomplish that.....while all these things may be true...

    Sometimes, it is also true that in this specific circumstance, a new law is actually feasible, beneficial, and totally warranted.

    While I don't have a problem with far-reaching statements like "we need fewer laws," I DO have a problem with the thoughtless application of such statements to all circumstances equally. Not all circumstances are equal, and they must each be intelligently judged, on a case-by-case basis.

    I hope I didn't make you puke.

  16. Re:ssh tunnelling + squid by jmorris42 · · Score: 2, Insightful

    > I pay for a dedicated server (essentially colo but they provide
    > the hardware) from a company with a decent AUP. I put linux on
    > the server and run squid.....

    And you are a fool with more money and tech knowledge than you have the brains to use wisely.

    Exactly what are you hoping to accomplish by going to all of that bother? Your last mile ISP can't monitor you but the hosting company and THEIR ISP can so you have just shifted the point of attack.

    And the government (which is what you are afraid of, right?) can't monitor either (the spooks can but anything they find can't be used against you in a court... they would just have to kill ya) without a warrant. And with a warrant they can monitor you wherever. Doing the kind of crap you are doing makes you a likely target for government snooping. So don't come whining to me when ya find a keylogger on your machine.... buried inside your keyboard controller chip.

    --
    Democrat delenda est
  17. Re:There should be a law by chunk08 · · Score: 3, Insightful

    Brilliant post! The problem, though, is that the citizens will not stand up for their rights, because our current culture is taught to depend on the government to fix all of the problems. If citizens were to take a stand on the issue, government and corporations would see that it is not in their best interest to continue these practices. What needs to happen is (as has previously been posted) citizens encrypting their communications and taking other steps (Tor, Freenet, etc.) to prevent snooping, government, corporate, or otherwise.
    Liberty and capitalism don't solve problems, they just give us an opportunity to. That's why less government is good.

    --
    Do away with our corrupt tax code. Support the Fair Tax
  18. Re:There should be a law by dstates · · Score: 2, Insightful

    What ever happened to "A government of the people, by the people and for the people"? Get involved, and stay involved. As Adlai Stevenson (who??) said, "In a democracy, people get the government they deserve."

    --
    Statesman
  19. Re:Slashbot hypocrisy once again by dstates · · Score: 2, Insightful

    Some of us do not use Google mail or Google desktop search for exactly the reasons you give.

    --
    Statesman
  20. Re:Btw. is your ISP Knology? by Shakrai · · Score: 5, Insightful

    Fedex and UPS DO do this.

    Fedex and UPS open your packages to look at what you are shipping so they can sell that data to advertisers?

    rather they're searching through it looking for things that look suspicious

    Did you even bother to RTFA? Wait, dumb question around here. This has nothing to do with looking for 'suspicious activity'. The ISPs in question are allowing third-party companies to build profiles of their users by spying on their traffic in order to do targeted advertising.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  21. Who wins? by edmicman · · Score: 2, Insightful
    From the article:

    Advocates of deep-packet inspection see it as a boon for all involved. Advertisers can better target their pitches. Consumers will see more relevant ads. Service providers who hand over consumer data can share in advertising revenues. And Web sites can make more money from online advertising, a $20 billion industry that is growing rapidly.
    So the consumers' benefit is better targeted ads? Woohoo? Sounds like the only ones who are winning are the corps and that's it.
  22. Re:Slashbot hypocrisy once again by pinguwin · · Score: 1, Insightful

    I don't use gmail by choice because of this policy. Gmail isn't a free service, there is a cost to your privacy and if you make that choice, great. I have my own domain specifically for this reason that I'm not under the rules of another company. But for communications that I pay for, my isp thinks they can eavesdrop? Big difference between what google and the isp's are doing.

  23. Re:Slashbot hypocrisy once again by ccguy · · Score: 4, Insightful

    So, it's bad and evil and wrong if a computer at your ISP reads all your packets for marketing research purposes, but when Slashdot's favourite pet company Google does the exact same thing with all your messages in Gmail, it's perfectly fine and justified?
    Yes. You may use gmail or not, and if you do then you agree that they will use your email contents for advertisement.

    No one authorized ISPs to inspect packets for any purpose.

    However if they provided their service at the same price google offers gmail in exchange for authorization to inspect packets, I'm sure there would be lots of people willing to take the deal.

    I think Slashbots need to get their kneejerks straight.
    And I think whoever modded you insightful was on crack.
  24. Re:People already do by gsarnold · · Score: 3, Insightful

    Spiderlike, sure, but IIRC Tor only obfuscates your identity from the site operator via a maze of proxies - It doesn't do anything like create an encrypted tunnel for the traffic, so eavesdroppers at the phone company can still snoop all they want.

    Just sayin'.