ISPs Using "Deep Packet Inspection" On 100,000 Users

dstates writes "The Washington Post is reporting that some Internet Service Providers (ISP) have been using deep-packet inspection to spy on the communications of more than 100,000 US customers. Deep packet inspection allows the ISP to read the content of communications including every Web page visited, every e-mail sent and every search entered, in short every click and keystroke that comes down the line. The companies involved assert that customers' privacy is protected because no personally identifying details are released, but they make money from advertisers who use the information to target their online pitches. Deep packet inspection is a significant expansion over tools like cookies in the ability to track a user. Critics liken it to a phone company listening in on conversations."

So what's the status on IPSec?

DNSSec and opportunistic IPSec should put an end to the snooping and throttling once and for all.

Re:So what's the status on IPSec?

[NeverVotedBush]

In response to another article, I said that we should start encrypting all of our traffic and asked for programmers to start adding that functionality and making it the default so that even unsophisticated users' trafic would be encrypted.

But with the revelation the other day that the Bush administration believes the Fourth Amendment (right to privacy and protection from searches without cause), this becomes just another good reason to get cracking with all traffic encrypted.

http://yro.slashdot.org/article.pl?sid=08/04/03/1219200

Encrypt everything.

[ookabooka]

Thats it, I say webservers move to SSL only transactions. All other plaintext transmissions should get encrypted at the endpoints transparently. Then when the government whines about not being able to find the terrorists they can blame datamining companies that paid for their election campaign. Then they can make a law that forces a back-door, which would create a need for some nifty-ass steganography which would lead to massively excessive processor and network overhead (encryption and steganography respectively) for the most basic of transactions which would lead to NSA funded algorythms to find these hidden messages which would. . .holy shit it's almost 10AM, I need to hit the sack.

Re:Encrypt everything.

[pla]

Thats it, I say webservers move to SSL only transactions.

I agree completely, but keep in mind that even with encryption, ISPs can still collect quite enough information on us to put together a truly impressive profile. Sure, they won't know exactly what you read, but if you visit Erowid, I'd call it a good bet you don't want recommendations on a cheese to go with dinner.

For targetted advertising purposes, the simple "where" counts for 90% of the "what".

time for some hactivism

[jollyreaper]

Let's start turning over rocks in the private lives of telcom CEO's and see what scurries out. I'm sure they won't mind, it's in the interests of an open society and free debate, don'cha know.

Good luck with that

[TheMohel]

Never mind that it's evil, or that it's a great step to losing their common-carrier status.

Never mind that it's a true violation of privacy.

Never mind that I block cookies pretty well and I run with NoScript most of the time and I don't see very many ads, and besides, half of the time I'm inside my employer's VPN.

But even more than that, I have seven other users in my household, half of them teenagers. If they want to sniff all of my NAT-ed packets coming out, they're going to discover that I'm a geek who has four Facebook sites, likes art and hates it, plays Runescape incessantly (the 10-year-old), likes the Wiggles, and works as a beauty consultant. So go ahead and hand me the ad for the latest XBox game (I hate games). Offer my kids server hardware, and see if you can get my wife to click on fun games to play with the Backyardigans. Oh, wait, you already do. It's called "not targeting advertising", and it's free.

So what we have is a thoroughly broken high-cost borderline-illegal absolutely-unethical service offered to advertisers in a difficult economic period. By people who we all hate a lot, and who will rapidly become targets for everything from blocking to legislative action to you name it.

I knew there would be some kind of career move for spam kings in the future. I just thought it would pay better.

I predict a less than stellar outcome for these idiots, and they deserve every painful moment.

Re:Good luck with that

[jmorris42]

> If they want to sniff all of my NAT-ed packets coming out, they're
>going to discover that I'm a geek who has four Facebook sites, likes
> art and hates it, plays....

Silly person, they are much smarter than that. Each of those PCs can be identified, see previous slashdot articles on the subject. Especially since each PC in a network serving a diverse family as you are describing will probably have obvious differences in OS and browser versions. Then there is detailed packet header inspection (DEEP INSPECTION, remember?) to seperate out OS subtle version differences, etc. And each PC/account will offerup different cookies to the same websites like Google.

NAT won't stop them. SSL won't stop them. Laws might. This sort of snooping isn't 'like' listening in on phone conversations. It IS listening in on conversations.

How are they to deliver targeted advertising?

[Skapare]

If these are the ISPs (as opposed to the visited web sites) doing the spying, then how are the advertising companies involved supposed to deliver the content? Are they going to use the same "deep packet" method to inject the advertising? If the advertising delivery is away from that deep packet inspection, then how do they identify which user was interested in penis enlargement products vs. which user was interested in replica watches? Or are the ISPs going to lock-in the IP address, now?

Listening in? Um, yeah.

[Perp+Atuitie]

Critics liken it to a phone company listening in on conversations.

Um, my ISP IS my phone company. If they can get away with reading my emails and stuff like this comment, what's to stop them from listening to my phone calls? We're really at a crossroads: either the law makes ISPs common carriers with no interest in, or control over, content like a real phone company, or we lose most of the potential of the communications tech revolution.

What's the difference

[Ernesto+Alvarez]

The difference is that in the first case, the data passes through a dumb machine that compresses, caches, etc. The result is cached like it is expected (RFC 2616 is pretty clear about that), even though it is done transparently. No need to keep logs about who downloaded what.

In this case, the data is explicitly mined, by a company interested in building a profile of each user. It doesn't say it is limited to web traffic only, only that "Nor does NebuAd record a user's visits to pornography or gaming sites or a user's interests in sensitive subjects -- such as bankruptcy or a medical condition such as AIDS.", which I doubt both on technical grounds and because it is a market and someone will want to take advantage and "The company said it processes but does not look into packets of information that include e-mail or pictures." which I think is in contradiction with other parts of the article and even if they didn't, it's a matter of time before they do.

Basically, it's the intent that counts. The ISP can intercept everything they want because they're in the middle. When they start doing so for reasons that are not part of maintaining the communications as specified (like forwarding, maybe firewalling and proxying depending on the conditions), alarms should go off.

"Customer revolt"

[frdmfghtr]

FTA:

For all its promise, however, the service providers exploring and testing such services have largely kept quiet -- "for fear of customer revolt," according to one executive involved.

Guess what pal..the word is now out.

Ever get the feeling the the Internet just isn't worth it anymore?

Re:There should be a law

[nurb432]

We *do* need fewer laws. However, the ones that remain need to be effective and of value, and actually enforced.

The law to protect your right to privacy already exists, it just needs to be enforced. Creating more laws doesn't help with lack of enforcement of what is already there.

Re:Btw. is your ISP Knology?

[Shakrai]

Fedex and UPS DO do this.

Fedex and UPS open your packages to look at what you are shipping so they can sell that data to advertisers?

rather they're searching through it looking for things that look suspicious

Did you even bother to RTFA? Wait, dumb question around here. This has nothing to do with looking for 'suspicious activity'. The ISPs in question are allowing third-party companies to build profiles of their users by spying on their traffic in order to do targeted advertising.

Re:Slashbot hypocrisy once again

[ccguy]

So, it's bad and evil and wrong if a computer at your ISP reads all your packets for marketing research purposes, but when Slashdot's favourite pet company Google does the exact same thing with all your messages in Gmail, it's perfectly fine and justified?

Yes. You may use gmail or not, and if you do then you agree that they will use your email contents for advertisement.

No one authorized ISPs to inspect packets for any purpose.

However if they provided their service at the same price google offers gmail in exchange for authorization to inspect packets, I'm sure there would be lots of people willing to take the deal.

I think Slashbots need to get their kneejerks straight.

And I think whoever modded you insightful was on crack.