DPI and Net Neutrality's Overseas Weak Spot
Ian Lamont writes "An unnamed source at an American ISP says staff there briefly considered using Deep Packet Inspection to comply with an order from Argentina's Department of Justice to block access to a local gambling site. The ISP ended up not going that route, owing to the cost, but some engineers at the company worry that DPI will eventually be implemented on the ISP's overseas network, thereby positioning it for an easier US rollout should Net Neutrality lose out in Washington. Besides being used for traffic-shaping, DPI can also monitor the traffic of ISP subscribers to supply targeted advertising."
And say "No".
Even if it hurts in the short run. The loss of consumer bargaining power in these instances, where the contracts possibly allow for this, is the fault of the general consumer to begin with.
"Besides being used for traffic-shaping, DPI can also monitor the traffic of ISP subscribers to supply targeted advertising."
I think there might be a few more issues than the innocuous sounding "traffic shaping" and targeted ads.
No comprende? Let me type that a little slower for you...
So, we'll all have to implement some form of packet encryption so that our packets can't be inspected. It is sad that there's so much interest in our communications, whether it be for marketing, or government control, that we can no longer trust our old internet which transmits everything in the clear.
When our name is on the back of your car, we're behind you all the way!
How much extra resources are used in delivering a page by HTTPS instead of HTTP?
IMHO Deep Packet Inspection will be rolled out to identify the protocols in use on connections, to support assigning the correct QoS to different protocols.
For instance: File transfers accelerate until they consume (and equally divide) all bandwidth at the most congested link in their path, but just slow down if they're artificially limited below that level. Meanwhile Streams are band limited but must go to the front of the line to meet their jitter and delivery reliability requirements, though delayed stream packets are useless and should be dropped to avoid also delaying their successors.
Unfortunately the tagging of the packet itself can't be trusted because there is an incentive to achieve improved service by cheating, requesting better service than necessary. (And a Microsoft IP stack, widely deployed, made just this "improvement".)
My take: The right solution is to write a contract for various rates of "premium" packets, then accept the labeling but demote the QoS on packets above the running limit. Then the incentive is on the user to obtain software that doesn't cheat, and the ISP doesn't need to deep inspect.
Unfortunately, the ISPs and equipment vendors seem to be going with the DPI identification approach. And that means deploying DPI, which can then be misused by the ISPs to do the bad kind of non-neutrality.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
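The contract-and-demote scheme proposed in the comment above, sketched as a token-bucket policer (an added example, not part of the original thread). It reads only the packet's own QoS label and size, never the payload. The class name, the 64 kbit/s contract, the bucket depth and both traces are assumptions made for illustration.

```python
from dataclasses import dataclass

DSCP_EF = 46          # Expedited Forwarding: the "premium" label
DSCP_BEST_EFFORT = 0  # default class


@dataclass
class PremiumPolicer:
    """Token bucket for one subscriber's contracted premium rate (hypothetical)."""
    rate_bps: int      # contracted premium rate, bits per second
    burst_bytes: int   # bucket depth, bytes
    tokens: float = 0.0
    last_ts: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # start with a full bucket

    def classify(self, ts, size_bytes, dscp):
        """Return the DSCP value the packet is forwarded with."""
        # Refill for the elapsed time, capped at the bucket depth.
        elapsed = max(0.0, ts - self.last_ts)
        self.tokens = min(self.burst_bytes,
                          self.tokens + elapsed * self.rate_bps / 8)
        self.last_ts = ts
        if dscp != DSCP_EF:
            return dscp              # not claiming premium: left untouched
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return DSCP_EF           # within contract: the label is honoured
        return DSCP_BEST_EFFORT      # over contract: demoted, not dropped


def run(policer, packets):
    """Apply the policer to (timestamp_s, size_bytes, dscp) tuples."""
    return [policer.classify(ts, size, dscp) for ts, size, dscp in packets]


# Constructed traces: a 64 kbit/s voice-like stream, and a bulk sender
# that marks every full-size packet as premium.
VOIP_TRACE = [(i * 0.02, 160, DSCP_EF) for i in range(10)]
BULK_TRACE = [(i * 0.001, 1500, DSCP_EF) for i in range(5)]

if __name__ == "__main__":
    print(run(PremiumPolicer(64_000, 1500), VOIP_TRACE))
    print(run(PremiumPolicer(64_000, 1500), BULK_TRACE))
```

The stream that stays within its contract keeps the premium mark on every packet, while the mislabelled bulk transfer gets one packet through at premium and the rest demoted to best effort.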
I always thought that "DPI" was Dots Per Inch but I guess it now means Deep Packet Inspection.
It no longer makes sense to have:
Before it is too late, before all governments make DPI as routine as China could ever hope for, the people need to get control of the governments.
Fortunately, the source of these issues also presents the solution: open source governance (and its cousin, radical transparency).
The only reason many invasive technologies are not used is because they are still too expensive. Once you can get spycams and hard drives at the dollar store, expect nothing less but the end of your private life.
"Deep Packet Inspection" is the information society counterpart of poisoning public water supplies with hormones.
....thereby positioning it for an easier US rollout should Net Neutrality lose out in Washington...
Net Neutrality already lost in Washington. Wake up and smell the shit.
Rogers and Bell throttle all non-HTTP traffic. If their DPI cannot recognize it, they throttle it.
Yeah this sucks for VPN users, but they are an oligopoly and don't care.
I think this is what you were trying to say, but the endpoints, not the ISP should tag packets for QoS. No DPI is required - except in the consumer routers with options like "minimize VOIP latency" or "accelerate large downloads". There should be an extra cost for low latency or high bandwidth packets - so there is nothing to gain by "cheating". (High bandwidth packets can take advantage of a longer but more capacious route, or get to keep their place in a deep queue.)
IPv6 was designed to be more secure and encryption is built in (IPsec). It seems that the best solution to the whole net neutrality issue is to encourage the transition to IPv6 as quickly as possible.
They throttle https? How have online banks and retailers reacted?
It's not user, it's everyone's fault. (includes google)
So you want a net with rules.. cool.. this will happen again, again, again.
If only the USA woke up and wrote the rules for the internet, even bad ones as they usually do, we could some things. With this no-rules policy over the internet, how can you condemn these or China's firewall... in the absence of rules, everyone creates their own.
http://blogs.buanzo.com.ar/2008/08/inspeccion-de-paquetes-por-isp-argentinos.html
Buanzo Consulting - 15 Years of GNU/Linux experience, for you.
they fine a MAJOR amount to the company, and $1 m euro or more for each day they don't comply with the ruling. straightens out die hard dirty player monopolists like microsoft even.
u.s. should adopt this.
Read radical news here
The worst we have here is a monopolising telecommunications company. We have data caps and high prices compared to other countries. Sometimes I find it really hard to treasure what we have, but it's articles like these that make it easier. Precious few ISPs here throttle data and I've never heard of any kind of push against p2p, let alone all the blocked/throttled/privacy-busting measures I've been hearing about what's going on in the US.
:)
Of course, I still have reason to worry. A lot of NZ traffic goes through the US.
Fool me once, shame on you. Fool me twice, watch it -- I'm huge!
Yes, there's DPI devices for traffic shaping (or throttling or management or whatever term you prefer), and there's DPI devices for ad insertion but those really wouldn't be the same devices, probably not even made by the same vendor. Plugging my own blog, here's a short entry about this.
As for the article, I think - but I could well be called biased - that the unnamed sources may be overreacting a bit. Could you do the things described with a decent traffic shaping DPI enabled box? Sure. Do ISPs do this? With the exception of some high profile cases we're all aware about, not that I noticed. As it happens, I wrote about this as well fairly recently (the text is quite long, if you want only the relevant bits on DPI uses, scroll down to 'DPI uses' near the bottom)
(In all honesty, I could well see the point of very restricted and extremely cheap access though. The net is a resource you pretty much need access to in order to function well in society nowadays. If that's all you need it for, it might make a lot more sense to get a $10/mo line restricted to only web and mail than a $30-or-more/mo line unrestricted. I sure as heck wouldn't get a restricted one myself, but then again, I'm not really the target audience of that idea)
As for an American rollout, quite a few ISPs run the gear in the US already. Again, with a few (very notable) exceptions, you don't really notice it. Which is kind of the point of a good implementation, in my book.
This sort of DPI has been (arguably illegally) trialled here in the UK. British Telecom and Phorm being the guilty parties. We are talking about tens of thousands of subscribers unknowingly having their internet sessions snooped on. Which is illegal in the UK. Just so Phorm can substitute its 'focussed' ads into web pages. There has been something of an outcry about this.
The government has done nothing.
Now this authoritarian bunch want to set up a very expensive 'data silo' which will contain details of all calls, texts, emails, instant messenger conversations and websites accessed in the UK for up to two years.
Uh huh.
Their rationale for this is the usual "It's the terrorists" and "think of the children". The Reg has this article.
DPI fits into the government plans very nicely indeed.
Posting this AC as some lame attempt at keeping my communications private.
So fellow slashdotters, how can we spam the system?
I work for a company that builds Lawful Interception solutions and I can categorically confirm the deployment of nationwide DPI LI solutions in a well known mid-eastern country (leading exporter).
Excuses that governments may have nearly limitless resources, or that "I don't have anything to hide", are irrelevant if you care about an internet of communications that is as secure, as it can be, for everyone in the areas of commerce, privacy, and political free speech worldwide. If you value these things, then we need to start securing our communications.
How and why do you trust those nodes? Unless it's a completely dark net there's an egress point, and that point can be coopted/coerced. At the very least all traffic going through that endpoint can be trivially sniffed by at least one person. If you're worried about the NSA or its cronies tapping your communications, why aren't you worried about someone exerting pressure on the weakest link in the chain?
If you're on a completely dark net, well, that's great... but won't the lack of content get boring after a while? (And again, the other humans will always be the weakest link)
Targeted advertising based on deep packet inspection is a very, very bad idea. As a business owner, I don't want my traffic inspected like that.
Let me toss this one back at you. How many times do you continually push high bandwidth traffic to or from your bank? You could easily throttle those pages down to 10% of "full speed" and very few people would notice, let alone figure out the pattern.
You're special forces then? That's great! I just love your olympics!
The moment my cable company starts adding ads to my traffic I'll start looking to switch to DSL. Not everybody has competition but given just how bad these guys are about buildouts those who do are still a decent enough chunk of the market that the ISP will take notice.
Rather sluggishly, I'm afraid.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
"DPI can also monitor the traffic of ISP subscribers to supply targeted advertising."
It can also be used to monitor political, social economical and racial opinions - and in combination with filters to squash the ones which are currently not compatible with the current government or ISPs own policy.
Oh, you may replace the word "can" with "is", since we're already past 1984. (e.g.: Italy, China, US, UK, UAE ...)
time for a bin2html | gzip encoder.
They must allow content-transfer-encoding: gzip, which every site should use.
So what? So the ISP simply has their DPI decompress the gzip'ed data and inspect that.
Well, you could try sending enormous blobs of HTML'ized gzip'ed binary data.
You could scramble your TCP/IP stack so it goes through weird contorted schemes of pseudo-random packet dropping, fragmentation, reassembly etc. to flush the DPI cache, etcetera, etcetera.
This will turn into YASAR (Yet Another Silly Arms Race)
The Hacker's Guide To The Kernel: Don't panic()!
No it won't, because the current one hasn't ended yet, so it's just another part of the ongoing one.