DPI and Net Neutrality's Overseas Weak Spot

Ian Lamont writes "An unnamed source at an American ISP says staff there briefly considered using Deep Packet Inspection to comply with an order from Argentina's Department of Justice to block access to a local gambling site. The ISP ended up not going that route, owing to the cost, but some engineers at the company worry that DPI will eventually be implemented on the ISP's overseas network, thereby positioning it for an easier US rollout should Net Neutrality lose out in Washington. Besides being used for traffic-shaping, DPI can also monitor the traffic of ISP subscribers to supply targeted advertising."

This is where customers put their foot down.

[MindlessAutomata]

And say "No".

Even if it hurts in the short run. The loss of consumer bargaining power in these instances, where the contracts possibly allow for this, is the fault of the general consumer to begin with.

Re:This is where customers put their foot down.

[snl2587]

And say "No".

I ask, "to whom?". The ISPs are not the only ones who want (to use a generalization) the traffic of subscribers to be monitored. I think you overestimate the power of the consumers in this case.

Re:This is where customers put their foot down.

[pseudorand]

Don't be a tool. The Internet has always operated on the principle that traffic on the public network isn't private. Let them use Deep Packet Inspection. If you didn't encrypt your data, that's your fault.

And as for consumer bargaining power, we never had any. Residential broadband has always been without an SLA. Even if you network goes down or is slow for weeks, your only recourse is to cancel your service.

What we need are SLA's for consumer broadband that guarantee a minimum (not maximum) bandwidth. Then, let them inspect all they want, I'll encrypt what I need to be private. And let them block all they want within the SLA, I'll pay for the level of service I need.

Don't get me wrong, I'm all for Net Neutrality. The ISP I'm handing my money to should be routing anything I choose to send, illegal or no (since IPSs should just be carriers and not liable or responsible for how I choose to use their network), but just don't everyone go panicking that "they're looking at my data".

Re:This is where customers put their foot down.

[garett_spencley]

I'll encrypt what I need to be private. And let them block all they want within the SLA, I'll pay for the level of service I need.

What happens when ISPs start to throttle (or block all together) encrypted or binary data ?

I can already imagine the justifications: "binary data consists largely of pirated software and media!", "only terrorists, pedophiles and other criminals have something to hide and use encryption!" "yap yap yap!"

At the risk of sounding pretentious, I believe that the Internet is one of the greatest assets for human advancement and achievement since the printing press. It is far too important to us to allow certain groups with special interests to ruin it for everyone. One last resort is to force ISPs who succumb to government pressure out of business. In the meantime we have to use every single democratic and diplomatic means at our disposal to force government to make the decisions that serve the larger population's wishes, and not the small special interest groups that want to shut the rest of the world up.

Re:This is where customers put their foot down.

[theM_xl]

In the meantime we have to use every single democratic and diplomatic means at our disposal to force government to make the decisions that serve the larger population's wishes, and not the small special interest groups that want to shut the rest of the world up.

We're filthy rich business lobby groups that can throw money at the politicians? When did that happen?

Re:This is where customers put their foot down.

[PPH]

And say "Whaaa"?

The average customer has no clue as to what the implications of DPI are. Or care, for that matter. You give them a few percent off at the grocery store for tracking their purchases. And that's perfectly OK by them.

Heck, even our own intelligence agencies have allowed the sale and export of data that makes commercial, industrial and even political espionage by foreign powers easy. The NSA/CIA/FBI are probably a decade or more behind the state of the art in data mining and link analysis.

Re:This is where customers put their foot down.

What happens when ISPs start to throttle (or block all together) encrypted or binary data ?

Then those ISP's customers are shut out of commerce ("Whaddya mean I get a timeout when I try to send my credit card to amazon or log into my bank?") and the users decide to use some other ISP.

Re:This is where customers put their foot down.

[PopeRatzo]

I think you overestimate the power of the consumers in this case.

If the consumers go away, the corporation goes out of business.

Now how is the GP "overestimating" the power of consumers if the very life of the corporation in question hangs in the balance?

In the past decade, American consumers went trillions into debt to purchase foreign consumer goods and thus kept the funny-money US economy from crashing like the Hindenberg. I would say that's a mighty display of "power".

The only people who don't think consumers have "power" are mostly running banks and corporations. It might be time to give them a refresher course on the meaning of the word.

In a way, it's very similar to the situation between the people who have political power in this country and the citizens.

Re:This is where customers put their foot down.

[PopeRatzo]

If you didn't encrypt your data, that's your fault.

Don't think for a second that private use of encryption isn't under attack by the telecoms and the government that works for them.

Re:This is where customers put their foot down.

[PopeRatzo]

Tell you what: people are quickly learning about the means and meaning of the surveillance of our data and behavior.

Here in Chicago, tens of thousands of drivers have gotten little notes in the mail from the City of Chicago, telling them that they have to pay $100 or have their car seized, based on a picture taken at an intersection.

When a local, nationally prestigious university recently had a public symposium on the effect of electronic surveillance upon personal, public and political life, you would have been quite surprised at the number, and the variety, of the people who showed up. In fact, a lot of last-minute shuffling had to take place at the venue to accommodate the unexpected number of attendees. And a surprisingly small number of them were techies and geeks. A large number were under age 18.

Re:This is where customers put their foot down.

[corsec67]

What happens when ISPs start to throttle (or block all together) encrypted or binary data ?

You have data that isn't binary?
It would be cool to have a computer based on Balanced Ternary, but I don't think that would work on the internet without a translation to... binary.

Re:This is where customers put their foot down.

[philspear]

You convinced me. I'd like to get in on this boycott. Send me an e-mail when I need to cancel my internet, and then send me another email when the boycott is over and I can resume using the... internet...

I think I may see a problem here.

Re:This is where customers put their foot down.

[Ihmhi]

I don't need to encrypt my data. This DPI ad-injection stuff is a bunch of bullshit which can easily be cleaned up by the even more powerful Formula 409.

Re:This is where customers put their foot down.

[Drathos]

The only way for people to completely avoid DPI would be to cut themselves off from the internet. Even if their ISP doesn't use it, some other ISP will and any data that went that way will be subjected to it. Most traffic that I create goes through several networks on the way to its destination. For example, between my hotel's ISP and Google, my packets go through alter.net (a/k/a Verizon Business), Quest, and a few other routers that don't have reverse lookups. Third-party DPI, anyone?

Re:This is where customers put their foot down.

[Ichijo]

What happens when ISPs start to throttle (or block all together) encrypted or binary data ?

Then we'll Uuencode or BinHex the binary data so it looks like ASCII.

Re:This is where customers put their foot down.

[duckInferno]

The "average consumer" doesn't know what DPI is now. You are implying that they are incapable of knowing. Take them aside for a few minutes, show them what net neutrality is, what DPI is, and what it means for their privacy and ability to surf then net. Then ask them whether they care about the implications of DPI.

Re:This is where customers put their foot down.

[MindlessAutomata]

The truth is, the masses are either apathetic or don't mind this. Their alternative? More laws, to which people don't know much about and generally, don't care. They know this, and it's how they want to leverage control.

Re:This is where customers put their foot down.

[pseudorand]

> What happens when ISPs start to throttle (or block all together) encrypted or binary data ? Hence the SLA. If I pay for a guaranteed 512Kbps, they can throttle it down to that level, but no further. We would, of course, need some sort of consumer advocate group to help demonstrate that low bandwidth was an SLA violation by the ISP instead of slowness on the other end.

That's all it can do?

[iamhigh]

Besides being used for traffic-shaping, DPI can also monitor the traffic of ISP subscribers to supply targeted advertising."

I think there might be a few more issues than the innocuous sounding "traffic shaping" and targeted ads.

Packet Encryption

[camperdave]

So, we'll all have to implement some form of packet encryption so that our packets can't be inspected. It is sad that there's so much interest in our communications, whether it be for marketing, or government control, that we can no longer trust our old internet which transmits everything in the clear.

Re:Packet Encryption

[Intron]

The problem is that even if every website also did this, which they won't, your ISP could still sell your browsing history to advertisers or give it to the feds because they know what sites you visit even if they don't see the contents of the packets.

To avoid this you need something like Tor.

Re:Packet Encryption

[BountyX]

Ive been routing my internet through trusted nodes accross the net in encrypted form for a while now and have given up the "old internet". NSA has dpi level inspection at major fiber lines via light bending, especially with underwater fiber. They also use spoilia (spillage of communication signals caught by satalites due to the earths sphere shape) to intercept our activities on wireless communications. If your data is ever transmitted in the air, assume it is being watched. Fiber optics is harder to snoop in on since it requires a physical tap. I wouldn't worry about the US spying on its citizen. It dosn't need to. Under the UK-USA agreement, the NSA shares its intelligence info with the UK, Nz, and Aus and in return those countires share their info with us. The US does not engage in spying on citizens, instead, it usually asks one of its allies to spy on a specific person. By doing this, the US bypasses many laws on privacy. The NSA's largest establishment in the UK USA agreement is at menwith hills and fort mede, maryland. The two agencies (both controlled by the NSA) coordinate sigint. Bottom line, all of our traffic is monitored and run through thousands of different communication algorithms for data mining. Do not share any identifiable information online, to any one for anyreason. Even anonymous browsing is vulnerable to time analysis.

Re:Packet Encryption

[ColdWetDog]

Mr. Bin Laden? I didn't realize you joined Slashdot. Do you run Linux? Welcome.

Re:Packet Encryption

[BountyX]

Ironically, bin laden DID NOT encrypt his communications. Instead, he chose to plan is activities on the internet in sex chat rooms and other public locations on the internet. Bin laden, who had a relationship with the CIA before becoming a terrorist, knew that encrypting communication was one of the NSA's criteria that alerted the agency of an individuals suspicous activitiy. Encryption draws attention becuase its like feeding the NSA bad data. If enough people encrpyt their communications regularly, it will make it harder for the NSA to snoop...and yes, I do run linux :)

Re:Packet Encryption

[Braino420]

Dude, weren't you supposed to submit that anonymously or something?

Re:Packet Encryption

[anilg]

Ok, second question.. Do you always refer to yourself in the third person?

Out of interest

[sakdoctor]

How much extra resources are used in delivering a page by HTTPS instead of HTTP?

Re:Out of interest

Quite a lot when negotiating the crypto handshake (there's hardware for this and it scales pretty decently, even if it's not exactly cheap) - but you'd still be able to pick up what was being visited from the certificate if you wanted.

DIP will likely be rolled out to support QoS.

[Ungrounded+Lightning]

IMHO Deep Packet Inspection will be rolled out to identify the protocols in use on connections, to support assigning the correct QoS to different protocols.

For instance: File transfers accelerate until they consume (and equally divide) all bandwidth at the most congested link in their path, but just slow down if they're artificially limited below that level. Meanwhile Streams are band limited but must go to the front of the line to meet their jitter and delivery reliability requirements, though delayed stream packets are useless and should be dropped to avoid also delaying their successors.

Unfortunately the tagging of the packet itself can't be trusted because there is an incentive to achieve improved service by cheating, requesting better service than necessary. (And a Microsoft IP stack, widely deployed, made just this "improvement".)

My take: The right solution is to write a contract for various rates of "premium" packets, then accept the labeling but demote the QoS on packets above the running limit. Then the incentive is on the user to obtain software that doesn't cheat, and the ISP doesn't need to deep inspect.

Unfortunately, the ISPs and equipment vendors seem to be going with the DPI identification approach. And that means deploying DPI, which can then be misused by the ISPs to do the bad kind of non-neutrality.

Re:DIP will likely be rolled out to support QoS.

[PopeRatzo]

The right solution is to write a contract for various rates of "premium" packets.

Quite a few of us have run into problems with "contracts" for "unlimited" use.

What's going to make ISPs suddenly start honoring contracts?

A different form of government is needed

It no longer makes sense to have:

1. National governments in an global society
2. Governments which have privileged access to the internet, at the expense of the citizenry's freedom

Before it is too late, before all governments make dpi as routine as China could ever hope for, the people need to get control of the governments.

Fortunately, the source of these issues also presents the solution: open source governance (and its cousin, radical transparency).

For fuck's sakes..

[Rod+Beauvex]

....thereby positioning it for an easier US rollout should Net Neutrality lose out in Washington...

Net Neutrality already lost in Washington. Wake up and smell the shit.

ISPs in Canada already throttle encrypted traffic

Rogers and Bell throttle all non-HTTP traffic. If their DPI cannot recognize it, they throttle it.

Yeah this sucks for VPN users, but they are an oligopoly and don't care.

QoS labeling by endpoints

[CustomDesigned]

I think this is what you were trying to say, but the endpoints, not the ISP should tag packets for QoS. No DPI is required - except in the consumer routers with options like "minimize VOIP latency" or "accelerate large downloads". There should be an extra cost for low latency or high bandwidth packets - so there is nothing to gain by "cheating". (High bandwidth packets can take advantage of a longer but more capacious route, or get to keep their place in a deep queue.)

All the more reason to move to IPv6...

[albee01]

IPv6 was designed to be more secure and encryption is built in (IPsec). It seems that the best solution to the whole net neutrality issue is to encourage the transition to IPv6 as quickly as possible.

Re:All the more reason to move to IPv6...

[Broken+Toys]

Net neutrality isn't about Internet protocols.

It's about social and political neutrality on the Internet.

Re:All the more reason to move to IPv6...

[cbiltcliffe]

That actually makes me wonder if the whole reason IPv6 adoption is so miserably low is that the government and communication companies know that when they adopt it wholesale, they lose the ability to do easy DPI and other such shenanigans.

Re:All the more reason to move to IPv6...

[kriss]

I'd hand out a complimentary tinfoil hat if I had one.

IPv6 is on the radar and requested as a must-have, but normally only on a roadmap level ("Will your product support this some time in the future?"). In some parts of the world (there's more to it than the US), any device incapable of IPv6 won't get onto the network in the first place.

If you stop to think about the practical implications for a while, it's very unlikely that encryption will be that much more widespread than it is today (it's a processing power issue as well, not just one of protocol ease of implementation) while the whole NAT issue will be zapped. This means that DPI gear all of a sudden can pick out a whole lot more, since traffic that'd normally be aggregated by a NAT - won't be. Insta-higher-resolution.

There's no conspiracy here. Really.

Re:All the more reason to move to IPv6...

[albee01]

Correct. However, encryption is seen as a way around the net neutrality issue since the packet content is unknown. IPv6 adds encryption out of the box.

Re:ISPs in Canada already throttle encrypted traff

They throttle https? How have online banks and retailers reacted?

Translation to Spanish available

[buanzo]

http://blogs.buanzo.com.ar/2008/08/inspeccion-de-paquetes-por-isp-argentinos.html

Eu knows how to deal with that kind of shit

[unity100]

they fine a MAJOR amount to the company, and $1 m euro or more for each day they dont comply with the ruling. straightens out die hard dirty player monopolists like microsoft even.

u.s. should adopt this.

In NZ

[duckInferno]

The worst we have here is a monopolising telecommunications company. We have data caps and high prices compared to other countries. Sometimes I find it really hard to treasure what we have, but it's articles like these that make it easier. Precious few ISPs here throttle data and I've never heard of any kind of push against p2p, let alone all the blocked/throttled/privacy-busting measures I've been hearing about what's going on in the US.

Of course, I still have reason to worry. A lot of NZ traffic goes through the US. :)

There's DPI and there's DPI

[kriss]

Yes, there's DPI devices for traffic shaping (or throttling or management or whatever term you prefer), and there's DPI devices for ad insertion but those really wouldn't be the same devices, probably not even made by the same vendor. Plugging my own blog, here's a shortentry about this.

As for the article, I think - but I could well be called biased - that the unnamed sources may be overreacting a bit. Could you do the things described with a decent traffic shaping DPI enabled box? Sure. Do ISP's do this? With the exception of some high profile cases we're all aware about, not that I noticed. As it happens, I wrote about this as well fairly recently (the text is quite long, if you want only the relevant bits on DPI uses, scroll down to 'DPI uses' near the bottom)

(In all honesty, I could well see the point of very restricted and extremely cheap access though. The net is a resource you pretty much need access to in order to function well in society nowadays. If that's all you need it for, it might make a lot more sense to get a $10/mo line restricted to only web and mail than a $30-or-more/mo line unrestricted. I sure as heck wouldn't get a restricted one myself, but then again, I'm not really the target audience of that idea)

As for an american rollout, quite a few ISP's run the gear in the US already. Again, with a few (very notable) exceptions, you don't really notice it. Which is kind of the point of a good implementation, in my book.

Re:Cost has been the only reason for many things.

[PopeRatzo]

Once you can get spycams and hard drives at the dollar store, expect nothing less but the end of your private life.

I'm not so sure. People are pretty smart, and liberty can be a compelling incentive. People have even given their lives in order to achieve it for their communities.

All in all, I'm betting on liberty. It's going to take the collapse of our cushy consumer lifestyle before people wake up enough for it to happen, but that lifestyle has been financed by credit for a long time now and that credit is running out fast. We may yet live to see Americans doing what Americans were meant to do. The Founding Fathers left us a very nifty blueprint to follow.

Everything Should Be Secure-ish

[Nymz]

A lock doesn't need to be unbreakable in order to be of some value, it only needs to be good enough to deter some violators. Examples:

• Envelope - takes time and effort to hold up to a light, or reheating the seal with an iron
• Padlock - takes a large shearing tool, or a couple picking tools
• Car - takes a 'slim jim' door shim, or breaking a window noise
• ROT13 - takes a simple function to decrypt, which is a conscious action that can deter simple temptation

Excuses that governments may have nearly limitless resources, or that "I don't have anything to hide", are irrelevant if you care about an internet of communications that is as secure, as it can be, for everyone in the areas of commerce, privacy, and political free speech worldwide. If you value these things, then we need to start securing our comminications.

Even the strongest chain has a weak link...

[pathological+liar]

How and why do you trust those nodes? Unless it's a completely dark net there's an egress point, and that point can be coopted/coerced. At the very least all traffic going through that endpoint can be trivially sniffed by at least one person. If you're worried about the NSA or its cronies tapping your communications, why aren't you worried about someone exerting pressure on the weakest link in the chain?

If you're on a completely dark net, well, that's great... but won't the lack of content get boring after a while? (And again, the other humans will always be the weakest link)

Re:Even the strongest chain has a weak link...

[BountyX]

Long answer short, the exit node is the weakest link. But what if an individual owned a network of exit nodes colocated in facilities throughout the world? These nodes were hosted in secure locations without physical access. ;) time analysis still works :(

Really bad idea

[DaMattster]

Targetted advertising based on deep packet inspection is a very, very bad idea. As a business owner, I don't want my traffic inspected like that.

Re:ISPs in Canada already throttle encrypted traff

[rjstanford]

Let me toss this one back at you. How many times do you continually push high bandwidth traffic to or from your bank? You could easily throttle those pages down to 10% of "full speed" and very few people would notice, let alone figure out the pattern.

Re:Poisoning

[mikael]

Worse - it's like having a little guy who sits outside your front door all day, follows you into town, insists on opening and reading every newspaper, book, magazine, letter, circular and piece of junk mail that you read, then follows you back home again.

It may be coincidence but just recently I was shopping for T-shirts online, visited a website called 'over50', and the next day, I received junk mail for life insurance for the over 50's. I'm currently doing experiments where I visit my own university home page from my home PC, then check to see if the IP addresses match, or whether I receive a visit from a Phorm server.

Targeted ads for paying customers is really stupid

[davolfman]

The moment my cable company starts adding ads to my traffic I'll start looking to switch to DSL. Not everybody has competition but given just how bad these guys are about buildouts those who do are still a decent enough chunk of the market that the ISP will take notice.

Re:ISPs in Canada already throttle encrypted traff

[TheVelvetFlamebait]

They throttle https? How have online banks and retailers reacted?

Rather slugglishly, I'm afraid.

Re:ISPs in Canada already throttle encrypted traff

[CaptnMArk]

time for a bin2html | gzip encoder.

They must allow content-transfer-encoding: gzip, which every site should use.

Re:ISPs in Canada already throttle encrypted traff

[mikiN]

So what? So the ISP simply Have their DPI decompress the gzip'ed data and inspect that.
Well, you could try sending enormous blobs of HTML'ized gzip'ed binary data.
You could scramble your TCP/IP stack so it goes through weird contorted schemes of pseudo-random packet dropping, fragmentation, reassembly etc. to flush the DPI cache, etcetera, etcetera.

This will turn into YASAR (Yet Another Silly Arms Race)