ISPs Using "Deep Packet Inspection" On 100,000 Users
dstates writes "The Washington Post is reporting that some Internet Service Providers (ISP) have been using deep-packet inspection to spy on the communications of more than 100,000 US customers. Deep packet inspection allows the ISP to read the content of communications including every Web page visited, every e-mail sent and every search entered, in short every click and keystroke that comes down the line. The companies involved assert that customers' privacy is protected because no personally identifying details are released, but they make money from advertisers who use the information to target their online pitches. Deep packet inspection is a significant expansion over tools like cookies in the ability to track a user. Critics liken it to a phone company listening in on conversations."
Re:Good luck with that (Score:5, Informative)
They don't have a common-carrier status to lose.
Re:So? Use https, ... (Score:3, Informative)
Available for Pidgin (aka GAIM), Adium X, mICQ, Kopete, Miranda, Trillian and as a proxy for people that use other clients. Works on any IM network.
(I've been using it on GAIM for some time and I recommend it)
Re:How are they to deliver targeted advertising? (Score:3, Informative)
> the spying, then how are the advertising companies involved supposed
> to deliver the content?
Because the visited web sites already aren't the ones delivering the advertising. You go to CNN.com and view a page. The ads come from an outside site. That site partners with your ISP. They toss a packet with the IP and perhaps other info (like browser info so the ISP can determine which PC behind the home NAT is making the request and map that to a 'user number or email identity') and the ISP returns it. The ad server examines the previous history for that identity and the page being requested and picks an appropriate ad. And it all happens behind the scenes in the page load delay. Frightened yet?
VPN FTW (Score:2, Informative)
I expect nothing less from the despicable scam shop that is Rogers, but it's still kind of creepy.
For me, it's not a huge deal because I run a number of geographically diverse servers; I can VPN or proxy my traffic through any combination of them, should the need arise. Like any invasion of privacy, I'm not concerned about the marketing uses, it's the inevitable abuse that scares me, either by ISP staff sniffing passwords, or script kiddies rooting the monitoring systems (and/or the idiot sysadmin's PC).
The thing is, at this point I've given up on common sense. Things will continue to get more and more ridiculous until we reach a breaking point... the bubble will burst and there will be backlash against these invasions of privacy, but only when the common fool finally realizes their life is being tarnished by the practice.
Until then, we'll continue to be labeled as paranoids with our tinfoil hats.
Re:Btw. is your ISP Knology? (Score:2, Informative)
It's not like there is somebody at Qwest sitting there reading each and every one of my emails; rather, they're searching through it looking for things that look suspicious. It's the same thing that couriers do looking for people shipping drugs around.
Don't get me wrong, I think it's asinine, just pointing out that it's not something that is exclusive to the internets.
Re:Encrypt everything. (Score:5, Informative)
As far as I know, IIS and Apache don't quite support TLS yet (although it's in progress), which means every SSL-enabled website would have to be on its own unique IP/port, making the IP 'crunch' even more of an issue.
Re:Up to 2 years imprisonment (Score:5, Informative)
I've already sent a letter to my service provider (Virgin Media) informing them I want no part of Phorm and if they implement it (which they are considering) I will be prosecuting them under the Data Protection Act. I suggest all BT, TalkTalk and Virgin Media users do the same.
The Data Protection Act in the UK is the best defence against this sort of thing; it defines how companies may handle personal data, the rights a person has to that data and what responsibilities the organisations have with it. The biggest problem with it tends to be phone operators who've never read it trying to tell you the section you read to them is wrong.
I believe someone is trying to prosecute Facebook because they were unable to remove their information from Facebook (when you leave a service you have a right to have all information in a company's database deleted). If I were to go into a police station and demand all the CCTV footage they have on me, they would have to supply it (my right to see). Finally, if I don't agree that companies can share my information with 3rd parties then they aren't allowed to share it, full stop; if they do, you can prosecute.
121Media argue Phorm doesn't violate the Data Protection Act because you are visiting public websites (it being akin to walking along a public highway and so no right to privacy). Hopefully the Information Commission won't see it that way and will enforce the view that sending unencrypted HTTP packets through port 80 is the same as making a phone call and so falls under the same protections.
Re:So what's the status on IPSec? (Score:2, Informative)
The problem with opportunistic encryption is the key management. That's why DNSSec is important. Without trustworthy public keys, man in the middle attacks are trivial. But DNSSec isn't so simple with dynamic IP addresses and that is the real reason why residential users are going to be the last to get working IPSec.
Not necessarily (Score:3, Informative)
With ISPs starting to snoop, suddenly this has real value.
Combine this with 3rd-party SSL-enabled DNS, and you've got some reasonable countermeasures.
Your ISP will know you talked to dns.ssldnsprovider.com over an encrypted channel and then immediately carried on a series of conversations with 1.2.3.4 over port 443, but he won't know which of the thousands of web sites hosted by 1.2.3.4 you talked to.
Dns.ssldnsprovider.com will know you looked up the address for www.freetibetnowdammit.com but not much else.
You will be presented with a certificate for www.somebigwebhostingprovider.com that mismatches www.freetibetnowdammit.com, but freetibetnowdammit.com will explain why and say not to worry about it, as will all the other hosts residing on 1.2.3.4.
Re:ssh tunnelling + squid (Score:3, Informative)
My example is a case where if the AUP of the colo company explicitly states that they do not monitor traffic, and your ISP for the last mile does, you can avoid your ISP's deep packet sniffing.
Re:So what's the status on IPSec? (Score:4, Informative)
There was a time when encryption-by-default could have become the norm for Internet communications. It was largely passed by because the Clinton administration treated encryption technology as if it were chemical weapons. Even though the math to do it was a genie out of the bottle, they forbade American companies from trafficking in encryption technology if it involved overseas clients. So either it wasn't pursued, or the companies went overseas (e.g. F-Secure) but the end result is that encryption did not become a fundamental part of Internet communications.
Even weirder, one of the few to take a stand against this was John Ashcroft. Though, to his credit, he stood up to illegal wiretapping in the Dubya years as well. I don't agree with him on very much at all, but I have to give him credit for being a rare principled individual on this score.
So, to sum up, had the Clinton admin not squashed crypto so badly, we might not have to worry about mass spying on the public. They'd still be able to get around the encryption when it really mattered; they do black bag jobs and put keyloggers in mafioso computers when they need to do that, and I think that's a good balance of civil liberties and legitimate law enforcement, assuming warrants are involved.
Sadly, America has apparently decided that the First Amendment is tolerable, the Second is awesome, and fuck the rest of them. What an insult to our nation.
My favorite amendment? The Ninth: any rights not explicitly delineated in the Bill of Rights probably exist. Of course, the current Supreme Court (and conservatives in general) shit on that amendment, for some weird reason.
Re:Why not spider the web? (Score:3, Informative)
Citation needed. You're entitled to use reasonable force [cps.gov.uk] against an attacker in situations such as this. If for instance an intruder is attacking a family member, and you bash him over the head with some heavy blunt instrument, you're unlikely to be charged even if he later dies of the injury you dealt him.
If on the other hand an intruder has finished attacking a family member, and he leaves, and you pursue him down the street and beat him to death in revenge, you'll rightly be up on murder charges. Shooting intruders in the back while they're fleeing is also frowned upon, as is the practice of filling your house and grounds with booby-traps in expectation of intruders.
A great many specific weapons are illegal in the UK, but the principle of self-defence remains very much in force.