
ISPs Using "Deep Packet Inspection" On 100,000 Users

dstates writes "The Washington Post is reporting that some Internet Service Providers (ISP) have been using deep-packet inspection to spy on the communications of more than 100,000 US customers. Deep packet inspection allows the ISP to read the content of communications including every Web page visited, every e-mail sent and every search entered, in short every click and keystroke that comes down the line. The companies involved assert that customers' privacy is protected because no personally identifying details are released, but they make money from advertisers who use the information to target their online pitches. Deep packet inspection is a significant expansion over tools like cookies in the ability to track a user. Critics liken it to a phone company listening in on conversations."

  • by Gothmolly ( 148874 ) on Saturday April 05, 2008 @09:46AM (#22972530)
    ISPs have always been notorious for secretly compressing your images, caching your traffic, proxying stuff, slipping their own content into your web pages, etc. They look at the contents of your mail, since you can't spoof from anyone to anyone via their servers. How is this different, other than some joker gave it an ominous sounding name like 'Deep Packet Inspection' ?
  • by mpaulsen ( 240157 ) on Saturday April 05, 2008 @10:46AM (#22972904) Journal
    Never mind that it's evil, or that it's a great step to losing their common-carrier status.

    They don't have a common-carrier status to lose.
  • by Ernesto Alvarez ( 750678 ) on Saturday April 05, 2008 @10:59AM (#22972966) Homepage Journal
    Let me add OTR messaging [cypherpunks.ca] to the list.

    Available for Pidgin (aka GAIM), Adium X, mICQ, Kopete, Miranda, Trillian and as a proxy for people that use other clients. Works on any IM network.

    (I've been using it on GAIM for some time and I recommend it)
  • Enough! (Score:4, Informative)

    by iamacat ( 583406 ) on Saturday April 05, 2008 @11:19AM (#22973092)
    Time has shown that nobody will protect your privacy besides yourself. It's time for ALL Internet traffic and ALL phone traffic to be encrypted with an option to get SSL keys for each machine or phone from trusted authorities in different countries. This way a particular person asserting privacy is not labeled a terrorist, Comcast can not selectively block bittorrent, Chinese firewall is out of business and phone companies do not need immunity for spying on subscribers. IPv6 will have to be adopted anyway in the next 10 years and it included encryption, so the time is right to make both switches at once with little extra IT overhead.
  • by Anonymous Coward on Saturday April 05, 2008 @11:30AM (#22973148)
    HTTPS is not used for one simple reason. It adds HUGE overhead to a session and reduces the number of sessions a server can handle, thus a web host needs more investment into servers in order to service the same level of users it does now.
  • by jmorris42 ( 1458 ) * <jmorris&beau,org> on Saturday April 05, 2008 @11:39AM (#22973192)
    > If these are the ISPs (as opposed to the visited web sites) doing
    > the spying, then how are the advertising companies involved supposed
    > to deliver the content?

    Because the visited web sites already aren't the ones delivering the advertising. You go to CNN.com and view a page. The ads come from an outside site. That site partners with your ISP. They toss a packet with the IP and perhaps other info (like browser info so the ISP can determine which PC behind the home NAT is making the request and map that to a 'user number or email identity') and returns it. The ad server examines the previous history for that identity and the page being requested and picks an appropriate ad. And it all happens behind the scenes in the page load delay. Frightened yet?
  • VPN FTW (Score:2, Informative)

    by billcopc ( 196330 ) <vrillco@yahoo.com> on Saturday April 05, 2008 @11:43AM (#22973210) Homepage
    Funny, while loading this page I got a "bandwidth cap warning" from my ISP, stealthily inserted into the page (Rogers Cable).

    I expect nothing less from the despicable scam shop that is Rogers, but it's still kind of creepy.

    For me, it's not a huge deal because I run a number of geographically diverse servers, I can VPN or proxy my traffic through any combination of them, should the need arise. Like any invasion of privacy, I'm not concerned about the marketing uses, it's the inevitable abuse that scares me, either by ISP staff sniffing passwords, or script kiddies rooting the monitoring systems (and/or the idiot sysadmin's PC).

    The thing is, at this point I've given up on common sense. Things will continue to get more and more ridiculous until we reach a breaking point... the bubble will burst and there will be backlash against these invasions of privacy, but only when the common fool finally realizes their life is being tarnished by the practice.

    Until then, we'll continue to be labeled as paranoids with our tinfoil hats.
  • People already do (Score:5, Informative)

    by mark_hill97 ( 897586 ) <{masterofshadows} {at} {gmail.com}> on Saturday April 05, 2008 @11:49AM (#22973258)
    It's called Tor [torproject.org].
  • by interiot ( 50685 ) on Saturday April 05, 2008 @11:51AM (#22973268) Homepage
    Wrong RFC. That would be RFC4366 [rfc.net],
  • by mollymoo ( 202721 ) * on Saturday April 05, 2008 @12:07PM (#22973342) Journal
    Encryption doesn't stop people knowing who you're talking to, just what you're saying to them. And Slashdot does offer SSL to subscribers.
  • by blhack ( 921171 ) on Saturday April 05, 2008 @12:15PM (#22973390)
    Fedex and UPS DO do this.

    It's not like there is somebody at Qwest sitting there reading each and every one of my emails, rather they're searching through it looking for things that look suspicious. It's the same thing that couriers do looking for people shipping drugs around.

    Don't get me wrong, I think it's asinine, just pointing out that it's not something that is exclusive to the internets.
  • by darkpixel2k ( 623900 ) on Saturday April 05, 2008 @12:48PM (#22973582)
    It's beyond me why this hasn't happened already.

    As far as I know, IIS and Apache don't quite support TLS yet (although it's in-progress) which means every SSL-enabled website would have to be on its own unique IP/port...making the IP 'crunch' even more of an issue.
  • by Stevecrox ( 962208 ) on Saturday April 05, 2008 @01:03PM (#22973696) Journal
    Phorm argues it doesn't break the law because they offer an "opt out" clause and so isn't affected by the RIPA act. BT's trial last year of Phorm against 10,000 users is being investigated as potentially illegal as users weren't given the chance to opt out. It should be an easily won case since BT by supplying 121media and not asking if they can share this information have broken the Data Protection Act. BT maintains plans to implement Phorm with the ability to opt out (through a cookie on your PC.)

    I've already sent a letter to my service provider (Virgin Media) informing them I want no part of Phorm and if they implement it (which they are considering) I will be prosecuting them under the Data Protection Act. I suggest all BT, Talk Talk and Virgin Media users do the same.

    The Data Protection Act in the UK is the best defense against this sort of thing, it defines how companies may handle personal data, the right a person has to that data and what responsibilities the organisations have with it. The biggest problem with it tends to be phone operators who've never read it trying to tell you the section you read to them is wrong.

    I believe someone is trying to prosecute Facebook because they were unable to remove their information from Facebook (when you leave a service you have a right to have all information on a company's database to be deleted). If I were to go into a police station and demand all the CCTV footage they have on me they would have to supply it (my right to see). Finally, if I don't agree that companies can share my information with 3rd parties then they aren't allowed to share it full stop; if they do you can prosecute.

    121Media argue Phorm doesn't violate the Data Protection Act because you are visiting public websites (it being akin to walking along a public highway and so no right to privacy). Hopefully the Information Commission won't see it that way and will enforce the view that sending unencrypted http packets through port 80 is the same as making a phone call and so falls under the same protections.
  • by Anonymous Coward on Saturday April 05, 2008 @01:10PM (#22973740)
    NAT is not a problem since IPSec is host-level encryption, not application- or user-level. The network address translator can be an encrypting gateway. That's not a problem because it already mangles the packets in other ways. From the public network point of view, it is a leaf node, one end in end-to-end.

    The problem with opportunistic encryption is the key management. That's why DNSSec is important. Without trustworthy public keys, man in the middle attacks are trivial. But DNSSec isn't so simple with dynamic IP addresses and that is the real reason why residential users are going to be the last to get working IPSec.
  • Not necessarily (Score:3, Informative)

    by davidwr ( 791652 ) on Saturday April 05, 2008 @01:49PM (#22973956) Homepage Journal
    You could have 10,000 domains that share a common cert provided by the hosting provider. It does squat for authentication but it does prevent snooping.

    With ISPs starting to snoop, suddenly this has real value.

    Combine this with 3rd-party SSL-enabled DNS, and you've got some reasonable countermeasures.

    Your ISP will know you talked to dns.ssldnsprovider.com over an encrypted channel and then immediately carried on a series of conversations with 1.2.3.4 over port 443, but he won't know which of the thousands of web sites hosted by 1.2.3.4 you talked to.

    Dns.ssldnsprovider.com will know you looked up the address for www.freetibetnowdammit.com but not much else.

    You will be presented with a certificate for www.somebigwebhostingprovider.com that mismatches www.freetibetnowdammit.com, but freetibetnowdammit.com will explain why and say not to worry about it, as will all the other hosts residing on 1.2.3.4.
  • by Orp ( 6583 ) on Saturday April 05, 2008 @01:49PM (#22973958) Homepage
    You presume I am doing anything illegal in the first place. And if using ssh raises red flags for the gov't then they are going to be very very busy as it's really the de facto remote login protocol for all Unix machines.

    My example is a case where if the AUP of the colo company explicitly states that they do not monitor traffic, and your ISP for the last mile does, you can avoid your ISP's deep packet sniffing.
  • The Quick Fix (Score:3, Informative)

    by Nom du Keyboard ( 633989 ) on Saturday April 05, 2008 @01:50PM (#22973962)
    The quick fix to this is web-sites all allowing https, ssl, and vpn connections to them. That will end deep-packet inspection, leaving only a list of web-pages visited available. Gmail already allows https, but you have to ask for it.
  • by ajb44 ( 638669 ) on Saturday April 05, 2008 @04:51PM (#22975010)
    The best way to generate a groundswell against these systems is for websites to warn their users if they are on an ISP that does this. For those in the UK worried about the 'phorm' spying system, Richard Clayton has extracted some technical information from them here: http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/ [lightbluetouchpaper.org] and Gavin Jamie already has a prototype Phorm detector here: http://www.mythic-beasts.com/~gjamie/ [mythic-beasts.com]
  • Re:People already do (Score:2, Informative)

    by ksd1337 ( 1029386 ) on Saturday April 05, 2008 @04:57PM (#22975052)
    You can always run Tor as a node if you open up the ports. It improves your own security, and makes the network faster.
  • Re:People already do (Score:3, Informative)

    by Alereon ( 660683 ) on Saturday April 05, 2008 @05:16PM (#22975144)
    Tor does NOT provide a secure or encrypted connection, it provides an ANONYMOUS connection, which is entirely different. Unless you encrypt the data you send over the network yourself, it will be sent in cleartext readable by anyone. If you don't want someone looking into your packets, sending them over Tor to bounce among a number of untrusted hosts is not a very good idea.
  • by MadAhab ( 40080 ) <slasher@nospam.ahab.com> on Saturday April 05, 2008 @10:29PM (#22976978) Homepage Journal
    I think that GWB has been more destructive to America than we can really contemplate right now, but I have to give the credit to "the other side" on this one.

    There was a time when encryption-by-default could have become the norm for Internet communications. It was largely passed by because the Clinton administration treated encryption technology as if it were chemical weapons. Even though the math to do it was a genie out of the bottle, they forbade American companies from trafficking in encryption technology if it involved overseas clients. So either it wasn't pursued, or the companies went overseas (e.g. F-Secure) but the end result is that encryption did not become a fundamental part of Internet communications.

    Even weirder, one of the few to take a stand against this was John Ashcroft. Though, to his credit, he stood up to illegal wiretapping in the Dubya years as well. I don't agree with him on very much at all, but I have to give him credit for being a rare principled individual on this score.

    So, to sum up, had the Clinton admin not squashed crypto so badly, we might not have to worry about mass spying on the public. They'd still be able to get around the encryption when it really mattered; they do black bag jobs and put keyloggers in mafioso computers when they need to do that, and I think that's a good balance of civil liberties and legitimate law enforcement, assuming warrants are involved.

    Sadly, America has apparently decided that the First Amendment is tolerable, the Second is awesome, and fuck the rest of them. What an insult to our nation.

    My favorite amendment? The Ninth: any rights not explicitly delineated in the Bill of Rights probably exist. Of course, the current Supreme Court (and conservatives in general) shit on that amendment, for some weird reason.
  • by meringuoid ( 568297 ) on Sunday April 06, 2008 @04:04AM (#22978316)
    Note that Britain has basically outlawed self defense even in your own home today. Even if your daughter is being raped, in your home, you can be brought to charges for having any kind of weapon used to defend her if the attackers die.

    Citation needed. You're entitled to use reasonable force [cps.gov.uk] against an attacker in situations such as this. If for instance an intruder is attacking a family member, and you bash him over the head with some heavy blunt instrument, you're unlikely to be charged even if he later dies of the injury you dealt him.

    If on the other hand an intruder has finished attacking a family member, and he leaves, and you pursue him down the street and beat him to death in revenge, you'll rightly be up on murder charges. Shooting intruders in the back while they're fleeing is also frowned upon, as is the practice of filling your house and grounds with booby-traps in expectation of intruders.

    A great many specific weapons are illegal in the UK, but the principle of self-defence remains very much in force.
