ISPs Using "Deep Packet Inspection" On 100,000 Users 309
dstates writes "The Washington Post is reporting that some Internet Service Providers (ISP) have been using deep-packet inspection to spy on the communications of more than 100,000 US customers. Deep packet inspection allows the ISP to read the content of communications including every Web page visited, every e-mail sent and every search entered, in short every click and keystroke that comes down the line. The companies involved assert that customers' privacy is protected because no personally identifying details are released, but they make money from advertisers who use the information to target their online pitches. Deep packet inspection is a significant expansion over tools like cookies in the ability to track a user. Critics liken it to a phone company listening in on conversations."
ssh tunnelling + squid (Score:5, Interesting)
ssh -f -N -L 1234:localhost:1234 -p 5678 my.squid.server.com
Configure firefox to use a proxy to localhost:1234 and all traffic is encrypted to the squid server.
Of course, I could just use Tor, which is great, but can be slow. In fact, you could run a tor server on your colo machine and have all tor traffic bounce off of the server, which would be pretty fast if you leave tor running as a daemon and dedicate a decent amount of bandwidth to the tor network.
There should be a law (Score:5, Interesting)
And if I hear one libertarian say we need less laws, I'll puke. It's as if they though they had a magic wand and all the troubles of the world would disappear by removing government. Unfortunately, the world hasn't worked that way since we left the caves 12,000 years ago.
Re:Filesharing Responsibility? (Score:3, Interesting)
Re:Good luck with that (Score:5, Interesting)
Any data at all on user trends more than their competitors will help advertising companies make money.
Up to 2 years imprisonment (Score:5, Interesting)
Re:Encrypt everything. (Score:5, Interesting)
How does the webserver know what to give you when foo.com and bar.com map to the same IP address, and the browser requests something like index.html that exists on both? This works only because when the browser makes the request it also tells the webserver which domain it was trying to access. The browser sends something like this: Now, this breaks for SSL, because SSL happens before the connection is established, so there's no way to decide which certificate to use based on the domain.
To fix to this is adding the support directly to SSL. rfc4336 contains a mechanism to do this with TLS.
Why not spider the web? (Score:3, Interesting)
Re:Btw. is your ISP Knology? (Score:5, Interesting)
7. Go directly to Federal-pound-me-in-the-ass-prison for postal fraud. Do not pass go, do not collect $200.
Seriously, if the USPS, UPS or Fedex started doing this can you imagine the outrage? Yet somehow it's ok to do it with electronic communications? WTF?
Encrypt everything! (Score:4, Interesting)
This was their goal, but hostility and forking ensued when most people really wanted to just have an IPsec implementation on Linux. OE is still a good idea, though, and that's what they're focusing on now.
The obvious design win would be if Linksys and Netgear built OE into their consumer grade firewall/routers. Then everyone would have it, not even know it, and when large site operators started deploying it on their network edges, massive amounts of crypto would start traversing the Internet, and no one would be bothered by it.
That's really the key to good system design: add complexity, but don't bother the end user -- it's not his problem.
NebuAd info, and a request for info (Score:4, Interesting)
I just checked NebuAd's Privacy policy [nebuad.com]:
NebuAd products do collect and use the following kinds of anonymous information:
Now that's way out of line for an ISP to collect, let alone send to an ad agency.
We may be able to do something about this.
We run SiteTruth AdRater [sitetruth.com], which rates advertisers. We have a Firefox extension which displays a rating icon for each ad served. When an ad link goes by, and it's not in the browser cache, the extension contacts our server for a rating of the advertiser. So we collect, over time, a list of advertisers for various ad systems. We're not collecting data about users; we're interested in advertiser behavior. (You can read the source code for the plug-in, so there's no mystery about what we're doing.)
We're not currently tracking NebuAd, Front Porch, or Phorm ads; we've been focusing on the bigger players. It looks like we need to be tracking this behavior. If anyone can find ad links from those services, please post the ad link here, or mail it to "info@sitetruth.com". We need some examples so we can modify the plug-in to recognize them.
If we can collect sufficient information about this class of advertisers, we may publish their customer list, which would be useful for boycott purposes. Thanks.
Re:Why not spider the web? (Score:3, Interesting)
The second amendment gives us all the right to the strongest encryption we can get our hands on.
Deep Packet Inspection Not For Ads (Score:5, Interesting)
It was, and is, always about the network profile. If they find out that 10% of the traffic on the network is VoIP traffic, they want to design the network shift this traffic to have lower latency.** If they find out that 50% of the traffic is BitTorrent, they may put rules in place around such services. In my opinion, the service providers that I have dealt with do not have the technology in place to target down to the user. Also, they do not appear to be developing this technology.
**Some can argue that providers are instinctively evil and want to destroy this traffic, but I'm not going to fight this here.
Re:VPN FTW (Score:3, Interesting)
Doesn't that violate the copyright on the page held by
DPI is for QoS, not marketing (Score:2, Interesting)
This way you can decide to route P2P traffic flows on best effort basis, but "over-the-top" video (eg. Youtube) flows you route through a higher quality connection. This improves user satisfaction.
That's the idea anyway, saying it's for targeted advertising sounds quite paranoid to me.
Only have more questions (Score:3, Interesting)
It'd be nice at least to know who's actually participating in this so we could know who to avoid.
Re:Filesharing Responsibility? (Score:3, Interesting)
Re:Why not spider the web? (Score:4, Interesting)
They knew exactly what they were writing. The frontier was subject to constant "terrorist" attacks from indians and french at the time. The British had specifically forbidden the smaller villages from maintaining arms caches to defend against attacks in the middle of the night. Instead they demanded British troops be stationed in people's homes ruled only by the crown and not by Colony or local rules. It was the right of you and your neighbors to defend yourselves without "asking permission" from any government and without reprisal for doing so. Note that Britain as basiclly out lawed self defense even in your own home today. Even if your daughter is being raped, in your home, you can be brought to charges for having any kind of weapon used to defend her if the attackers die.