
ISPs Using "Deep Packet Inspection" On 100,000 Users 309

dstates writes "The Washington Post is reporting that some Internet Service Providers (ISP) have been using deep-packet inspection to spy on the communications of more than 100,000 US customers. Deep packet inspection allows the ISP to read the content of communications including every Web page visited, every e-mail sent and every search entered, in short every click and keystroke that comes down the line. The companies involved assert that customers' privacy is protected because no personally identifying details are released, but they make money from advertisers who use the information to target their online pitches. Deep packet inspection is a significant expansion over tools like cookies in the ability to track a user. Critics liken it to a phone company listening in on conversations."
  • by Orp ( 6583 ) on Saturday April 05, 2008 @10:03AM (#22972652) Homepage
    I pay for a dedicated server (essentially colo but they provide the hardware) from a company with a decent AUP. I put linux on the server and run squid on a non-standard port, allowing connections from localhost only. Then from the machine I'm surfing from I tunnel into the squid server. Say squid is running on port 1234 and sshd is running on 4567:

    ssh -f -N -L 1234:localhost:1234 -p 4567 my.squid.server.com

    Configure firefox to use a proxy to localhost:1234 and all traffic is encrypted to the squid server.

    Of course, I could just use Tor, which is great, but can be slow. In fact, you could run a tor server on your colo machine and have all tor traffic bounce off of the server, which would be pretty fast if you leave tor running as a daemon and dedicate a decent amount of bandwidth to the tor network.
  • by nysus ( 162232 ) on Saturday April 05, 2008 @10:09AM (#22972696)
    It's illegal for anyone to open mail not intended for them. The same should be done for electronic communication.

    And if I hear one libertarian say we need fewer laws, I'll puke. It's as if they thought they had a magic wand and all the troubles of the world would disappear by removing government. Unfortunately, the world hasn't worked that way since we left the caves 12,000 years ago.
  • by NeverVotedBush ( 1041088 ) on Saturday April 05, 2008 @10:41AM (#22972868)
    I do believe that one could make that point. Comcast already has ways to throttle Bittorrent. If they are doing deep packet inspection, I would think that they would know down to the data block what files were being transferred.

  • by ChowRiit ( 939581 ) on Saturday April 05, 2008 @10:45AM (#22972900)
    However, you still get more accurate data on user trends as a whole - you no longer have the old problem of the fact that only the sort of people who fill in surveys will fill in your surveys, and they're not generally a representative sample.

    Any data at all on user trends more than their competitors will help advertising companies make money.
  • by gweihir ( 88907 ) on Saturday April 05, 2008 @10:49AM (#22972924)
    If you do this in the EU. Packet payloads are off-limits without court order. You may not even store them.
  • by DaleGlass ( 1068434 ) on Saturday April 05, 2008 @11:02AM (#22972990) Homepage
    The problem is that SSL happens before any HTTP does, and SSL is a general mechanism that can be used for any kind of TCP connection.

    How does the webserver know what to give you when foo.com and bar.com map to the same IP address, and the browser requests something like index.html that exists on both? This works only because when the browser makes the request it also tells the webserver which domain it was trying to access. The browser sends something like this:

    GET /index.html HTTP/1.1
    Host: foo.com

    Now, this breaks for SSL, because SSL happens before the connection is established, so there's no way to decide which certificate to use based on the domain.

    The fix to this is adding the support directly to SSL. rfc4336 contains a mechanism to do this with TLS.

  • by budgenator ( 254554 ) on Saturday April 05, 2008 @11:08AM (#22973020) Journal
    You think these guys don't like BitTorrent, wait until everyone starts a process to spider the web to obfuscate where the fleshies are really browsing at and run that 24/7 to overload their deep-packet inspection devices.
  • by Shakrai ( 717556 ) * on Saturday April 05, 2008 @11:23AM (#22973116) Journal

    1. Find his address 2. Intercept his snailmail (which later is returned). 3. Scan it and post it to our small group of Slashdotters. 4. Ask him if he thinks that this is a violation of his privacy? 5. ?? 6. Profit!

    7. Go directly to Federal-pound-me-in-the-ass-prison for postal fraud. Do not pass go, do not collect $200.

    Seriously, if the USPS, UPS or Fedex started doing this can you imagine the outrage? Yet somehow it's ok to do it with electronic communications? WTF?

  • Encrypt everything! (Score:4, Interesting)

    by IGnatius T Foobar ( 4328 ) on Saturday April 05, 2008 @11:25AM (#22973126) Homepage Journal
    The government may have the resources to break strong encryption in real time, but even the largest ISPs do not. So maybe now the FreeS/WAN project no longer sound like tinfoil-hatted paranoiacs when they push opportunistic encryption at every node [freeswan.org]. Everything gets encrypted automatically and transparently when talking between two OE nodes, regardless of the protocol.

    This was their goal, but hostility and forking ensued when most people really wanted to just have an IPsec implementation on Linux. OE is still a good idea, though, and that's what they're focusing on now.

    The obvious design win would be if Linksys and Netgear built OE into their consumer grade firewall/routers. Then everyone would have it, not even know it, and when large site operators started deploying it on their network edges, massive amounts of crypto would start traversing the Internet, and no one would be bothered by it.

    That's really the key to good system design: add complexity, but don't bother the end user -- it's not his problem.
  • by Animats ( 122034 ) on Saturday April 05, 2008 @11:44AM (#22973226) Homepage

    I just checked NebuAd's Privacy policy [nebuad.com]:

    NebuAd products do collect and use the following kinds of anonymous information:

    • Web pages viewed and links clicked on
    • Web search terms
    • The amount of time spent at some Web sites
    • Response to advertisements
    • System settings, such as the browser used and speed of the connection
    • ZIP code or postal code

    Now that's way out of line for an ISP to collect, let alone send to an ad agency.

    We may be able to do something about this.

    We run SiteTruth AdRater [sitetruth.com], which rates advertisers. We have a Firefox extension which displays a rating icon for each ad served. When an ad link goes by, and it's not in the browser cache, the extension contacts our server for a rating of the advertiser. So we collect, over time, a list of advertisers for various ad systems. We're not collecting data about users; we're interested in advertiser behavior. (You can read the source code for the plug-in, so there's no mystery about what we're doing.)

    We're not currently tracking NebuAd, Front Porch, or Phorm ads; we've been focusing on the bigger players. It looks like we need to be tracking this behavior. If anyone can find ad links from those services, please post the ad link here, or mail it to "info@sitetruth.com". We need some examples so we can modify the plug-in to recognize them.

    If we can collect sufficient information about this class of advertisers, we may publish their customer list, which would be useful for boycott purposes. Thanks.

  • by PopeRatzo ( 965947 ) * on Saturday April 05, 2008 @12:16PM (#22973398) Journal
    Strong Encryption. That's what we all need.

    The second amendment gives us all the right to the strongest encryption we can get our hands on.
  • by ffejie ( 779512 ) on Saturday April 05, 2008 @12:20PM (#22973412)
    I have a bit of history with two large service providers in the US. While I have not been involved directly with the deep packet inspection teams, I have had direct contact with all of them and helped them design networks using this technology. The technology was never sold to upper management as a way to track our users and target ads to them. It was never intended to capture a web page hit that was directed at a specific company to see what that consumer was interested in. Instead, it was always meant to monitor users (and more importantly, user aggregates) and determine what kind of traffic they were sending.

    It was, and is, always about the network profile. If they find out that 10% of the traffic on the network is VoIP traffic, they want to design the network to shift this traffic to have lower latency.** If they find out that 50% of the traffic is BitTorrent, they may put rules in place around such services. In my opinion, the service providers that I have dealt with do not have the technology in place to target down to the user. Also, they do not appear to be developing this technology.

    **Some can argue that providers are instinctively evil and want to destroy this traffic, but I'm not going to fight this here.
  • Re:VPN FTW (Score:3, Interesting)

    by corsec67 ( 627446 ) on Saturday April 05, 2008 @12:21PM (#22973418) Homepage Journal

    Funny, while loading this page I got a "bandwidth cap warning" from my ISP, stealthily inserted into the page (Rogers Cable).


    Doesn't that violate the copyright on the page held by /.? (Rogers made a derivative of the page, and distributed that to you)
  • by NicolaiBSD ( 460297 ) <spam@van d e r s m a gt.nl> on Saturday April 05, 2008 @12:29PM (#22973466) Homepage
    Every datacom box supplier is developing DPI features for their products. The main driver is not targeted marketing, but QoS. When you're able to identify traffic on the application layer, it gives you a lot of extra options in determining how to route the traffic.
    This way you can decide to route P2P traffic flows on best effort basis, but "over-the-top" video (eg. Youtube) flows you route through a higher quality connection. This improves user satisfaction.
    That's the idea anyway, saying it's for targeted advertising sounds quite paranoid to me.
  • by edmicman ( 830206 ) on Saturday April 05, 2008 @12:41PM (#22973540) Homepage Journal
    So which ISPs are doing this? What can we do to protect ourselves? It sounds like it's "enabled" by a cookie placed there by your ISP or NebuAd? Would Adblock and/or PeerGuardian be enough? Implementing blocking at the home router level? What can home users actually do?

    It'd be nice at least to know who's actually participating in this so we could know who to avoid.
  • by budgenator ( 254554 ) on Saturday April 05, 2008 @04:10PM (#22974750) Journal
    Not yet, but it seems that they are bound and determined to get there. I figure if they want to crawl that far up my ass, I'll just write a Perl script to spider every link on a page, and let it run recursively, give them enough data they start to buffer-overflow and fill up their hard-disks until they puke. Sure I probably can't do much to them, but ten thousand of us crawling the web can.
  • by mabhatter654 ( 561290 ) on Saturday April 05, 2008 @04:43PM (#22974958)
    The militia is of the STATES, so National Guard does not apply. In fact National Guard would generally be illegal as Quartering troops because the State Governors do not have control over their troops. The Army does not have legal right to operate in the States unless specifically asked by the state.

    They knew exactly what they were writing. The frontier was subject to constant "terrorist" attacks from Indians and French at the time. The British had specifically forbidden the smaller villages from maintaining arms caches to defend against attacks in the middle of the night. Instead they demanded British troops be stationed in people's homes ruled only by the crown and not by Colony or local rules. It was the right of you and your neighbors to defend yourselves without "asking permission" from any government and without reprisal for doing so. Note that Britain has basically outlawed self defense even in your own home today. Even if your daughter is being raped, in your home, you can be brought to charges for having any kind of weapon used to defend her if the attackers die.
