Deep Packet Inspection Set To Return 125
siliconbits passes along this quote from a Wall Street Journal report:
"'... two US companies, Kindsight Inc. and Phorm Inc., are pitching deep packet inspection services as a way for Internet service providers to claim a share of the lucrative online ad market. Kindsight and Phorm say they protect people's privacy with steps that include obtaining their consent. They also say they don't use the full power of the technology, and refrain from reading email and analyzing sensitive online activities. Use of deep packet inspection this way would nonetheless give advertisers the ability to show ads to people based on extremely detailed profiles of their Internet activity. To persuade Internet users to opt in to be profiled, Kindsight will offer a free security service, while Phorm promises to provide customized web content such as news articles tailored to users' interests. Both would share ad revenue with the ISPs. Kindsight says its technology is sensitive enough to detect whether a particular person is online for work, or for fun, and can target ads accordingly."
Really? (Score:3, Insightful)
More like the identity theft market....
Re: (Score:1)
The better analogy is letting the USPS read our postcards and use information from that to create better advertisements to help pay for the service. You have a legitimate right to privacy with a sealed envelope (according to the law) and you have that same right to privacy if you seal your packets (i.e. encrypt them). In fact, your ability to protect your private packets is much stronger than your ability to protect your private mail.
Now, my personal opinion on the matter is that a decent company shouldn'
Re: (Score:1)
How so? The contents of paper-based mail can be encrypted with a public key too and additionally has a sticky envelope flap!
Re: (Score:2)
And Common Carriers are prohibited from intercepting your information without a warrant. Deep Packet Inspection requires "interception".
Re: (Score:2)
Oh, targeted spam? (Score:1)
How would I get those news stories that I'm so interested in? I'm not going to their website.
Maybe they'd like to clog up my inbox! Sure, what the hell. I always felt that having midget tranny anal fisting and nasty naked cilice-wrapped nuns were too hard to find. I'd love having that delivered right to me.
Re: (Score:2)
Sure, what the hell. I always felt that having midget tranny anal fisting and nasty naked cilice-wrapped nuns were too hard to find. I'd love having that delivered right to me.
Careful what you ask for. I wouldn't be so quick to be posting stuff like this these days. If you know what I mean.
Keep your hands out of my packets. (Score:2)
I repulsed by the very idea that they would violate of their common carrier status (we're Ma Bell, we connect everyone from presidents and kings to the scum of the earth - Ernestine the hone operator.)
If your ISP is doing that, thrown them off the 'net.
The day they announce some bone headed scheme like that is the day I use wide key PGP and 256 bit SSL to encrypt EVERYTHING I send.
(And I don't use Google mail for anything non-trivial.)
Re: (Score:2)
One of the chiefs of the FCC recently pushed to re-designate them as common carriers. That would solve a lot of problems (like this one). But so far it hasn't happened.
Re: (Score:3, Informative)
An ISP which controls DNS and access to certificates can transparently position itself in the middle of an encrypted link. Unless keys are exchanged off line, or through other networks, end to end encryption will not help.
Re: (Score:1)
That would be illegal in the UK. ISPs tend to avoid doing stuff that's going to get them fined; lose them customers etc.
Re: (Score:1)
Re: (Score:1)
Re: (Score:3, Informative)
Say you have an account with an ISP. The wider internet is accessed through the ISP network. Nothing stops the ISP from building a model of the internet within their network, so that when you think you are connecting to your bank, you actually connect to a proxy run by the ISP which forwards connections on to the bank.
This is how it works at my workplace. All SSL connections are proxied.
Re:Encryption (Score:4, Informative)
I disagree (Score:1)
if I'm the pipe that feeds you, and I provide your web pages
I can certainly answer with whatever I want to your request
and make it seem to come from the same IP address as you asked it from
Re: (Score:3, Informative)
Re: (Score:1)
In theory, yes, it would be impossible to spoof an ssl certificate. However, in practice there are numerous man-in-the-middle attacks on SSL implementations.
It would not be trivial, but there are ways for an ISP to spoof it's identity even with SSL.
Re: (Score:2)
the browser already has a secure certificate installed with which to verify your identity. They come on the Windows CD (For IE, the most popular browser still) and are thus beyond your power to control.
In many places the browser is entirely controlled by the ISP. Consider mobile phones for example. Additionally some people install software on their clients when they set up their internet connections.
Re: (Score:1)
Sculpture for sale [thesculpturepark.com] at [url=http://www.thesculpturepark.com]Sculpture park[/url]: bronze sculptures, metal sculptures, glass sculptures, wood sculptures, stone sculptures, sculpture parks!
Re: (Score:2)
It is trivial to redirect anything going out port 53 to your DNS servers, so if someone is using Google's DNS or OpenDNS, it would end up with the query being returned from the ISP's servers.
Returns? Did it ever go away? (Score:4, Insightful)
Deep Packet Inspection Set To Return
I didn't know Deep Packet Inspection ever went away. Did I miss something?
Re: (Score:2, Interesting)
No, it never went away. I used to work for a top5 cable ISP in the US... and all they did put their sandvines servers in 'shunt' mode. Also, they are corporately controlled, so they could be turned on ANYTIME for ANYTHING without the local network admins even being aware. Oh yeah, and I found access to them while i was still there, and still have access to them.... so I could turn them on for ANYTHING without anyone knowing also. Scary, huh? Firesheep anyone?
Re:Returns? Did it ever go away? (Score:5, Interesting)
No, as an ex-employee of a southeastern US ILEC I can tell you that they were doing deep packet inspection (and alteration) on all DSL lines from 2003 at latest. The equipment used was the Lucent BSN5000 switches. We weren't supposed to know about the packet alterations, but they made some problems impossible to fix.
Trust (Score:4, Insightful)
I'm happy to hear you won't read the mails. I take your word for this, ISP's, because you're trustworthy!
Thanks for giving me your word, and only reading other parts of my surfing habits!
Re:Trust (Score:5, Insightful)
Its a stupid thing for them to say that too...
They also say they don't use the full power of the technology, and refrain from reading email and analyzing sensitive online activities
Okay - so say my sensitive online activity includes compulsively looking up pornography. How exactly, are you going to determine that its the kind of activity I don't want you to be inspecting, WITHOUT INSPECTING IT?
Re:Trust (Score:5, Insightful)
Okay - so say my sensitive online activity includes compulsively looking up pornography. How exactly, are you going to determine that its the kind of activity I don't want you to be inspecting, WITHOUT INSPECTING IT?
Exactly the same way all the other trackers like google's doubleclick let people "opt-out" - they still collect all the information about you, they just defer from showing you advertising that would remind you that you are still being tracked. Seriously the industry's idea of "opt out" is never to opt out of data collection, its just to opt out of obviously skeeving you out.
Re: (Score:2)
I'm happy to hear you won't read the mails. I take your word for this, ISP's, because you're trustworthy! Thanks for giving me your word, and only reading other parts of my surfing habits!
They... refrain from reading the emails... I wonder if their software is under such restrictions.
Oh!!!! But they offered free adware software in the past... which would simply allow them to collect even more information (like all your offline information). Neato!
I trust them!!!! You should too!!![/sarcasm]
Just sell me internet access please (Score:5, Insightful)
And then consider it mine to do with as I please. If people thought of internet access like a rented apartment, they would recognize ISPs seeking revenue on the other end for the double dipping and theft for what it was. It would be like a landlord using your rented place as his storage area and requiring toll for any visitors.
Stop trying to make a 50 cents per user with everything else and be happy with my $20-50 per month. I stop frequenting other businesses that stop treating me less like a customer in my own right and more like a revenue stream to be exploited and maximized at all costs.
I know some people put up with this (buying the cheapest computers that have all manor or shitware on them) but I stopped that game long ago. Not worth my time.
I also drop any so-called friends that try to make me their lower step in any mlm scheme. It's all the same thinking and I want none of that.
Re: (Score:2)
Re: (Score:3, Insightful)
All analogies break down. If they didn't, it would be because all properties down the list would be equal meaning the situation is the exact same in every respect.
All that matters with an analogy is if it illustrates the point to the audience and whether it is truthful in doing so.
Re: (Score:3, Insightful)
You should read your lease. There are a large number of things you can't do in your apartment.
Re:Just sell me internet access please (Score:5, Informative)
You should read your lease. There are a large number of things you can't do in your apartment.
You should read your TOS. There are a large number of things you can't do with your ISP as well. The point is that as long as you are being a good customer, neither should be meddling into your life. There is already protection on the books for renters that vary from state to state, ie: the landlord has to give notice before an inspection, they can't just kick you to the curb for no reason with 1 days notice, etc. The problem is that there is NO consumer protections for customers of internet access. They just keep figuring out new ways to try to make money off of you, typically at your expense. In older consumer markets, they would be subject to fines and/or prosecution for similar actions.
The problem is that since it is the internet, they think that there are no rules that apply to them, and unfortunately, they are almost correct.
Re: (Score:2)
Actually, YOU should read YOUR TOS so you can see there are a large number of things that the ISPs can do, but haven't been doing up until this point. Much like how a certain OS manufacturer used to have a buncha services that the TOS stated they could use to sell anything you uploaded... and then later added an option in their picture service to do just that...
Most people never read the fine print in their TOS. I have.
Most people never stop long enough to try to determine what the term "business partner"
Re: (Score:3, Insightful)
You are missing the whole point: In your apartment, the landlord can't just put a clause that allows him to install hidden cameras or gets your first born child. It would be illegal regardless of whether it was in the fine print, as a general rule. (excepting reality shows...). Your ISP however, has the ability to chance the TOS any time without the housing authority oversight. You are stating the whole problem, that they can put shit in the TOS that should be illegal to begin with.
Re: (Score:2)
Where one lives is governed my a different set of rules because the circumstances are entirely different. Physical objects, expectation of being able to be totally naked without being spied on (ie: shower, bedroom, or anywhere else simply for the hell of it).
Also, housing is deemed for many legal purposes, as your own while it is being rented. You don't buy (in any legal sense) the Internet when you get a connection.
Also, one chooses what they put online, or what they do online. Which is far different fr
Re: (Score:2)
How about this then: Lets let Ma Bell listen to your phone calls using "deep packet inspection" so they can serve you up advertising. Both are communications channels.
Re: (Score:1)
How about this then: Lets let Ma Bell listen to your phone calls using "deep packet inspection" so they can serve you up advertising. Both are communications channels.
I didn't say it was right (though, AFAIR, Ma Bell already does that - sans the advertising part). I just said you made a very bad analogy, and that there are no laws that apply to prevent such from occurring, unlike (due to the differences in your analogy) the stuff you used in your renter's analogy.
So, again, I fully think this sucks, and should not happen. I was just pointing out that sadly, there is nothing to prohibit it that I can find, as long as the TOS allows it. I can't think of an analogy that f
Deja vu (Score:3, Insightful)
Re:Deja vu (Score:5, Interesting)
Re: (Score:2)
It's almost considered to be equivalent to wire-tapping. Intercepting someone's communications.
In the end the EU gave the UK government a big slap for letting it happen:
http://www.theregister.co.uk/2010/09/30/eu_phorm/ [theregister.co.uk]
National Do Not Advertise List!!! (Score:1, Insightful)
Just like the "national do not call list" we need a "National do not advertise list" .
Re: (Score:3, Insightful)
Re: (Score:1)
Advertisement is the motivation for collecting the data. We might be able to solve the collection problem by removing the monetary incentive.
Hmm... (Score:5, Insightful)
At present, most sites the public interacts with(outside of the very moment of a credit card transaction or banking login) tend to skip SSL, even when that is a terrible idea. Social networks, email, loads of other not-directly-financial-but-really-shouldn't-be-unencrypted stuff goes flying over the wire, in the clear, because the providers don't want the computational overhead of SSL. Even when they have the capability, it is rarely the default, and people who go to http://foo.whatever/ [foo.whatever] typically aren't kicked over to https://foo.whatever./ [foo.whatever.]
However, most of those sites depend on advertising and user profiling(either third party, as in the case of sites that run adsense or equivalent, first party, as with Gmail, or as a proprietary advantage, as with Amazon's customer recommendation engine). The advertisers will be, to put it in the mildest possible terms Unbelievably Fucking Ripshit when they hear that ISPs and their spook cronies will be horning in on their action. Not Happy. Very, Very, Not Happy. And if you think that they were not happy at that, just wait until the DPI crew starts injecting 3rd party ads and things into pages. Using your DPI evil to, say, inject 3rd party recommended products right into Amazon or any other online retailer's website would be eminently doable, technologically. That will really piss them off. Lawyers will be deployed, faces will turn purple. Shoes will be banged upon boardroom tables, Khrushchev style.
Since, as stated above, strangling their executives with the entrails of their own children isn't generally legal, they'll have to do something else. Specifically, pull their cheap heads out of their tightwad asses and start using SSL more seriously. Since your ISP is the ultimate man-in-the-middle, they won't be able to stop them from seeing where you are going; but they will be able to stop them, dead, from monkeying with, or even reading in any useful way, your traffic.
Ideally, Phorm and friends will do more than the EFF has, probably by a substantial margin, to drive mainstream SSL adoption, and then suffer a series of crippling workplace spree-killings.
Re: (Score:2)
It's interesting to note that if you try to visit Slashdot on 443, it immediately redirects you to 80...
Re: (Score:2)
It's interesting to note that if you try to visit Slashdot on 443, it immediately redirects you to 80...
Subscribe to disable this redirection.
Re: (Score:2)
So they want us to pay? So they might like this additional ad revenue stream. /. used to be cool
Re: (Score:2)
How dare they provide a free service, that doesn't do exactly what I want!
Re: (Score:2)
That is absurd, because modern hardware can establish 1500 sessions per core per second if using 1024-bit RSA keys[1]. While going to 2048 bits will take longer, you are claiming it will take over 16 times longer to establish a 2048 RSA session. That does not sound right to me.
[1] http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html [imperialviolet.org]
SSL can only be adopted if provided by websites (Score:3, Interesting)
Re: (Score:2)
The situation is actually quite analogous to net-non-neutrality. Some sites will likely play ball; but the overall effect of such a scheme is(quite evidently to any player paying attention) a net tra
Re: (Score:3, Insightful)
One small issue with moving everything to https is that you need one IP address per domain. That puts a pretty big wrinkle in the many, many servers out there that serve up multiple domains per IP. (Technically, you can do so if you utilize unique ports on the same IP for each served domain, but that breaks the "just works" aspect of port 443).
It's not insurmountable, but it does put more pressure on the already shrinking IPv4 pool. Another reason to hasten the adoption of IPv6, I suppose...
Re: (Score:1)
Name based virtual hosting with https is possible too.
http://en.wikipedia.org/wiki/Server_Name_Indication [wikipedia.org]
I think this is... (Score:3, Insightful)
Re: (Score:1, Insightful)
For how many more years do you think that will be legal, outside of https for your credit card numbers and such which they can't really get rid of?
Encryption causes all kinds of "problems" for those who would be our masters. I'm starting to surf through an encrypted VPN tunnel for anonymity, and use GPG for emails to and from friends. I expect inside 10 years there will be laws letting governments shut that kind of thing down. Only terrorist need privacy.
Re: (Score:2)
Re: (Score:2)
That works only in a few situations.
Encrypted e-mail maybe, encrypted storage in general will work.
But not your https connection. Or ssl connection. For those there are no keys stored: they are created time and again, and dropped when done. "Listened" in to an encrypted VoIP conversation? Well good luck getting keys to decrypt that.
Re: (Score:2)
You make it sound... (Score:2)
Your Honor (Score:4, Insightful)
Your Honor, my client was irreparably harmed by a Comcast customer's emails and web traffic, which they now have the technical abiltiy to monitor and are in fact doing so on a regular basis to their financial advantage. Comcast's failure to use this technology to stop the harm done to my client is the basis for our claim of one bazillion dollars in damages.
The real problem (Score:2)
The real problem with this kind of technology is that it works often enough to make it worth for them. I for one blame, first and foremost, the people who buy from this kind of advertisement (including spam).
Re: (Score:2)
Incentive (Score:5, Informative)
The companies now offering ad services based on deep packet inspection believe they have learned how to make the services acceptable to privacy advocates and Internet users. This includes asking for permission up front and offering people incentives to receive targeted ads, such as Kindsight's free security service, which includes identity-theft protection. Customers can pay a monthly fee to receive no ads.
Wow, that's just fucking fantastic. So according to their model, you're going to have to pay your ISP to not receive ads..? Great, now my ISP is going to start a protection racket - "hey, for a small monthly fee, we won't bombard you with ads and snoop your data!".
Re:Incentive (Score:4, Funny)
Yeah, you sees, if you pay da money to us, your bakery won't, y'know, burn down, see?
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Bad marketing.
They should raise the fees by that amount, and then offer a discount for the version with extra ads. And then the discounted version is the same cost as the old price. And of course advertise the hell out of the "discounted" price as if that's the new "enhanced" service.
Re: (Score:1)
Protecting Privacy (Score:1)
Don't touch my packet! (Score:3, Funny)
I read the headline and assumed this would be another story about the TSA's screening procedures...
Re:Don't touch my packet! (Score:5, Funny)
The difference is subtle. The TSA scanners scan your penis, Phorm's scanners scan you scanning other peoples' penises.
Re: (Score:3, Funny)
Phorm phights phoul phreedom phighters (Score:3, Funny)
Beleaguered Internet advertising phirm Phorm is hitting back at critics with StopPhoulPlay.com, in an attempt to lure Internet activists into herniating from laughter.
"It is clear that the campaign against Phorm originates in the sinister manipulations of Alex Hanff and Marcus Williamson," said Kent Ertegun, CEO of Phorm, "who have used mind control lasers and the killer robot armies of the Open Rights Group and FIPR to deceive millions of Britons into a Communistic fervor of hatred against the engines of the free market and customer demand, the salesmen and marketers, the true creators and enablers of objective value."
The website, designed in Microsoft Word, uses the infallible public relations format so successfully put into play by the ReligiousFreedomWatch.org site of the Church of Scientology, an upstanding community institution of similarly flawless repute. StopPhoulPlay.com reveals how:
"Given the persistence with which they propagate incorrect information, we cannot rule out the possibility that a competitor is involved," he said. "The competitor goes under the name 'reality.' Needless to say, we have no tolerance for an entity of such limited possibilities.
"These people are privacy pirates — people who steal privacy online, off the coast of Somalia. With Internet guns! And drugs! And child pornography!"
Mr Hanff and Mr Williamson said they were unsure whether to sue Phorm into atomic dust for gross defamation or just to let them continue with their infallible public relations work. Phorm shares have dropped from 405p to being rated a "serious infection risk" by the World Health Organization.
Picture: Targeted just for you. [newstechnica.com]
What if they did this with phone calls? (Score:5, Interesting)
Could anyone imagine the uproar if phone companies let telemarketers listen to your calls to find out what kind you products to market to you? This would give ISPs the ability to that to non-encrypted voip calls.
I couldn't imagine a cell phone or land-line phone company getting away with that.
Re: (Score:3, Interesting)
Don't they?
Not the content, at least for now, but there's money to be made selling the contact list, and not just to the gov't.
If you're regularly calling the local pharmacy, for example, don't the health insurance scammers have "a right to know that" (for a fee, of course) so they can stuff your mailbox (and email box, if you're lame enough to use your phone company as an ISP) with advertising?
Re: (Score:1)
Warrantless wiretapping isn't OK, even if it's just done by corporations.
Re: (Score:2)
"Opt out" of the Internet service altogether? (Score:4, Interesting)
HTTPS everywhere! (Score:1, Informative)
http://www.eff.org/https-everywhere
Inspect *this* !
I love PR articles (Score:2)
Oooo.. free "security".. Customized web experience (Score:1)
Polly want a fucking cracker?
I want money! That's what I want!. Peeking at my package.. er packets will cost you a pretty penny.
tis called https (Score:1)
quite effective at deep packet inspection and other man in middle attacks.
Now! (Score:3, Insightful)
Re: (Score:3, Insightful)
Everyone needs to get off their asses and enable https.
The https-everywhere plugin is great, but as a small website writer, am I supposed to $hell for a certificate or am I supposed to explain to my readers that, yes, the self-signed certificate is not a sign of viral attack onto their browser from my parts. Good luck with that.
Re: (Score:2, Interesting)
You should get one for free: http://www.startssl.com/?app=1 [startssl.com]
Re: (Score:3, Informative)
Then at least give the correct link: https://www.startssl.com/?app=1 [startssl.com]!
Re: (Score:2)
Re: (Score:2)
Many of the sites I run already have HTTPS.
I did, however, finally turn on a secured SOCKS proxy this morning, when I discovered my ISP's been doing DPI for over a year. No such thing as paranoia, I guess. :T
"Security" Service? Really? (Score:4, Interesting)
I love how they settled on the soft target of "identity theft protection" too. This is just a non-starter.
Let's see if we can boil down what a truthful ad for their spyware would look like.
"Hi! I want to provide you with a service we're going to say protects you from someone pretending to be you. Most likely we'll make sure you can't possibly sue us if someone does steal your identity or we'll just claim someone got your info offline or from a computer not covered by the service.
In return, you let is spy on you and use this to send ads to you. We promise not to look at certain types of info but this won't be transparent to you in any way. And realistically speaking, we can't possibly keep up with every site of the type we're saying we don't look at but we'll lie to you and say we won't look at email or sites with medical information anyway. By the way did we mention our EULA will immunize us from prosecution for doing it anyway?
In summary: We onwzorz your infos and you oggle our ads. We'll also make gratuitous statements about protecting your info but you won't be able to hold us to any of it. Have a good day! Big Brother is watching and he wants you (and your little wallet too)!
So, Advertisers/ISPs can (Score:1)
Re: (Score:1)
Even worse, this gives the police the ability to obtain the information without a warrant by just asking the ISPs to make it available to them.
Wiretapping laws would probably protect voice communications, but all other information would be fair game since the ISP isn't acting as an agent of the police but simply an entity willing to share information that it owns as a "public service".
Scum and Trash (Score:1)
More fucking bullshit lies, right to our faces. (Score:2)
The government is seizing websites en-masse as the tools of the MAFIAA that they are. Big telecoms are purchasing control of the internet. Advertising companies are datamining the living fuck out of us. So-called "social networking" sites suck in clueless people who don't have any clue that their privacy is precious and priceless, and these people willingly post their entire lives for all to see and for corporat
Network security for consumers (Score:1)
There are obviously a lot of problems with these ad services, but maybe there is some value to the Security-for-Ads business model.
The enterprise has an arsenal of security technology that, for the most part, has not made it to the consumer space. This makes consumer-owned computers very easy targets, and that has given rise to botnets.
Either ISPs can give away this kind of security (e.g. IPS, botnet detection) for free, or consumers can pay for it. But, consumers will not pay for it. Maybe supporting
Re: (Score:2)
That is probably the best solution we have... until ISPs wise up, go actively to war against their customers and start blocking ports.
The problem is what VPN services are worth using, versus the ones who would turn you in (or are already selling the user data) in a heartbeat? The guy who riffled through Palin's E-mail account was using a VPN.
I am sure someone would make a killing by having a VPN service that has a good reputation, with a fast connection and located offshore somewhere, perhaps with server f