ISPs Using "Deep Packet Inspection" On 100,000 Users

dstates writes "The Washington Post is reporting that some Internet Service Providers (ISP) have been using deep-packet inspection to spy on the communications of more than 100,000 US customers. Deep packet inspection allows the ISP to read the content of communications including every Web page visited, every e-mail sent and every search entered, in short every click and keystroke that comes down the line. The companies involved assert that customers' privacy is protected because no personally identifying details are released, but they make money from advertisers who use the information to target their online pitches. Deep packet inspection is a significant expansion over tools like cookies in the ability to track a user. Critics liken it to a phone company listening in on conversations."

So? Use https, ...

[Anonymous Coward]

..., ssh, pgp all the time!

Re:

[Ernesto Alvarez]

Let me add OTR messaging [cypherpunks.ca] to the list.

Available for Pidgin (aka GAIM), Adium X, mICQ, Kopete, Miranda, Trillian and as a proxy for people that use other clients. Works on any IM network.

(I've been using it on GAIM for some time and I recommend it)

Re:

[tomhudson]

First step: https instead of http.

Inspect THAT!

Re:

[ta bu shi da yu]

Yes, but of course the service you are using needs to be actually running SSL.

Re:So? Use https, ...

[mabhatter654]

Like the post said, so are voice phone calls, but we expect phone companies not to bug our phones. Hell, you could go to those little green boxes with a generic uniform on and listen all day and nobody would bother you. Of course they're be hell to pay if you were caught. Why is "internet" communications any different than normal ones, why should telcos be "listening in" to our conversations?

So what's the status on IPSec?

[Anonymous Coward]

DNSSec and opportunistic IPSec should put an end to the snooping and throttling once and for all.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

NAT is not a problem since IPSec is host-level encryption, not application- or user-level. The network address translator can be an encrypting gateway. That's not a problem because it already mangles the packets in other ways. From the public network point of view, it is a leaf node, one end in end-to-end.

The problem with opportunistic encryption is the key management. That's why DNSSec is important. Without trustworthy public keys, man in the middle attacks are trivial. But DNSSec isn't so simple with dyna

Re:So what's the status on IPSec?

[NeverVotedBush]

In response to another article, I said that we should start encrypting all of our traffic and asked for programmers to start adding that functionality and making it the default so that even unsophisticated users' trafic would be encrypted.

But with the revelation the other day that the Bush administration believes the Fourth Amendment (right to privacy and protection from searches without cause), this becomes just another good reason to get cracking with all traffic encrypted.

http://yro.slashdot.org/article.pl?sid=08/04/03/1219200 [slashdot.org]

Re:

[NeverVotedBush]

Yikes - What I meant to say was that the Bush administration believes the Fourth Amendment does not apply to them and that they have the right/power to monitor and wiretap at will.

Also, another point about this is people have always said that users should understand that their activities on the Internet could be monitored by third parties. This, however, is different (at least to me) in that it is systematic snooping on the part of ISPs.

The situation has somewhat changed in another way, too. It used t

Why not spider the web?

[budgenator]

You think these guys don't like BitTorrent, wait until everyone starts a process to spider the web to obfuscate where the fleshies are really browsing at and run that 24/7 to overload their deep-packet inspection devices.

People already do

[mark_hill97]

its called tor [torproject.org].

Re:

[gsarnold]

Spiderlike, sure, but IIRC Tor only obfuscates your identity from the site operator via a maze of proxies - It doesn't do anything like create an encrypted tunnel for the traffic, so eavesdroppers at the phone company can still snoop all they want.

Just sayin'.

Re:

[Alereon]

Tor does NOT provide a secure or encrypted connection, it provides an ANONYMOUS connection, which is entirely different. Unless you encrypt the data you send over the network yourself, it will be sent in cleartext readable by anyone. If you don't want someone looking into your packets, sending them over Tor to bounce among a number of untrusted hosts is not a very good idea.

Re:

[PopeRatzo]

Strong Encryption. That's what we all need.

The second amendment gives us all the right to the strongest encryption we can get our hands on.

Re:Why not spider the web?

[mabhatter654]

The militia is of the STATES, so National Guard does not apply. In fact National Guard would generally be illegal as Quartering troops because the State Governors do not have control over their troops. The Army does not have legal right to operate in the States unless specifically asked by the state.

They knew exactly what they were writing. The frontier was subject to constant "terrorist" attacks from indians and french at the time. The British had specifically forbidden the smaller villages from maintaining arms caches to defend against attacks in the middle of the night. Instead they demanded British troops be stationed in people's homes ruled only by the crown and not by Colony or local rules. It was the right of you and your neighbors to defend yourselves without "asking permission" from any government and without reprisal for doing so. Note that Britain as basiclly out lawed self defense even in your own home today. Even if your daughter is being raped, in your home, you can be brought to charges for having any kind of weapon used to defend her if the attackers die.

Re:

[meringuoid]

Note that Britain as basiclly out lawed self defense even in your own home today. Even if your daughter is being raped, in your home, you can be brought to charges for having any kind of weapon used to defend her if the attackers die.

Citation needed. You're entitled to use reasonable force [cps.gov.uk] against an attacker in situations such as this. If for instance an intruder is attacking a family member, and you bash him over the head with some heavy blunt instrument, you're unlikely to be charged even if he later d

Re:So what's the status on IPSec?

[MadAhab]

I think that GWB has been more destructive to America than we can really contemplate right now, but I have to give the credit to "the other side" on this one.

There was a time when encryption-by-default could have become the norm for Internet communications. It was largely passed by because the Clinton administration treated encryption technology as if it were chemical weapons. Even though the math to do it was a genie out of the bottle, they forbade American companies from trafficking in encryption technology if it involved overseas clients. So either it wasn't pursued, or the companies went overseas (e.g. F-Secure) but the end result is that encryption did not become a fundamental part of Internet communications.

Even weirder, one of the few to take a stand against this was John Ashcroft. Though, to his credit, he stood up to illegal wiretapping in the Dubya years as well. I don't agree with him on very much at all, but I have to give him credit for being a rare principled individual on this score.

So, to sum up, had the Clinton admin not squashed crypto so badly, we might not have to worry about mass spying on the public. They'd still be able to get around the encryption when it really mattered; they do black bag jobs and put keyloggers in mafioso computers when they need to do that, and I think that's a good balance of civil liberties and legitimate law enforcement, assuming warrants are involved.

Sadly, America has apparently decided that the First Amendment is tolerable, the Second is awesome, and fuck the rest of them. What an insult to our nation.

My favorite amendment? The Ninth: any rights not explicitly delineated in the Bill of Rights probably exist. Of course, the current Supreme Court (and conservatives in general) shit on that amendment, for some weird reason.

Encrypt everything.

[ookabooka]

Thats it, I say webservers move to SSL only transactions. All other plaintext transmissions should get encrypted at the endpoints transparently. Then when the government whines about not being able to find the terrorists they can blame datamining companies that paid for their election campaign. Then they can make a law that forces a back-door, which would create a need for some nifty-ass steganography [wikipedia.org] which would lead to massively excessive processor and network overhead (encryption and steganography respectively) for the most basic of transactions which would lead to NSA funded algorythms to find these hidden messages which would. . .holy shit it's almost 10AM, I need to hit the sack.

Re:

[cs02rm0]

Seconded. It's beyond me why this hasn't happened already. Google do it fairly well as an option with gmail and google reader for example but not with their searching?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[maxwell demon]

What about Slashdot? After all, you might not want your ISP to know that you read such subversive web sites! :-)

Re:Encrypt everything.

[mollymoo]

Encryption doesn't stop people knowing who you're talking to, just what you're saying to them. And Slashdot does offer SSL to subscribers.

Re:Encrypt everything.

[darkpixel2k]

It's beyond me why this hasn't happened already.

As far as I know, IIS and Apache don't quite support TLS yet (although it's in-progress) which means every SSL-enabled website would have to be on it's own unique IP/port...making the IP 'crunch' even more of an issue.

Not necessarily

[davidwr]

You could have 10,000 domains that share a common cert provided by the hosting provider. It does squat for authentication but it does prevent snooping.

With ISPs starting to snoop, suddenly this has real value.

Combine this with 3rd-party SSL-enabled DNS, and you've got some reasonable countermeasures.

Your ISP will know you talked to dns.ssldnsprovider.com over an encrypted channel and then immediately carried on a series of conversations with 1.2.3.4 over port 443, but he won't know which of the thousands o

Re:Encrypt everything.

[pla]

Thats it, I say webservers move to SSL only transactions.

I agree completely, but keep in mind that even with encryption, ISPs can still collect quite enough information on us to put together a truly impressive profile. Sure, they won't know exactly what you read, but if you visit Erowid, I'd call it a good bet you don't want recommendations on a cheese to go with dinner.

For targetted advertising purposes, the simple "where" counts for 90% of the "what".

Re:

[seneces]

SSL's general uptake is held back by two unfortunately major points. Firstly, it costs money to buy a SSL certificate, and you have to deal with all sorts of shit (or spend more money) if you use subdomains, alternate domains, etc. Something like CACert could fix this issue if it were widely accepted, but of course that would make the entire system less trustworthy..

Secondly, there is no normally implemented way to do name-based virtual hosting with SSL, and most people don't want to or can't give each d

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Encrypt everything.

[DaleGlass]

The problem is that SSL happens before any HTTP does, and SSL is a general mechanism that can be used for any kind of TCP connection.

How does the webserver know what to give you when foo.com and bar.com map to the same IP address, and the browser requests something like index.html that exists on both? This works only because when the browser makes the request it also tells the webserver which domain it was trying to access. The browser sends something like this:

GET /index.html HTTP/1.1
Host: foo.com

Now, this breaks for SSL, because SSL happens before the connection is established, so there's no way to decide which certificate to use based on the domain.

To fix to this is adding the support directly to SSL. rfc4336 contains a mechanism to do this with TLS.

Re:Encrypt everything.

[interiot]

Wrong RFC. That would be RFC4366 [rfc.net],

no, encryption is not the answer

[Briden]

standing up for our rights is the answer. unfortunately, corporations listen only to once voice, money, so hit them where it hurts.

Cancel your internet, refuse to pay your bills... boohoo, then you won't have internet? you won't have internet anyway, if they get their way.

Filesharing Responsibility?

[Thruen]

If ISPs are monitoring traffic so closely, doesn't that make them more responsible for what people are using their service for? Namely piracy.

Re:

[NeverVotedBush]

I do believe that one could make that point. Comcast already has ways to throttle Bittorrent. If they are doing deep packet inspection, I would think that they would know down to the data block what files were being transferred.

Re:

[budgenator]

Not yet, but it seems that they are bound and determined to get there. I figure if they want to crawl that far up my ass, I'll just write a Perl script to spider every link on a page, and let it run recursively, give them enough data they start to buffer-overflow and fill up their hard-disks until they puke. Sure I probably can't do much to them, but ten thousand of us crawling the web can.

Old news - proxies, compressors, etc

[Gothmolly]

ISPs have always been notorious for secretly compressing your images, caching your traffic, proxying stuff, slipping their own content into your web pages, etc. They look at the contents of your mail, since you can't spoof from anyone to anyone via their servers. How is this different, other than some joker gave it an ominous sounding name like 'Deep Packet Inspection' ?

What's the difference

[Ernesto Alvarez]

The difference is that in the first case, the data passes through a dumb machine that compresses, caches, etc. The result is cached like it is expected (RFC 2616 is pretty clear about that), even though it is done transparently. No need to keep logs about who downloaded what.

In this case, the data is explicitly mined, by a company interested in building a profile of each user. It doesn't say it is limited to web traffic only, only that "Nor does NebuAd record a user's visits to pornography or gaming sites or a user's interests in sensitive subjects -- such as bankruptcy or a medical condition such as AIDS.", which I doubt both on technical grounds and because it is a market and someone will want to take advantage and "The company said it processes but does not look into packets of information that include e-mail or pictures." which I think is in contradiction with other parts of the article and even if they didn't, it's a matter of time before they do.

Basically, it's the intent that counts. The ISP can intercept everything they want because they're in the middle. When they start doing so for reasons that are not part of maintaining the communications as specified (like forwarding, maybe firewalling and proxying depending on the conditions), alarms should go off.

time for some hactivism

[jollyreaper]

Let's start turning over rocks in the private lives of telcom CEO's and see what scurries out. I'm sure they won't mind, it's in the interests of an open society and free debate, don'cha know.

Re:

[Pancake Bandit]

zomg HACK THE PLANET

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[blhack]

Fedex and UPS DO do this.

Its not like there is somebody at Qwsest sitting there reading each and every one of my emails, rather they're searching through it looking for things that look suspicious. Its the same thing that couriers do looking for people shipping drugs around.

Don't get me wrong, I think its asinine, just pointing out that its not something that is exclusive to the internets.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Good luck with that

[TheMohel]

Never mind that it's evil, or that it's a great step to losing their common-carrier status.

Never mind that it's a true violation of privacy.

Never mind that I block cookies pretty well and I run with NoScript most of the time and I don't see very many ads, and besides, half of the time I'm inside my employer's VPN.

But even more than that, I have seven other users in my household, half of them teenagers. If they want to sniff all of my NAT-ed packets coming out, they're going to discover that I'm a geek who has four Facebook sites, likes art and hates it, plays Runescape incessantly (the 10-year-old), likes the Wiggles, and works as a beauty consultant. So go ahead and hand me the ad for the latest XBox game (I hate games). Offer my kids server hardware, and see if you can get my wife to click on fun games to play with the Backyardigans. Oh, wait, you already do. It's called "not targeting advertising", and it's free.

So what we have is a thoroughly broken high-cost borderline-illegal absolutely-unethical service offered to advertisers in a difficult economic period. By people who we all hate a lot, and who will rapidly become targets for everything from blocking to legislative action to you name it.

I knew there would be some kind of career move for spam kings in the future. I just thought it would pay better.

I predict a less than stellar outcome for these idiots, and they deserve every painful moment.

Re:Good luck with that

[ChowRiit]

However, you still get more accurate data on user trends as a whole - you no longer have the old problem of the fact that only the sort of people who fill in surveys will fill in your surveys, and they're not generally a representative sample.

Any data at all on user trends more than their competitors will help advertising companies make money.

Re:Good luck with that

[mpaulsen]

Never mind that it's evil, or that it's a great step to losing their common-carrier status.

They don't have a common-carrier status to lose.

Re:

[Nimey]

it's a great step to losing their common-carrier status.

HA HA HA! You underestimate the power of bought congressweasels. One will slip in an amendment into a big must-pass bill, and Bob's their uncle.

Re:

[nurb432]

Thats all and good when it just about 'targeting' advertisements to you.

But when it turns to the government doing profiling on your 'habits', its not so harmless. And we all know that is next.

Re:Good luck with that

[jmorris42]

> If they want to sniff all of my NAT-ed packets coming out, they're
>going to discover that I'm a geek who has four Facebook sites, likes
> art and hates it, plays....

Silly person, they are much smarter than that. Each of those PCs can be identified, see previous slashdot articles on the subject. Especially since each PC in a network serving a diverse family as you are describing will probably have obvious differences in OS and browser versions. Then there is detailed packet header inspection (DEEP INSPECTION, remember?) to seperate out OS subtle version differences, etc. And each PC/account will offerup different cookies to the same websites like Google.

NAT won't stop them. SSL won't stop them. Laws might. This sort of snooping isn't 'like' listening in on phone conversations. It IS listening in on conversations.

Re:

[ScrewMaster]

Never mind that it's evil, or that it's a great step to losing their common-carrier status.

Another common misperception. I don't know of any major United States Internet Service Provider that operates under common carrier regulation. The Telcos still do, but only for phone service. Their data services are considered exceptions to common-carrier regulation.

They obviously looked at the legal situation and decided the lack of immunity from lawsuits over the use of their equipment was a risk worth taking

Re:

[TheMohel]

Yeah, I know. They have a legal exemption from liability for the contents of the traffic they carry, subject to certain restrictions. Which isn't common-carrier status, although it acts a little like it.

But if they start to routinely "deeply inspect" traffic, a frisky plaintiff's attorney is going to see gravy in the "knew or should have known they were defaming my client" kind of stuff, and here we go.

Throttling bandwidth

[element609]

Isn't this the real issue with clogging 'tubes'? How can the government and ISPs keep up with the computational resources needed to continue this as we demand greater and greater amounts of bandwidth? OK, so they could only inspect http traffic, rather than say, bittorrent traffic, but OMG what happens when 'terrorists' start communicating with other protocols?

ssh tunnelling + squid

[Orp]

I pay for a dedicated server (essentially colo but they provide the hardware) from a company with a decent AUP. I put linux on the server and run squid on a non-standard port, allowing connections from localhost only. Then from the machine I'm surfing from I tunnel into the squid server. Say squid is running on port 1234 and sshd is running on 4567:

ssh -f -N -L 1234:localhost:1234 -p 5678 my.squid.server.com

Configure firefox to use a proxy to localhost:1234 and all traffic is encrypted to the squid server.

Of course, I could just use Tor, which is great, but can be slow. In fact, you could run a tor server on your colo machine and have all tor traffic bounce off of the server, which would be pretty fast if you leave tor running as a daemon and dedicate a decent amount of bandwidth to the tor network.

Re:

[jmorris42]

> I pay for a dedicated server (essentially colo but they provide
> the hardware) from a company with a decent AUP. I put linux on
> the server and run squid.....

And you are a fool with more money and tech knowledge than you have the brains to use wisely.

Exactly what are you hoping to accomplish by going to all of that bother? Your last mile ISP can't monitor you but the hosting company and THEIR ISP can so you have just shifted the point of attack.

And the government (which is what you are afraid

Re:

[nxtw]

Exactly what are you hoping to accomplish by going to all of that bother? Your last mile ISP can't monitor you but the hosting company and THEIR ISP can so you have just shifted the point of attack.

Well, his traffic is flowing through a datacenter that's normally used for hosting websites, not visiting sites. Why would anyone look at outgoing traffic?

And that hosting provider might have more than one ISP.

Re:

[Orp]

You presume I am doing anything illegal in the first place. And if using ssh raises red flags for the gov't then they are going to be very very busy as it's really the de facto remote login protocol for all Unix machines.

My example is a case where if the AUP of the colo company explicitly states that they do not monitor traffic, and your ISP for the last mile does, you can avoid your ISP's deep packet sniffing.

More Encrypted Webpages

[nurb432]

If everyone offered https, ( or only ) and all email is encrypted then this would become a moot point really quick.

All they would know then is where you went, not what you did. ( Tho in this country, just going there is enough to get you put in jail it seems )

Or we can all move to freenet and really stick it to them.

There should be a law

[nysus]

It's illegal for anyone to open mail not intended for them. The same should be done for electronic communication.

And if I hear one libertarian say we need less laws, I'll puke. It's as if they though they had a magic wand and all the troubles of the world would disappear by removing government. Unfortunately, the world hasn't worked that way since we left the caves 12,000 years ago.

Re:There should be a law

[nurb432]

We *do* need fewer laws. However, the ones that remain need to be effective and of value, and actually enforced.

The law to protect your right to privacy already exists, it just needs to be enforced. Creating more laws doesn't help with lack of enforcement of what is already there.

Re:

[chunk08]

Brilliant post! The problem, though, is that the citizens will not stand up for their rights, because our current culture is taught to depend on the government to fix all of the problems. If citizens were to take a stand on the issue, government and corporations would see that it is not in their best interest to continue these practices. What needs to happen is (as has previously been posted) citizens encrypting their communications and taking other steps (Tor, Freenet, etc.) to prevent snooping, governmen

re: Absolutely! But it's too hard to configure

[King_TJ]

Where are my mod points when I need them? This is *exactly* right!

The biggest barrier to getting everyone to use encryption, though, is the relative difficulty in configuring it. For example, I'm on a Mac running OS X right now. This is generally regarded as an "easy to use" OS, and one often recommended for people's parents, relatives, etc. Nonetheless, if I want to encrypt my outgoing email using the Mail.app included with the OS, what are my options? So far, the best I can do for my OS X Leopard 10.

Re:

[Anonymous Coward]

And if I hear one libertarian say we need less laws, I'll puke.

Pesky semantics....

While it may be true that the actual raw number of laws presently on the books is huge and unwieldy, and while it may be true that the removal of many of those laws would actually bring a good deal of efficiency while also eliminating some loopholes that are routinely exploited to the detriment of the majority, and while it may be true that a common knee-jerk response to any kind of exploitive behavior is to cry "pass a law th

Re:

[phantomcircuit]

It's illegal for anyone to open mail not intended for them. The same should be done for electronic communication.

And if I hear one libertarian say we need less laws, I'll puke. It's as if they though they had a magic wand and all the troubles of the world would disappear by removing government. Unfortunately, the world hasn't worked that way since we left the caves 12,000 years ago.

In fact it is already illegal to open USPS mail not intended for you. It's a federal crime. The problem is that the laws of the real world that have been in place and working for a very long time have not yet been interpreted to apply on the internet. I fail to see the difference between physical mail and electronic mail.

Re:

[corsec67]

It is just like all of the new patents related to the internet and computers:

Laws are different when it is "on the internet", or "using a computer"

Reading mail not intended for you isn't a problem, "on the internet"

I agree with you that it shouldn't be like that at all, though.

Re:

[dstates]

What ever happened to "A government of the people, by the people and for the people"? Get involved, and stay involved. As Adlai Stevenson (who??) said, "In a democracy, people get the government they deserve."

How are they to deliver targeted advertising?

[Skapare]

If these are the ISPs (as opposed to the visited web sites) doing the spying, then how are the advertising companies involved supposed to deliver the content? Are they going to use the same "deep packet" method to inject the advertising? If the advertising delivery is away from that deep packet inspection, then how do they identify which user was interested in penis enlargement products vs. which user was interested in replica watches? Or are the ISPs going to lock-in the IP address, now?

Regular postal mail...

[NotQuiteReal]

After all, your ISP knows your street address.

Search for info on heartburn... get some post cards advertising the latest antacid. Search for info about Lasik eye surgery... gee handy flyers about your local providers appear.

You get the idea. If I were selling a service and an ISP offered to sell me names and addresses based on keyword searches, why wouldn't I buy that list?

Re:

[jmorris42]

> If these are the ISPs (as opposed to the visited web sites) doing
> the spying, then how are the advertising companies involved supposed
> to deliver the content?

Because the visited web sites already aren't the ones delivering the advertising. You go to CNN.com and view a page. The ads come from an outside site. That site partners with your ISP. They toss a packet with the IP and perhaps other info (like browser info so the ISP can determine which PC behind the home NAT is making the request a

Re:

[rastoboy29]

It would have great value just for the demographic research and usage patterns.  That's probably what they're after--at this time.

I think this has another unintended consequence

[jskline]

Fact is that if there is packet inspection going on, this is slowing down traffic on that one connection. Imagine now that there is many users traffic who is being "scanned", redirected or filtered, et al.

Now; has anyone else noticed that the net is getting slower and slower recently?? We already know that sites such as FoxNews.com and other similar types, have special applets that download and attempt to arrange items on the page so that you are forced to see specific adds for a specific period of time bef

Re:

[Thing 1]

Time for those magical host lists again!!

I love synchronicity. I read "real" news at the Excite portal, and "tech" news here. Lately Excite has put interstitial ads in their pages, so you have to "Click here to skip this ad." Once you do so, though, the Back button is still disabled so you can't get back to the ad (which I sometimes want to, so pity for the idiot who architected this).

The issue is that sometimes due to this, a page will sit there spinning and no more pages will load. To "fix" this

Listening in? Um, yeah.

[Perp Atuitie]

Critics liken it to a phone company listening in on conversations.

Um, my ISP IS my phone company. If they can get away with reading my emails and stuff like this comment, what's to stop them from listening to my phone calls? We're really at a crossroads: either the law makes ISPs common carriers with no interest in, or control over, content like a real phone company, or we lose most of the potential of the communications tech revolution.

Re:

[mapkinase]

Technically, it is more difficult to parse out possible ad targets from the content of your phone calls. The information of where you are calling and when might be the only thing that is more or less useful for their evil advertising schemes.

Re:

[Reziac]

I was just wondering something like that myself: at what point does this sort of datamining overstep privacy to the point that it revokes common carrier status??

Also, AOL's little fiasco proved that you CAN identify individuals through their searches... what's to prevent this from being used similarly?

I also have to wonder about what if the ISP is "clean" but their backbone is datamining??

ISPS ARE NOT COMMON CARRIERS

[oyenstikker]

and they never have been.

Re:

[argent]

If they can get away with reading my emails and stuff like this comment, what's to stop them from listening to my phone calls?

Apart from the law, the fact that speech recognition is a much harder problem?

Encryption?

[ameline]

I expect that they will combine this snooping with throttling of all encrypted (or otherwise random) looking packets.

Up to 2 years imprisonment

[gweihir]

If you do this in the EU. Packet pauyloads are off-limits without court order. You may not even store them.

Re:

[yuna49]

From TFA:
In England, Phorm is expected in the coming weeks to launch its monitoring service with BT, Britain's largest Internet broadband provider.

Last I heard the United Kingdom was a member of the European Union. Perhaps BT's attorneys have a different interpretation of the laws than you?

Re:Up to 2 years imprisonment

[Stevecrox]

Phorm argues it doesn't break the law because they offer an "opt out" clause and so isn't effected by the RIPA act. BT's trial last year of Phorm against 10,000 users is being investigated as potentially illegal as users wern't given the chance to opt out. It should be a easily won case since BT by supplying 121media and not asking if they can share this information have broken the Data Protection Act. BT maintains plans to implement Phorm with the ability to opt out (through a cookie on your PC.)

I've already sent a letter to my service provider (virgin media) informing them I want no part of Phorm and if they implement it (which they are considering) I will be prosecuting them under the Data Protection Act. I suggest all BT, Talk Talk and Virgin Media users do the same.

The Data Protection Act in the UK is the best defense against this sort of thing, it defines how companies my handle personal data, the right a person has to that data and what responsibilities the organisations have with it. The biggest problem with it tends to be phone operators who've never read it trying to tell you the section you read to them is wrong.

I believe someone is trying to prosecute Facebook because they were unable to remove their information from Facebook (when you leave a service you have a right to have all information on a companies database to be deleted) If I were to go into a police station and demand all the CCTV footage they have on me they would have to supply it (my right to see) finally if I don't agree that companies can share my information with 3rd parties then they aren't allowed to share it full stop if they do you can prosecute.

121Media argue phorm doesn't violate the Data Protection Act because you are visiting public websites (it being akin to walking along a public highway and so no right to privacy) Hopefully the Information Commisson won't see it that way and will enforce the view that sending unencrypted http packets through port 80 is the same as making a phone call and so falls under the same protections.

Re:

[yuna49]

Thanks for that excellent reply! I'd mod you up if I could.

"Customer revolt"

[frdmfghtr]

FTA:

For all its promise, however, the service providers exploring and testing such services have largely kept quiet -- "for fear of customer revolt," according to one executive involved.

Guess what pal..the word is now out.

Ever get the feeling the the Internet just isn't worth it anymore?

Re:

[Inda]

Was it ever worth it? Maybe the homepages of 1997 were worth it...

Enough!

[iamacat]

Time has shown that nobody will protect your privacy besides yourself. It's time for ALL Internet traffic and ALL phone traffic to be encrypted with an option to get SSL keys for each machine or phone from trusted authorities in different countries. This way a particular person asserting privacy is not labeled a terrorist, Comcast can not selectively block bittorrent, Chinese firewall is out of business and phone companies do not need immunity for spying on subscribers. IPV6 will have to be adopted anyway in the next 10 years and it included encryption, so the time is right to make both switches at once with little extra IT overhead.

Encrypt everything!

[IGnatius T Foobar]

The government may have the resources to break strong encryption in real time, but even the largest ISP's do not. So maybe now the FreeS/WAN project no longer sound like tinfoil-hatted paranoiacs when they push opportunistic encryption at every node [freeswan.org]. Everything gets encrypted automatically and transparently when talking between two OE nodes, regardless of the protocol.

This was their goal, but hostility and forking ensued when most people really wanted to just have an IPsec implementation on Linux. OE is still a good idea, though, and that's what they're focusing on now.

The obvious design win would be if Linksys and Netgear built OE into their consumer grade firewall/routers. Then everyone would have it, not even know it, and when large site operators started deploying it on their network edges, massive amounts of crypto would start traversing the Internet, and no one would be bothered by it.

That's really the key to good system design: add complexity, but don't bother the end user -- it's not his problem.

VPN FTW

[billcopc]

Funny, while loading this page I got a "bandwidth cap warning" from my ISP, stealthily inserted into the page (Rogers Cable).

I expect nothing less from the despicable scam shop that is Rogers, but it's still kind of creepy.

For me, it's not a huge deal because I run a number of geographically diverse servers, I can VPN or proxy my traffic through any combination of them, should the need arise. Like any invasion of privacy, I'm not concerned about the marketing uses, it's the inevitable abuse that scares me,

Re:

[corsec67]

Funny, while loading this page I got a "bandwidth cap warning" from my ISP, stealthily inserted into the page (Rogers Cable).

Doesn't that violate the copyright on the page held by /.? (Rogers made a derivative of the page, and distributed that to you)

NebuAd info, and a request for info

[Animats]

I just checked NebuAd's Privacy policy [nebuad.com]:

NebuAd products do collect and use the following kinds of anonymous information:

• Web pages viewed and links clicked on
• Web search terms
• The amount of time spent at some Web sites
• Response to advertisements
• System settings, such as the browser used and speed of the connection
• ZIP code or postal code

Now that's way out of line for an ISP to collect, let alone send to an ad agency.

We may be able to do something about this.

We run SiteTruth AdRater [sitetruth.com], which rates advertisers. We have a Firefox extension which displays a rating icon for each ad served. When an ad link goes by, and it's not in the browser cache, the extension contacts our server for a rating of the advertiser. So we collect, over time, a list of advertisers for various ad systems. We're not collecting data about users; we're interested in advertiser behavior. (You can read the source code for the plug-in, so there's no mystery about what we're doing.)

We're not currently tracking NebuAd, Front Porch, or Phorm ads; we've been focusing on the bigger players. It looks like we need to be tracking this behavior. If anyone can find ad links from those services, please post the ad link here, or mail it to "info@sitetruth.com". We need some examples so we can modify the plug-in to recognize them.

If we can collect sufficient information about this class of advertisers, we may publish their customer list, which would be useful for boycott purposes. Thanks.

Deep Packet Inspection Not For Ads

[ffejie]

I have a bit of history with two large service providers in the US. While I have not been involved directly with the deep packet inspection teams, I have had direct contact with all of them and helped them design networks using this technology. The technology was never sold to upper management as a way to track our users and target ads to them. It was never intended to capture a web page hit that was directed at a specific company to see what that consumer was interested in. Instead, it was always meant to monitor users (and more importantly, user aggregates) and determine what kind of traffic they were sending.

It was, and is, always about the network profile. If they find out that 10% of the traffic on the network is VoIP traffic, they want to design the network shift this traffic to have lower latency.** If they find out that 50% of the traffic is BitTorrent, they may put rules in place around such services. In my opinion, the service providers that I have dealt with do not have the technology in place to target down to the user. Also, they do not appear to be developing this technology.

**Some can argue that providers are instinctively evil and want to destroy this traffic, but I'm not going to fight this here.

Who wins?

[edmicman]

From the article:

Advocates of deep-packet inspection see it as a boon for all involved. Advertisers can better target their pitches. Consumers will see more relevant ads. Service providers who hand over consumer data can share in advertising revenues. And Web sites can make more money from online advertising, a $20 billion industry that is growing rapidly.

So the consumers' benefit is better targeted ads? Woohoo? Sounds like the only ones who are winning are the corps and that's it.

DPI is for QoS, not marketing

[NicolaiBSD]

Every datacom box supplier is developing DPI features for their products. The main driver is not targeted marketing, but QoS. When you're able to identify traffic on the application layer, it gives you a lot of extra options in determining how to route the traffic.
This way you can decide to route P2P traffic flows on best effort basis, but "over-the-top" video (eg. Youtube) flows you route through a higher quality connection. This improves user satisfaction.
That's the idea anyway, saying it's for targeted a

Only have more questions

[edmicman]

So which ISPs are doing this? What can we do to protect our selves? It sounds like it's "enabled" by a cookie placed there by your ISP or NebuAd? Would Adblock and/or PeerGuardian be enough? Implementing blocking at the home router level? What can home users actually do?

It'd be nice at least to know who's actually participating in this so we could know who to avoid.

Privacy concerns, yes, but also the cost!

[Duncan Blackthorne]

I'm as concerned about third parties snooping into things that aren't their damned business, but there's another concern here too: if this is actually going on, then we're all paying for it, too! We're footing the bill for the technology that's being used to snoop into every freakin' packet sent or received. That's complete bullshit; I'm paying for bandwidth, not for motherfuckers at Comcast (or wherever) looking at what I'm buying online, or personal communications I'm sending to friends, or whatever I'm d

hrmmm

[spikedvodka]

Hrmmm... I never got the TOS/AUP for my ISP (then again it was just switched on me when Verizon sold it)

gotta contact them, and say "Hey, what's the deal"

The Quick Fix

[Nom du Keyboard]

The quick fix to this is web-sites all allowing https, ssl, and vpn connections to them. That will end deep-packet inspection, leaving only a list of web-pages visited available. gMail already allows https, but you have to ask for it.

Re:

[Overzeetop]

I'm sure part of it is to determine what is passing through the network and how to reduce the overall traffic flow - which would reduce the amount of physical plant needed. It's not all sunshine and light - they make money any way they can, and if snooping does it for them, they'll do it until it is illegal. I'm just pointing out that ignoring all traffic and building out physical plant isn't necessarily in the financial interest of the ISPs. Using what they have in the most "efficient" way is. Their effici

Re:

[nurb432]

Freenet adds another layer of security, for when they come for your data.

Re:

[corsec67]

Kind of hard to teach a company a lesson by leaving them when they are a monopoly.

Many people have exactly 2 options for ISPs: Cable and DSL.

What if both are evil? How do I switch to a better company in that case?

(My solution is to have the ISP/content provider be legally prevented from having a share of the "last-mile" stuff, so that you can have competition in the ISP space, and then last-mile provider has many requirements, like no filtering of any kind, upgrades every so often, a specified maximum fee s

Re:

[dstates]

Some of us do not use Google mail or Google desktop search for exactly the reasons you give.

Re:Slashbot hypocrisy once again

[ccguy]

So, it's bad and evil and wrong if a computer at your ISP reads all your packets for marketing research purposes, but when Slashdot's favourite pet company Google does the exact same thing with all your messages in Gmail, it's perfectly fine and justified?

Yes. You may use gmail or not, and if you do then you agree that they will use your email contents for advertisement.

No one authorized ISPs to inspect packets for any purpose.

However if they provided their service at the same price google offers gmail in exchange for authorization to inspect packets, I'm sure there would be lots of people willing to take the deal.

I think Slashbots need to get their kneejerks straight.

And I think whoever modded you insightful was on crack.

Re:

[Guido von Guido]

Sure, they don't use it for targeted advertising. Do you think that's because of ethical concerns, or because of technical limitations? Do you imagine that they'll always resist the urge to send their customers targeted advertising?

As an aside, I'm well aware that there are benign uses for this sort of technology. For instance, we had a customer that installed some kind of deep packet monitoring app to monitor and troubleshoot customer application issues on their web site (which were costing them a bundle).