For the last year, the Internet privacy community has been abuzz with the news that deep packet inspection (DPI) technology is in active use. U.S. cable giant Comcast has turned to DPI to throttle file-sharing by its broadband customers; Phorm and NebuAd use DPI to peek into the web surfing habits of end users in order to serve targeted advertising; and the National Security Agency has inserted sophisticated DPI equipment into the networks of major backbone providers so that it can sweep up huge volumes of domestic emails and Internet searches. While privacy activists and computer geeks are up in arms, the vast majority of Internet users either don’t seem to care or don’t fully understand what is happening.
The Internet is a dangerous place. Hackers roam cyberspace looking for vulnerable hosts to attack, phishers try to trick users into revealing their bank account details, and Nigerian 419 scammers offer riches to anyone gullible enough to send them money. However, while most of these threats come from people far away from the victim, users of wireless networks face a significant risk to their privacy from attackers just a few meters away. Logging into a webmail account over the free Wi-Fi at a coffee shop can be one of the riskiest things most people will ever do on the Internet.
Worst of all – it doesn’t have to be this way.
Without encryption, e-commerce wouldn’t be possible. It is because of the cryptographic technology built into every web browser that a customer’s credit card number can be transmitted to Amazon.com without the risk that hackers will steal it en route. Likewise, the security of every online bank depends upon end users being able to conduct transactions over a confidential and authenticated channel. Unfortunately, while encryption is used by e-commerce sites and banks, it is not in widespread use elsewhere on the web. In particular, popular free email services, social networking sites and photo sharing services all serve their pages over plain, unencrypted HTTP by default. A few sites, such as Google’s Gmail, offer an encrypted version of their service to those users savvy enough to dig through complex configuration options, while most others, such as Microsoft’s Hotmail, Facebook, MySpace and Flickr, only offer an insecure service.
The decision not to offer a secure browsing experience by default primarily comes down to money. Processing encrypted connections requires more computing power than plaintext ones, so for a company like Google, switching every user to encrypted webmail and search by default would require thousands of additional web servers. For corporations that give their services away for free, in a market where consumers are not educated about the privacy risks of unencrypted web sessions (and thus do not demand encryption by default), it is pretty clear why product managers opt to forgo strong security.
The end result of this design choice is that web surfers who check their email, run web searches or send an instant message over a public wireless network risk being snooped on or, worse, having their accounts hijacked by miscreants. Evil-doers can use freely available software to “sniff” a wireless network and read the confidential information that flows over it. This past summer, a security researcher released a tool that automates the hijacking of Web 2.0 accounts. The CookieMonster program lets an attacker on the same network take over Google, Yahoo or Facebook accounts with a single click: because these sites either send the session cookie in the clear or set it without the Secure flag, the attacker can capture the cookie and replay it from his own browser. Such pilfered accounts can be accessed at a later date, enabling a hacker to read through old email messages or even send new ones in the victim’s name.
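To make the cookie theft described above concrete, here is an added example (not code from the essay or from the CookieMonster tool) that audits a handful of constructed HTTP messages the way a sniffer on the coffee-shop Wi-Fi would see them. It flags two conditions: a Cookie header carried in a plaintext request, which anyone on the network can read, and a Set-Cookie header that lacks the Secure attribute, which means the browser will also send that cookie over HTTP if the attacker can provoke a plain-HTTP request to the same host. The hostnames, cookie names and message text are all made up for the demo, and the scheme of each message is assumed to be known from the TCP port it was captured on.

```python
"""Spot session cookies that a Wi-Fi sniffer could steal, and show the fix.

Added example; not code from the original essay or from CookieMonster.
All sample messages below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class HttpMessage:
    scheme: str   # "http" or "https"; assumed known from the TCP port (80 / 443)
    host: str
    raw: str      # start line plus headers, CRLF-separated, ending in a blank line

    def headers(self):
        """Return (lowercased-name, value) pairs, preserving order and repeats."""
        pairs = []
        for line in self.raw.split("\r\n")[1:]:
            if line == "":
                break
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
        return pairs


@dataclass
class Finding:
    host: str
    cookie: str   # "name=value" exactly as captured
    reason: str


def audit(messages):
    """Report cookies an attacker on the same network could capture or provoke."""
    findings = []
    for msg in messages:
        for name, value in msg.headers():
            if name == "cookie" and msg.scheme == "http":
                # Every cookie in a plaintext request is readable off the air.
                for pair in value.split(";"):
                    pair = pair.strip()
                    if pair:
                        findings.append(Finding(msg.host, pair, "sent in the clear over HTTP"))
            elif name == "set-cookie":
                pair, _, attrs = value.partition(";")
                attr_names = {a.strip().lower().split("=")[0] for a in attrs.split(";") if a.strip()}
                if "secure" not in attr_names:
                    # Even if this response came over HTTPS, the browser will attach the
                    # cookie to any plain-HTTP request for this host (the CookieMonster trick).
                    findings.append(Finding(msg.host, pair.strip(),
                                            "set without the Secure attribute; browser will also send it over HTTP"))
    return findings


def forge_request(finding, path="/"):
    """The plain-HTTP request an attacker replays to take over the stolen session."""
    return (f"GET {path} HTTP/1.1\r\nHost: {finding.host}\r\n"
            f"Cookie: {finding.cookie}\r\n\r\n")


def harden_set_cookie(value):
    """What the site should have sent: add Secure (and HttpOnly) if they are missing."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    attrs = {p.lower().split("=")[0] for p in parts[1:]}
    if "secure" not in attrs:
        parts.append("Secure")
    if "httponly" not in attrs:
        parts.append("HttpOnly")
    return "; ".join(parts)


# Constructed capture: a webmail login over HTTP, and two HTTPS responses that set cookies.
SAMPLE = [
    HttpMessage("http", "mail.example.com",
                "GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\nCookie: SID=abc123; lang=en\r\n\r\n"),
    HttpMessage("https", "bank.example.com",
                "HTTP/1.1 200 OK\r\nSet-Cookie: AUTH=deadbeef; Path=/; HttpOnly\r\n\r\n"),
    HttpMessage("https", "shop.example.com",
                "HTTP/1.1 200 OK\r\nSet-Cookie: SESSION=xyz; Path=/; Secure; HttpOnly\r\n\r\n"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.host}: {f.cookie} -> {f.reason}")
    print(repr(forge_request(audit(SAMPLE)[0])))
```

Run against the sample, the audit reports the webmail SID cookie (and the harmless lang cookie) as sent in the clear, and the bank's AUTH cookie as missing the Secure attribute; only shop.example.com, which set Secure, comes back clean. Feeding the bank response through harden_set_cookie removes its finding, which is the whole fix the essay is asking sites to make.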
The tragedy here is not that the millions of users of these services are vulnerable to data theft and snooping. It is that the technology necessary to secure users’ web browsing is already part of both Firefox and Internet Explorer. Outside of the web arena, the situation is the same. Secure email and instant messaging technology has already been developed, debugged and made available for free by open source programmers and academics.
The failure to offer secure-by-default products is primarily an issue of consumer demand. Most end users do not realize how much of their information flows nakedly over the network, nor how easy it is for others to snoop on their web surfing. It is for this reason that I support and encourage the widespread adoption of deep packet inspection technology. My hope is that once privacy invasion becomes the norm, consumers will start to demand encryption. Web titans like Google, bowing to market pressure, will then roll out security by default.
The Internet is no longer a happy safe place, as it was in the 1960s when the first packets were sent between research institutions. We need to stop treating it as such, recognize that there are evil forces out there, be they hackers, spies, or unscrupulous ISPs and deploy technologies to protect the general public. Simply put, there is no longer a good reason to transmit anything of value over the network in plain text.
The solution to the problem of Internet privacy is not legislation making snooping illegal, but the industry-wide adoption of cryptography by default. If it first requires the widespread use of deep packet inspection technology in order to get us there, so be it.
8 Responses
Tags: Comcast, DPI, Inspection, Packet, Privacy, Technology
Christopher’s got it exactly right, the problem is not the ISPs succumbing to DPI, but that of end users underestimating the problem (which is simple human nature — we are notoriously bad in judging very low risks), and application developers failing to do precisely what Christopher calls for: build in encryption as a default (which is simple human nature, too: why offer more or assume liability if you don’t need to).
The observation about e-commerce and the rise of secure protocols is very apt, too. Where there are tangible assets involved, the market resolves the problem eventually; where there is only that evasive thing called “privacy” involved, it is for the end users and their agents to push through the due solutions.
There is no point in outlawing the tussles in cyberspace, there is only in getting the incentives right for and in favour of those hurt most by the risks that accrue on the internet. Why is it that everyone (well, almost all the other essays in this collection) keeps pointing at the law to remedy the problem (which may, from a harms based perspective, not even be so large, after all — see ssl protocols)?
Christopher is right, there is no point in trying to keep ISPs from doing DPI, only in trying to get app developers to build in encryption by default (and hold them liable for it) — after all, it did work with e-commerce and ssl.
It’s worth asking why we have legislation against communication interception.
It’s partly about personal democratic freedom, partly to protect commerce, and it’s partly about state security.
Privacy protects our freedom of speech, our freedom to associate, our freedom of thought.
For businesses, privacy protects commercial intelligence, confidentiality, data integrity, intellectual property.
Faced with a world of encryption, the role of the security services will become far more difficult. And we may be more at risk.
So privacy protection is in the interests of individuals, businesses, and the state. That’s why we have laws against interception, and why we need to enforce those laws.
There always will be states where surveillance is the norm; I don’t want my country reduced to the least common denominator.
Surveillance is and must remain completely illegal in a democratic country.
Does that mean encryption won’t proliferate? Sadly, no.
Weak and corrupt Governments may have already sacrificed the confidence of technologists and businesses. I have no doubt our children will look back at this moment in time and wonder how we could ever have been so short sighted.
While the idea that end users should be more aware of encryption is sound, the way to promote awareness is not to allow DPI hardware on the network, then let consumer backlash take care of the rest. DPI hardware is very taxing on a network. All those packets have to be delayed at the DPI device to allow the DPI device to categorize the packet and strip the info out of it. This slows down the network as a whole.
I agree with Ben. I work at a retail computer shop and if encryption was needed, the consumer would have it. Also, the internet is not as dangerous as he explains. Yes, there are “hackers” looking for vulnerable hosts; however, most if not all “e-commerce” is encrypted using SSL with 256-bit encryption. So no one can decipher the traffic except you and the host. Making DPI useless and just slows the network.
I agree with Christopher. We should be encrypting absolutely all traffic. (And we should be encrypting all data at rest, but that subject is off topic here)
Pete: The first group that should be locked out of sniffing traffic is the security services. Allowing any organization to snoop the traffic of the entire country is a bigger threat than anything they claim to protect us from. So far the evidence that any of their claims are true is very questionable.
Locking regular law enforcement agencies out is more of a loss. I’m talking about local police officers investigating common, mundane crimes. It’s true that if crypto was everywhere some of the truly guilty might not be caught or convicted as a result. But people are getting away with things all the time anyway, for all kinds of reasons. And encryption can’t shield criminals from all police attempts to stop them. There are always at least 2 endpoints in any communication. One of them can always involve the police if it’s appropriate. Traffic analysis is also a very effective investigative method. And don’t forget about all the data people make public by choice on social networks. These days police are routinely succeeding without the need to sniff traffic at all.
Universal encryption is a good idea. It would increase our overall security. It’s not a good trade-off to allow the massive vulnerability of widespread cleartext communication to remain just to catch a few more petty criminals.
No human activity or space is risk free. Neither is cyberspace. Can we deploy more technology to bring it to risk zero? I’d be surprised if risk zero were a reasonable goal, since it’s never been achieved anywhere else, ever. So we’re actually talking of a “lowering” of risk, which is already, I believe, relatively low. I’m not sure if there’s a way to actually quantify it, but I’m fairly certain the difference would be a lot less than we hope for.
Ben: packets can be *modified* at wire speed these days on at least gigabit ethernet. I don’t have direct experience with DPI-capable hardware, but I doubt it introduces any delay. Besides, if you’re deploying on routers the packet has to traverse the router anyway, which will be way more time than merely cataloging it. I would imagine that real traffic-shaping systems introduce some delay.
Anyway…if widespread DPI is the ass-kick we need to get more widespread encryption, then I guess it’s not a total loss.