Home / Blogs

Deep Packet Inspection: When the Man-In-The-Middle Wants Money

Say you’re walking down the sidewalk having a talk with your best friend about all kinds of things. What if you found out later that the sidewalk you were using wasn’t really a sidewalk—but instead a kind of false-front giant copying machine, unobstrusively vacuuming up what you were saying and adding to its database of information about you? Or, say you send a letter to a client of yours (to the extent you still do this), and it turns out later that your letter was intercepted, steamed open, and the contents were read. Or, say you are having a telephone conversation with someone named Peter Brown and it turns out later that the voice you heard on the other end of the line wasn’t Peter Brown at all but instead some sounds aimed at convincing you that Peter Brown was still on the line.

All of these hypothetical situations have certain key elements in common: you’re communicating, and some intermediary that you thought was mutely, helpfully standing by to assist (the sidewalk, the postal system, the telephone line provider) turns out to have something else in mind. That intermediary may want to copy your datastream so it can target ads or different levels of pricing at you, or it may want to inject information into the datastream you’re seeing or hearing for its own purposes (that’s the phone example, analogous to what Comcast was caught doing late last year).

The ongoing flap about Deep Packet Inspection (DPI) has been triggered by just this kind of activity (or planned activity) by ISPs…

I drafted a related post today for InternetEvolution that they edited and is available here.

By Susan Crawford, Professor, Cardozo Law School in New York City

Filed Under

Comments

Privacy is Dead J Iannone  –  Jul 29, 2008 3:10 PM

We get fussy about the erosion of our privacy, but compromise it time and time again for the sake of communication.  As we gain connectivity, we compromise our privacy.  It’s a very similar to the internet security situation.  If security is the highest priority, disconnect the data.  Obviously, it’s more important for the data to be accessible to the exclusive few who’s jobs/well-being depends on it. 

The compromise exists and we must prioritize appropriately.  DPI is a sensible, though potentially infuriating, evolutionary technology.  Yes, it erodes our privacy.  Yes, we will continue to utilize privately owned circuits to access the internet, because the cost of communication loss outweighs loss of personal privacy.

Upcoming generations embrace diminished privacy.  The rise of social networks is a pretty good indicator of that, I think.  Anecdotally, this reminds me of a story about a snow day incident.  A high school or jr. high school student called the dean of his school at home asking why the school wasn’t closed.  His wife called the child back, leaving him a voice mail scolding him about privacy which he promptly posted to his facebook/myspace page.  Incidentally, he got their number from the phone book.  Privacy is dead.

And it's been dead... Dan Campbell  –  Jul 30, 2008 2:36 PM

It’s hard for me to understand why DPI is generating news now.  It’s been around for a long time and is inherent in most networks in many different kinds of devices.  There are many devices that inspect traffic and act on it for a variety of reasons.  DPI is generating news now because of the Comcast / BitTorrent issue.  But there are so many things on the Internet that in some way proxy for traffic or users.  Take NAT/PAT for instance.  As far as the web site is concerned, it’s not really seeing a request from the actual user but a NAT device and the IP address in front of it.  Is this a fraudulant act by the ISP that has not acquired enough public IP addresses to cover its service and has chosen to use private addresses and NAT?  Should they be scolded and forced to go to public addressing (a whole other issue)?  Another example is a cache engine, which delivers content that is not exactly from the web site directly but an “old” copy (“old” depends on when the cache was refreshed, but you could certainly be getting stale content that has since been updated.)  These things are common, but are they too somehow interfering with traffic, or sending what could be perceived as counterfeit traffic, or hijacking a session, or masquerading illegally as the actual user?  We can go on with other examples including firewalls, intrusion detection / prevention systems, content filters and yes, bandwidth management devices that perform traffic prioritization and peer-to-peer traffic throttling.  They’ve been there a while, they are necessary for many reasons, and they won’t go away even if how they are implemented changes.  It’s not a privacy thing.  They are tools to make sure the Internet can not only work better, but that services can be created and sold to residential consumers at low retail prices.

Hopefully... Jmil1  –  Jul 31, 2008 8:02 PM

Hopefully the backlash that’s emerging against Comcast will encourage ISPs to start looking at other options than DPI. I buy that in some cases bandwidth needs to be conserved, but that isn’t a free pass to do whatever the ISP wants to achieve this. There are other ways to accomplish the same goal without having to resort to DPI (see netequalizer). DPI seems like it will be hard to defend from the standpoint of the ISP if these alternate options start to catch on and get developed on a larger scale.

Not Just ISPs Chris Snyder  –  Aug 3, 2008 11:33 AM

DPI is not just a danger with ISPs. Wi-fi providers (Hotels, Cafes, Airports, Parks) are also going to be increasingly tempted to generate revenue by tracking viewing habits, tweaking Google results, and inserting or replacing advertisements. I’m sure we’ll also start to see this behavior on compromised routers and wireless access points.

Some of the problems can be mitigated with SSL, but the man-in-the-middle can still track URIs and silently redirect sub-requests (like images or ads embedded in the requested page) to other secure domains, without alerting the user.

DPI is a tool Suresh Ramasubramanian  –  Aug 4, 2008 12:11 PM

And a very useful tool for security. Feel free to blame its abuse if you wish. But dont knock DPI for that.

The DPI Analogy Game Kyle Rosenthal  –  Oct 21, 2008 11:13 PM

Hi Susan,

Thanks for bringing light to the privacy concerns related to DPI.  While privacy is a legitimate concern, I hope it is one that will be overcome and minimized through innovation. 

The analogy game is always a fun one. 

What if the US Postal Service offered:
- no options for priority delivery
- no capability to inspect packages other than the address and return address
- policies that restricted commercial innovation in the postal arena (UPS, FedEx)

https://www.dpacket.org is a good resource to learn more about deep packet inspection.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com