DPI and expectations of privacy

[David Farber <dave () farber net>]

________________________________________
From: Brett Glass [brett () lariat net]
Sent: Thursday, July 17, 2008 10:07 PM
To: David Farber; ip
Subject: DPI and expectations of privacy

[Dave: Please post this to IP. It's important -- in fact, fundamental --
and should evoke some good conversation. -BG]

At 05:44 PM 7/17/2008, David Reed wrote:

> As I note in my blog entry, the use of Deep Packet Inspection is
> apparently a really hot area  of investment.  This distresses me a great
> deal.  It may concern your readers as well. What gives the ISPs
> (Charter, Embarq, BT, ...) the right to read every packet that every one
> of their users sends, analyze the data, modify the responses, etc.?

As an ISP, I fiercely defend my users' privacy. However, it must be
recognized that my ability to do this ends where the public
Internet begins. I always warn my users that there is NO reasonable
expectation of privacy in an unencrypted packet on the public Internet.

Let me say that again, because I have to keep drumming it into my
users' heads: There is NO reasonable expectation of privacy in an
unencrypted packet that traverses the public Internet.

Those who preach the horrors of "deep packet inspection" often
assert that packets are like letters in envelopes -- and that the
addressing information is somehow less sacrosanct or less visible
than the payload. In fact, Internet packets are really analogous to
postcards in that there is no difference between the readability of
the addressing information and that of the data. All of it is
readable by dozens -- maybe hundreds -- of complete strangers on
its way to its destination.

Whether or not your local ISP's equipment examines them (and there
is good reason for them to do SOME looking -- for example, to see
if they are Voice over IP and give them priority to keep the call
clear), they will pass through dozens -- maybe hundreds -- of
machines that might. Some of that equipment may belong to private
parties or corporations and not an ISP or telecommunications
provider. Some may not even be in this country (and so may not be
subject to ANY restriction the US government might impose upon
one's behavior with respect to them). They may also pass over the
air via unencrypted wireless networks (or ones with encryption that
is trivial to break, such as WEP). In short, this is not the
telephone system. It's a cooperative, somewhat anarchistic "network
of networks," held together by weak and changing contracts,
agreements, and conventions. There's no central control center that
can guarantee your privacy.

Therefore, as I always tell my customers, if you want to send
something that's really confidential over the Net, make darned sure
that you are using encryption. Otherwise, no matter what your ISP
does, it's subject to sniffing and snooping in so many places that
you simply cannot expect it to be private -- and no court that
truly understands how the Internet works would rule otherwise.

As an ISP, we do our best to educate our users about this, but it
always bears repeating. Deep packet inspection? "Shallow" packet
inspection? Makes no difference. Expect your Internet packets to be
looked at, and you will not be disappointed when it happens.

--Brett Glass




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com