Peeking into packets may darken the Internet!

by Pekka on September 1st, 2008 in Comment.

As people move an increasing part of their lives into global and local networks, the development of privacy intrusion techniques and technologies faces exponential growth. The will to eavesdrop on other's private communication is reaching new heights. As this occurs,  the concept of privacy is being obliterated. Privacy is under attack, giving birth to the current situation where consumer's private information is commonly considered to be an approved target. The constantly increasing demand to acquire personal and confidential information has boosted the supply of eavesdropping techniques and technology.

Government authorities are in the process of enlarging the ears and eyes of Big Brother, and their tactics have spread to other levels of the society where captured personal information can be transformed to money. Let's take a closer look at how and why some of this eavesdropping is done and the availability of existing or upcoming countermeasures against it.  To do this,  a basic understanding of packet capture and Deep Packet Inspection (DPI) is needed.

Internet and/or network traffic can be filtered in many ways and at many levels, just as a water tap can be installed anywhere in a water line. Deep Packet Inspection is a way to examine or parse entire captured packets of data that are passing the point of the network where the filter is set up. To keep it in simple terms, data is sent over a network in the form of packets.  Each packet has a header that includes information on the packet's content. You can think of a header as an address or similar written information on a "snail mail" envelope. The packet content, the actual letter or information inside an envelope, is called packet payload. When the packet capture is set up to capture the whole DataStream at a certain point of the network, all passing packet headers and/or their payloads could be inspected for certain criteria. Government surveillance may be set up to capture packets at the Internet Service Provider level, who are bound by government laws to comply. For example, in Sweden, the FRA (the National Defense Radio Establishment) recently obtained the rights to set up such surveillance according to the newly adopted FRA law (see earlier blogs).

In the same manner, though on a smaller scale, it is possible to set up packet capture and DPI in networks ranging from enterprise level to smaller local networks (for example in schools, Internet cafes and home networks.) This kind of eavesdropping can be fully automated in order to process the captured data efficiently according to the special criteria that is set up by the service owner. There are, however, other ways to deploy this type of filtering without the need of installing and managing hardware and software at certain points of an enterprise network.  Zscaler, a SaaS security provider, offers a service that has the ability to scan Web traffic leaving a company's firewall. The traffic is then redirected to Zscalers servers where it is filtered according to the wishes of the service subscriber.  Almost all of the traffic can be filtered in this manner, including traffic associated with messaging, webmail and blogging (http://www.gcn.com/print/27_20/46924-1.html).

Government authorities usually justify the need of such surveillance stating that it is done in order to protect the inhabitants of a society against certain dangers, like terrorism.  It may also be justified by stating that it is conducted in order to prevent industrial espionage, or in order to fight crime. Packet capture and DPI at an enterprise level may be justified as a way to fight different types of denial of service attacks (where attackers flood a service with requests in order to make it unresponsive.) DPI may also be used in order to block malicious code, viruses, worms and spyware that could be harmful for the enterprises systems.  In this case, DPI is commonly used in conjunction with other protection systems, such as firewalls. Another possible usage for this technology is to monitor the web browsing habits of the users within the network, essentially tracking their network and web behavior during work hours. One might argue that it is obsolete to watch employees in this manner nowadays, as the boundaries separating company work and spare time are often woven together. One might also argue that creativity suffers, resulting in a situation where employees are not able to bloom into their full potential.

A relatively new business model now exists where DPI is used to collect data about users in order to provide tailored ads. The deep packet inspection is conducted by Internet Service Providers or different network operators. The ISP´s and network operators can access all of the traffic flowing through their networks and can therefore create different user profiles depending on the Web pages visited and services used. This could serve as an example of how the acquired personal information can be transformed into money. Some may argue that user-tailored ads are not a big deal but, in terms of revenue, they are! Serving user profiles based on personal interests, likes, and dislikes could generate big money. But at the same time, user privacy will without a doubt suffer. Take, for example, the fact that the user profile could also be colored by information about health, faith and sexual preferences. The packet payload could reveal a lot of information for the government, and different vendors on the market (insurance companies, for example.)

What's the remedy for all of this? It's a hard question to answer. Surveillance done by government authorities may be hard to influence, especially because the undistorted truth is hidden in the sphere of secrecy that surrounds these kind of agencies. The commercially driven eavesdropping services are, however, directly affected by the consumers' demands.   Concerned users may choose to only use services that are offered by companies that safeguard user privacy and companies that do not support buying user information in order to provide tailored advertising. It is therefore critical to thoroughly read the privacy policies of companies, services and applications in order to spot obscurities and to avoid pitfalls. I cannot stress that enough!

Encrypting data may be another way to fight back. The Finnish company Staselog states that large encrypted "Darknets" may render Deep Packet Inspection harmless (http://sakerhet.idg.se/2.1070/1.62364). Only the future will tell if the illumination of packet payload is in fact darkened by large encrypted networks where people may live their virtual lives without the fear of being eavesdropped on. If programmers were to create and follow honor codes in order to lift user privacy into the foreground when developing software, it could be helpful in keeping  the "peeping Tom" trend from becoming a reality where people are forced to tiptoe in their virtual lives - lives that are, in the end, just an extension of their offline counterparts.

Pekka

Lavasoft Research