The Perils of Deep Packet Inspection
by ANTOINE CHAMPAGNE
When The Wall Street Journal reporter Margaret Coker visited the Libyan government’s surveillance centre in Tripoli after the city’s fall, she saw that the authorities had been monitoring everything: the internet, mobile phones, satellite phone and internet connections. Some files included emails and online conversations between Gaddafi’s opponents. Notices on the walls revealed that the company which had installed the equipment was Amesys, a subsidiary of French firm Bull (1). The French satirical weekly Le Canard Enchainé later reported that France’s military intelligence directorate had been solicited to help train Libya’s internal spies (2).
In Syria, US equipment helps Bashar al-Assad’s regime censor the internet, and retrieve logins and passwords to access people’s emails or Facebook and Twitter pages. This tool is particularly useful for tracking the communications of opponents with internal or foreign connections.
The technology is innocuously named “deep packet inspection” (DPI). When someone sends an email, a series of servers relays it to its destination. Each server sends the message on to the next, looking only at the recipient’s address, and not at the contents. An expert on internet law, Jonathan Zittrain, explained: “It’s a bit like being at a party with polite friends. If you’re too far from the bar, or there are too many people in the way, you ask the person next to you to get you a beer. They ask the person next to them, who is a bit closer to the bar, and so on. Eventually your order reaches the bar and your beer arrives via the same route back. Since everyone is polite, no one will have drunk your beer along the way.”
But DPI is less polite. How would you feel if the person next to you analysed your order, and started lecturing you about it? Or if they tampered with your drink, adding water or something stronger? This is exactly what DPI technology can do: it allows people to read the content of internet traffic, modify it, and even send it to someone else.
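The contrast between a polite relay and a DPI device can be shown on a single packet. The sketch below is an added example, not part of the original article or any vendor's product: it builds two constructed IPv4/TCP packets (documentation addresses, made-up payloads) and compares what a relay needs to read with what an inspecting device can read, first for an unencrypted web request and then for an encrypted record.

```python
import socket
import struct

def build_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet (checksums left at 0; constructed sample)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def forwarding_view(packet):
    """What a relay needs in order to pass the packet on: the destination address."""
    return socket.inet_ntoa(packet[16:20])

def dpi_view(packet):
    """What an inspecting device can read: address, port and application payload."""
    ihl = (packet[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if packet[9] != 6:                            # only TCP is handled in this sketch
        return {"dst": forwarding_view(packet), "app": "non-tcp"}
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    data_off = (packet[ihl + 12] >> 4) * 4        # TCP header length in bytes
    payload = packet[ihl + data_off:]
    view = {"dst": forwarding_view(packet), "dport": dport, "app": "opaque", "host": None}
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):   # cleartext web request
        view["app"] = "http"
        view["request"] = first_line.decode("ascii", "replace")
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                view["host"] = line[5:].strip().decode("ascii", "replace")
    return view

# Constructed samples: one unencrypted request, one TLS-style record with filler bytes.
CLEARTEXT = build_packet("192.0.2.10", "198.51.100.7", 40000, 80,
                         b"GET /news/article HTTP/1.1\r\nHost: example.org\r\n\r\n")
ENCRYPTED = build_packet("192.0.2.10", "198.51.100.7", 40001, 443,
                         bytes.fromhex("1703030020") + bytes(range(32)))

if __name__ == "__main__":
    print(forwarding_view(CLEARTEXT), dpi_view(CLEARTEXT), dpi_view(ENCRYPTED))
```

For the encrypted packet the payload yields nothing readable, but the destination address and port remain visible to every device on the path.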
Amesys is not alone in this market. US press agency Bloomberg recently reported that another French company, Qosmos, had provided DPI technology to a consortium equipping Syria to the same standard as Gaddafi’s Libya (3). DPI is also at the heart of China’s firewall, which allows the government to censor internet traffic and spy on its citizens.
‘Secret new industry’
The recent Wikileaks publication of numerous internal documents from these companies shows that monitoring communication networks is “a secret new industry spanning 25 countries … In traditional spy stories, intelligence agencies like MI5 bug the phone of one or two people of interest. In the last 10 years systems of indiscriminate, mass surveillance have become the norm” (4). A little earlier The Wall Street Journal had published more than 200 marketing documents from 36 companies offering the US anti-terrorist agency various surveillance and computer hacking tools (5).
DPI entered the spotlight in May 2006 when Mark Klein, a former technician with US internet provider AT&T, leaked the fact that the company had installed DPI technology at the heart of the country’s internet network, in cooperation with the US National Security Agency (which invented the Echelon system in the 1980s and 1990s). The technology was provided by internet surveillance company Narus (slogan “See Clearly, Act Swiftly”). Narus was set up in 1997, has 150 employees, earned $30m in 2006, and was bought up by Boeing in 2010. The Mubarak regime was reported to have installed Narus equipment in Egypt (6).
The flow of information over the internet includes the web, emails, synchronous exchanges (instant messaging) and asynchronous exchanges (blogs, discussion forums), phone conversations, video, raw data, etc. Most of this communication is not encrypted, so it is easy for both the casual hacker and state security services to monitor it.
Constraints or profits?
But some private companies are also seeing a financial advantage in this technology. Telecoms operators such as Free, SFR and Orange have started to complain that large amounts of information are being conveyed on their networks without the producer paying. Internet service providers (ISPs) are not happy about paying to transmit YouTube videos, which they are obliged to provide to their subscribers. So they came up with the idea of charging a supplement to the information’s producer or its final user, or slowing down some traffic in favour of others. But to do that they have to be able to measure precisely what is passing through their networks.
In the same way, mobile phone operators have tried to limit their infrastructure costs by restricting their customers’ access to the internet. So they prohibit smart phone users from peer-to-peer file sharing, or using vocal or video communication like Skype.
Here too, DPI allows them to monitor and manage the traffic, and allocate higher bandwidths to certain services, such as those they provide. This contradicts the notion of “network neutrality”, whereby service providers are meant to convey all requested information without discrimination.
When DPI is applied to web browsing, it can record every move a person makes online. Marketing professionals are desperate to exploit such information. Orange recently launched Orange Shots, which uses DPI technology to analyse the websites a subscriber uses (with their consent), in order to offer them ultra-targeted products. That could make ISPs as profitable as Facebook and Google, as long as these programmes attracted subscribers; it would be enough to claim that the data was anonymous to make it a perfectly marketable product.
The curious reader could check the Data Privacy page on the website of GFK, an international market research group and Qosmos shareholder: while it casually mentions web “cookies”, it fails to explain that it also tracks visitors to websites using a DPI technology which is supposedly anonymous because GFK alone knows the formula. GFK is present in more than 150 countries.
DPI is also attracting intellectual property rights and copyright holders who are trying to fight “illegal” file sharing on peer-to-peer networks (BitTorrent), or sites for uploading and downloading files directly, like Megaupload. Knowing exactly who is trying to download what film or music file, and blocking that person’s access, can only be done with “deep” surveillance infrastructure shared across all the data exchange points that the ISPs represent.
Legal surveillance
Another natural market for DPI technology is legal surveillance. In France police sometimes monitor a suspect’s communications as part of a judicial investigation, authorised by a judge and the National Committee for the Control of Security Interceptions. But this is a niche market, concerning a very small proportion of the population. Unless they were counting on another huge rise in the anti-terrorist budget, it would make sense for businesses in this sector to look for other commercial outlets.
That is where the governments of police states, which want to listen to their entire populations, come in. Surveillance software can be tested in these countries under real conditions. That is why Ben Ali’s Tunisia received a discount on systems that still had bugs. Libya provided Amesys with a real life experiment of what Eagle software could or could not do. Alcatel is doing the same in Burma. The information gathered by DPI inevitably leads to arrests. (Torture, using tried and tested methods, can do the rest.)
Puzzled, no doubt, by the high number of European companies in this sector, the European parliament has passed a resolution to ban the sale abroad of systems monitoring phone calls and text messages, or providing targeted internet surveillance, if this information is used to violate democratic principles, human rights or freedom of expression. On 1 December 2011 the EU Council tightened restrictions on Syria and banned “exports of equipment and software intended for use in the monitoring of internet and telephone communications by the Syrian regime”.
Despite this, there is little legal control over the global export of surveillance equipment. Manufacturers find it easy to slip through the net (especially since there is such a diversity of legislation), governments do not publish their permits, and this type of software is not strictly considered a weapon.
Notes
(1) Paul Sonne and Margaret Coker, “Firms Aided Libyan Spies”, The Wall Street Journal, New York, 30 August 2011.
(2) “Des experts des services secrets francais ont aidé Kadhafi à espionner les Libyens” and “Secret militaire sur le soutien à Kadhafi”, Le Canard Enchainé, Paris, 7 September and 12 October 2011.
(3) “Syria Crackdown Gets Italy Firm’s Aid with US-Europe Spy Gear”, Bloomberg, 3 November 2011.
(4) WikiLeaks, “The Spy Files”, 1 December 2011.
(5) Agreement between France’s education minister Jack Lang and Max Cloupet, representing Catholic schools under contract to the state, 15 June 1992.
(6) Timothy Karr, “One US Corporation’s Role in Egypt’s Brutal Crackdown”, The Huffington Post, 28 January 2011.