Chris Kranky

Deep packet inspection: What gives them the right?

Chris Koehncke

As I write this entry, my local ISP could easily know that my computer is talking to the California servers which host this blog. In just a minute I may look at a YouTube video. In 5 minutes' time I could be looking at websites that explain how to hack a website. I may have an IM chat session with a friend and just after that a 10 minute Skype video call with my family. Do I think my ISP is keeping track of all this? On the surface, the sheer enormity of keeping track of millions of subscribers would seem impossible. It would seem that we could comfortably hide in the massive amount of data which rides around on the Internet.

But yet it’s possible, quite real and in fact probably happening today with the advent of Deep Packet Inspection (DPI) systems from companies such as Cisco & Ericsson as well as specialty players like Sandvine and Procera. These companies have created systems which are effectively vampires installed on the ISP network which literally monitor every IP session from every user. It would seem impossible, but advances in technology allow these systems to quite literally sniff at every packet going by. Worse, these systems have heuristic algorithms that attempt to take data they don’t understand and try to figure out what you’re actually doing.

Starting to get a little scary isn’t it?

These DPI systems construct massive databases of the information they’ve culled and attempt to provide the “service provider” with various statistical information. On a whole-system basis, this might be helpful to their network planners: “most of your traffic is going to facebook.com”. For the slow folks over at Verizon this type of obvious information would be enlightening. But make a few more clicks on these systems and it is just as easy for them to create a profile, “A day in the Internet life of Chris Kranky”, right down to what kinds of YouTube videos I like to watch.

Imagine the marketing folks at Verizon having my profile to see the types of websites and Internet activity I have and deciding to send me a custom marketing message promoting something they think is useful based upon how I use the Internet. Now really scared? You agreed to this by the way; somewhere in those 10 pages of Terms and Conditions where you clicked “OK” is a paragraph indicating you were fine with this type of sniffing activity. Of course, you couldn’t opt out of it and still get the service.

Now this isn’t really new; for years the telephone company knew full well what telephone numbers you were calling (they sent you a detailed list after all and billed you for the calls). But we didn’t think they were trying to figure out I was calling Texas all the time and send me a promo message advertising Tex-Mex food. We also didn’t think they were reverse looking up the numbers I was dialing to try and create a profile on what type of caller I was. In years past, this type of computing power simply wasn’t available. They might have known I was calling a Susan Blake in Omaha, but they wouldn’t have known what we talked about.

With these DPI systems, your service provider knows what you’re talking about.

It’s no big surprise that ISPs are NOT advertising they’ve been installing these systems. When they’ve been questioned about it, they indicate they’re using them to holistically manage their data traffic such that no group of users takes control. But what they’re not telling you is the extent of the information they’re collecting on you and me. Initially, you or I may not care. But the looming 1984 Orwellian theme music seems ready to start playing. In the midst of this, consumer advocacy and privacy groups are going to start making noise. Lawmakers will start to have committee hearings and news groups will have a field day reporting on it. But what is the answer?

The reality is the bulk of what you do on the Internet is readily accessible to any service provider whose network you cross. If you are transmitting information in the “clear” (meaning not encrypted) anyone along the way has the ability to “see” what you’re doing. No amount of laws or pledges from my service provider is going to convince me that my data is safe and not being snooped, either casually by some wayward employee, an overeager marketing department or some government entity.

The obvious answer is that encryption & security are going to be taken to a whole new level by consumers and business. Websites that previously transmitted in the clear will move to secured formats of communications, not because they want to, but because I will demand it. In the midst of this, these DPI systems will start to see more encrypted data that, hopefully, they don’t understand. You’ll probably be willing to pay for this security; it may be embedded into your new Linksys router or it could be a new security service you subscribe to (which ironically enough may be offered to you by the very people who were snooping on you to begin with). It’s likely to be a multi-billion $$$ industry.

In the short term though, recognize that whatever you do on the Internet is accessible at a very granular level by your service provider, right down to the very last <CLICK>.