DPI can be misused – so can a hammer

Chris Lewis

May 2009

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Note: This essay was contributed by the author to the Office of the Privacy Commissioner of Canada's Deep Packet Inspection Project


Coming a bit late to the party as I am, I think the other essays on DPI capture most of the issues that I would want to talk about. So I won’t, especially since I agree with most of the essayists on the issues surrounding network neutrality, spying and privacy.

However, there’s one critical aspect missing from all of the other essays which at first surprised me completely. On second thought, perhaps it wasn’t so surprising, because none of the other writers seem to be in the front line of Internet Security with a handle on current and ongoing threats.

This issue is that of malware, spambots, viruses, phishing, trojans, keyloggers, denial of service, malicious downloaders, “DNS attacks” and so on.

On a daily basis we track tens of millions of infected computers (mostly home computers) participating in the sending of billions of email spams per day, resulting in distributed denial of service attacks, identity/credit card/credential theft, money laundering, keystroke logging and so on. Also we see legitimate web sites and other services being “hacked” so as to leave malicious software to drop on the unwary.

Attacks on DNS (the name service that maps the name of where you want to go to its Internet location) are one of the newer and most dangerous threats. You think you’re on your bank’s site managing your account? No, you’re not, you have someone eavesdropping (man-in-the-middle attack via perversion of your DNS lookups) on your conversation, and they will deplete your account shortly thereafter. Encryption (e.g. https/SSL) can help, but not always, because there are attacks that can subvert that or confuse the user too.

The sheer magnitude of the problem is staggering – and getting worse. This isn’t visible to people not specializing in the field because for the most part organized crime is very good at hiding (some can fool even the experts at times), and ISPs have been struggling to shield their users from it.

Still, it is becoming increasingly dangerous to your bank balance and your privacy to use the Internet. The criminals are getting better at their attacks with new tools and techniques, and network security has to keep pace.

The reality is also that law enforcement’s efforts to catch and prosecute such criminals have been spotty at best, and at least for the medium term, it’s an ineffective weapon for dealing with this. We’re doing our best, and we do have successes, but the overall effects have been minimal so far.

Another unpleasant reality is that anti-virus/spyware packages are becoming increasingly ineffective. Less than 23% of all new infectors are caught by any anti-virus solution, and such packages are seldom useful in preventing current infectors from taking hold.

When it really comes down to it, discussions about privacy, network neutrality and the other issues brought up in the other essays here won’t mean anything if users can no longer trust the services they use, nor indeed even their own computers. Even full encryption isn’t a panacea. As more and more people distrust the Internet, the Internet will suffer, and perhaps even die with catastrophic economic consequences.

It’s true that many ISPs are looking into Deep Packet Inspection (DPI) in ways that we may not like (non-network-neutral bandwidth shaping decisions, “phorm-like” marketing intelligence gathering, or even outright “spying” et cetera). Those were possible without DPI and will remain so, whether or not DPI exists.

However, perhaps the biggest incentive for DPI within Internet providers and businesses is the detection and interception of malicious traffic undesirable to any user, and identifying which user has these infections so as to assist them in getting the infection removed.

In other words, providers are trying to protect their customers from organized crime attacking them.

DPI can detect when the popular social networking site you just visited had been hacked and tried to download a virus onto your computer, or when an email sent to you contains something malicious and stop it. It can detect when the virus activates and tries to operate. It can detect where the attacks originate from. And so on.

DPI can be misused. So can a hammer. We don’t ban hammers. We do ban the bad things you can do with a hammer.

We need to consider DPI as just another tool. DPI is a very powerful one that can be misused, but it’s still just a tool.

Rather than talk about DPI in terms of the things we don’t want DPI to do, we as a society have to decide what things we do/don’t want done, regardless of what technology is used to do it. If we want network neutrality, then that’s what we should regulate, not a particular tool that may or may not be used for it.
