Deep Packet Inspection – Bring It On


Christopher Soghoian

March 2009

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Note: This essay was contributed by the author to the Office of the Privacy Commissioner of Canada's Deep Packet Inspection Project

For the last year, the Internet privacy community has been abuzz with the news that deep packet inspection technology (DPI) is in active use. U.S. cable giant Comcast has turned to DPI in order to throttle file-sharing by its broadband customers, Phorm and NebuAd use DPI to peek into the web surfing habits of end users in order to serve targeted advertising and the National Security Agency has inserted sophisticated DPI equipment into the networks of major backbone providers so that it can sweep up huge volumes of domestic emails and Internet searches. While privacy activists and computer geeks are up in arms, the vast majority of Internet users either don’t seem to care or don’t fully understand what is happening.

The Internet is a dangerous place. Hackers roam cyberspace looking for vulnerable hosts to attack, phishers attempt to deceive users into revealing their bank account information and Nigerian 419 scammers offer riches to those gullible enough to send them money. However, while most of these threats are from people far away from the victim, users of wireless networks face a significant risk to their privacy from attackers just a few meters away. Logging into a webmail account using the free Wi-Fi at a coffee shop can be one of the most risky things that most people will do on the Internet.

Worst of all – it doesn’t have to be this way.

Without encryption, e-commerce wouldn’t be possible. It is because of the cryptographic technology built into every web browser that a customer’s credit card number can be transmitted to without the risk that hackers will steal it en route. Likewise, the security of every online bank depends upon end-users being able to conduct transactions over a confidential and authenticated channel. Unfortunately, while encryption is used by e-commerce sites and banks, it is not in widespread use elsewhere on the web. In particular, popular free email services, social networking sites, and photo sharing services all lack basic security protections by default. A few sites, such as Google’s Gmail, offer an encrypted version of their service to those users savvy enough to dig through complex configuration options, while most other sites, such as Microsoft’s Hotmail, Facebook, MySpace and Flickr only offer an insecure service.

The decision to not offer a secure browsing experience by default primarily comes down to money. Processing encrypted transactions requires more computing power than insecure requests, and so for a company like Google, switching every user to encrypted webmail and searches by default would require thousands of additional web servers. For corporations that give their services away for free and in a market where consumers are not educated about the privacy risks of non-encrypted web sessions (and thus do not demand encryption by default), it is pretty clear why product managers opt to forgo strong security.

The end result of this design choice is that web surfers who check their email, conduct web searches or send an instant message using a public wireless network risk being snooped on, or worse, having their account hijacked and stolen by miscreants. Evil-doers can use freely available software to “sniff” a wireless network and see the confidential information that flows over it. This past summer, a security researcher released a tool that automates the process of hijacking Web 2.0 accounts. The CookieMonster program allows an attacker to easily hijack Google, Yahoo or Facebook accounts with a single click. These pilfered accounts can be accessed at a later date, enabling a hacker to read through old email messages, or even send new ones in the victim’s name.

The tragedy here is not that the millions of users of these services are vulnerable to data theft and snooping. It is that the technology necessary to secure users’ web browsing is already part of both Firefox and Internet Explorer. Outside of the web arena, the situation is the same. Secure email and instant messaging technology has already been developed, debugged and made available for free by open source programmers and academics. The failure to offer secure-by-default products is primarily an issue of consumer demand. Most end users do not realize how much of their information flows nakedly over the network, nor how easy it is for others to snoop on their web surfing. It is for this reason that I support and encourage the widespread adoption of deep packet inspection technology. My hope is that once privacy invasion becomes the norm, consumers will start to demand encryption. Web titans like Google, bowing to market pressure, will then roll out security by default.

The Internet is no longer a happy safe place, as it was in the 1960s when the first packets were sent between research institutions. We need to stop treating it as such, recognize that there are evil forces out there, be they hackers, spies, or unscrupulous ISPs, and deploy technologies to protect the general public. Simply put, there is no longer a good reason to transmit anything of value over the network in plain text.

The solution to the problem of Internet privacy is not legislation making snooping illegal, but the industry-wide adoption of cryptography by default. If it first requires the widespread use of deep packet inspection technology in order to get us there, so be it.
