05.10.2010

Deep packet inspection is not a new concept. It is, in fact, quite mature and takes advantage of the best of IDS (Intrusion Detection Solutions), IPS (Intrusion Prevention Solutions), and stateful inspection firewalls. The technology is extremely effective in combating malicious code and content attacks and in enforcing policy to a variety of ends. Additionally, the technology is quite good at providing detailed intelligence with respect to application behavior and patterns as they appear within a given infrastructure. In modern enterprise and carrier networks this technology is both common and integral to ensuring operational efficiency while managing and minimizing risk.

Recently, however, it has come under fire and, in at least one case, been dubbed a measure by which the privacy rights of end users can and no doubt will be violated. The case in question is that of the recent announcement by Virgin Media to utilize and deploy a DPI-like technology package called CView within its network environment in order to better understand the prevalence and associated patterns of use seen in peer-to-peer networking sessions. The tool would, in effect, be capable of tracking sessions associated with peer-to-peer networks such as Gnutella, BitTorrent or eDonkey, which has created a negative buzz amongst organizations such as Privacy International, who appealed to the EU to step in and review the package proposed by Virgin Media. Virgin’s intentions seem straightforward to me, but perhaps that is due to my being an information security professional:

I have to believe the goal of using a tool such as CView (if you look the tool up you will see it does not tie individual identity information to information harvested) is pretty straightforward and reflects much, if not all, of what is seen above. I find it hard to believe that this is a case where privacy should be an issue, though I am aware that in the UK under the Regulation of Investigatory Powers Act (RIPA), intercepting communications is a criminal offense regardless of what is being done with the data. While I am no expert in British Parliamentary process or law, it would seem that this act would be prohibitive, if not crippling, in providing advanced security solutions while potentially curtailing illicit, illegal activity. Deep packet inspection is not the problem here; the problem is perception as it relates to the lengths to which personal ‘freedom’ extends and illegal activity begins.

Comments

  1. Tweets that mention New Blog Post: Deep Packet Inspection: A Legal Liability? -- Topsy.com on 05.10.2010

    [...] This post was mentioned on Twitter by Cassandra Security. Cassandra Security said: New Blog Post: Deep Packet Inspection: A Legal Liability? http://cassandrasecurity.com/?p=1360 [...]

  2. Ed Mahoney on 05.11.2010

    No argument. Except that perception is reality. Or I have a better one: if you’re explaining, you’re losing. So even though I don’t want to disagree, I have to go with the masses. The fundamental issue here is that privacy is at odds with security. And that’s too deep a topic for a comment. But marketing departments should know better. Don’t scare people with your products. DPI would be a good thing to pitch on a home consumer product where the Dad wants to protect his family. But you want to downplay it to large audiences where they are concerned more for their privacy than the organization’s fiduciary responsibility to protect their systems from malware, employee PII theft and copyright infringement from illegal downloads.

  3. Will Gragido on 05.11.2010

    Hi Ed!

    Thanks for the comment. It’s an interesting issue, as I have to believe that people are simply not aware of the number of devices with DPI capability in countries such as the UK already. You made a really key point in that people default (it’s in our nature) to perceptions and, to a greater or lesser extent, find truth and reality within their perceptions even when they are not present. I agree with the marketing angle; it’s certainly a challenge. However, what I found interesting was the belief or assumption that DPI tools were not previously used (I truly find that hard to believe) in the capacity (primary or secondary) in which they are described in this case.

  4. Ed Mahoney on 05.11.2010

    Back in my technical days, I was a certified expert Sniffer. The original Network General Sniffer. One day on a customer site, the VP of Sales is calling in from home, ripping apart the I/T Director on the remote access solution being too slow. So they asked me to sniff his login session with him on the phone. Turned out his browser home page was to a porn site. I show this to the I/T Director with the VP on the phone, hinting that the heavy graphics might take a while to load. This was maybe ’96 or ’97 – before big pipes. We finally told him exactly what we could see of his session but he remained in denial. Apparently he didn’t think it was technically possible.
