Stop the Secrecy

ITU: Packet Sniffing Proposals are Creating a Stink

Thu, 12/06/2012 - 20:18 -- Catherine Hart

Our coalition partners over at the Centre for Democracy and Technology (CDT) have raised concerns over some developments in the International Telecommunications Union (ITU) negotiations currently going on in Dubai. These negotiations will expand the power of the ITU, and as we’ve noted in the past, their secrecy is being used by some nations to push undemocratic rules that will legitimize the censorship and surveillance of their citizens. The CDT has now discovered that this goal has been brought one step closer to reality, through new rules for the standards-setting body of the ITU in advance of the official negotiations.

The new rules standardize deep packet inspection - or ‘packet sniffing’ - raising concerns over the possibility that “once a standard is established, authoritarian regimes could push to make [these] capabilities mandatory for telecommunications equipment”. As the CDT points out, there is still some question over how these new standards will work in practice. However, there are clear causes for concern.
Firstly, the CDT asserts that the new standards barely acknowledge the privacy implications of deep packet inspection, let alone suggest how the impact could be mitigated:
“The [new standard] holds very little in reserve when it comes to privacy invasion... It’s not entirely clear under what circumstances ISPs might have access to [decryption] keys, but in any event the very notion of decrypting the users’ traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications.”
The CDT is also worried about the fact that these new rules will be mandatory for all telecommunications companies:
“Forcing the world’s technology companies to adopt standards developed in a body that fails to conduct rigorous privacy analysis could have dire global consequences for online trust and users’ rights.”
The new rules also don’t appear to acknowledge, let alone account for, the fact that introducing methods for monitoring also creates security risks:
“The idea that adding [deep packet inspection] to a network creates a potential security risk for users – not just for network operators – is utterly absent... Adding [deep packet inspection] to a network creates a significant new attack vector; thorough threat modelling and mitigation at the standardization phase are more than appropriate – they’re absolutely necessary.”
Finally, the CDT worries that the lack of awareness displayed by the ITU around the basic impacts this standard will have on users just confirms that it is not well-suited to tackling bigger issues like cybersecurity:
“it further highlights the grave problems with trying to address cybersecurity through a closed, centralized body where ultimate authority rests with regulators and where technical experts and advocates cannot even access draft specifications.”
The new rules are still in draft form and therefore not available to the public - we will only get to know the specifics when the final standard is agreed upon. However, the CDT has flagged what appears to be an earlier draft, so we have an idea of what’s coming, and as the CDT shows, it’s not pretty.
These packet sniffing standards just smell off. We need to speak out now to ensure they aren’t used to legitimize surveillance and censorship online.
Support transparency and participation for the ITU negotiations at
Check out the Access and Fight For the Future resource: What to Watch at the ITU