U.N. Telecom Standardization Body Approves 'Deep Packet Inspection' That Could Be 'Extremely Privacy-Invasive

(Image: Shutterstock.com)

Although proposed international Internet regulations -- and some groups' opposition to it --  might be gaining the most attention as the U.N.'s International Telecommunications Union (ITU) world conference currently underway, the ITU's standardization body is being called out for developing and approving an international standard that could to spying on private communications.

News of the standard -- "Requirements for Deep Packet Inspection in Next Generation Networks" -- slowly began circulating in November but has been picking up steam since. Last week, the Center for Democracy and Technology wrote on its blog that the standard has the "potential to be extremely privacy-invasive, to defy user expectations, and to facilitate wiretapping."

PC World's Alex Wawro wrote earlier this year about what "deep packet inspection" is and how it works. Basically, it is when an Internet Service Provider uses software to scan data packets -- how all the information you send and receive online is packaged -- choosing to block or correctly route them. Wawro writes this is sometimes to your benefit, like when it blocks spam it identifies as virus or illegal downloads.

"But deep packet inspection has a dark side, and in the absence of strict legal restrictions, your ISP is free to root through all the information you exchange online and use it as they see fit," Wawro wrote.

The deep packet inspection standard approved at the World Telecommunication Standardization Assembly in November ahead of the World Conference on International Telecommunications supports inspecting encrypted traffic. CDT calls this "antithetical to most norms, policies and laws concerning privacy of communications." Boing Boing explained further:

Other standards bodies have shied away from standardizing surveillance technology, but the ITU just dived in with both feet, and proposed a standard that includes not only garden-variety spying, but also spying "in case of a local availability of the used encryption key(s)" -- a situation that includes the kind of spying Iran's government is suspected of engaging in, when an Iranian hacker stole signing keys from the Dutch certificate authority DigiNotar, allowing for silent interception of Facebook and Gmail traffic by Iranian dissidents.

Where things become "a real cause for concern," as CTD put it, is that some proposals in the World Conference on International Telecommunications would make recommendations made by the ITU mandatory.

This standard was created without participants deciding how DPI systems will work. CDT stated that it's unclear whether companies adopting the recommendation will build new DPI equipment to meet the standard. It also notes that the standard "barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated."

This, TechDirt's Glyn Moody wrote, shows an "apparent indifference to the wider implications of its work [and] is yet another reason why the ITU is unfit to determine any aspect of something with as much power to affect people's lives as the Internet.

Featured image via Shutterstock.com.