Wednesday, March 11, 2009

DPI Equals We're Watching Youuuuuuuuuuu...

Let's rewind.  Phorm, the brainchild of British Telecom (BT), examined not the source or the destination of packets sent from a person's PC to a server or back, but the contents of those packets.  To strip the geek-speak from that, imagine you're Googling, oh, I don't know, me.  You send information to Google telling them that you want websites with content that I've created, or content that has my name.  Now, say one of my several other Andrews Pernick (yes, that is how it becomes a plural...), let's say one of my other cousins, say the one who is with the Feds as a photographer, decides he's jealous of my popularity on t3h intertoobs and he wants a quick way to make himself the more popular one.  He could, yes, this is now proven, intercept and inspect all data sent from Google to you and insert ads into the information Google sends back to you.

It's called DPI, or Deep Packet Inspection, and according to Tim Berners-Lee (bow before him you all shall -- he quite literally invented the Internet.  Look it up), DPI is a "bad thing."

"This is very important to me, as what is at stake is the integrity of the internet as a communications medium, [as] clearly we must not interfere with the internet, and we must not snoop on the internet. If we snoop on clicks and data, we can find out a lot more information about people than if we listen to their conversations."
If you are unfortunate enough to live on the other side of the Pond, then there's a chance that this has been, not your future, but your past.  See, BT's 'Phorm' project did this for a couple of months, and that was all two and a half years ago.

Sayeth TBL,

"If [third parties] are using the data for political ends or commercial interest, there we have to draw the line," Berners-Lee said. "There's a gap between running a successful internet service and looking inside data packets."

He's not saying it for the sake of saying it.  In the States, a company called NebuAd prompted a Congressional investigation because NebuAd had not explained that it would be spying on customers' searches and hits.  Its privacy policy was so vague that of the 26,000 broadband customers involved, only 15 were able to decode the legalese well enough to know that they should opt out.  Representative Gene Green (D-TX) called the practice "contemptible," to which Rep. Mike Doyle (D-PA) added, "[it] goes against everything the country's been founded on."

Rep. Bart Stupak (D-MI) wins the "Comment I've Hoped Would Be Law" award for saying, "Why do I have to opt out?  Why should the burden be on the American consumer?"  Opt-outs should be outlawed.  Opt-ins, I'm sure, would produce more, well, everything.  Choice, personal choice, opting in influences markets much more than spam bombs.  Do I really, really need numbers or stats or anything to make that point more?  I can get 'em...

But DPI is scary in a much deeper, fundamental way.  Remember what our good, good friends at TBL's former home, DARPA, gave us (probably, actually definitely, to TBL's dismay)?  TIA?

The Total Information Awareness project at DARPA, now defunct (it doesn't even have its site on the DARPAnet servers.  It's dead, folks.  You can stop PGPing your jokes and gossip email...go back to breaking AES with a 386 because it's 'cool'), was aimed at having a heuristic method to sift through corporate, government, personal, you name it--every email, every everything you do online, it knows.

It's dead.  But another one is possible.  One run by an advertising agency.  How?  DPI.

Yep.  It's out of the military's hands and into those of organizations far more ruthless, Madison Avenue (i.e. the home for every advertising firm worth mentioning).  The systems involved are actually usable for what are called "man-in-the-middle" attacks, which means that every Microsoft Windows Update session you run?  You have no real way of knowing that the updates are genuine, Windows Genuine Advantage be damned.  Someone could just run some DPI between you and your ISP, work out that you're asking Microsoft for some updates, and voila, they install the update, but modified to come with mal- or adware.  Or worse.
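The defence against that tampering scenario is the one the comment at the end of this post points at: the publisher signs the update, and the client verifies the signature against a key it already trusts before installing anything, so a middlebox that rewrites the payload in transit cannot produce a package the client will accept. The following is an added illustration, not code from the original post or from Microsoft; it models the update, the "publisher", the middlebox and the client with a constructed payload and a freshly generated Ed25519 key from Go's standard library (the real Windows Update signing scheme is not what is shown here):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Update is a constructed stand-in for an update package on the wire:
// the payload bytes plus the publisher's signature over those bytes.
type Update struct {
	Payload   []byte
	Signature []byte
}

// Publish is the publisher's side: sign the payload with the private key
// that never leaves the publisher.
func Publish(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// TamperInTransit models a DPI middlebox between client and ISP that can
// read and rewrite the payload (here it appends a constructed adware stub)
// but has no access to the publisher's private key, so it can only forward
// the original signature unchanged.
func TamperInTransit(u Update, injected []byte) Update {
	modified := append(append([]byte{}, u.Payload...), injected...)
	return Update{Payload: modified, Signature: u.Signature}
}

// ClientAccepts is the check the endpoint must perform before installing:
// verify the signature with the publisher key it already trusts.
func ClientAccepts(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Payload, u.Signature)
}

// Demo runs the whole exchange once and reports whether the genuine and the
// tampered package pass the client's check. Expected: genuine true, tampered false.
func Demo() (genuineOK bool, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample payload; a real package would be the patch binary.
	genuine := Publish(priv, []byte("EXAMPLE-UPDATE-0001: patch bytes (constructed)"))
	tampered := TamperInTransit(genuine, []byte("<constructed adware stub>"))
	return ClientAccepts(pub, genuine), ClientAccepts(pub, tampered), nil
}

func main() {
	genuineOK, tamperedOK, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine package accepted:  %v\n", genuineOK)
	fmt.Printf("tampered package accepted: %v\n", tamperedOK)
}
```

The interesting property is in `TamperInTransit`: the middlebox can see and change every byte, which is exactly what DPI buys it, yet `ClientAccepts` still rejects the result because the signature was computed over the original bytes. What the signature does not hide is the fact that an update was requested at all, which is the surveillance point the rest of the post is about.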

Of course, when governments condemn things by not funding them under one administration, it doesn't mean they won't under another.

And when Congress has an investigation into a spyware advertising firm and it shuts down, we all know that ten gazillion pop up, just like their ads, in its wake.

Getting back to Berners-Lee on Deep Packet Inspection, he's got it right about corporate use of DPI for nefarious purposes.

"I want to know if I look up a whole lot of books about some form of cancer that that's not going to get to my insurance company and I'm going to find my insurance premium is going to go up by 5% because they've figured I'm looking at those books,"

he said to the BBC.  He went on to say, of his data,

"It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return."


He's right.  The scary thing is, even after investigation after investigation, companies are actually still debating whether to use opt-in or opt-out!  BT and Virgin are up in the air.

And of course he's right about what we put online in the first place, DPI or no...

"Imagine that everything you are typing is being read by the person you are applying to for your first job. Imagine that it's all going to be seen by your parents and your grandparents and your grandchildren as well."


1 comment:

  1. Windows updates are supposedly digitally signed, so a man-in-the-middle attack shouldn't let you subvert them. That doesn't make the use of DPI any less horrendous, though.
