ITU Adopts Controversial Packet Inspection Measures

surveillance cyber crime, cyber intelligence

ITU has adopted controversial international standards for deep packet inspection

The International Telecommunications Union (ITU), the UN’s telecommunications standards body, has approved a standard for deep packet inspection (DPI) that has drawn criticism for civil liberties groups, which argue it will encourage surveillance as well as more commercially oriented uses such as service differentiation.

DPI is a form of network packet filtering that examines packets and determines whether they should be allowed to pass or should be routed to another destination, based on criteria such as the contents of the content of the packet’s data or its header.

Surveillance and censorship

The technology is used in firewalls and antivirus products, as well as for load balancing and, as critics have noted, is also used by governments, including the US, UK and others in Europe, the Middle East and Asia, for purposes such as censorship and surveillance.

The approval of the standard, known as Recommendation ITU-T Y.2770, Requirements for Deep Packet Inspection in Next Generation Networks, will allow DPI to be developed in a more coordinated and standardised way for use in future networks, ITU said.

“ISPs have in the past used ‘over-provisioning’ of bandwidth to meet the requirements of network applications,” said ITU spokesman Toby Johnson in a blog post announcing the move. “However, as new high-bandwidth Internet applications emerge, over-provisioning has been detrimental to sustainable network evolution. DPI thus presents a fine-grained, long-term traffic management solution to aid ISPs in contending with volumes of traffic rising at an exponential rate.”

He noted that DPI plays an important role in a number of the intelligent traffic management architectures currently under development by standards bodies such as 3GPP, IETF, ETSI and ITU for the more efficient handling of data, meaning the standardisation of the technology helps push those development efforts forward.

Privacy measures

ITU has maintained that issues related to the regulation of how technologies are used do not fall under its remit, being controlled by the regulatory bodies of member countries. However, Johnson said the standard does include a specific requirement that implementers “comply with all applicable national and regional laws, regulations and policies”, as well as allowing measures to ensure secrecy.

The standard was developed at the World Telecommunication Standardisation Assembly (WTSA) meeting held in Dubai in November and adopted during the ITU-coordinated World Conference on International Telecommunications 2012 (WCIT-12), also in Dubai, last week. It will be made available on ITU’s website, according to Johnson.

The US-based Centre for Democracy and Technology (CDT) argued that ITU could have taken a more active approach toward specifying how DPI should be used, for instance specifying how privacy threats could be mitigated, rather than simply coordinating a technical standard based on existing technology.

“The ITU-T standard barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated,” said the CDT’s Alissa Cooper and Emma Llansó in an analysis.

The group also criticised ITU for including only “very generic” security specifications.

“In general, the security requirements appear to be very generic, specifying what information needs to be protected without specifying the standards to be used for authentication, confidentiality, or integrity protection,” Cooper and Llansó wrote.

Controversy

WCIT attendees have until this Friday, 14 December, to decide on what proposals will be accepted. Over 900 proposals have been put forward so far.

The conference has attracted plenty of negative press, as major organisations like the European Union and Google have launched campaigns raising concern over increased government control over the Web.

Last week, reports claimed the ITU website had come under attack, with more hits planned in the coming days. Hacktivist collective Anonymous has been vocal about its qualms with the meeting.

Do you know all about public sector IT – the triumph and the tragedy? Take our quiz!