Beyond Fear and Deep Packet Inspection

Over the past few days I’ve been able to attend to non-essential reading, which has given me the opportunity to start chewing through Bruce Schneier’s Beyond Fear. The book, in general, is an effort on Bruce’s part to get people thinking critically about security measures. It’s incredibly accessible and easy to read – I’d highly recommend it.

Early on in the text, Schneier provides a set of questions that ought to be asked before deploying a security system. I want to very briefly think through those questions as they relate to Deep Packet Inspection (DPI) in Canada, in order to begin narrowing down a security-derived understanding of the technology in this country. My hope is that, by critically engaging with this technology, a model for capturing concerns and worries can start to emerge.

Question 1: What assets are you trying to protect?

  • Network infrastructure from being overwhelmed by data traffic.

Question 2: What are the risks to these assets?

  • Synchronous bandwidth-heavy applications running 24/7 that generate congestion and thus broadly degrade consumer experiences.

Question 3: How well does security mitigate those risks?

  • Variably effective. To date, only Internet Evolution has published public apples-to-apples comparisons of DPI appliances, and their reports show that DPI manufacturers are getting better and better at identifying and throttling/blocking particular applications/protocols. That said, DPI evasion techniques are increasingly sophisticated: various proxies are used to anonymize traffic, more advanced encryption systems are being deployed, and so forth. Moreover, where the problem is to stop bandwidth-intensive uses from generating congestion, targeted throttling can miss emerging traffic types (e.g. uploads of large HD-quality video to YouTube) and over-throttle some traffic on the basis of abnormal evaluation standards (e.g. Bell claiming that throttling all P2P, regardless of congestion status, for almost half a day is ‘fair’).

Question 4: What other risks does the security solution cause?

  • Diffie and Landau have noted that the core danger with DPI-like appliances sitting in the major networking hubs is that a new point of vulnerability is introduced into the networking environment. There is also the risk that non-attacking applications and protocols are mistakenly identified, which generates an active failure. Importantly, Bruce recognizes that, given the range of powers accorded to law enforcement, they themselves must be regarded as ‘attackers’ when it comes to telecom services. As a result, what risks of overzealous policing emerge as these devices are introduced into networking topologies?

Question 5: What costs and trade-offs does the security solution impose?

  • I’ll first address costs and trade-offs from a citizen’s point of view. The key ‘cost’ is that data traffic is subject to increasing degrees of surveillance and classification, with the potential for such surveillance to be used to develop secretive consumer profiles, to monitor for particular data being sent (e.g. copyrighted files, child porn images, etc.), and to broadly subject Canadians to widespread surveillance. This has the effect of continuing the shift from the welfare/constitutional nation-state to a risk society. In a recent discussion with an intelligence officer over law enforcement uses of DPI, it hadn’t ever occurred to this person that Canadians would object to this kind of algorithmic surveillance on privacy or constitutional grounds (though they recognized this as a real issue when I raised it, and didn’t just brush it off).
  • DPI appliances, because many of them can be reconfigured, have incredibly broad capabilities and are comparatively inexpensive relative to massively upgrading bandwidth capacity towards the last mile. Financial costs are thus acceptable to many ISPs, though the negative PR attention may be a medium-serious cost in some cases (e.g. where ISPs have adopted DPI for behavioral advertising purposes).
  • Because of the configurability of these devices, the initial set of assets that the DPI appliances are meant to secure can grow – is copyright, rather than bandwidth-intensive P2P sessions, really the asset to be protected (perhaps record industries could ‘buy in’ to a DPI-as-service model)? Will law enforcement demands identify new assets? Will certain modes of communication be seen as needing protection (e.g. VoIP, video on demand, etc.) at the ‘cost’ of non-asset communication types?

A real worry that is regularly brought out by public advocates is that the vendors and the ISPs themselves are notoriously closemouthed about very real questions such as:

  1. How doesn’t the system work?
  2. How does it react when it fails?
  3. How can it be made to fail?

While it might appear counter-intuitive to release this information, because it would reveal security deficiencies, transparent security has been proven to work in complicated OS and security environments (see Linux and the Apache web server as just two good examples). Detailed technical information isn’t necessarily required, but given that private companies are now, in effect, providing a public service by maintaining the dominant public communications systems, it is imperative that the public be shown that these companies are thinking about the issues surrounding these technologies. Encouraging public analysis and input can lead to collaborative processes that secure communications infrastructure in fair and just ways, whereas by closing these processes to the public, vendors and corporations risk public fear and outrage. As a motivator for the private sector, this fear and rage (when successfully amplified by public rights advocates) can lead to legislation and policy being imposed on ISPs and vendors. To mitigate or avoid this, transparency should be encouraged, and whenever the public recognizes genuine efforts at transparency it should congratulate those efforts.