Let me start with this: I am woefully ignorant of Iranian politics, and have no expertise to comment on it. I’ll save my personal thoughts on the matter for private conversations rather than embarrass myself by making bold and ignorant statements here. Instead, I want to briefly note and comment on how the Wall Street Journal (WSJ) is talking about Deep Packet Inspection (DPI) and the data traffic that is flowing in and out of Iran.
The WSJ has recently reported that Iranian network engineers are using DPI to examine, assess, and regulate content entering and exiting Iran. They note that the monitoring capacity was, at least in part, built on infrastructure sold by Nokia-Siemens. The article goes on to say that the traffic analysis had been trialled before, but that this is the first large-scale deployment to capture the attention of the Western public. This is where things start getting interesting.
The article notes that:
The Iranian government had experimented with the equipment for brief periods in recent months, but it had not been used extensively, and therefore its capabilities weren’t fully displayed – until during the recent unrest, the Internet experts interviewed said.
“We didn’t know they could do this much,” said a network engineer in Tehran. “Now we know they have powerful things that allow them to do very complex tracking on the network.”
From a statement about ‘complex tracking’, the article moves on to DPI. At this point, either Iran is using DPI in incredibly complex and sophisticated ways that push the technology to its limits, or the WSJ is blowing smoke. The authors state that, “[e]very digitized packet of online data is deconstructed, examined for keywords and reconstructed within milliseconds. In Iran’s case, this is done for the entire country at a single choke point, according to networking engineers familiar with the country’s system.” Moreover, “Iran is ‘now drilling into what the population is trying to say,’ said Bradley Anstis, director of technical strategy with Marshal8e6 Inc., an Internet security company in Orange, Calif. He and other experts interviewed have examined Internet traffic flows in and out of Iran that show characteristics of content inspection, among other measures.”
I truly wonder just how accurate the WSJ story is about the technical capabilities of the DPI devices that are deployed, and I am also very interested to know what tests were used to establish that DPI is being applied to the traffic. I’m not saying that such tests don’t exist, but I’m not certain what, exactly, you’d be looking for. A network engineer would have a better grasp, but I haven’t found any product that Marshal8e6 offers that would give them particular insight into this. Now, if we were talking about spam or phishing I wouldn’t doubt their competence. I also have to note that the data Marshal8e6 fed to the WSJ isn’t available anywhere on their website that I could find.
Further, I am not convinced that DPI is required to perform the level of surveillance described in the Iranian network environment. A great deal of ordinary networking equipment can be used for interception; you don’t need DPI appliances to intercept and analyze traffic, since much of it can be configured to ‘dump’ data flows to secondary storage for later analysis (which is arguably the more sensible approach: capture a large volume of traffic now, scan it afterwards, and derive rules from it that can then be applied to subscriber connections). Reassembling every flow, examining its content, and forwarding it to its destination in real time, by contrast, seems a stretch. Sure, it is theoretically possible, but it would be a massive undertaking in practice, one that might exceed the capacity of equipment on the market. These practical limitations are exactly what we keep hearing from North American ISPs as a way of allaying privacy worries, and independent network engineers have reaffirmed them. This leaves me doubting that total content analysis is possible, let alone occurring. It is more likely that something like this is happening:
The DPI device looks at the first 5-100 packets of a flow. Those packets are evaluated against a rule list (are the packets going somewhere impermissible? is a disallowed application or application type trying to send them?) and are then allowed to continue to their destination, or not, depending on what the rule set dictates. For images, movies and songs, some DPI devices can look at the first packets of a .mov, .jpeg, etc. file’s flow and correlate that file and flow with a digital ‘fingerprint’. That fingerprint is then checked against the set of disallowed files and, if a match is found, the flow is terminated. This method of analyzing content is not perfect, though it is highly accurate in many cases. It is what copyright-oriented appliances do today, and it can be used to prevent the dissemination of ‘fingerprinted’ pictures, movies, sounds, documents, and so forth.
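The following toy classifier is an added example, not code from the WSJ article or from any vendor, that models the scheme sketched above: only the first few packets of each flow are inspected, they are checked against a destination blocklist, an application-signature list and a fingerprint of the leading bytes of a transferred file, and once the inspection budget is spent the verdict is frozen and later packets pass without being examined. All addresses, signatures, the ‘banned’ JPEG header and the rule sets are constructed for the example; real appliances use far larger signature databases and perceptual fingerprints rather than a plain hash, but the shape of the decision is the same.

```python
"""Toy first-packets DPI classifier (constructed example, not a vendor's code)."""
import hashlib
from dataclasses import dataclass
from typing import Optional

INSPECT_BUDGET = 5     # packets examined per flow before the verdict is frozen
FINGERPRINT_LEN = 16   # only this many leading bytes of a file body are hashed

# Constructed policy; the real rule sets are unknown.
BLOCKED_DESTS = {("203.0.113.10", 443)}
APP_SIGNATURES = {
    b"\x16\x03\x01": "tls",                    # TLS handshake record, version 3.1
    b"GET ": "http",
    b"HTTP/1.": "http",
    b"\x13BitTorrent protocol": "bittorrent",  # BT handshake: length byte 19 + pstr
}
BLOCKED_APPS = {"bittorrent"}


def fingerprint(leading_bytes: bytes) -> str:
    """Hash of the first FINGERPRINT_LEN bytes of a file body."""
    return hashlib.sha256(leading_bytes[:FINGERPRINT_LEN]).hexdigest()


# Constructed "disallowed picture": a JFIF header followed by filler bytes.
BANNED_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01"
               + b"\x00" * 64)
BLOCKED_FINGERPRINTS = {fingerprint(BANNED_JPEG)}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class FlowState:
    seen: int = 0                    # packets inspected so far
    app: Optional[str] = None        # application guessed from a signature
    verdict: Optional[str] = None    # None while the flow is still being inspected
    body: bytes = b""                # accumulated payload for fingerprinting


def file_body(data: bytes, app: Optional[str]) -> bytes:
    """Strip an HTTP header block so the fingerprint covers the file, not the headers."""
    if app == "http" and b"\r\n\r\n" in data:
        return data.split(b"\r\n\r\n", 1)[1]
    return data


class FirstPacketsDPI:
    def __init__(self) -> None:
        self.flows: dict = {}

    def handle(self, pkt: Packet) -> str:
        """Return 'forward', 'allow' or 'drop:<reason>' for one packet."""
        key = (pkt.src, pkt.dst, pkt.dport)
        st = self.flows.setdefault(key, FlowState())
        if st.verdict is not None:
            return st.verdict              # frozen: later packets are not inspected
        st.seen += 1
        # Rule 1: is the destination impermissible?
        if (pkt.dst, pkt.dport) in BLOCKED_DESTS:
            st.verdict = "drop:dest"
            return st.verdict
        # Rule 2: does the first payload match a known application signature?
        if st.app is None:
            for sig, name in APP_SIGNATURES.items():
                if pkt.payload.startswith(sig):
                    st.app = name
                    break
        if st.app in BLOCKED_APPS:
            st.verdict = "drop:app"
            return st.verdict
        # Rule 3: do the leading bytes of the carried file match a banned fingerprint?
        st.body += pkt.payload
        body = file_body(st.body, st.app)
        if len(body) >= FINGERPRINT_LEN and fingerprint(body) in BLOCKED_FINGERPRINTS:
            st.verdict = "drop:fingerprint"
            return st.verdict
        if st.seen >= INSPECT_BUDGET:
            st.verdict = "allow"           # budget spent: the flow is now allowed unconditionally
            return st.verdict
        return "forward"                   # undecided, but the packet is not held back

    def packets_inspected(self, src: str, dst: str, dport: int) -> int:
        return self.flows[(src, dst, dport)].seen


def run(packets) -> list:
    """Classify a list of packets with a fresh device and return the per-packet verdicts."""
    dpi = FirstPacketsDPI()
    return [dpi.handle(p) for p in packets]


if __name__ == "__main__":
    header = Packet("198.51.100.7", "10.0.0.1", 51000,
                    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n")
    print(run([header, Packet("198.51.100.7", "10.0.0.1", 51000, BANNED_JPEG[:20])]))
```

Two properties of the scheme fall out of the code. A banned picture is caught from its first body packet, but the same picture with a single changed leading byte (a re-encode, or an APP1 marker in place of APP0) produces a different hash and sails through, which is why such fingerprinting is ‘not perfect’. And a flow whose first five packets look like ordinary TLS has its verdict frozen at ‘allow’, so a keyword or signature appearing in packet six is never examined; total content analysis of every packet is precisely what this design avoids.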
In essence, I worry that the WSJ is claiming that DPI is more effective at screening communications than it is in reality, much as we hear claims that CCTV is more effective than studies show. This isn’t to deny that DPI could, in an ideal world, do what the WSJ is suggesting, but networks where admins are trying to regulate gigabytes of traffic each second are hardly ideal environments for mass surveillance and content regulation using DPI appliances. Hopefully the pressure gets Nokia-Siemens or other network manufacturers to fess up about what they sold, but I’m not holding my breath.