[LINK] Fwd: [PRIVACY] [apfma] Adoption of Traffic Sniffing Standard Fans WCIT Flames

Sun Dec 9 14:03:02 AEDT 2012

May be of interest to linkers as well, given past 
discussions about ITU involvement with 'regulation' of the internet.
Jan

>https://www.cdt.org/blogs/cdt/2811adoption-traffic-sniffing-standard-fans-wcit-flames
>
>by Alissa Cooper, Emma Llansó
> > November 28, 2012
> >
> > The telecommunications standards arm of the U.N. has quietly endorsed the
> > standardization of technologies that could give governments and companies
> > the ability to sift through all of an Internet user’s traffic  including
> > emails, banking transactions, and voice calls  without adequate privacy
> > safeguards.  The move suggests that some governments hope for a world where
> > even encrypted communications may not be safe from prying eyes.
> >
> > At the core of this development is the adoption of a proposed
> > international standard that outlines requirements for a technology known as
> > "Deep Packet Inspection" (DPI).  As we’ve 
> noted 
> several<http://www.cdt.org/blogs/alissa-cooper/privacy-risks-isps-using-deep-packet-inspection>
> > 
> times<http://www.alissacooper.com/wp-content/uploads/2011/10/DPIchapter.pdf>before, 
> depending on how it is used, DPI has the potential to be extremely
> > privacy-invasive, to defy user expectations, and to facilitate wiretapping.
> >
> > The adoption of this standard, officially known as "Requirements for Deep
> > Packet Inspection in Next Generation 
> Networks," or 
> "Y.2770"<http://www.itu.int/ITU-T/workprog/wp_item.aspx?isn=7082>came 
> to light last week during the World Telecommunication Standardization
> > Assembly (WTSA), an international meeting held every four years in which
> > the standards-setting body of the U.N.'s International Telecommunication
> > Union, known as the ITU-T, charts the course of its work.  Like most ITU
> > working documents, drafts of the standard are locked behind a password wall
> > and not available to the public. While the final standard will eventually
> > be published, the fact that no draft versions are made publicly available
> > at any point in the process illustrates the lack of transparency of the
> > ITU-T in contrast to other leading global 
> standards organizations<http://open-stand.org/>
> > .
> >
> > Although the upcoming WCIT has been garnering all the attention lately,
> > the global telecom confab in Dubai actually began last week at WTSA. The
> > approval of the DPI standard provides new evidence of the dangers of WCIT
> > proposals related to mandatory standards and cybersecurity.
> >
> > *Standard Procedure?*
> >
> > The ITU-T DPI standard represents a fairly typical early step in the
> > process of standardizing a technology: the standards participants first
> > agree on what the technology should do before they decide how the
> > technology should work. As such, the ITU-T DPI standard doesn’t specify
> > exactly how DPI systems should function. But even so, several of the
> > requirements create a real cause for concern, especially in light of WCIT
> > proposals that would make some ITU-T 
> Recommendations 
> mandatory<https://www.cdt.org/blogs/alissa-cooper/2908openstand-underscores-commitment-voluntary-internet-standards-process>,
> > or transfer authority over cybersecurity 
> matters<https://www.cdt.org/blogs/emma-llanso/0609itu-ill-suited-regulate-cybersecurity>to 
> the ITU.
> >
> > The ITU-T DPI standard holds very little in reserve when it comes to
> > privacy invasion. For example, the document optionally requires DPI systems
> > to support inspection of encrypted traffic “in case of a local availability
> > of the used encryption key(s).” It’s not entirely clear under what
> > circumstances ISPs might have access to such keys, but in any event the
> > very notion of decrypting the users’ traffic (quite possibly against their
> > will) is antithetical to most norms, policies, and laws concerning privacy
> > of communications. In discussing IPSec, an end-to-end encryption technology
> > that obscures all traffic content, the document notes that “aspects related
> > to application identification are for further study”  as if some future
> > work may be dedicated to somehow breaking or circumventing IPSec.
> >
> > Several global standards bodies, including 
> the IETF <http://tools.ietf.org/html/draft-iab-privacy-considerations-03>and
> > W3C <http://www.w3.org/standards/webdesign/privacy>, have launched
> > initiatives to incorporate privacy considerations into their work. In fact,
> > the IETF has long had a policy <http://tools.ietf.org/html/rfc2804> of
> > not considering technical requirements for wiretapping in its work, taking
> > the seemingly opposite approach to the ITU-T DPI document, as Germany
> > pointed 
> out<http://www.cept.org/Documents/com-itu/7551/%2812%29115_Comments-on-recommendation-Y2270-Germany>in 
> voicing its opposition to the ITU-T standard earlier this year. The
> > ITU-T standard barely acknowledges that DPI has privacy implications, let
> > alone does it provide a thorough analysis of how the potential privacy
> > threats associated with the technology might be mitigated.
> >
> > These aspects of the ITU-T Recommendation are troubling in light of calls
> > from Russia and a number of Middle Eastern countries to make ITU-T
> > Recommendations mandatory for Internet technology companies and network
> > operators to build into their products. 
> Mandatory standards are a bad 
> idea<https://www.cdt.org/files/pdfs/Importance%20of%20Voluntary%20Technical%20Standards.pdf>even 
> when they are well designed. Forcing the world’s technology companies
> > to adopt standards developed in a body that fails to conduct rigorous
> > privacy analysis could have dire global consequences for online trust and
> > users’ rights.
> >
> > Ironically, although the document contemplates that network operators
> > would decrypt user traffic in order to inspect it, the document’s security
> > considerations specify that information extracted via DPI “is required to
> > be protected,” and that modification, theft, or loss of such information
> > “may make it unusable for the DPI operations.” The idea that adding DPI to
> > a network creates a potential security risk for users  not just for
> > network operators  is utterly absent. In general, the security
> > requirements appear to be very generic, specifying what information needs
> > to be protected without specifying the standards to be used for
> > authentication, confidentiality, or integrity protection. Adding DPI to a
> > network creates a significant new attack vector; thorough threat modelling
> > and mitigation at the standardization phase are more than appropriate 
> > they’re absolutely necessary.
> >
> > WCIT proposals from the Arab States and Africa would seek to create new
> > authority over cybersecurity matters within the ITU, and we’ve previously
> > explained the drawbacks of this 
> approach<https://www.cdt.org/files/pdfs/Cybersecurity_ITU_WCIT_Proposals.pdf>.
> > If the technical work produced by the ITU-T fails to acknowledge basic user
> > interests in network security  and to specify comprehensive, robust
> > mitigations against security threats  it further highlights the grave
> > problems with trying to address cybersecurity through a closed, centralized
> > body where ultimate authority rests with regulators and where technical
> > experts and advocates cannot even access draft specifications.
> >
> > It’s not clear whether companies will build new DPI equipment to meet the
> > ITU-T requirements or what further DPI standards the ITU-T will approve.
> > Regardless, the standard approved at WTSA provides further evidence of why
> > proposals for mandatory standards and new cybersecurity authority should be
> > struck down next week in Dubai.
> >
> >
> > *Update:* While the official draft of the final Recommendation has yet to
> > be posted (check 
> here<http://www.itu.int/en/ITU-T/publications/Pages/latest.aspx>for 
> the latest updates), what appears to be an earlier
> > 
> draft<http://committee.tta.or.kr/include/Download.jsp?filename=choan%2F%5B2012-1357%5DY.2770.pdf>is 
> available on the Korean Telecommunications Technology Association site.
> > (Note that this draft contains dozens of pages of appendices, which we
> > understand may have been cut.)
> >
>____________________

Melbourne, Victoria, Australia
jwhit at janwhitaker.com
blog: http://janwhitaker.com/jansblog/
business: http://www.janwhitaker.com

Our truest response to the irrationality of the 
world is to paint or sing or write, for only in such response do we find truth.
~Madeline L'Engle, writer

_ __________________ _