The International Telecommunications Union has approved the adoption of a technical standard for deep packet inspection (DPI) technology, arousing concerns about the potential effects of standardizing invasive technology that can be used for censorship and surveillance.
What is DPI?
As described in our blog post on Russia’s new internet bill, information over the internet is sent in packets. Just like letters dropped in the mail, each packet contains a header indicating the destinations. Routing the packet to its destination requires only that the network look at the header of the packet. DPI, however, is more invasive, examining the content of the packet as well. In other words, DPI enables ISPs or other network operators to peek at the letter inside the envelope.
Networks operators can use DPI for innocuous and useful applications such as network security and malware detection. However, ISPs have also used DPI for more invasive applications, such as blocking competitors’ products, bandwidth shaping, and targeted advertising. Additionally, governments have found DPI to be an effective means for both censorship or surveillance. It is known that China, Iran, and Russia currently use DPI; it has been alleged that the United States has also used DPI for warrantless surveillance.
The ITU Standard
The ITU, or International Telecommunications Union, is a United Nations agency whose mission to help coordinate international cooperation in information and communication technology. Whereas the International Telecommunication Regulations is a binding treaty overseen by the ITU, ITU standards and recommendations are non-binding.
The new ITU standard, titled “Requirements for Deep Packet Inspection in Next Generation Networks,” is still under development and has not been officially made public, although a draft version was inadvertently released earlier this month. The standard proposes requirements for DPI capabilities in networks but does not describe how those capabilities are to be implemented.
The existence of a standard for DPI is not inherently harmful; as noted, DPI has applications beyond censorship and surveillance. But the ITU’s development of this particular DPI standard is problematic for several reasons. First, as a political rather than purely technical body, the ITU’s proposal of a standard for DPI may legitimize and facilitate government use of that technology for censorship and surveillance. Germany, for example, argued that the ITU should “not standardize any technical means that would increase the exercise of control over telecommunications content, could be used to empower any censorship of content, or could impede the free flow of information and ideas.” Second, because DPI is highly invasive– not even properly encrypted web traffic is completely secure–a technical standard for DPI ought to be accompanied, at the very least, by a discussion of how to safeguard communications privacy. The ITU’s draft standard, on the other hand, is not at all attentive to DPI’s troubling privacy implications.
The ITU’s non-public development of a DPI standard is alarming given that the ITU is providing a standard for a technology that can and has been used for extensive fine-grained censorship and surveillance. Moreover, it is doing so without any accompanying discussion of how to preserve internet freedom. Perhaps this is unsurprising given how several countries recently tried to use the ITU as a vehicle for increasing filtering and government control of the Internet. Although these proposals were not implemented, it seems that the ITU may still be a vehicle for standardizing censorship through other means.