By Declan McCullagh
A United Nations summit has adopted confidential recommendations proposed by China that will help network providers target BitTorrent uploaders, detect trading of copyrighted MP3 files, and, critics say, accelerate Internet censorship in repressive nations.
Approval by the U.N.’s International Telecommunications Union came despite objections from Germany, which warned the organization must “not standardize any technical means that would increase the exercise of control over telecommunications content, could be used to empower any censorship of content, or could impede the free flow of information and ideas.”
The ITU adopted the confidential Y.2770 standard for deep packet inspection — only members, not the public, currently have access to the document — last month during a meeting in Dubai. A related ITU meeting in Dubai, which has drawn sharp criticism from the U.S. government and many Internet companies, began this week.
Because Y.2770 is confidential, many details remain opaque. But a document (PDF) posted by a Korean standards body describes how network operators will be able to identify “embedded digital watermarks in MP3 data,” discover “copyright protected audio content,” find “Jabber messages with Spanish text,” or “identify uploading BitTorrent users.” Jabber is also known as XMPP, an instant messaging protocol.
In a joint blog post, Alissa Cooper and Emma Llansó from the Center for Democracy and Technology say that the U.N. agency “barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated.”
DPI is, of course, deep packet inspection, a technology that serves many useful purposes, including fending off network attacks, detecting malware, and prioritizing critical applications over ones that are less time-sensitive. But it’s controversial when used for legal and extra-legal government surveillance, and some network operators — including Verizon Wireless — have edged in this direction for advertising-related purposes as well.
Cooper and Llansó add: “Mandatory standards are a bad idea even when they are well designed. Forcing the world’s technology companies to adopt standards developed in a body that fails to conduct rigorous privacy analysis could have dire global consequences for online trust and users’ rights.”
Germany had asked a European telecommunications body called CEPT, which includes 48 member nations, to “take a stand” against the ITU proposal, which was advanced by China’s Fiberhome network provider. Germany’s concerns about Y.2770, which is formally titled “Requirements for Deep Packet Inspection in Next Generation Networks,” appear in a document (MS Word) made available by CEPT.
After discussions, CEPT decided that its member “countries consider that they cannot oppose” Y.2770, according to a report (MS Word) from its October meeting in Istanbul, meaning that no Europe-wide position would be taken against the ITU proposal.
ITU representatives did not immediately respond to requests for comment this morning from CNET (we’ll update the article if they do). But an ITU study group describes its mission as developing recommendations for “requirements, architectures, mechanisms, and functionalities” used in deep packet inspection: “This includes study on flexible and effective DPI mechanisms that allow network devices to look at the packet header and payload.”
Another controversial section of Y.2770 is that it contemplates having network operators decrypt their customers’ Internet traffic so it can be inspected.
A partial early draft (PDF) of Y.2770, called Y.dpireq at the time, that was made public in 2009 does not mention encryption, BitTorrent, or inspecting the contents of instant message communications.
One reason why deep packet inspection is so controversial is that it has been used by repressive regimes — dozens of which are members of the ITU — to conduct extensive surveillance against their own citizens.
A Wall Street Journal report last year described how Amesys, a unit of French technology firm Bull SA, helped Moammar Gadhafi spy on his people. Boeing’s Narus unit was in talks with Libya about controlling Skype, censoring YouTube, and blocking proxy servers, the Journal reported. In August, The New York Times reported that malware known as FinSpy, sold by a British company called the Gamma Group, could activate computer cameras and microphones and had been linked to repressive governments including Turkmenistan, Brunei, and Bahrain.
This isn’t the first time that an ITU proposal has been criticized for its implications for Internet censorship. In 2008, CNET disclosed that the ITU was quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous.
A leaked document showed the trace-back mechanism was designed to be used by a government that “tries to identify the source of the negative articles” published by an anonymous author.