Wednesday, 9 February 2011

Lies, Damned Lies and Marketing

I may have to drop Chris Parsons off of my Twitter feed... Today he tweeted a link to an article about DPI technology.  Yet again, another misinformed post decrying the evils of Deep Packet Inspection technology and my blood pressure quickly started to rise again.  If I want to maintain my health and sanity I'll have to stop reading these posts; posts which Chris is damned good at finding!

This particular article is written by Art Reisman, Chief Technology Officer of APConnections, which is a manufacturer of network management appliances.  In this article, Art warns of the evils of DPI, and his company's claim is that "APconnections removed all Deep Packet Inspection technology from their NetEqualizer product over 2 years ago." So the implicit claim is that APConnections is less evil than their DPI-using competitors. We'll get to that in a minute.

Quick refresher.  Every network packet has two parts, a header and a data portion.  The header contains the routing information, and the data portion has the actual data to be delivered.  The information in the header is what non-DPI (i.e. "regular") network equipment uses to get the data where it is supposed to go.  DPI network equipment will look at the whole network packet, and take action on what it finds in any part of the packet.

So what does this difference mean?  For network management purposes, you can derive a lot of useful information from the header.  Where the data came from, where it is going, what application type was used, etc.  From this information a network manager can prioritize (or control) how much bandwidth is allocated based on source or destination IP address and also the type of traffic (e-mail, web surfing, P2P, etc.).  Sometimes, though, the header information doesn't tell the whole story and it can be hard to tell one type of traffic from another.  So a DPI appliance looks at the data portion and, based on algorithms and signatures, can more finely tune those controls.  This is a very important point: you do not need DPI to control network traffic, it just allows for more accurate matching of rules to data types.
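To make the header-versus-payload distinction concrete, here is an added example (not from the original post or from any vendor's product) that builds a constructed IPv4/TCP packet, splits it into header fields and data portion, and classifies it two ways: header-only (ports and addresses) and DPI (payload signatures). The port table and signature list are assumptions chosen for illustration.

```python
import struct

def build_packet(src, dst, sport, dport, payload):
    """Constructed sample: minimal IPv4 + TCP headers (checksums left zero) + payload."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    # data offset 5 (20 bytes), flags PSH|ACK, window 8192
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp + payload

def parse(packet):
    """Split a raw packet into header-derived fields and the data portion."""
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    hdr = {
        "proto": packet[9],
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
    }
    hdr["sport"], hdr["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4    # TCP header length in bytes
    return hdr, packet[ihl + data_off:]

# Assumed rule tables for the demonstration.
HEADER_RULES = {80: "web", 443: "web", 25: "email", 6881: "p2p"}
PAYLOAD_SIGS = [(b"\x13BitTorrent protocol", "p2p"),
                (b"GET ", "web"), (b"EHLO ", "email")]

def classify_header_only(hdr):
    """'Regular' equipment: decide from addresses/ports alone.
    Cheap and enough for rate shaping, but fooled by non-standard ports."""
    return HEADER_RULES.get(hdr["dport"], "unknown")

def classify_dpi(hdr, payload):
    """DPI: check payload signatures first, fall back to the header rule."""
    for sig, label in PAYLOAD_SIGS:
        if payload.startswith(sig):
            return label
    return classify_header_only(hdr)

if __name__ == "__main__":
    # BitTorrent handshake deliberately sent to port 80: header-only says "web".
    pkt = build_packet("10.0.0.5", "192.0.2.10", 51000, 80,
                       b"\x13BitTorrent protocol" + b"\x00" * 8)
    hdr, payload = parse(pkt)
    print(classify_header_only(hdr), classify_dpi(hdr, payload))
```

Both classifiers can drive the same shaping rule; DPI only changes how confidently the traffic is labelled.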

So let's move on to demolishing Art's claims:
Art claims that Internet Providers use DPI technology to allow Targeted Advertising, Reducing "unwanted" traffic or Offensive Material, and Government Spying.

You do not need DPI technology to do targeted advertising.  Without inspecting the data packet an ISP can determine if you spend a lot of time at children's clothes websites, just by inspecting the IP addresses of the sites you go to.  That information is all in the header.  Again, DPI may allow for more accurate analysis, but an ISP is not helpless without it.  So an ISP can serve up ads from clothing suppliers every time you connect to the Internet.  But it isn't evil DPI provided advertising!

You also do not need DPI technology to reduce "unwanted" traffic.  DPI technology allows for more accurate classification of unwanted traffic.  If you subscribe to the "if you are going to do something, do it right the first time!" line of thinking, DPI technology can improve the classifications, reducing the instances when "wanted" traffic is classified as "unwanted" traffic.  ISPs are going to control your traffic; we can outlaw DPI technology, but it will not stop them from controlling traffic.  Case in point: APConnections NetEqualizer products do not use DPI, but they are sold as network management appliances that can filter unwanted Peer to Peer file sharing programs.  Less evil network shaping!  Because it is not DPI!  Do you feel better now?

DPI can also be used for government spying!!!! Actually that is mostly bullshit. You do not spy using DPI technology, you spy by capturing entire data streams and analyzing them later with software. In other words, wiretapping. And the United States passed a law, the Communications Assistance for Law Enforcement Act, which requires ISPs to provide real-time access to consumer internet traffic. And look, NetEqualizers are CALEA compliant! So with a NetEqualizer, you can do non-evil, non-DPI wiretapping!

I should really thank Art for his post.  By trying to whip up hysteria over DPI (and gain sales for his company as the not evil option) he proves 100% that you do not need DPI to rate shape traffic, block content and wiretap your data.

The lesson once again is, it is not the technology that is evil, it is how you use it.


Christopher Parsons said...

Hehe - I'm good at causing boiling blood these days!

A few points:

(1) DPI is associated with modifying data packets in real time for advertising purposes, so that what would normally be seen as third-party cookies (if the 'rules' were followed) masquerade as first-party cookies. This is not a minor point. Possible with other technologies? Sure. Intentionally designed into varying DPI appliances? Yes. You can track in a lot of ways, but forcing 1st party cookies on traffic going through an ISP gateway is particularly egregious. It's questionably legal, and certainly a gross practice for an ISP to be involved with.

(2) Traffic analysis/shaping/blocking. Of course, we both know that tons of software that is on the market today enables this, as does 'non-DPI' equipment. This said, various regimes around the world are actively deploying DPI (or DPI-like) equipment to massively mediate the communications of citizens in a manner otherwise unmanageable.

(3) Government spying. The NSA is widely believed to be in bed with Narus equipment, and other governments are actively engaging in mass levels of surveillance of the population. Key is that CALEA compliant doesn't mean monitoring the entire subscriber base associated with a node of a network (well, I guess it does, but the legislation is intended for more targeted analysis...) whereas DPI is being sold by vendors as capable of simultaneously monitoring and taking action on packet flows of a massive number of clients simultaneously; this is one of the advantages of their equipment over earlier CALEA compliant equipment. I would also note that, in relation to mass surveillance, the LSE recently put out a report discussing the UK government's intention to use DPI for mass surveillance and analysis of UK data traffic for lawful access/retention/likely perpetual surveillance, given it's the UK...

Now: I'm not trying to suggest that DPI is necessarily an evil technology. We've spoken enough that we both know this. DPI is, however, highly fungible, insofar as it potentially enables new or updated approaches to identifying and managing data traffic, especially when it's integrated with related policy and subscription servers. The actions taken on data traffic, when tied to human bodies, can be significant depending on the jurisdiction in which the analysis is taking place. Key is while the technology can have an impact on society (by enabling a degree of previously unavailable fungibility), society has a responsive/prior mediation of the technology itself, identifying acceptable and unacceptable uses, legal and normative constraints, and so forth. This said: a *massive* amount of the technology was designed in the West, with engineers and technicians operating under the assumption/background notion that Western norms were going to be applied to how the system was going to be implemented. Most engineers that I've spoken with that design the technology are less inclined to think of the political applications of the appliances than the technical challenges that are being faced. I am, of course, willing to grant that talking to a few isn't the equivalent of performing a quantitative study of engineers working on DPI and DPI-related projects, so just read that as an anecdote!

Christopher Parsons said...

That there are parties who are concerned with the applications of the technology, both within and beyond the borders of the West, seems patently reasonable. I think that it's equally reasonable to be concerned about the sale of particular kinds of weapons, potentially harmful natural resources, and so forth. These are issues that *should* be publicly discussed, rather than suppressed based on the stances of epistemic experts who may (and often do...) disagree about important nuances. Similarly, it doesn't seem unreasonable to talk about a particularly fungible technology, whilst also being critical of less fungible/more unidirectional systems of packet control and network monitoring and monetization (i.e. I can be pissed about DPI being used to [effectively] forge 1st party cookies while also being bothered by how Google tracks me around the web).

All this said: your point about the particular financial investments of Art is extremely well taken, and important. Also: DPI isn't a demon, isn't inherently evil. This said, it's also not inherently neutral; it's a product of a particular technological environment, with particular understandings of how things should or ought to function, understandings that can run amok under the wrong/bizarre/unexpected situations. There isn't anything particularly wrong about worrying about those situations, especially when they're not just theoretical but practically evidenced issues in the contemporary sphere of Internet governance at national and international levels.

(sorry for the two comments; Blogger cut me off at a character limit!)

Catelli said...

This is where I am leery of what is being classified as DPI. Inserting "cookies" into a data packet violates the "Inspection" definition of DPI. That is now Packet Modification, a horse of a different colour (hell, species!).

Also sniffing entire data streams by government agencies is either Whole Packet Inspection or Data Stream Inspection depending on how you define these things.

Now if I'm willing to debate what is and isn't DPI, imagine the lengths companies and governments are willing to go to to weasel out of DPI limiting policies or legislation. More on this in a follow up post.