Thursday, 7 July 2011

A Time to Spy, A Time to Pry

Top ISPs agree to become copyright cops

This is a frightening development with serious long-term implications for Internet users. At first glance, it does make sense for ISPs to monitor for "copyright" content and to alert for violations. But...

With technology, what is assumed to be happening and what actually has to take place are two different kettles of fish. Just monitor for copyright materials and alert on that, right?

Well no. As powerful as computers are, they are not omniscient. They don't "know" what is legit and what is not. So we must ask, "How will ISPs monitor for copyright material violations?" That, my friends, is the $60 question. If all they do is monitor connections to and like sites, it wouldn't be that big a deal. But this would not be an effective way to monitor for copyright violations.

Since there are multiple ways to distribute data on the Internet, to be truly effective an ISP would have to analyze every single data packet that travels on their network to search for violations. The difference between the two procedures is that the first is akin to a cop (or a random stranger) sitting in a parking lot monitoring who is entering and leaving a grocery store. Creepy, but not illegal. The second method has the cop (or a random stranger) strip-searching every person and searching everything they carry each time they enter and leave the store. Think TSA-type airport security everywhere you go. That's the difference we have to consider.

Well fine, it is only software, it isn't a human actually doing the evaluations, it will all be automated, and they're only looking for specific traffic patterns right? No one is actually reading my data right? Well.....

The trouble with software is that it can trip on false positives. This type of data analysis is not an exact science with simple "if file = this, do that" type logic. Human-type analysis will still be needed to sort out the wheat from the chaff. But worse, once the infrastructure for one type of search is in place, it becomes relatively simple to add on others. If ISPs are monitoring for copyright violations, they might as well look for child porn, terrorist plots, students cheating on exams, spouses cheating on each other, who says unflattering things about politicians, etc. etc.

If you think I exaggerate on those examples, well we're talking about the potential deployment of technology TO CATCH COPYRIGHT VIOLATIONS!!!! That already is in the benign WTF category, and it is potentially the key to the Pandora's box of the wholesale invasion of our privacy.

We may not think of it this way, but ISPs are already using this type of technology, though to protect their customers. This type of data capture and analysis is exactly what your ISP's Virus/Malware and Anti-Spam solutions do. They copy your data streams and analyze them for software or e-mail with malicious intent. The process is the same, technologically speaking, but the intent or purpose behind the technology is completely different.

What is changing is the intent behind analyzing your data. When we shift from protection of customers to analyzing customers' personal behaviour for violations of an arbitrary moral code, then we have stepped over a very fine line with nasty implications.

Data Inspection (or DPI, deep packet inspection) is a tool to be used, wisely or unwisely. Like fire, it can be incredibly helpful (our society wouldn't exist without fire) but it can also be destructive on a horrific scale. I hate to think that the downfall of our privacy on the Internet started because someone lifted a copy of Katy Perry's latest album.


ADHR said...

Isn't it completely pointless, anyway? If one were to use a proxy or VPN (or both), the ISP would be incapable of telling whether the data was violating this moral code or not. Right?

Catelli said...

Proxies are useless for privacy. They only redirect traffic, but they don't hide your requests for data nor do they hide the data itself. file.mp3 will look the same no matter the source it comes through. In the end all of your data still has to go through your ISP to get to you and there isn't any way around that.

VPNs, or rather encryption, is the answer (a VPN is a point-to-point tunnel that encrypts only the traffic between the two points, like from say your home to your work office) but for encryption to work, the source of your download has to support the same protocol as you do. People hosting data have to want to protect you as much as you want to protect yourself. Now you can combine the two and use a proxy and encrypt or set up a VPN to the proxy, but then a lot of data will be going through a single point on the internet, and the ISPs will block the communication.

Encryption makes things a lot harder, but ISPs own the network. That gives them a tremendous advantage. They can use behavioural analysis and man-in-the-middle encryption interception if they really want to. It becomes a war of attrition and who has the deepest pockets wins.

You would think this would be an unlikely scenario, but if every ISP does it because the government makes them and the media companies fund it, trying to maintain privacy will be pretty damned hard.

ADHR said...

Why would the ISPs block the connection to the proxy, though? From what you're saying, all they'd be able to see (if one were to VPN to the proxy) is that I'm connecting to the proxy.

I'm not sure how behavioural analysis or encryption interception would help the ISP figure out if I was doing one of the limited list of activities they decided was forbidden. I can't find anything on a relevant sense of behavioural analysis to help me figure out how that would work; help would be appreciated. :)

On my understanding of man in the middle interception, this would require that the ISP is intercepting every connection I make. They couldn't just pick and choose the "right" ones because I'm using some form of encryption. (And doesn't it assume that the proxy I'm VPN-ing to is incapable of detecting that it's communicating through a middle party?)

I guess this is all technically feasible, but it's legally seriously problematic. An analogy to phones would be one way to make trouble for an ISP that tried this: allowing it would permit the phone company to eavesdrop on every conversation you have.

Furthermore, what ISP would stay in business if it were known they were watching every packet, regardless of its content? It'd certainly open up a nice space for a start-up that wasn't watching everything....

Catelli said...

Your Internet activity leaves a lot of fingerprints, even encrypted traffic. The only part that is encrypted is the data packet, so other information can be gleaned. Also, if you routed all your traffic through a single proxy, that stands out as unusual traffic as 99% of users do not do that. It is a matter of correlating all your activity and what other users are doing to establish baselines and look for the deviations and what they mean based on the information available. Data Mining. (And no, you cannot detect if someone is reading your encrypted traffic, it is a seamless and invisible activity.)

Why would an ISP do all this? Normally they wouldn't, what I am talking about is not cheap, and very much cuts into their bottom line. That should be enough to deter them right there, it may well be the line they are not willing to cross as it affects their profits to do this. (Not even including the negative press aspects.)

But media companies have a disproportionate amount of power, way more than poverty and labour activists. If they leverage that power through coercion of ISPs and ensuring draconian Intellectual Property laws are passed, well I don't know what a "normal" capitalist ISP would do. If the media companies are willing to fund the equipment necessary to trap the evil file sharers, well, who knows how far they'll try to go?

Based on the coverage I have read so far, it appears that the media companies will do the monitoring; the ISPs are only agreeing to act on what the media companies report to them. The evidence gathered through this approach is quite shaky and very questionable. It is a guilty-until-proven-innocent type approach. The fact that ISPs are agreeing to disable paying customers' access to the Internet based on this shaky evidence provided by a third party is not a good sign. It is not a logical (or a moral) step, and since that line has been crossed, I really do not see any impediments (other than cost) to even further invasions of people's privacy.

Catelli said...

I will add that diminishing returns does factor into this. If most users download through unencrypted channels, then big brother will be busy enough, and likely sated enough, to not bother with the sophisticated sharers that fully encrypt their communications.

But that applies the other way too. The more work you have to put into making your downloading private increases your effort, causes slower performance, and will therefore discourage file sharing. Fewer people will be willing to invest that time and effort (and will have the knowledge to do it properly).