A United Nations summit has adopted confidential recommendations proposed by China that will help network providers target BitTorrent uploaders, detect trading of copyrighted MP3 files and, critics say, accelerate internet censorship in repressive nations.
(Credit: United Nations)
Approval by the UN's International Telecommunications Union (ITU) came despite objections from Germany, which warned that the organisation must "not standardise any technical means that would increase the exercise of control over telecommunications content, could be used to empower any censorship of content or could impede the free flow of information and ideas."
The ITU adopted the confidential Y.2770 standard for deep packet inspection — only members, not the public, currently have access to the document — last month during a meeting in Dubai. A related ITU meeting in Dubai, which has drawn sharp criticism from the US Government and many internet companies, began this week.
Because Y.2770 is confidential, many details remain opaque. But a document (PDF) posted by a Korean standards body describes how network operators will be able to identify "embedded digital watermarks in MP3 data", discover "copyright protected audio content", find "Jabber messages with Spanish text" or "identify uploading BitTorrent users". Jabber is also known as XMPP, an instant messaging protocol, a technology also used in Google Talk.
In a joint blog post, Alissa Cooper and Emma Llansó from the Center for Democracy and Technology said that the UN agency "barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated".
DPI is, of course, deep packet inspection, a technology that serves many useful purposes, including fending off network attacks, detecting malware and prioritising critical applications over ones that are less time-sensitive. But it's controversial when used for legal and extra-legal government surveillance, and some network operators have edged in this direction for advertising-related purposes as well.
Cooper and Llansó added: "Mandatory standards are a bad idea, even when they are well designed. Forcing the world's technology companies to adopt standards developed in a body that fails to conduct rigorous privacy analysis could have dire global consequences for online trust and users' rights".
Germany had asked a European telecommunications body called CEPT, which includes 48 member nations, to "take a stand" against the ITU's proposal, which was advanced by China's Fiberhome network provider. Germany's concerns about Y.2770, which is formally titled "Requirements for Deep Packet Inspection in Next Generation Networks", appear in a document (MS Word) made available by CEPT.
After discussions, CEPT decided that its member "countries consider that they cannot oppose" Y.2770, according to a report (MS Word) from its October meeting in Istanbul, meaning that no Europe-wide position would be taken against the ITU proposal.
An ITU study group describes its mission as developing recommendations for "requirements, architectures, mechanisms and functionalities" used in deep packet inspection: "This includes study on flexible and effective DPI mechanisms that allow network devices to look at the packet header and payload."
Another controversial section of Y.2770 is that it contemplates having network operators decrypt their customers' internet traffic so that it can be inspected.
A partial early draft (PDF) of Y.2770, called Y.dpireq at the time and was made public in 2009, does not mention encryption, BitTorrent or inspecting the contents of instant message communications.
One reason why deep packet inspection is so controversial is that it has been used by repressive regimes — dozens of which are members of the ITU — to conduct extensive surveillance against their own citizens.
A Wall Street Journal report last year described how Amesys, a unit of French technology firm Bull SA, helped Libya's Muammar Gadhafi spy on his people. Boeing's Narus unit was in talks with Libya about controlling Skype, censoring YouTube and blocking proxy servers, the Journal reported. In August, The New York Times reported that malware, known as FinSpy and sold by a British company called the Gamma Group, could activate computer cameras and microphones, and had been linked to repressive governments, including Turkmenistan, Brunei and Bahrain.
This isn't the first time that an ITU proposal has been criticised for its implication s of internet censorship. In 2008, CNET's US counterpart disclosed that the ITU was quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of internet communications and potentially curbing the ability for users to remain anonymous.
A leaked document showed that the trace-back mechanism was designed to be used by a government that "tries to identify the source of the negative articles" published by an anonymous author.