<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Countrywide Iran DPI spy system</title>
	<atom:link href="http://www.p2pnet.net/story/23662/feed" rel="self" type="application/rss+xml" />
	<link>http://www.p2pnet.net/story/23662</link>
	<description>p2pnet.net - reader powered</description>
	<lastBuildDate>Sat, 21 Nov 2009 18:40:56 -0600</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Ben Roome</title>
		<link>http://www.p2pnet.net/story/23662/comment-page-1#comment-977667</link>
		<dc:creator>Ben Roome</dc:creator>
		<pubDate>Wed, 01 Jul 2009 13:07:24 +0000</pubDate>
		<guid isPermaLink="false">http://www.p2pnet.net/?p=23662#comment-977667</guid>
		<description>Christopher - hopefully you&#039;ll have seen that we &quot;fessed up&quot; to what we sold even before your comment.  We provide no IP technology in Iran. 

http://blogs.nokiasiemensnetworks.com/news</description>
		<content:encoded><![CDATA[<p>Christopher &#8211; hopefully you&#8217;ll have seen that we &#8220;fessed up&#8221; to what we sold even before your comment.  We provide no IP technology in Iran. </p>
<p><a href="http://blogs.nokiasiemensnetworks.com/news" rel="nofollow">http://blogs.nokiasiemensnetworks.com/news</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Christopher Parsons</title>
		<link>http://www.p2pnet.net/story/23662/comment-page-1#comment-976884</link>
		<dc:creator>Christopher Parsons</dc:creator>
		<pubDate>Tue, 23 Jun 2009 00:30:51 +0000</pubDate>
		<guid isPermaLink="false">http://www.p2pnet.net/?p=23662#comment-976884</guid>
		<description>Hi Bar,

I&#039;ll begin with the depressing: total anonymization of data traffic is incredibly challenging if you&#039;re up against a dedicated and well-prepared foe. Fortunately, you&#039;re up against a government, which suggests that there will almost certainly be gaps, holes, and errors in any content analysis system that you can use to your advantage. I don&#039;t know what DPI appliances have been sold to Iran (it&#039;s typically a challenge to get this sort of information from companies, even here in Canada), but there are typical modes of &#039;resisting&#039; full content analysis.

(1) Encrypt your data traffic using a TOR node, or something similar. Alternately, use https://proximize.me/ or some other proxy service that also encrypts traffic and you can browse with SSL encryption. DPI cannot penetrate packets that are encrypted - the content is secure when it passes through the devices. The devices *will* still be able to look at header information, but because you would be using a proxy service it would not offer accurate destination/origin information to the device.
(2) Wherever possible, use communications systems that are designed to obfuscate what they are; examples of VoIP would be Skype, which attempts to &#039;fake out&#039; heuristic analyses of data traffic. At the same time, I don&#039;t know whether DPI engineers have caught up to the most recent ways that Skype initiates a call, which can indicate the program that is being used.

The challenge that you get into is that, should DPI be deployed effectively, even when it cannot identify the content of the message it can identify what application-type is likely in use (e.g. a web browser, P2P, etc). If you use a series of proxies, however, you will obfuscate the origin of packets (i.e. your location) as well as the destination that you are going to (e.g. hotmail.com, facebook, twitter, etc); this can limit your exposure to particularly obtrusive government surveillance and its effects.

Now, having written this, I truly wonder just how accurate the story from the WSJ is on the technical capabilities of the DPI devices that are deployed. I would agree with Roome, who is referenced in the WSJ article, that when you sell digital networking equipment you are also selling items that can easily be used for interception - you don&#039;t need DPI appliances to do this, given that a large amount of network equipment can be configured to &#039;dump&#039; data flows to secondary storage for subsequent analysis (and this is far more sensible - capture tons of data now, and then scan it, and then derive rules from it that can be applied to subscriber connections). Now, to totally pull together packet flows, examine them for content, and then send them on their merry way to the destination in real time seems a bit of a stretch. Sure, it is possible for this to be done, but it would be a truly massive undertaking. More likely what is happening is something like this:

The DPI device looks at the first 5-100 packets in a packet stream. These packets are then evaluated against a rule list - are the packets going somewhere that is impermissible? is an application being used that we are disallowing? - and then allowed to continue to their destination or not depending on what the rule set dictates. In the case of images/movies/songs it is possible, in the case of some devices, to quickly look at the first packets of a .mov, .jpeg, etc file and correlate that particular file with a particular digital &#039;fingerprint&#039;. That fingerprint can then be examined against all disallowed files and, if a match is found, the packet stream terminated. This method of analyzing content is not perfect, though it does have high degrees of accuracy in most cases. This is what copyright-oriented devices presently do.

In essence, I worry that the WSJ is claiming that DPI is being more effective than it is in reality, much like we hear claims that CCTV is more effective than studies show. This isn&#039;t discounting that DPI *could, potentially, in an ideal world* do what the WSJ is suggesting, but networking environments, where you&#039;re trying to regulate gigabytes of traffic each second, are hardly these ideal environments for mass surveillance using DPI appliances. Hopefully the pressure gets Nokia-Siemens to fess up about what they sold, but I&#039;m not holding my breath...</description>
		<content:encoded><![CDATA[<p>Hi Bar,</p>
<p>I&#8217;ll begin with the depressing: total anonymization of data traffic is incredibly challenging if you&#8217;re up against a dedicated and well-prepared foe. Fortunately, you&#8217;re up against a government, which suggests that there will almost certainly be gaps, holes, and errors in any content analysis system that you can use to your advantage. I don&#8217;t know what DPI appliances have been sold to Iran (it&#8217;s typically a challenge to get this sort of information from companies, even here in Canada), but there are typical modes of &#8216;resisting&#8217; full content analysis.</p>
<p>(1) Encrypt your data traffic using a TOR node, or something similar. Alternately, use <a href="https://proximize.me/" rel="nofollow">https://proximize.me/</a> or some other proxy service that also encrypts traffic and you can browse with SSL encryption. DPI cannot penetrate packets that are encrypted &#8211; the content is secure when it passes through the devices. The devices *will* still be able to look at header information, but because you would be using a proxy service it would not offer accurate destination/origin information to the device.<br />
(2) Wherever possible, use communications systems that are designed to obfuscate what they are; examples of VoIP would be Skype, which attempts to &#8216;fake out&#8217; heuristic analyses of data traffic. At the same time, I don&#8217;t know whether DPI engineers have caught up to the most recent ways that Skype initiates a call, which can indicate the program that is being used.</p>
<p>The challenge that you get into is that, should DPI be deployed effectively, even when it cannot identify the content of the message it can identify what application-type is likely in use (e.g. a web browser, P2P, etc). If you use a series of proxies, however, you will obfuscate the origin of packets (i.e. your location) as well as the destination that you are going to (e.g. hotmail.com, facebook, twitter, etc); this can limit your exposure to particularly obtrusive government surveillance and its effects.</p>
<p>Now, having written this, I truly wonder just how accurate the story from the WSJ is on the technical capabilities of the DPI devices that are deployed. I would agree with Roome, who is referenced in the WSJ article, that when you sell digital networking equipment you are also selling items that can easily be used for interception &#8211; you don&#8217;t need DPI appliances to do this, given that a large amount of network equipment can be configured to &#8216;dump&#8217; data flows to secondary storage for subsequent analysis (and this is far more sensible &#8211; capture tons of data now, and then scan it, and then derive rules from it that can be applied to subscriber connections). Now, to totally pull together packet flows, examine them for content, and then send them on their merry way to the destination in real time seems a bit of a stretch. Sure, it is possible for this to be done, but it would be a truly massive undertaking. More likely what is happening is something like this:</p>
<p>The DPI device looks at the first 5-100 packets in a packet stream. These packets are then evaluated against a rule list &#8211; are the packets going somewhere that is impermissible? is an application being used that we are disallowing? &#8211; and then allowed to continue to their destination or not depending on what the rule set dictates. In the case of images/movies/songs it is possible, in the case of some devices, to quickly look at the first packets of a .mov, .jpeg, etc file and correlate that particular file with a particular digital &#8216;fingerprint&#8217;. That fingerprint can then be examined against all disallowed files and, if a match is found, the packet stream terminated. This method of analyzing content is not perfect, though it does have high degrees of accuracy in most cases. This is what copyright-oriented devices presently do.</p>
<p>In essence, I worry that the WSJ is claiming that DPI is being more effective than it is in reality, much like we hear claims that CCTV is more effective than studies show. This isn&#8217;t discounting that DPI *could, potentially, in an ideal world* do what the WSJ is suggesting, but networking environments, where you&#8217;re trying to regulate gigabytes of traffic each second, are hardly these ideal environments for mass surveillance using DPI appliances. Hopefully the pressure gets Nokia-Siemens to fess up about what they sold, but I&#8217;m not holding my breath&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jon</title>
		<link>http://www.p2pnet.net/story/23662/comment-page-1#comment-976881</link>
		<dc:creator>Jon</dc:creator>
		<pubDate>Mon, 22 Jun 2009 23:49:21 +0000</pubDate>
		<guid isPermaLink="false">http://www.p2pnet.net/?p=23662#comment-976881</guid>
		<description>@ bar:

The WSJ says, &quot;with the assistance of European telecommunications companies, one of the world’s most sophisticated mechanisms for controlling and censoring the Internet, allowing it to examine the content of individual online communications on a massive scale&quot;. 

But I wonder how &quot;massive&quot; that really is.

Cheers!</description>
		<content:encoded><![CDATA[<p>@ bar:</p>
<p>The WSJ says, &#8220;with the assistance of European telecommunications companies, one of the world’s most sophisticated mechanisms for controlling and censoring the Internet, allowing it to examine the content of individual online communications on a massive scale&#8221;. </p>
<p>But I wonder how &#8220;massive&#8221; that really is.</p>
<p>Cheers!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: bar</title>
		<link>http://www.p2pnet.net/story/23662/comment-page-1#comment-976880</link>
		<dc:creator>bar</dc:creator>
		<pubDate>Mon, 22 Jun 2009 23:27:13 +0000</pubDate>
		<guid isPermaLink="false">http://www.p2pnet.net/?p=23662#comment-976880</guid>
		<description>I am from Iran, inside Iran, anyone tell me how to secure my privacy, surfing the web, pls</description>
		<content:encoded><![CDATA[<p>I am from Iran, inside Iran, anyone tell me how to secure my privacy, surfing the web, pls</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Robert</title>
		<link>http://www.p2pnet.net/story/23662/comment-page-1#comment-976835</link>
		<dc:creator>Robert</dc:creator>
		<pubDate>Mon, 22 Jun 2009 15:37:00 +0000</pubDate>
		<guid isPermaLink="false">http://www.p2pnet.net/?p=23662#comment-976835</guid>
		<description>@JD if you encrypt the DNS and IP address, will it still be routed properly?

Even if they know the IP and DNS, if the content of the packets (such as IM&#039;s or eMail packet content) is encrypted, they can&#039;t read what data is being sent, it could be &quot;Hi mom, happy birthday&quot; or &quot;They are shooting into the crowds&quot; and it won&#039;t be known to the DPI people.

Is this not correct?</description>
		<content:encoded><![CDATA[<p>@JD if you encrypt the DNS and IP address, will it still be routed properly?</p>
<p>Even if they know the IP and DNS, if the content of the packets (such as IM&#8217;s or eMail packet content) is encrypted, they can&#8217;t read what data is being sent, it could be &#8220;Hi mom, happy birthday&#8221; or &#8220;They are shooting into the crowds&#8221; and it won&#8217;t be known to the DPI people.</p>
<p>Is this not correct?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: J D</title>
		<link>http://www.p2pnet.net/story/23662/comment-page-1#comment-976827</link>
		<dc:creator>J D</dc:creator>
		<pubDate>Mon, 22 Jun 2009 15:05:37 +0000</pubDate>
		<guid isPermaLink="false">http://www.p2pnet.net/?p=23662#comment-976827</guid>
		<description>@Robert

DPI can read everything; it is only completely useless if all the data is encrypted, including DNS &amp; the IP address!</description>
		<content:encoded><![CDATA[<p>@Robert</p>
<p>DPI can read everything; it is only completely useless if all the data is encrypted, including DNS &amp; the IP address!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Robert</title>
		<link>http://www.p2pnet.net/story/23662/comment-page-1#comment-976813</link>
		<dc:creator>Robert</dc:creator>
		<pubDate>Mon, 22 Jun 2009 12:30:15 +0000</pubDate>
		<guid isPermaLink="false">http://www.p2pnet.net/?p=23662#comment-976813</guid>
		<description>It&#039;s time for the Iranian people to discover 128/256-bit encryption.  DPI can only tell packet header info, which is useless if the data is fully encrypted.

Surfer, please correct me if I am wrong.</description>
		<content:encoded><![CDATA[<p>It&#8217;s time for the Iranian people to discover 128/256-bit encryption.  DPI can only tell packet header info, which is useless if the data is fully encrypted.</p>
<p>Surfer, please correct me if I am wrong.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
