Is Iran DPI censorship story wrong?
p2pnet news view Freedom | P2P:- “I am from Iran, inside Iran, anyone tell me how to secure my privacy, surfing the web, pls,” says bar in a Reader’s Write.
His plea comes in a p2pnet story quoting Rupert Murdoch’s Wall Street Journal as saying the Iranian regime, “has developed, with the assistance of European telecommunications companies, one of the world’s most sophisticated mechanisms for controlling and censoring the Internet, allowing it to examine the content of individual online communications on a massive scale.”
The method? DPI (deep packet inspection or, sometimes, deep privacy invasion). The company? Nokia Siemens Networks, a joint venture of Siemens AG, the German conglomerate, and Nokia.
The impression given is Iran president Mahmoud Ahmadinejad’s government has virtual control of the Internet and is using DPI to watch everything that’s happening online.
That’s what he’d like, certainly, but what’s the reality? Just how massive can the coverage actually be? we wondered. Or, by publishing the shock-horror story, was the WSJ effectively playing into the hands of a repressive regime that would like nothing better than to convince its people nothing they say or do escapes its attention?
Says the WSJ »»»
Interviews with technology experts in Iran and outside the country say Iranian efforts at monitoring Internet information go well beyond blocking access to Web sites or severing Internet connections.
Instead, in confronting the political turmoil that has consumed the country this past week, the Iranian government appears to be engaging in a practice often called deep packet inspection, which enables authorities to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes, according to these experts.
The monitoring capability was provided, at least in part, by a joint venture of Siemens AG, the German conglomerate, and Nokia Corp., the Finnish cellphone company, in the second half of 2008, Ben Roome, a spokesman for the joint venture, confirmed.
The “monitoring center,” installed within the government’s telecom monopoly, was part of a larger contract with Iran that included mobile-phone networking technology, Mr. Roome said.
“If you sell networks, you also, intrinsically, sell the capability to intercept any communication that runs over them,” said Mr. Roome.
But in a press statement, Nokia Siemens Networks says flatly and categorically »»»
Recent media reports have speculated about Nokia Siemens Networks’ role in providing monitoring capability to Iran. Nokia Siemens Networks has provided Lawful Intercept capability solely for the monitoring of local voice calls in Iran. Nokia Siemens Networks has not provided any deep packet inspection, web censorship or Internet filtering capability to Iran.
And yesterday, “I truly wonder just how accurate the story from the WSJ is on the technical capabilities of the DPI devices that are deployed,” said Christopher Parsons, a PhD student in the department of political science at the University of Victoria on Vancouver Island in BC, Canada.
His research interests focus on how privacy (particularly informational privacy, expressive privacy and accessibility privacy) is affected by digitally mediated surveillance, and the normative implications such surveillance has in (and on) contemporary Western political systems.
In his reply to bar, he went on »»»
I’ll begin with the depressing: total anonymization of data traffic is incredibly challenging if you’re up against a dedicated and well-prepared foe. Fortunately, you’re up against a government, which suggests that there will almost certainly be gaps, holes, and errors in any content analysis system that you can use to your advantage. I don’t know what DPI appliances have been sold to Iran (it’s typically a challenge to get this sort of information from companies, even here in Canada), but there are typical modes of ‘resisting’ full content analysis.
(1) Encrypt your data traffic using a TOR node, or something similar. Alternately, use https://proximize.me/ or some other proxy service that also encrypts traffic and you can browse with SSL encryption. DPI cannot penetrate packets that are encrypted – the content is secure when it passes through the devices. The devices *will* still be able to look at header information, but because you would be using a proxy service, those headers would not offer accurate destination/origin information to the device.
(2) Wherever possible, use communications systems that are designed to obfuscate what they are; examples of VoIP would be Skype, which attempts to ‘fake out’ heuristic analyses of data traffic. At the same time, I don’t know whether DPI engineers have caught up to the most recent ways that Skype initiates a call, which can indicate the program that is being used.
The challenge that you get into is that, should DPI be deployed effectively, even when it cannot identify the content of the message it can identify what application-type is likely in use (e.g. a web browser, P2P, etc). If you use a series of proxies, however, you will obfuscate the origin of packets (i.e. your location) as well as the destination that you are going to (e.g. hotmail.com, facebook, twitter, etc); this can limit your exposure to particularly obtrusive government surveillance and its effects.
Now, having written this, I truly wonder just how accurate the story from the WSJ is on the technical capabilities of the DPI devices that are deployed. I would agree with Roome, who is referenced in the WSJ article, that when you sell digital networking equipment you are also selling items that can easily be used for interception – you don’t need DPI appliances to do this, given that a large amount of network equipment can be configured to ‘dump’ data flows to secondary storage for subsequent analysis (and this is far more sensible – capture tons of data now, and then scan it, and then derive rules from it that can be applied to subscriber connections). Now, to totally pull together packet flows, examine them for content, and then send them on their merry way to the destination in real time seems a bit of a stretch. Sure, it is possible for this to be done, but it would be a truly massive undertaking. More likely what is happening is something like this:
The DPI device looks at the first 5-100 packets in a packet stream. These packets are then evaluated against a rule list – are the packets going somewhere that is impermissible? is an application being used that we are disallowing? – and then allowed to continue to their destination or not depending on what the rule set dictates. In the case of images/movies/songs it is possible, in the case of some devices, to quickly look at the first packets of a .mov, .jpeg, etc file and correlate that particular file with a particular digital ‘fingerprint’. That fingerprint can then be examined against all disallowed files and, if a match is found, the packet stream terminated. This method of analyzing content is not perfect, though it does have high degrees of accuracy in most cases. This is what copyright-oriented devices presently do.
In essence, I worry that the WSJ is claiming that DPI is being more effective than it is in reality, much like we hear claims that CCTV is more effective than studies show. This isn’t discounting that DPI *could, potentially, in an ideal world* do what the WSJ is suggesting, but networking environments, where you’re trying to regulate gigabytes of traffic each second, are hardly these ideal environments for mass surveillance using DPI appliances. Hopefully the pressure gets Nokia-Siemens to fess up about what they sold, but I’m not holding my breath…
‘I truly wonder …’
On his Technology, Thoughts, and Trinkets blog, Christopher writes that the WSJ has recently disclosed, “Iranian network engineers are using DPI to examine, assess, and regulate content that is entering and exiting Iran,” and continues »»»
They note that the monitoring capacity was, at least in part, facilitated by infrastructure that was sold by Nokia-Siemens. The article proceeds, stating that traffic analysis processes have been experimented with before, though this is the first major deployment of these processes that has captured the attention of the world/Western public. This is where things start getting interesting.
The article notes that:
The Iranian government had experimented with the equipment for brief periods in recent months, but it had not been used extensively, and therefore its capabilities weren’t fully displayed – until during the recent unrest, the Internet experts interviewed said.
“We didn’t know they could do this much,” said a network engineer in Tehran. “Now we know they have powerful things that allow them to do very complex tracking on the network.”
From a statement of ‘complex tracking’, we get to a talk about DPI. It’s at this point that we can say that Iran is either using DPI in incredibly complex and sophisticated ways that push the technology to its limits, or the WSJ is blowing smoke. The authors of the article state that, “[e]very digitized packet of online data is deconstructed, examined for keywords and reconstructed within milliseconds. In Iran’s case, this is done for the entire country at a single choke point, according to networking engineers familiar with the country’s system.” Moreover, “Iran is ‘now drilling into what the population is trying to say,’ said Bradley Anstis, director of technical strategy with Marshal8e6 Inc., an Internet security company in Orange, Calif. He and other experts interviewed have examined Internet traffic flows in and out of Iran that show characteristics of content inspection, among other measures.”
I truly wonder just how accurate the story from the WSJ is on the technical capabilities of the DPI devices that are deployed, and am also incredibly interested to know what the tests are to see if DPI is being used. I’m not saying that such tests don’t exist, but I’m not certain what, exactly, you’d be looking for. A network engineer would have a better grasp, but I haven’t found any product that Marshal8e6 offers that would give them particular insight into this. Now, if we were talking about spam or phishing I wouldn’t doubt their competencies. I also have to note that the data Marshal8e6 fed to the WSJ isn’t available on their website anywhere that I could find it.
Further, I don’t know that DPI is necessarily required to perform the level of surveillance discussed in the Iranian network environment. There is a lot of digital networking equipment that can easily be used for interception; you don’t need DPI appliances to intercept and analyze traffic, given that a large amount of network equipment can be configured to ‘dump’ data flows to secondary storage for subsequent analysis (and this is perhaps more sensible – capture tons of data now, and then scan it, and then derive rules from it that can be applied to subscriber connections). Now, to totally pull together packet flows, examine them for content, and then send them on their merry way to the destination in real time seems a bit of a stretch. Sure, it is theoretically possible for this to be done, but it would be a truly massive undertaking in practice – one that might exceed capacities of equipment on the market. Such practical limitations and impossibilities are what we keep hearing from North American ISPs as a way of allaying privacy worries, and such limitations have been reaffirmed by independent network engineers. This leaves me doubting that total content analysis is possible, let alone occurring. It is more likely that something like this is happening:
The DPI device looks at the first 5-100 packets in a packet stream. These packets are then evaluated against a rule list – are the packets going somewhere that is impermissible? is a disallowed application or application-type trying to send packets? – and then allowed to continue to their destination (or not) depending on what the rule set dictates. In the case of images/movies/songs, it is possible for some DPI devices to quickly look at the first packets of a .mov, .jpeg, etc file’s packet flow and correlate that particular file and flow with a particular digital ‘fingerprint’. That fingerprint can then be examined against all disallowed files/flows and, if a match is found, the packet stream terminated. This method of analyzing content is not perfect, though it does have high degrees of accuracy in many cases. This is what copyright-oriented devices presently do, and can be used to prevent the dissemination of ‘fingerprinted’ pictures, movies, sounds, documents, and so forth.
In essence, I worry that the WSJ is claiming that DPI is more effective in screening communications than it is in reality, much like we hear claims that CCTV is more effective than studies show. This isn’t discounting that DPI could, potentially, in an ideal world do what the WSJ is suggesting, but networking environments where admins are trying to regulate gigabytes of traffic each second are hardly these ideal environments for mass surveillance and content regulation using DPI appliances.
Hopefully the pressure gets Nokia-Siemens or another network manufacturer to fess up about what they sold, but I’m not holding my breath.
Stay tuned.
(Cheers, Chris)
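As an added illustration of the ‘first packets against a rule list’ DPI model Parsons sketches twice above (once in his reply to bar, once in the blog post), here is a toy version in Python. It is not code from p2pnet, Christopher Parsons, the WSJ or any DPI vendor. The blocklisted address, the disallowed-application list, the file magic table, the two sample images and every packet payload are constructed for the demo, and INSPECT_LIMIT is an assumed value inside the 5-100 range he gives. The TLS flow shows the point from his first reply: the engine still sees the destination and can recognise the application type from record headers, but it cannot inspect the content.

```python
import hashlib
from dataclasses import dataclass

# Added, constructed example of the 'first N packets vs. rule list' DPI model
# described in the post. Not code from p2pnet, Parsons, the WSJ or any vendor.

INSPECT_LIMIT = 5           # assumed; the text says devices look at the first 5-100 packets
FINGERPRINT_BYTES = 64      # assumed: how many leading bytes of a recognised file get hashed

# Rule list (all values constructed for the demo).
BLOCKED_DESTINATIONS = {"203.0.113.10"}      # TEST-NET-3 address standing in for a banned site
BLOCKED_APPS = {"bittorrent"}

# Magic bytes used to recognise a file type from the first packet carrying it.
FILE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x00\x00\x00\x14ftyp": "mov"}

# A constructed 'disallowed' image; its fingerprint is the hash of its first 64 bytes.
DISALLOWED_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256))
HARMLESS_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(64)


def fingerprint(file_bytes: bytes) -> str:
    """Digital 'fingerprint' of a file: hash of its leading bytes."""
    return hashlib.sha256(file_bytes[:FINGERPRINT_BYTES]).hexdigest()


BLOCKED_FINGERPRINTS = {fingerprint(DISALLOWED_IMAGE)}


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    payloads: list        # packet payloads in arrival order


def classify_app(payload: bytes) -> str:
    """Heuristic application identification from the first payload bytes of a flow."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith(b"\x16\x03"):          # TLS handshake record header
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http"
    return "unknown"


def http_host(payload: bytes):
    """The destination hostname is readable only in cleartext HTTP headers."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def find_file(payload: bytes):
    """Locate a recognised file header inside a packet (e.g. after HTTP response headers)."""
    for magic, kind in FILE_MAGIC.items():
        idx = payload.find(magic)
        if idx != -1:
            return kind, payload[idx:]
    return None


def evaluate(flow: Flow) -> dict:
    """Apply the rule list to the first INSPECT_LIMIT packets and return the verdict."""
    result = {"verdict": "allow", "reason": "no rule matched", "app": "unknown",
              "host": None, "content_inspected": False}
    if flow.dst_ip in BLOCKED_DESTINATIONS:                 # "going somewhere impermissible?"
        result.update(verdict="block", reason="destination on blocklist")
        return result
    for payload in flow.payloads[:INSPECT_LIMIT]:
        if result["app"] == "unknown":                      # "is a disallowed application in use?"
            result["app"] = classify_app(payload)
        if result["app"] in BLOCKED_APPS:
            result.update(verdict="block", reason=f"application {result['app']} disallowed")
            return result
        if result["app"] == "tls":
            continue      # encrypted payload: headers visible, content not inspectable
        result["content_inspected"] = True
        result["host"] = result["host"] or http_host(payload)
        found = find_file(payload)                          # fingerprint check on file content
        if found and fingerprint(found[1]) in BLOCKED_FINGERPRINTS:
            result.update(verdict="block", reason=f"{found[0]} matches disallowed fingerprint")
            return result
    return result


# Constructed sample flows.
HTTP_GET = b"GET /news HTTP/1.1\r\nHost: news.example\r\n\r\n"
HTTP_200 = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"     # shape of a ClientHello record
TLS_DATA = b"\x17\x03\x03\x00\x20" + bytes(range(32))        # an application-data record
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(48)

SAMPLE_FLOWS = {
    "plain_web": Flow("198.51.100.7", 80, [HTTP_GET, HTTP_200 + HARMLESS_IMAGE]),
    "blocked_site": Flow("203.0.113.10", 80, [HTTP_GET]),
    "torrent": Flow("198.51.100.7", 6881, [BT_HANDSHAKE]),
    "disallowed_image": Flow("198.51.100.7", 80, [HTTP_GET, HTTP_200 + DISALLOWED_IMAGE]),
    "https_web": Flow("198.51.100.7", 443, [TLS_HELLO, TLS_DATA, TLS_DATA]),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(name, evaluate(flow))
```

Run it as a script to print the verdict for each sample flow. The toy makes the limits of the model concrete: a verdict rests on at most INSPECT_LIMIT packets, on a handful of magic-byte heuristics and on a hash of a file’s leading bytes, so it is precise for the cases its rule list anticipates and says nothing about whatever it never looked at, which is why Parsons describes the method as accurate in many cases rather than perfect.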
First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi
p2pnet story – Countrywide Iran DPI spy system, June 22, 2009
Wall Street Journal – Iran’s Web Spying Aided By Western Technology, June 22, 2009
Nokia Siemens Networks – Provision of Lawful Intercept capability in Iran, June 22, 2009
Net access blocked by government restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details.
June 23rd, 2009 at 12:20 pm
Good catch