ITU packet inspection standard raises privacy concerns, says CDT

The standard shows a lack of concern for user privacy and security, according to the organization

The UN's telecommunications standards organization has approved a standard for deep packet inspection (DPI) that raises serious concerns about privacy, the Center for Democracy and Technology said.

That ITU-T, is showing an interest in deep packet inspection suggests some governments hope for a world where even encrypted communications may not be safe from prying eyes, according to the CDT.

The adoption of the standard -- officially known as "Requirements for Deep Packet Inspection in Next Generation Networks" or "Y.2770" -- happened last week during the World Telecommunication Standardization Assembly (WTSA), which is held every four years and defines what the ITU-T should focus on.

The biggest concern is that the standard holds very little in reserve when it comes to privacy invasion, the CDT wrote on its website/a> Wednesday.

"There is a general lack of attention to design considerations we think are important to Internet users, namely privacy and security. Obviously DPI has the potential to be an extremely invasive technology," said Alissa Cooper, chief computer scientist at the CDT.

The standard barely even acknowledges that there is a privacy risk at all, according to Cooper.

"What we like to see, at the very least, is a thorough analysis of what the pros and cons are, and how you can build in mitigation for some of the more invasive aspects of the technology. But this has none of that," Cooper said.

For example, the standard document optionally requires DPI systems to support inspection of encrypted traffic, which is "antithetical to most norms, policies, and laws concerning privacy of communications," the CDT wrote.

The CDT's concerns are backed by European digital rights group EDRi.

"The problem with the ITU is that it is a large bureaucracy that doesn't have enough to do, and rather than sitting quietly in their office counting paper clips, they are trying to find things to do that generally aren't helpful," Joe McNamee, executive director at EDRi, said.

In the Western world, there is an urgent need to make decisions about deep packet inspection, because it is extremely invasive and is being rolled out without any particular thought, according to McNamee.

Some involved in the standardization work have also indicated concerns -- earlier this year Germany delayed the approval process because it had objections to a draft version of the standard.

For example, Germany believes that the ITU-T should not standardize any technical means that would increase the exercise of control over telecommunications content, according to a Word document published on the CEPT website. The CEPT consists of European state telecommunications and postal organizations.

What the ITU's powers should be and if its standards, or recommendations as they are officially called, should in some cases become mandatory will be up for discussion at next week's World Conference on International Telecommunications (WCIT) conference in Dubai.

It's not clear whether companies will build new DPI equipment to meet the ITU-T requirements or what further DPI standards the ITU-T will approve, according to CDT. But the standard approved at WTSA provides further evidence of why proposals for mandatory standards should be struck down during WCIT, the CDT said.

The ITU-T did not respond to a request for comment.

Send news tips and comments to mikael_ricknas@idg.com

This story, "ITU packet inspection standard raises privacy concerns, says CDT" was originally published by IDG News Service .

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies