The UN’s International Telecommunications Union continues its in-camera campaign to wrest control of the internet from all other organizations with a new policy designed to please intrusive and authoritarian governments worldwide:
The telecommunications standards arm of the U.N. has quietly endorsed the standardization of technologies that could give governments and companies the ability to sift through all of an Internet user’s traffic – including emails, banking transactions, and voice calls – without adequate privacy safeguards. The move suggests that some governments hope for a world where even encrypted communications may not be safe from prying eyes.
At the core of this development is the adoption of a proposed international standard that outlines requirements for a technology known as “Deep Packet Inspection” (DPI). As we’ve noted several times before, depending on how it is used, DPI has the potential to be extremely privacy-invasive, to defy user expectations, and to facilitate wiretapping.
[. . .]
The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic “in case of a local availability of the used encryption key(s).” It’s not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users’ traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications. In discussing IPSec, an end-to-end encryption technology that obscures all traffic content, the document notes that “aspects related to application identification are for further study” – as if some future work may be dedicated to somehow breaking or circumventing IPSec.
Several global standards bodies, including the IETF and W3C, have launched initiatives to incorporate privacy considerations into their work. In fact, the IETF has long had a policy of not considering technical requirements for wiretapping in its work, taking the seemingly opposite approach to the ITU-T DPI document, as Germany pointed out in voicing its opposition to the ITU-T standard earlier this year. The ITU-T standard barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated.
These aspects of the ITU-T Recommendation are troubling in light of calls from Russia and a number of Middle Eastern countries to make ITU-T Recommendations mandatory for Internet technology companies and network operators to build into their products. Mandatory standards are a bad idea even when they are well designed. Forcing the world’s technology companies to adopt standards developed in a body that fails to conduct rigorous privacy analysis could have dire global consequences for online trust and users’ rights.