The UN has adopted China’s global snooping plan. It’s time for civil society to abandon the Internet Governance Forum and grow some teeth

By Simon Davies

Last month, the UN International Telecommunication Union (ITU) summit in Dubai adopted confidential recommendations proposed by China that are intended to set onerous surveillance standards across the Internet. The move highlights the ITU’s increasingly blatant hostility to civil liberties, privacy and human rights.

Recently published documents establish an overwhelming argument that NGOs and civil society organisations – which for years have supported in good faith the ITU’s global Internet reform agenda – should now walk away en masse. From any perspective of rights and freedoms, the World Summit on the Information Society and the Internet Governance Forum are now a dangerous joke.

Yes, it could be argued that this is the very moment for civil society to focus more energy on the global process, but another perspective is that this whole saga has been a stitch-up between national governments and the ITU.

CNET commentator Declan McCullagh observes that the proposed measures – known as the Y.2770 standard – will help network providers use Deep Packet Inspection (DPI) to target BitTorrent uploaders and detect trading of copyrighted MP3 files. This standard will also accelerate Internet censorship in repressive nations.

DPI is a technology that serves many useful purposes, including fending off network attacks, detecting malware, and prioritizing critical applications over ones that are less time-sensitive. But it is controversial when used for legal and extra-legal government surveillance, and some network operators — including Verizon Wireless — have edged in this direction for advertising-related purposes as well.

Y.2770 is confidential, so many details remain opaque. However, a document posted by a Korean standards body describes how network operators will be able to identify “embedded digital watermarks in MP3 data,” discover “copyright protected audio content,” find “Jabber messages with Spanish text,” or “identify uploading BitTorrent users.” Jabber is also known as XMPP, an instant messaging protocol.

Perhaps predictably, Germany stood firm against the proposals, warning that the organization must “not standardize any technical means that would increase the exercise of control over telecommunications content, could be used to empower any censorship of content, or could impede the free flow of information and ideas.”

CNET notes that only ITU members currently have access to the document. A related ITU meeting in Dubai, which has drawn sharp criticism from the U.S. government and many Internet companies, began this week.

In a joint blog post, Alissa Cooper and Emma Llansó from the Center for Democracy and Technology say that the U.N. agency “barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated.”

Cooper and Llansó add: “Mandatory standards are a bad idea even when they are well designed. Forcing the world’s technology companies to adopt standards developed in a body that fails to conduct rigorous privacy analysis could have dire global consequences for online trust and users’ rights.”

Germany had asked a European telecommunications body called CEPT, which includes 48 member nations, to “take a stand” against the ITU proposal, which was advanced by China’s Fiberhome network provider. Germany’s concerns about Y.2770, which is formally titled “Requirements for Deep Packet Inspection in Next Generation Networks,” appear in a document made available by CEPT.

After discussions, CEPT decided that its member “countries consider that they cannot oppose” Y.2770, according to a report from its October meeting in Istanbul, meaning that no Europe-wide position would be taken against the ITU proposal.

An ITU study group describes its mission as developing recommendations for “requirements, architectures, mechanisms, and functionalities” used in deep packet inspection: “This includes study on flexible and effective DPI mechanisms that allow network devices to look at the packet header and payload.”

Another controversial section of Y.2770 is that it contemplates having network operators decrypt their customers’ Internet traffic so it can be inspected.

One reason why deep packet inspection is so controversial is that it has been used by repressive regimes — dozens of which are members of the ITU — to conduct extensive surveillance against their own citizens.

A Wall Street Journal report last year described how Amesys, a unit of French technology firm Bull SA, helped Moammar Gadhafi spy on his people. Boeing’s Narus unit was in talks with Libya about controlling Skype, censoring YouTube, and blocking proxy servers, the Journal reported. In August, The New York Times reported that malware known as FinSpy, sold by a British company called the Gamma Group, could activate computer cameras and microphones and had been linked to repressive governments including Turkmenistan, Brunei, and Bahrain.

This isn’t the first time that an ITU proposal has been criticized for its implications for Internet censorship. In 2008, CNET disclosed that the ITU was quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous.

A leaked document showed the trace-back mechanism was designed to be used by a government that “tries to identify the source of the negative articles” published by an anonymous author.

Like so many other advocates, this situation leaves me sick to the stomach. I was invited to give a plenary address to the Tunisian IGF – sandwiched between the Egyptian president and the Chinese foreign minister – and I boycotted the event in anticipation of the mealy-mouthed proclamations by such regimes (think… cultural relativity). I later caved in to my colleagues’ plea to give IGF a second chance and so the following year I accepted an invitation to become the closing plenary moderator in the Egyptian IGF.

I am ashamed now that I didn’t read the signs and walk out when I had the chance.