On Dec 12, 2012, at 6:47 AM, Scott Brim wrote:

> Encrypting content only provides privacy of the content. It doesn't protect
> your traffic behavior, who you communicate with, from where etc. DPI can
> sniff out a lot of this kind of information.

It doesn't take DPI to do that. All it takes is IPFIX for the first hop, and web/mail/etc logs for more detailed information.

https://tools.ietf.org/html/rfc3924
3924 Cisco Architecture for Lawful Intercept in IP Networks. F. Baker, B. Foster, C. Sharp. October 2004. (Format: TXT=40826 bytes) (Status: INFORMATIONAL)

AFAIK this or something like it is used by every police force on the planet. It is more-or-less mandated in the EU, by the Data Retention Initiative, and periodically comes up in one form or another in the US. Count the signatories to the Council of Europe Convention on CyberCrime, which covers data retention, content intercept, and direct investigation of stored computer data (read "cloud").

http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm

Yes, someone will mention RFC 2804. That document says two things: the IETF doesn't want to get involved, and it encourages anyone who does get involved to publicly post their specifications for review. Hence RFC 3924.

Head in the sand doesn't prevent things from happening. Getting involved gives you a voice in getting it right. The original ETSI spec for LAES, per the guy that was the editor at the time, called for ISPs to split their fiber and push one end under their friendly LEA's door. The argument: "it's secure; they take what they want, and they don't need to tell anyone." Well, take a look at the failures of LI at the LAPD in the late 1990's (there were two, one an overzealous cop and the other a mafia plant in LAPD) and the fact that circa 2003 the Greek PM discovered that 100 of his ministers' phones were tapped and Vodafone couldn't tell him who was getting the information. I got involved and called for auditability in the spec we published. Tell me that was the wrong thing to do.

_______________________________________________
ietf-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-privacy
