Monday
Jan112010
Iran & Twitter: Myth v. Reality of Security and "Deep Packet Inspection"
Monday, January 11, 2010 at 5:49 
The minor storm over Telegraph journalist and blogger Will Heaven's recent posts on social media and the ongoing unrest in Iran, has brought much discussion of the pros and cons of reposting Iranian activists' comments on Twitter and Facebook. To get to the heart of the issue, however, one needs to take a look at Heaven's assumptions regarding Deep Packet Inspection.On his blog post of 29 December Heaven stated:
It is now thought that the Iranian Revolutionary Guard is using Deep Packet Inspection to check Facebook messages and tweets for “anti-regime” keywords. Once this is done, they are able to pinpont the location of online protesters using their IP addresses. Then it’s just a knock on the door and a confiscated laptop for evidence.
But is the use of DPI to punish dissent really this simple?
- Firstly, Heaven bases his comments about the IRG's use of Deep Packet Inspection --- provided by Nokia Siemens Networks --- on a Wall Street Journal article which actually says (possibly after amendment), "It couldn't be determined whether the equipment from Nokia Siemens Networks is used specifically for deep packet inspection".
- In a press release issued in response to the article, Nokia Siemens Networks stated that they have "not provided any deep packet inspection, web censorship, or Internet filtering capability to Iran."
- Nokia Siemens Networks' head of media relations Ben Roome has followed up, for example with this comment in The Huffington Post in which he says that the WSJ "clarified its original report" and re-asserts, "We have not provided any Internet technology, let alone DPI to Iran".
- Further research turns up a blog post which points out that, with Roome's denial of the original claim, the WSJ article is left to rely on an anonymous Iranian engineer who says, "We didn't know they could do this much ... Now we know they have powerful things that allow them to do very complex tracking on the network" and Bradley Anstis, CEO of an internet security company, who says "Iran is now drilling into what the population is trying to say ... This looks like a step beyond what any other country is doing, including China." Neither of these comments are anywhere near as specific or certain as Heaven's contention that IRG can search for keywords then "pinpont the location of online protesters using their IP addresses. Then it’s just a knock on the door and a confiscated laptop for evidence." (The blog post raises many other interesting questions and is well worth a read.)
So the question for me is: what does Will Heaven know about Deep Packet Inspection that we don't? He states in his Telegraph article of 29 December:
Using a state-of-the-art method called "Deep Packet Inspection", data packages sent between protesters are now automatically broken down, checked for keywords, and reconstructed within milliseconds. Every Tweet and Facebook message, in other words, is firmly on the regime's radar.
This dramatic conclusion is now based on a single article which was corrected over six months ago after refutation by one of the key actors. Even if this wasn't the case, there is nothing in the article which indicates that Deep Packet Inspection provides the "knock on the door" capability that Heaven portrays.
On Friday Heaven described the Iranian regime's use of DPI as "prolific" but linked only to his article of 29 December, which in turn linked to his blog post of December 29, which linked to the WSJ. Perhaps Heaven knows far more about Iranian use of DPI than he has up to now revealed, but so far he is repeating a a single, hazy assertion as fact.
Reader Comments (7)
translation anyone?
Claimed regime documents regarding the 22nd of Bahman
http://onlymehdi.tumblr.com/
Thanks, Mike.
Couldn't have said it better.
Beside all that, to do DPI on the whole country or even just say the universities requires massive amounts of computer muscle just to find the 'needles'. You have to do that in near real time too. Then, once you've got your interesting 'needles' you've got to have the manpower to sort through all that raw data to determine what is important enough to send someone out to locate that individual etc etc. This all assumes that the people that are being looked for aren't doing something smart like using encryption (Tor and similar) to fly under the regimes' radar.
Thank you so much, Mike, for adjusting the facts.
Thanks also to Joe. I started a bilingual blog in 2008, far before the elections, and nearly 30 percent of my visitors have this specific address: "EU # Country is really world wide". Already then a colleague in Tehran told me that he has to use Tor, because many sites are blocked for Iranian IP's, and he is well in his fifties. Iranians are technology aficionados, as Josh stated, so you can imagine the range of possibilities available to the twentysomethings...
Joe- good points, and as a colleague pointed out to me when I ran this by him, even if you did find all of the 'needles' you'd still need someone or something (probably the former as computers don't do this as well as humans) to decide whether each 'needle' was being used in a positive, negative or neutral way.
Arshama- thanks. Your comments reminded me of a very early EA post:
http://enduringamerica.com/2008/12/03/iran-a-nation-of-bloggers/
Mike, I still wonder how you managed the invisible server migration. Thanks again for keeping up my favourite site!
Nice video, which reminds me much of Marjane Satrapi's Persepolis. As to the Iranian blogosphere, Kelly & Ettlin were not able to quantify the number of blogs blocked during the past four years in their excellent study: http://cyber.law.harvard.edu/publications/2008/Mapping_Irans_Online_Public (Attention! Forbidden organisation!)
But I remember that a large quantity of Iranian blogs disappeared, found earlier during entirely unpolitical researches. This humorous obituary on the "deceased" gives an idea of heavy restrictions, even on unpolitical blogs, as early as summer 2005: http://itiran.net/archives/001837.php
Regarding the Iranian cyber-mania, even kids are not spared:
http://persiankids.persianblog.ir/
Arshama, that was all handled by our hosting company- they actually did the worst of it before I even realised they had started. The only problem was that DNS issues (which I won't pretend to understand) meant some people in different parts of the world saw an old version of our site for a few hours. It's just a shame that something completely different went wrong and took our site down the next day...