Net Neutrality, GPL, Packets and Privacy

Just read the net neutrality article on Comcast. I have mixed feelings about this and wanted to find out what you thought. There seems to be a fine line when data becomes information and directly affects corporations and fellow humans. What I don’t know when looking at packets traversing the network as little bits of information, where exactly that boundary lies.

GPL

Personally, I’m not a huge fan of GPL. My thoughts on this are either you ship open source that’s truly open/free and live on ads [sic!] or you try and build a product to make a living and hope that people don’t leech on it. In all of the Mu products, we avoid GPL code like it’s the plague and we take this pretty seriously. On the other hand we also believe in contributing to the community and we do this by releasing code either with the BEER license or something that’s not as stringent as the GPL.

There are some tools out there that are not only GPL, but the data they produce is also GPL. So the action-at-a-distance Quantum rule (process boundaries, unix pipes, sockets, etc) that normally applies to GPL don’t apply to these. Finally, there’s also a history of tools that started out as GPL just to find out that people were commercially embedding these and then switched to closed source.

Like I said, it’s free as in beer or you build a product and sell it. I’m yet to find GPL code that also GPL’s the packets it generates. Now there’s the crux right there!

Which brings me to packets…

On pcapr, there are lots of packets. Last count it was like 59,718,948 of them. There’ve been a few occasions where people reported copyrighted material and we immediately investigate these cases and removed the pcaps where appropriate.

Now to quote Dr. Albert Lanning from iRobot:

There have always been ghosts in the machine. Random segments of code, that have grouped together to form unexpected protocols…[snip]…When does a personality simulation become the bitter mote… of a soul?

So here’s my question to you:

When does a packet violate confidentiality/privacy rules?

This is somewhat a loaded question, but cuts to the bottom of when data becomes information. Think about these situations where packets are captured at some location and shared with the broader community:

  • Packets at layer2 (ARP, LLDP, etc). These contain the MAC addresses, which identify the NIC card maker (OUI). LLDP in particular has variants like CDP, EDP, etc and they are meant to discover what else is on the network. Is this revealing too much?
  • How about the IP layer? If the IP address is internal, does it matter? What if the IP is a public one, in which case you can whois your way to find out what company it’s been assigned to. Is that bad?
  • Think about the TCP layer with just the FTP data transfer. By using tools like p0f, you can infer/fingerprint the Operating System of the user.
  • Moving on to higher order services, the specific sequence of bits in an NFS transaction can be used to fingerprint if the server is made by NetApp or EMC or a vanilla Linux implementation. Is that a privacy issue?
  • With services like SIP, you also have extensions, email addresses in the packets. Is that violating privacy?
  • Finally when we get to the human layer, we see usernames and passwords in packets. Is this the tipping point where data becomes information?
  • If I made a phone call using Skinny against a Cisco phone and captured the packets, is that the property of Cisco? Does this mean interoperability tests violate privacy concerns?
  • If I’m at a security conference and I have a tap on a switch and capture all the traffic and post it publicly, is that violating privacy? (My gut reaction is yes, it’s big brother and that’s so not lawful interception)
  • Finally, instead of reading emails, I capture SMTP packets on the wire and reconstruct the emails, is that a privacy issue? Again, my gut reaction is yes, but some might say you have to encrypt your email to avoid snooping.

So my questions to you:

  • When does a packet become a privacy concern?
  • Are the packets generated by a closed-source product belong to the product/company?
  • What is it about a packet that changes it from being data to becoming a privacy violation?
    • Would love to know.

Bookmark and Share