One More Time: Iran Isn’t Using Deep Packet Inspection

Thanks to the Wall Street Journal last week, it’s become common knowledge that Iran is using deep packet inspection technology to track down dissenters online and imprison or even kill them. When such heinous acts are happening in full view of the world, everyone’s looking for a suspect to hang the crime on. In this instance, the culprit is Nokia.

This scenario shares a lot in common with the movie Conspiracy Theory – including the fact that it’s a work of fiction.

I’ve seen it crop up in a feature at Slate today, the UK.Telegraph mentioned it as well, and last week dozens of publications parroted the WSJ’s claims that Iran’s clampdown was fueled by technology sold to them by Nokia-Siemens.

We talked about this precise thing last week and debunked it definitively on more than one occasion.

In “Iran Probably Isn’t Using Deep Packet Inspection [#iranElection]”:

Based on our analysis last week, and the conversations we had with Craig Sirkin, we still believe Iran’s DPI capabilities are limited at best, and more than likely non-existent.  The whole of the WSJ’s assertions lay in the confirmed fact that Nokia Siemens sold Iran, as a part of a larger telephony package, some “monitoring equipment.”

In “More Details Emerge on Iran’s Internet Censorship”:

It seems that the parts of the rest of the blogosphere weighed in on our analysis on the Iranian IT situation, picking their pet theories we presented late last night.
Arbor Networks thinks that the networks were taken offline and migrated to low-capacity proxy servers.
GigaOm’s Stacey Higginbotham agrees, saying that “some unscrupulous equipment vendor who wants to interest the Iranian government in better deep packet inspection equipment” may come along later.

In “How Iran is Blocking the Internet Suggests They Weren’t Prepared for an Election Backlash [#iranElection]”:

“It sounds like they’re just entering domains into a blacklist in a gateway at the country level,” said Sirkin. “They’re just blocking certain domains. It doesn’t sound like they are blocking all web traffic, or else web proxies still using the same port number wouldn’t help.”

In our discussion, Sirkin said something that seemed to fit more with the mindset of the Iranian government than any other theories I’d heard up to that point.

“It’s funny, because this is the cheap and dirty way to do it,” said Sirkin. He went on to explain: “If you were planning on doing this you’d use deep packet inspection to look into the payload of each packet for something that could be identified as a tweet, chat or whatever the traffic type might be. You’d need to have planned your hardware to do that on a national scale, something that would take significant preparation beforehand.”

Essentially, this confirmed the sense that I had started to form when I first started researching the story: that either the government of Iran isn’t that technically savvy, or that they had no idea at all that the citizens of Iran would react with the ingenuity and velocity with which they’ve pursued the ability to communicate their plight.
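As an added illustration (not part of the original post or of Sirkin's remarks), the Python sketch below models the two filtering approaches contrasted above and checks which one matches the behaviour reported: blocked sites unreachable directly, yet reachable through a web proxy on the same port. The hostnames, payload signatures and sample flows are constructed for the example.

```python
from dataclasses import dataclass

BLOCKED_DOMAINS = {"twitter.com", "facebook.com", "youtube.com"}
# Constructed stand-ins for the application signatures a DPI box would match.
PAYLOAD_SIGNATURES = [b"twitter.com", b"facebook.com", b"youtube.com"]

@dataclass
class Flow:
    label: str
    dest_host: str   # host the client actually connects to
    dest_port: int
    payload: bytes   # first bytes the client sends

def domain_blacklist_allows(flow):
    """Gateway blacklist: decides on the destination name only."""
    host = flow.dest_host.lower()
    return not any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def payload_inspection_allows(flow):
    """DPI-style filter: decides on what the packet payload contains."""
    data = flow.payload.lower()
    return not any(sig in data for sig in PAYLOAD_SIGNATURES)

# Constructed sample flows (proxy.example is a placeholder host).
FLOWS = [
    Flow("direct", "twitter.com", 80,
         b"GET /home HTTP/1.1\r\nHost: twitter.com\r\n\r\n"),
    Flow("web proxy", "proxy.example", 80,
         b"GET /fetch?u=http://twitter.com/home HTTP/1.1\r\nHost: proxy.example\r\n\r\n"),
    Flow("encrypted", "proxy.example", 443, bytes(range(0x80, 0xA0))),  # opaque bytes
]

MODELS = {
    "domain blacklist": domain_blacklist_allows,
    "payload inspection": payload_inspection_allows,
}

def verdicts():
    """Map each flow label to (blacklist allows?, payload inspection allows?)."""
    return {f.label: (domain_blacklist_allows(f), payload_inspection_allows(f))
            for f in FLOWS}

def consistent_with(observed):
    """Return the filter models whose decisions match observed reachability."""
    by_label = {f.label: f for f in FLOWS}
    return [name for name, allows in MODELS.items()
            if all(allows(by_label[lbl]) == ok for lbl, ok in observed.items())]

if __name__ == "__main__":
    print(verdicts())
    print(consistent_with({"direct": False, "web proxy": True}))
```

Only the blacklist model reproduces the reported pattern; a payload-inspecting filter would also have stopped the plaintext proxy request.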

We hope that this puts the issue to bed. There are some horrible and atrocious acts of oppression taking place in Iran right now, and there’s no reason to hang that around the neck of a telecom firm.

Update: Nokia-Siemens put out a blog post explaining the technology they sold to Iran:

Recent media reports have speculated about Nokia Siemens Networks’ role in providing monitoring capability to Iran. To clarify: Nokia Siemens Networks has provided Lawful Intercept capability solely for the monitoring of local voice calls in Iran. Nokia Siemens Networks has not provided any deep packet inspection, web censorship or Internet filtering capability to Iran.

In most countries around the world, including all EU member states and the U.S., telecommunications networks are legally required to have the capability for Lawful Intercept and this is also the case in Iran. Lawful Intercept is specified in standards defined by ETSI (European Telecommunications Standards Institute) and the 3GPP (3rd Generation Partnership Project).

To fulfill this Lawful Intercept requirement as part of an expansion to provide further mobile connectivity to Iran in the second half of 2008, Nokia Siemens Networks provided TCI, the Iranian national operator, with the capability to conduct voice monitoring of local calls on its fixed and mobile network.

The restricted functionality monitoring center provided by Nokia Siemens Networks in Iran cannot provide data monitoring, internet monitoring, deep packet inspection, international call monitoring or speech recognition. Therefore, contrary to speculation in the media, the technology supplied by Nokia Siemens Networks cannot be used for the monitoring or censorship of internet traffic.

On March 31st, 2009 Nokia Siemens Networks and Perusa Partners Fund I L.P., a private investment firm advised by Munich based Perusa GmbH, successfully closed the sale of Nokia Siemens Networks’ Intelligence Solutions business to Perusa. Nokia Siemens Networks made the decision to exit this business as it primarily addresses customer segments which differ from telecom service providers and is therefore not part of Nokia Siemens Networks core business.

In all countries where it operates the company does business strictly in accordance with the Nokia Siemens Networks Code of Conduct and in full compliance with UN and EU export control regulations and other applicable laws and regulations.

Nokia Siemens Networks provides the mobile technology for millions of people in Iran to communicate with each other and the outside world. Nokia Siemens Networks firmly believes that providing people, wherever they are, with the ability to communicate ultimately benefits societies and brings greater prosperity.

This confirms our suspicions earlier in the week – that the DPI was for the purposes of telephony only.

Update 2: A Friendfeed conversation has broken out on one of John Furrier’s threads.

Mark 'Rizzn' Hopkins

Mark “Rizzn” Hopkins is the Founding Editor of SiliconANGLE, as well as the creator of and Executive Producer for theCUBE. He’s a Bitcoin early adopter, as well as a blogging, podcasting and social media pioneer. Prior to the founding of SiliconANGLE, Hopkins worked as Associate Editor at Mashable during its formative years. Prior to his career in startups and media, he worked as a developer for large corporations like Nokia, IBM, Apple and Cox Communications. Hopkins lives in Dallas, Texas with his wife and two children.

10 Comments

  1. Amazing job tracking this down and beating the WSJ to a big story Mark!

  2. Next thing you know – Rizzn will be heading up the tech division at WSJ/Reuters! Good job Rizzn!

  3. We'll see. :-)
    A good rule of thumb in reporting that's prevented me from making these
    sorts of faux pas as I've matured as a writer:

    1) If the story sounds too good to be true, research research research.

    2) Don't always be out for blood.

  4. Comments on Friendfeed where more insight is being shed on this subject. Specifically John Craft has data to share.

  5. this is not true. many of the people who have been arrested in the past few weeks including human rights activists, when arrested and interrogated have had print out of online chat conversations or emails placed in front of them as evidence.

    so if there is no DPI for net traffic how are they getting this data and if this is true then how are facebook, and twitter users being arrested and taken from their homes. please explain.

  6. There are a variety of ways to tap into chat conversations, including server
    side monitoring, Trojans, or keylogging.
    The fact that they're using firewalling techniques to filter out connections
    to Facebook, Twitter and Youtube rather than DPI techniques points to the
    fact that they don't have the technology

  7. Also, a number of other methods of government hacking occur to me:

    SMS intercept, which *could* be covered by the Lawful Intercept technologies, and packet sniffing on wired and wireless networks.

    As one of John's FB friends noted, encrypting connections is your best bet – even if there *were* DPI, most encryption routines will defeat them.

  8. It's pretty trivial to put a sniffer on at traffic aggregation points. from there it's pretty easy to track any interesting plain text tcp conversation. most emails and chats and even web get/post routines are transmitted in plain text.

    Sniffing traffic isn't the same as making routing decisions based on the DPI.

  9. Amazing post, Mark. You are doing some really important work here! Keep up the great research and conversation on such a high level.

  10. I'm Iranian and I love Iran and its people!! Iran is not that thing that you are thinking about it!!!
    we have freedom.
