What I dislike intensly is the “fob off” when it comes to the technical details so that anonymity can actually be assessed.

For instance I’m acutely aware (apparently unlike many who should know better) that,

“IP addresses are anonymized at the source/DPI device using a pseudo-random replacement algorithm, which also entails ignoring the external IP addresses. The key generation system is managed automatically by the device (and thus an ISP can’t muck around with the system), and keys are periodically cycled and redistributed. The keys are never made available outside of the device, and once a set of keys for a given time period are discarded they cannot be recovered – the process is irreversible.”

Is a compleat load that you would expect to be emitted from an oraface not to distant from a pony tail…

If you work it backwards you will see why,

1, The claim that keys “cannot be recovered – the process is irreversible”.

Might well be true but is also irrelevant. There are two ways to get to the key used for the “pseudo-random replacement algorithm”. The “determanistic”? forwards direction and the “irreversible” reverse direction.

If I know how the “key” is generated in the “forwards” direction what is to stop me “recreating” the key in the forwards direction as opposed to (the supposaly) impossible reverse direction?

The simple answer is “If I designed the system and there is no TRUE randomness with sufficient ENTROPY” then the answer is nothing…

Likewise even if there is a TRNG with sufficient energy how do I know that the value to make the key is not encoded in the first records after the key change (See work by Adam Young and Moti Yung on cleptography).

Further how do I know the key generating value is not “spread spectrum modulated onto the time stamps.

Or any of many other covert channels.

Even if not done deliberatly by the system designers how do I know that their implementation does not allow either the key or it’s generation values to be found by a CPU cache attack etc?

That is the “keys” may not be reversable, also “The keys are never made available outside of the device” and thus be unavailable to Virgin. But is it realy unavailable to the system designers or knowledgable attackers?

2, Saying “and once a set of keys for a given time period are discarded” is not realy saying much.

Are the keys kept in unpaged memory?

Are they securely deleted/overwritten?

How is memory “garbage collection” etc carried out?

All of these can criticaly effect if the key is realy unrecoverable or not.

3, As for “The key generation system is managed automatically by the device… …and keys are periodically cycled and redistributed”

This makes the short hairs on my neck rise faster than a bolt of lightning.

What on earth does “keys are periodically cycled and redistributed” mean?

Does this actually mean that the developers load the “master keys” in to be used like an OTP or that the keys are dependnet on some value such as the unit’s serial number etc etc.

And what if any relationship does this actually have with the “pseudo-random replacement algorithm”?

Likewise what about, “The key generation system is managed automatically by the device”.

Does it simply mean a “cron” type system generates a new key set?

If so to what level how are active connections delt with etc etc?

4, The quote says “IP addresses are anonymized” and “which also entails ignoring the external IP addresses”.

I’m assuming the anonymized IP addresses are those of the P2P transaction that is currently in progress.

However what are the “external IP addresses” are they an ‘encrypted’ version of the P2P transaction IP addressess and if so where do they go and what other information accompanies them.

For instance it they are output with a sufficiently accurate time stamp then Virgin may be able to identify the real IP address simply by looking it up in it’s “traffic managment” logs that obviously are “not covered by RIPA” due to that hughmungeous exsemption for managing the network…

5, Finaly we arive at “IP addresses are anonymized at the source/DPI device using a pseudo-random replacement algorithm”.

What is the “pseudo-random replacement algorithm”?

It sounds hand wavingly good but is it say 3DES in ECB mode?

How about an ARC4 stream generator?

Or just a “developers cludge” that has not been analysed by anybody with the degree of skill required to give others confidence?

The devil is in the details and this is all prior to any discussion about if examining the P2P data…

As it stands, of course, it’s a partnership between Virgin and Detica that is performing hash-based inspections of content – identifying unique signatures to determine whether packets are involved in transmitting copyright infringing work. I have big issues with this – I think that it could provoke subsequent political approaches to ‘resolving’ copyright infringement that I see as dangerous for society – and that the issue ought to be framed in either a constitutional-rights based approach, or from a consumer advocacy/copyright position. I do not, however, think that a privacy approach on its own is sufficient to critique what Virgin and Detica are engaging in.

It’s this granular distinction of issues that are raised by the technology that I think is important to maintain. As previously stated, I’m less aware of UK law, but if DPI is ruled as unlawful then there is a substantial impact for broad consumer network provisioning that would follow. Now, whether this impact is seen as acceptable in the face of modes of network intelligence is an interesting question, but one that would need to be addressed were packet inspection technologies to be banned (something that I really can’t see as happening, truth be told).

I don’t care what the purposes are. I don’t care what the motivation is. I don’t care how subtle the filtering sophistry is.

Virgin should not be examining the *content* of private/confidential communication traffic without a warrant. People are innocent until proven guilty, a minority use P2P protocols, a subset of those people engage in sharing copyright infringing media, and those that do commit civil not criminal offences.

Therefore Virgin customers should not be subjected to intrusive communication surveillance. It is simply completely disproportionate, and utterly illegal.