The new standards outline requirements for Deep Packet Inspection (DPI) technology in future systems — a technique for snooping into web content that has legitimate uses but is all too often used by repressive regimes to identify and punish dissenters or to preemptively censor online communication through fear of reprisal. However, while setting technical standards, ITU made practically no mention of the user implications of the technology, nor did it outline guidelines for appropriate use. The Center for Democracy and Technology outlines the issues:
The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic “in case of a local availability of the used encryption key(s).” It’s not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users’ traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications.
By adopting these standards, ITU is essentially supporting a future where all networks have an infrastructure in place for internet service providers and governments to go in and snoop on any web traffic, but not giving clear guidance on when that invasion of privacy is acceptable and what safeguards the average user should expect for their personal communications. This is especially troubling because of DPI’s potential for and history of use as a tool of oppression.
ITU-T standards are not binding, and although some states have proposed changing that, it is unlikely to happen — especially without U.S. support. But while the media rails against the bogeyman of a U.N. internet takeover, ITU-T has given tacit approval to technological standards that could have a very real, detrimental effect on long-term internet privacy without so much as giving lip service to the freedom of information online that ITU claims to champion.