What IP Can ee Clarifing the technical landcape of the roadand privac deate March 2016 Verion 1.0 © 2016 Upturn. Licened under a Creative Common Attriution 4.0 International Licene. Tale of Content 1 Introduction 2 Four Ke Technical Clarification 1. Trul pervaive encrption on the Internet i till a long wa off. 2. ven with HTTP, IP can till ee the domain that their ucrier viit. 3. ncrpted Internet traffic itelf can e urpriingl revealing. 4. VPN are poorl adopted, and can provide incomplete protection. 3 Concluion 4 Aout Thi Report Aout the Author Introduction In 2015, the Federal Communication Commiion (FCC) reclaified roadand Internet ervice provider (IP) a common carrier under Title II of the Communication Act. 1 Thi hift triggered a tatutor mandate for the FCC to protect the privac of roadand Internet ucrier’ information. 2 The FCC i now conidering how to craft new rule to clarif the privac oligation of roadand provider. 3 Lat week, the Intitute for Information ecurit & Privac at Georgia Tech releaed a working paper whoe enior author i Profeor Peter wire, entitled “Online Privac and IP.” 4 The paper decrie itelf a a “factual and decriptive foundation” for the FCC a the Commiion conider how to approach roadand privac. 5 The paper ugget that certain technical factor limit IP’ viiilit into their ucrier’ online activitie. It alo highlight the data collection practice of other (non-IP) plaer in the Internet ecotem. 6 We elieve that the wire paper, although technicall accurate in mot of it particular, could leave reader with ome mitaken impreion aout what roadand IP can ee. We offer thi report a a complement to the wire paper, and an alternative, technicall expert aement of the preent and potential future monitoring capailitie availale to IP. We oerve that: 1. Trul pervaive encrption on the Internet i till a long wa off. The fraction of total Internet traffic that’ encrpted i a poor prox for the privac interet of a tpical uer. Man ite till don’t encrpt: for example, in each of three ke categorie that we examined (health, new, and hopping), more than 85% of the top 50 ite till fail to encrpt rowing default. Thi long tail of unencrpted we traffic allow IP to ee when their uer reearch medical condition, eek advice aout det, or hop for an of a wide gamut of conumer product. 2. ven with HTTP, IP can till ee the domain that their ucrier viit. Thi tpe of metadata can e ver revealing, epeciall over time. And IP are alread known to look at thi data — for example, ome IP analze DN quer information for jutified network management purpoe, including identifing which of their uer are acceing domain name indicative of malware infection. 3. ncrpted Internet traffic itelf can e urpriingl revealing. In recent ear, computer cience reearcher have demontrated that network operator can learn a urpriing amount aout the content of encrpted traffic without reaking or 1 weakening encrption. examining the feature of network traffic — like the ize, timing and detination of the encrpted packet — it i poile to uniquel identif certain we page viit or otherwie otain information aout what the traffic contain. 4. VPN are poorl adopted, and can provide incomplete protection. VPN have een commerciall availale for ear, ut the are ued parel in the United tate, for a range of reaon we decrie elow. We agree that pulic polic need to e uilt on an accurate technical foundation, and we elieve that thoughtful policie, epeciall thoe related to Internet technologie, hould e reaonal rout to foreeeale technical development. We intend for thi report to ait policmaker, advocate, and the general pulic a the conider the technical capailitie of roadand IP, and the roader technical context within which thi polic deate i happening. Thi paper doe not, however, take a poition on an quetion of pulic polic. 2 Four Ke Technical Clarification 1. Trul pervaive encrption on the Internet i till a long wa off. Toda, a ignificant portion of Internet activit remain unencrpted. When a we ite ue the unencrpted Hpertext Tranfer Protocol (HTTP), an IP can ee the full Uniform Reource Locator (URL) and the content for an we page requeted the uer. Although man popular, high-traffic we ite have adopted encrption default, 7 a “long tail” of we ite have not. The fraction of total traffic that i encrpted on the Internet i a poor guide to the privac interet of a tpical uer. The wire paper argue that “the norm ha ecome that deep link and content are encrpted on the Internet,” aing it claim on the true oervation that “an etimated 70 percent of traffic will e encrpted the end of 2016.” 8 However, thi numer include traffic from ite like Netflix, which itelf account for aout 35% of all downtream Internet traffic in North America. 9 enitivit doen’t depend on volume. For intance, watching the full Ultra HD tream of The Amazing pider-Man could generate more than 40G of traffic, while retrieving the WeMD page for “pancreatic cancer” generate le than 2M. The page i 20,000 time le data volume, ut likel far more enitive than the movie. (WeMD ha et to offer uer the option of ecure HTTP connection, much le to make that option the ole or default choice.) We conducted a rief urve of the 50 mot popular we ite in the each of three categorie — health, new and hopping — a ranked Alexa. 10 The Long Tail of Unencrpted We Traffic Alexa Top 50 ite, Categor Categor Percent of ite that Do Not ncrpt rowing Default xample URL for Unencrpted We ite http://wemd.com/hiv-aid/guide/… http://maoclinic.org/…cancer… Health 86% http://medicinenet.org/…eczema… http://health.com/exual-health http://who.int/…childhood-hearing-lo… 3 http://ntime.com/…tax-tip… http://huffingtonpot.com/divorce New 90% http://video.foxnew.com/…ex-after-50… http://time.com/…ga-right… http://ankrate.com/det-management… http://ikea.com/…athroom… http://target.com/…tud-ile… hopping 86% http://mac.com/…maternit-clothe… http://edathandeond.com/…acne-wah… http://toru.com/…Toddler-To… We found that the vat majorit of thee we ite — more than 85% of ite in each of the three area — till do not full upport encrpted rowing default. 11 Thee ite included reference on a full range of medical condition, advice aout det management, and product liting for hundred of million of conumer product. For thee unencrpted page, IP can ee oth the full we ite URL and the pecific content on each we page. Man ite are mall in data volume, ut high in privac enitivit. The can paint a revealing picture of the uer’ online and offline life, even within a hort period of time. ite truggle to adopt encrption. From the perpective of one of thee unencrpted we ite, it can e ver challenging to migrate to HTTP, epeciall when the ite relie on a wide range of third-part partner for ervice including advertiing, analtic, tracking, or emedded video. In order for a ite to migrate to HTTP without triggering warning in it uer’ rower, each one of the third-part partner that ite ue on it page mut upport HTTP. 12 4 Ad tracker HTTP upport rate on the Alexa top 100 new ite (via Citizenla) Getting third-part partner to upport HTTP i a eriou hurdle, even for ite that want to make the witch. 13 For example, in a 2015 urve of 2,156 online advertiing ervice, more than 85% did not upport HTTP. 14 Moreover, a of earl 2015, onl 38% of the 123 ervice in the Digital Advertiing Alliance’ own dataae upported HTTP. 15 In the figure aove, decriing the top 100 new ite, each unit of red or urgund indicate a third-part partner that doe not upport HTTP. In order for an one of thee new ite to provide it content to uer ecurel (without creating warning or error meage) the puliher mut either wait for all of it red and urgund partner to turn green, or ele aandon thoe partner on an ecure part of it ite. The online advertiing indutr i working to improve it ecurit poture, 16 ut clearl there remain a long road ahead. Internet of Thing device often tranmit data without encrption. It’ not onl we ite that fail to encrpt traffic tranmitted over roadand connection. Man Internet of Thing (IoT) device, uch a mart thermotat, home voice integration tem, and other appliance, fail to encrpt at leat ome of the traffic that the end and receive. 17 For example, reearcher at the Center for Information Technolog Polic at Princeton recentl found a range of popular device — from the Net thermotat to the Ui voice tem, to the Pixtar photo frame — tranmitting unencrpted data acro the network. 18 “Invetigating the traffic to and from thee device turned out to e much eaier than expected,” oerved Profeor Nick 19 5 Feamter. 19 A more uer adopt moile device, the communicate with a greater numer of IP. Ue of moile device i growing rapidl a a portion of uer’ overall Internet activit. The wire paper oerve that toda’ IP face a more “fractured world” in which the have a “le comprehenive view of a uer’ Internet activit.” 20 It i true that toda, man conumer’ peronal Internet activitie are pread out over everal connection: a home provider, a workplace provider, and a moile provider. However, a uer often ha repeated, ongoing, long-term interaction with oth her moile and her wireline provider. Over time, each IP can ee a utantial amount of that uer’ Internet traffic. There’ plent of activit to go around: The amount of time U.. conumer pend on connected device ha increaed ever ear ince 2008. 21 2. ven with HTTP, IP can till ee the domain that their ucrier viit. The increaed ue of encrption on the We i a utantial privac improvement for uer. When a we ite doe ue HTTP, an IP cannot ee URL and content in unencrpted form. However, IP can till almot alwa ee the domain name that their ucrier viit. DN querie are almot never encrpted. 22 IP can ee the viited domain for each ucrier monitoring requet to the Domain Name tem (DN). DN i a pulic director that tranlate a domain name (like Ŝ ) into a correponding IP addree (like ɨɮɨŜɨɭɨŜɨɫɯŜɨɬɥ). efore the uer viit Ŝ for the firt time, the uer’ computer mut firt learn the ite’ IP addre, o the computer automaticall end a ackground DN quer aout Ŝ . ven if connection to Ŝ are encrpted, DN querie aout Ŝ are not. In fact, DN querie are almot never encrpted. IP could impl monitor what querie it uer are making over the network. Collection and ue of DN querie IP i practical, i cot effective, and happen toda on IP network. ecaue the uer’ computer i aigned default to ue the IP’ DN erver, the IP i generall capale of retaining and analzing record of the querie, which the uer themelve end to the IP in the normal coure of their rowing. The wire paper aert that it “appear to e impractical and cot-prohiitive” to collect and ue DN querie, ut cite no technical or other authorit for that aement. 23 Our technical experience indicate that logging i oth feaile and relativel cheap to do: Modern networking equipment can eail log thee requet for later anali. Moreover, even if the uer’ computer i peciall configured to ue an external DN erver (not operated the uer’ IP), the DN querie mut till reach that external erver unencrpted, and thoe querie mut till travel over the IP’ network, creating the opportunit to inpect them. In fact, IP alread do monitor uer DN querie for valid network management purpoe, including to detect potential infection of maliciou oftware on uer device. 24 Certain domain name are ued olel maliciou oftware tool, and real uer traffic can e analzed to identif and lock uch domain. 25 Moreover, when an individual uer viit a compromied domain, thi i a trong ign that one or more of 6 that uer’ device i infected, and commerciall availale tool allow IP to notif the uer aout the potential infection. 26 According to literature from a network equipment vendor, Comcat currentl deplo thi ecurit-focued, per-ucrier DN monitoring functionalit on it network. 27 Reearcher in 2011 alo found that everal mall IP were alread leveraging their role a DN provider to not onl monitor, ut activel interfere with, DN reolution for their uer. 28 To e clear, we are not aware of an evidence that large IP have et egun to ue DN querie in privac-invaive wa, much le to interfere with ucrier’ querie along the line detected in 2011. We oerve here onl that it i technologicall feaile toda for IP oth to monitor and to interfere with DN querie. Although network ecurit i not utantiall impacted a modet to moderate amount of VPN uage, there are meaningful engineering downide to a future in which mot or all DN querie are crptographicall concealed from the end uer’ IP. (uch a future could, for example, make it more difficult for IP to provide earl and detection and wift repone for ome kind of malware attack.) At the ame time, a long a the uer’ DN querie are viile to the IP for network management purpoe, the IP will alo have a technologicall feaile option to analze thoe querie in wa that would compromie uer privac. ven a hort erie of viited domain from one ucrier can e enitive. A pivotal moment in a uer’ life, for example, could generate the following log at the uer’ IP (auming the uer han’t inveted in pecial privac tool): ƃɩɥɨɬŵɥɪŵɥɰɨɯśɪɫśɫɫƄ Ŝ ƃɩɥɨɬŵɥɪŵɥɰɨɯśɪɬśɩɪƄŜ ƃɩɥɨɬŵɥɪŵɥɰɨɯśɫɩśɩɰƄ Ŝ ƃɩɥɨɬŵɥɪŵɥɰɨɰśɥɩśɨɩƄŜŜ Over a longer period of time, metadata can paint a revealing picture aout a ucrier’ hait and interet. A other polic dicuion have made clear in recent ear, metadata i ver revealing over time. 29 For example, in the context of telephon metadata, the Preident’ Review Group on Intelligence and Communication Technologie found that “the record of ever telephone call an individual make or receive over the coure of everal ear can reveal an enormou amount aout that individual’ private life.” 30 The Group went on to note that “[i]n a world of ever more complex technolog, it i increaingl unclear whether the ditinction etween ‘meta-data’ and other information carrie much weight.” 31 Thi reaoning applie with equal trength to domain name, which we elieve are likel to e even more revealing than telephone record. uch a lit of domain could alo indicate the preence of variou “mart” device in the ucrier’ home, aed on the known domain that thee device automaticall connect to. 32 3. ncrpted Internet traffic itelf can e urpriingl revealing. ncrption top IP from impl reading content and URL information directl off the wire. However, it i important to undertand that encrption till leave open a wide variet of other, le direct method for IP to monitor their uer if the 7 choe. A growing od of computer cience reearch demontrate that a network operator can learn a urpriing amount aout the content of encrpted traffic without reaking or weakening encrption. examining the feature of the traffic — like the ize, timing and detination of the encrpted packet — it i poile to uniquel identif certain we page viit or otherwie reveal information aout what thoe packet likel contain. In the technical literature, inference reached in thi wa are called “ide channel” information. ome of thee method are alread in ue in the field toda: in countrie that cenor the Internet, government authoritie are ale to identif and dirupt targeted data acce aed on it econdar trait even when acce i encrpted. Concerningl, uch nation often rel on Wetern technolog vendor, whoe advanced product allow cenor increaingl to analze and act on traffic at “line peed” (that i, in real time, a the data pae through a network). 33 The ide channel method that we decrie elow are likel not ued (or at leat not widel ued) IP toda. ut a encrption pread, thee technique might ecome much more compelling. Policmaker hould have a clear undertanding of what’ poile for IP to learn, oth now and in the future. Identifing pecific ite and page. We ite fingerprinting i a well-known technique that allow an IP to potentiall identif the pecific encrpted we page that a uer i viiting. 34 Thi technique leverage the fact that different we ite have different feature: the end differing amount of content, and the load different third-part reource, from different location, in different order. examining thee feature, it’ often poile to uniquel identif the pecific we page that the uer i acceing, depite the ue of trong encrption when the we ite i in tranit. Reearcher have pulihed numerou tudie on the topic of we ite fingerprinting. In one earl tud uing a relativel aic technique, reearcher found that approximatel 60% of the we page the tudied were uniquel identifiale aed on uch unconcealed feature. 35 Later tudie have introduced more advanced technique, a well a poile countermeaure. ut even with variou defene in place, reearcher were till ale to ditinguih preciel which out of a hundred different ite a uer wa viiting, more than 50% of the time. 36 Thi od of reearch illutrate that decrpting a communication in’t necearil the onl wa to “ee” it. The wire paper aert that “[w]ith encrpted content, IP cannot ee detailed URL and content even if the tr.” 37 To e full accurate, however, that claim require qualification: IP generall cannot decrpt detailed URL and content. ut, thi cla of reearch demontrate that with ome amount of effort, it would indeed e feaile for IP to learn detailed URL (and through thoe URL, in ome intance, the actual content of we page) in a range of real-world ituation. 8 The autocomplete feature on Google’ earch engine. Deriving earch querie. Popular earch engine — like Google, Yahoo and ing — provide a uer-friendl feature called auto-ugget: after the uer enter each character, the earch engine ugget a lit of popular earch querie that match the current prefix, in an attempt to gue what the uer i earching for. analzing the ditinctive ize of thee encrpted uggetion lit that are tranmitted after each ke pre, reearcher were ale to deduce the individual character that the uer tped into the earch ox, which together reveal the uer’ entire earch quer. 38 Inferring other “hidden” content. Reearcher have applied imilar method to infer the medical condition of uer of a peronal health we ite, and the annual famil income and invetment choice of uer of a leading financial we ite — even though oth of thoe ite are onl reachale via encrpted, HTTP connection. 39 (Again, the reearcher otained thee reult without decrpting the encrpted traffic.) Other reearcher of ide-channel method have een ale to recontruct portion of encrpted VoIP converation, 40 and uer action from within encrpted Android app. 41 uch example have led reearcher to conclude that ide-channel information leak on the we are “a realitic and eriou threat to uer privac.” 42 Thee tpe of leak are often difficult or expenive to prevent. There ha een ignificant computer cience reearch into practical defene to defeat thee ide-channel method. ut a one group of reearcher concluded, “in the context of weite identification, it i unlikel that andwidth-efficient, general-purpoe [traffic anali] countermeaure can ever provide the tpe of ecurit targeted in prior work.” 43 Thee method are in the la toda — not et in the field, a far a we know. ut the path from computer cience reearch to widepread deploment of a new technolog can e hort. 4. VPN are poorl adopted, and can provide incomplete protection. One wa that ucrier can protect their Internet traffic in tranit i to ue a virtual private network (VPN). VPN are often found in uine etting, enaling emploee who are awa from the office to connect ecurel over the Internet to their compan’ internal network (often with etup help from the emploer’ IT department). When uing a VPN, the uer’ computer etalihe an encrpted tunnel to the VPN erver (a, the one operated the emploee’ compan) and then, depending on the VPN configuration, end ome or all of the uer’ Internet traffic through the encrpted tunnel. The wire paper preent VPN (and other encrpted prox ervice) a an up-andcoming ource of protection for ucrier. 44 However, there are reaon to quetion whether VPN will in fact have a ignificant impact on peronal Internet ue 9 in the United tate. U.. ucrier rarel make peronal ue of VPN. VPN have een commerciall availale for ear, ut the are ued parel in the United tate. According to a 2014 urve cited the wire paper, onl 16% of North American uer have ued a VPN (or a prox ervice) to connect to the Internet. 45 Thi figure decrie the percent of uer who have ever ued a VPN or a prox efore — not thoe who ue uch ervice on a conitent or dail ai, which i what protection from peritent IP monitoring would actuall require. Moreover, man of the 16% of uer who have ued a VPN are likel uine uer, rather than peronal uer looking to protect their privac. It i fair to conclude that onl a ver mall numer of U.. uer actuall ue a VPN or prox ervice on a conitent ai for peronal privac purpoe. Moreover, everal adoption hurdle are likel to deter unophiticated uer. Reliale VPN can e cotl, requiring an additional paid monthl ucription on top of the uer’ Internet ervice. The alo low down the uer’ Internet peed, ince the route traffic through an intermediate erver. (There are free VPN ervice availale, ut ucrier generall get what the pa for. 46 ) Relative to other countrie, the rate of VPN ue in the U.. i among the lowet in the world. 47 VPN ue i much more pronounced in other countrie like Indoneia, Thailand and China, where Internet uer turn to VPN a wa to circumvent online cenorhip, and to activel gain acce to retricted content. 48 VPN are not a privac ilver ullet. The ue of VPN and encrpted proxie merel hift uer trut from one intermediar (the IP) to another (the VPN or prox operator). In order to more thoroughl protect their traffic from their IP, a ucrier mut entrut that ame traffic to another network operator. Furthermore, VPN ma not protect uer a well a the wire paper might lead reader to elieve. The paper tate that “Where VPN are in place, the IP are locked from eeing . . . the domain name the uer viit.” 49 ut thi i not alwa true: whether IP can ee the domain name that uer viit depend entirel on the uer’ VPN configuration — and it would e quite difficult for non-expert to tell whether their configuration i properl tunneling their DN querie, let alone to know that thi i a quetion that need to e aked. Thi i particularl common for Window uer. 50 10 Concluion Toda, IP can ee a ignificant amount of their ucrier’ Internet activit, and have the ailit to infer utantial amount of enitive information from it. Thi i epeciall true when that traffic i unencrpted. However, even when Internet traffic i encrpted uing HTTP, IP generall retain viiilit into their ucrier’ DN querie. Detailed anali of DN quer information on a per-ucrier ai i not onl technicall feaile and cot-effective, ut actuall take place in the field toda. Moreover, IP and the vendor that erve them have clear opportunitie to develop method of inferring important information even from encrpted data flow. VPN are one tool that ucrier can ue to protect their online activitie, ut VPN are poorl adopted, can e difficult to ue, and often provide incomplete protection. We hope that thi report will contriute to a more complete undertanding of the technical capailitie of roadand IP, and the roader technical context within which the roadand privac deate i happening. 11 Aout Thi Report Thi report i deigned to provide technical grounding for policmaker and other intereted partie, regarding the extent of IP viiilit into the activitie of their ucrier. The report aim to provide technical information onl, and i not intended to take a poition on an matter of pulic polic. Reader who identif an factual error in thi report, or who have other feedack regarding it content, are warml invited to contact u at [email protected]. Thi report wa upported the Media Democrac Fund. Aout the Author Aaron Rieke i a Principal at Upturn. Previoul, he erved a an attorne in the Federal Trade Commiion’ Diviion of Privac and Identit Protection and a a Ron Pleer Fellow at the Center for Democrac & Technolog. He earned hi J.D. at erkele Law. David Roinon i a Principal at Upturn, with a hrid ackground in law and technolog polic. David hold a J.D. from Yale Law chool, and previoul erved a the inaugural Aociate Director of Princeton Univerit’ Center for Information Technolog Polic. Harlan Yu i a Principal at Upturn. He hold a Ph.D. in computer cience from Princeton Univerit and ha extenive hand-on experience working on technolog polic iue. He received hi .. in electrical engineering and computer cience from UC erkele. 12 ndnote 1 Federal Communication Commiion, Protecting and Promoting the Open Internet, No. 14-28, 30 FCC Rcd. 5601, 2015 WL 1120110 (FCC Fe. 26, 2015) (reclaifing roadand Internet ervice provider a common carrier under Title II of the Communication Act). 2 ee generall 47 U..C. § 222 (concerning the privac of cutomer information in the context of telecommunication ervice). ee alo H.R. Rep. No. 104- 458, at 204 (1996) (Conf. Rep.). 3 ee generall Federal Communication Commiion, “Pulic Workhop on roadand Conumer Privac” (Apr. 2015), http://www.fcc.gov/newevent/event/2015/04/pulic-workhop-on-roadand-conumer-privac. 4 Peter wire et al., “Online Privac and IP: IP Acce to Conumer Data i Limited and Often Le than Acce Other” (Fe. 29, 2016), http://www.iip.gatech.edu/ite/default/file/image/online_privac_and_ip.pdf (hereinafter “wire paper”). Throughout thi report, we refer to the Feruar 29, 2016 verion of the wire paper, which ma change in the future. 5 wire paper, at 6. 6 ee generall wire paper, at 6-14. 7 wire paper, at 36-37. 8 wire paper, at 3. 9 andvine, “Gloal Internet Phenomena potlight: ncrpted Internet Traffic” at 4 (2015), http://www.andvine.com/download/general/gloal-internetphenomena/2015/encrpted-internet-traffic.pdf (hereinafter “andvine 2015 report”). 10 Alexa, Top ite Categor, http://www.alexa.com/topite/categor (lat viited March 5, 2016). 11 To compile the figure in the tale aove, we viited each ite lited in Alexa’ “Top ite Categor” liting for the categorie of Health, New, and hopping uing the Google Chrome we rower on March 5, 2016. We counted a we ite a having “ncrpted rowing naled Default” if the ite ued an HTTP connection after clicking through the we ite (e.g., looking up a particular medical condition, reading new torie, or rowing product liting). Man hopping we ite, including Amazon.com, witch to HTTP onl after a uer initiate a checkout proce or acce a private account page. However, ecaue uch we ite till tranmitted lot of “hopping” ehavior over HTTP connection, we did not claif them a “ncrpted rowing naled Default.” 12 itan Koningurg, Rajiv Pant & lena Kvochko, “mracing HTTP,” N.Y. Time 13 - OPN log (Nov. 13, 2015), http://open.log.ntime.com/2014/11/13/emracing-http. (“To uccefull move to HTTP, all requet to page aet need to e made over a ecure channel. It’ a daunting challenge, and there are a lot of moving part. We have to conider reource that are currentl eing loaded from inecure domain — everthing from Javacript to advertiement aet.”) (hereinafter “mracing HTTP”). 13 mracing HTTP (“Conidering the importance of advertiement, thi i ver likel to e a ignificant hurdle to man media organization’ implementation of HTTP.”). 14 Andrew Hilt, "ome impreion on Internet advertier ecurit," The Citizen La (Mar. 30, 2015), http://citizenla.org/2015/03/ome-impreion-on-internetadvertier-ecurit. 15 Id. 16 rendan Riordan-utterworth, “Adopting ncrption: The Need for HTTP,” IA (Mar. 25, 2015), http://www.ia.com/adopting-encrption-the-need-for-http. 17 Nick Feamter, "Who Will ecure the Internet of Thing?," Freedom to Tinker (Jan. 29, 2016), http://freedom-to-tinker.com/log/feamter/who-will-ecure-theinternet-of-thing. 18 Id. 19 Id. 20 wire paper, at 24. 21 Danl oomworth, "Moile Marketing tatitic compilation," mart Inight (Jul. 22, 2015), http://www.martinight.com/moile-marketing/moile-marketinganaltic/moile-marketing-tatitic. 22 . ortzmeer, DN Privac Conideration, Internet ngineering Tak Force, Augut 2015, http://tool.ietf.org/html/rfc7626 ("Almot all thi DN traffic i currentl ent in clear (unencrpted)."). In addition, aide from DN, an encrpted connection ometime expoe it own domain name deign, in the header of the encrpted packet. Thi i called erver Name Indication (NI). We won’t get into the technical weed here aout NI, ut uffice it to a that there are multiple wa for IP to collect thi information. 23 wire paper, at 15 (claiming that “it appear to e impractical and cotprohiitive” for IP to collect and ue DN lookup data). 24 ee, e.g., Xerocole Partner with Damalla for otnet Detection on Carrier Network, Pre Releae (Aug. 6, 2012), http://www.reuter.com/article/idU129911+06-Aug-2012+W20120806 (explaining that “Damalla CP protect ome of the larget cale and wirele IP network in the world. monitoring DN activit to detect infected ucrier, Damalla CP i a ‘light weight,’ highl calale and powerful olution for identifing network aue and infected ucrier.”) (emphai added.) 25 ee, e.g., Mano Antonakaki, Roerto Perdici, David Dagon, Wenke Lee & Nick Feamter, “uilding a Dnamic Reputation tem for DN,” 19th UNIX ecurit mpoium, Wahington D.C. (Aug. 11, 2010), availale at http://www.uenix.org/legac/event/ec10/tech/full_paper/Antonakaki.pdf (decriing a ecurit tem that “ue paive DN quer data[,] uild model of known legitimate domain and maliciou domain, and ue thee model to compute a reputation core for a new domain indicative of whether the domain i maliciou or 14 legitimate,” noting that the author “have evaluated [the tem] in a large IP’ network with DN traffic from 1.4 million uer,” and oerving that the tem “can identif maliciou domain with high accurac (true poitive rate of 96.8%) and low fale poitive rate (0.38%), and can identif thee domain week or even month efore the appear in pulic lacklit.”). 26 ee, e.g., Damalla CP: Advanced Threat Protection for Communication ervice Provider (product rochure), availale at http://www.damalla.com/wpcontent/upload/2014/08/Damalla-CP.pdf (explaining that the compan’ tem “monitor DN traffic [of] million of ucrier” with “[z]ero impact to network performance,” “[a]utomaticall detect compromied ucrier IP addree,” “[c]apture maliciou querie and correlate finding to generate infection report,” and “[e]nale ucrier notification” o that ucrier can diinfect their machine). 27 Id. (quoting an unnamed Comcat executive a aing that “Comcat i uing otnet detection ervice from Damalla to recognize the command-and-control erver and will notif cutomer whoe computer are found to e communicating with thoe erver.”). 28 Chao Zhang et al., “Inflight Modification of Content: Who Are the Culprit?,” LT (2011), http://www.uenix.org/legac/event/leet11/tech/full_paper/Zhang.pdf. ee alo Nate Anderon, “mall IP ue 'maliciou' DN erver to watch We earche, earn cah,” Ar Technica (Aug. 5, 2011), http://artechnica.com/techpolic/new/2011/08/mall-ip-turn-to-maliciou-dn-erver-to-make-extracah.ar. 29 ee generall The Preident’ Review Group on Intelligence and Communication Technologie, “Liert and ecurit in a Changing World” (Dec. 12, 2014), availale at http://www.whitehoue.gov/ite/default/file/doc/2013-1212_rg_final_report.pdf (hereinafter “Preident’ Intelligence Review”); ee alo Tetimon of dward W. Felten, “enate Hearing on Continued Overight of the Foreign Intelligence urveillance Act” (Oct. 2, 2013) at 8, availale at http://www.c.princeton.edu/~felten/tetimon-2013-10-02.pdf (“Although thi metadata might, on firt impreion, eem to e little more than “information concerning the numer dialed,” anali of telephon metadata often reveal information that could traditionall onl e otained examining the content of communication. That i, metadata i often a prox for content.”); ee alo Jonathan Maer, “MetaPhone: The enitivit of Telephone Metadata” (Mar. 12, 2014), http://wepolic.org/2014/03/12/metaphone-the-enitivit-of-telephonemetadata. 30 Preident’ Intelligence Review, at 116-117. 31 Preident’ Intelligence Review, at 120-121. 32 Nick Feamter, "Who Will ecure the Internet of Thing?," Freedom to Tinker (Jan. 29, 2016), http://freedom-to-tinker.com/log/feamter/who-will-ecure-theinternet-of-thing. 33 ee e.g., Citizenla, “ehind lue Coat: Invetigation of commercial filtering in ria and urma” (Nov. 9, 2011), http://citizenla.org/2011/11/ehind-lue-coat. 34 ee e.g., huo Chen, Rui Wang, XiaoFeng Wang & Kehuan Zhang, “ide-Channel Leak in We Application: a Realit Toda, a Challenge Tomorrow,” at 3 (2010), availale at http://reearch.microoft.com/pu/119060/WeAppideChannel- 15 final.pdf (hereinafter “We ide Channel”). 35 ee Qixiang un, Daniel R. imon, Yi-Min Wang, Wilf Ruell, Venkata N. Padmanahan & Lili Qiu, “tatitical Identification of ncrpted We rowing Traffic” (2002), availale at http://reearch.microoft.com/app/pu/default.apx?id=69918. 36 ee Xiang Cai, Xin Cheng Zhang, rijeh Johi & Ro Johnon, “Touching from a Ditance: Weite Fingerprinting Attack and Defene” (2012), availale at http://www3.c.tonrook.edu/~xcai/fp.pdf. 37 wire paper, at 23. 38 We ide Channel, at 6. (“Interetingl, the auto-uggetion in fact caue a catatrophic leak of uer input, ecaue the attacker can effectivel diamiguate the uer’ actual input after ever ketroke matching the ize of the repone carring the uggetion lit.”). The wire paper aert that “[w]hen the earch i performed over an HTTP connection, a ha ecome the norm, the IP can onl ee which earch engine wa ued . . . ut not the earch quer . . . .” However, while it i true that IP can no longer directl oerve the earch quer in plaintext on the wire, that i not the IP’ onl option. An IP that mimic the technique demontrated thee reearcher might till learn the earch querie that uer entered. 39 ee We ide Channel. 40 ee Andrew M. White, Autin R. Matthew, Kevin Z. now & Faian Monroe, “Phonotactic Recontruction of ncrpted VoIP Converation: Hookt on fon-ik,” in Proceeding of the I mpoium on ecurit and Privac, at 3-18 (Ma 2011), availale at http://www.c.unc.edu/~faian/paper/fonik-oak11.pdf. 41 ee Mauro Conti, Luigi V. Mancini, Riccardo polaor & Nino V. Verde, “Can’t You Hear Me Knocking: Identification of Uer action on Android App via Traffic Anali” (Jul. 2014), availale at http://arxiv.org/pdf/1407.7844.pdf. 42 We ide Channel, at 1. 43 Kevin P. Der, cott . Coull, Thoma Ritenpart & Thoma hrimpton, “Peeka-oo, I till ee You: Wh fficient Traffic Anali Countermeaure Fail,” at 1 (2012), availale at http://ieeexplore.ieee.org/tamp/tamp.jp? tp=&arnumer=6234422. 44 wire paper, at 34 (“At leat 30 million people in the U.. ue a VPN or other prox ervice . . . Thi numer likel will clim harpl in coming ear.”). 45 Thi tatitic i actuall larger than the fraction of uer that are relevant to thi dicuion, ince man prox ervice are not encrpted. Jaon Mander, “GWI Infographic: VPN Uer,” GloalWeIndex (Oct. 24, 2014), http://www.gloalweindex.net/log/vpn-infographic. 46 William Van Winkle, “The Pro and Con Of Uing A VPN Or Prox ervice,” Tom’ Hardware (Mar. 28, 2015), http://www.tomhardware.com/review/vpn-vprox-ervice,4087.html (“You do get what ou pa for.”). 47 GloalWeIndex, “The Miing illion,” at 9 (2014), http://inight.gloalweindex.net/h-f/hu/304927/file-1631708567pdf/GWI_The_Miing_illion_2014.pdf?t=1441899050488 (“It’ aundantl clear that VPN uage i mot pronounced in fat-growth nation. . . . In contrat, uage i conideral le common in the mot mature internet market – with the UA, Canada, France, the UK, Autralia and Japan coming at the ver ottom of the tale.”); Chri mith, “erioul Dark Traffic: 500 Mil. People Gloall Hide Their IP Addree,” Digida (Nov. 18, 2013), http://digida.com/puliher/vpn-hide-ip- 16 addre-ditort-analtic (“Fift percent of thee 410 million VPN uer a the jut want acce to etter entertainment content, according to a GloalWeIndex urve of 170,000 individual pread acro 32 countrie. Twent-eight percent a the do o for acce to new and ocial networking ite, and to remain anonmou.”). 48 Id. 49 wire paper, at 31. (“Where VPN are in place, the IP are locked from eeing the deep link and content (a with other encrption), and alo the domain name the uer viit.”). 50 Vaile C. Perta, Marco V. arera, Gareth Ton, Hamed Haddadi & Aleandro Mei, “A Glance through the VPN Looking Gla: IPv6 Leakage and DN Hijacking in Commercial VPN client”, 1 Proc. Privac nhancing Technologie 84 (2015), availale at http://petmpoium.org/2015/paper/02_Perta.pdf (“In particular, Window doe not have the concept of gloal DN etting, rather, each network interface can pecif it own DN. Due to the wa Window procee a DN reolution, an dela in a repone from the VPN tunnel ma trigger another DN quer from a different interface, thu reulting in a leak. . . . Under certain configuration, ome VPN client do not change the DN etting, leaving the hot’ exiting DN erver a the default. For intance, we oerved that the dektop verion of HideMA (v1.17) doe not et a cutom DN when uing OpenVPN.”). 17