4

I have a mobile subscription with 1 GB of data every month. But my provider has a promotion where Facebook and Twitter traffic is free, so I can use Facebook and Twitter and not use up my 1 GB of data.

I just wonder how they know when I am using Facebook? And if they are scanning for Facebook usage, what else can they scan, and how can I prevent them from knowing I use Facebook (or any other site)?

3 Answers

4

Without going into deep detail about how Internet Protocol routing and the Domain Name System work, it's actually quite easy for your ISP (and in this case, your provider is your ISP) to know what domains you visit.

To answer your question, the provider maintains a list of all the IP addresses registered to Facebook. When your phone requests Internet data via its cellular connection, it addresses the request to a specific IP address. That request gets routed through the Internet gateway at your provider. The gateway (or other hardware between it and the tower) can record this usage, and check the source and destination addresses. If the destination address (for a request) or source address (for a response or push notification) is from an IP address registered to Facebook, your provider simply doesn't count that usage against your plan's data limit.

They can't necessarily read the traffic - even using Deep Packet Inspection (DPI) they won't be able to read encrypted traffic - but they can see how big it is, where it comes from, and where it goes. Be aware that mobile operators often do use DPI, though; it lets them detect people doing things like using tethered data without (or in excess of) their tethering limit. Also, while the traffic between your phone and the tower is encrypted (with not-very-good crypto on older-generation protocols, though I don't think 4G is broken yet), the operator obviously needs to be able to decrypt that layer of traffic so they can route the data. The data could be encrypted at a higher level as well, using things like SSL/TLS, but anything above the Internet Protocol level will reveal the sender and recipient of each packet.

Any ISP can do this monitoring of your connections for anything that accesses the Internet through them, by the way. This kind of "metadata" is one of the things the NSA and similar agencies around the world are so intent on slurping up. China's "Great Firewall" places filters on IP addresses that it doesn't want you to reach, though I think it also uses DPI to block specific content on otherwise-permitted sites. This kind of thing is one of the reasons anonymizing proxy servers and anonymous networks (such as Tor) exist; your ISP can tell you are connecting to a proxy / Tor entry node, but can't tell where your request goes after that unless they control the node. By bouncing the request a few times to random machines, it's possible to be pretty sure that anybody trying to track the path of the request has lost it. The actual final destination is encrypted within the data sent to the proxy, so it's never visible to a network attacker.

CBHacking
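The address-based accounting described in the answer above, as an added example that is not part of the original post or any operator's real system. The prefixes are RFC 5737 documentation ranges used as placeholders, and the subscriber pool, flow records and function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder prefixes standing in for the address list
# a zero-rated service would hand to the operator.
ZERO_RATED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]
SUBSCRIBER_POOL = ipaddress.ip_network("10.20.0.0/16")  # assumed handset address pool

# Constructed flow records as a gateway might log them:
# (subscriber, source IP, destination IP, bytes)
FLOWS = [
    ("sub-1", "10.20.0.7", "198.51.100.14", 120_000),    # request to zero-rated service
    ("sub-1", "198.51.100.14", "10.20.0.7", 4_800_000),  # response or push from it
    ("sub-1", "10.20.0.7", "192.0.2.80", 300_000),       # ordinary site
    ("sub-1", "203.0.113.200", "10.20.0.7", 900_000),    # just outside the /25
    ("sub-1", "10.20.0.7", "192.0.2.53", 5_000_000),     # proxy/VPN endpoint
]

def remote_end(src, dst):
    """Pick the non-subscriber side: dst for requests, src for responses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return d if s in SUBSCRIBER_POOL else s

def is_zero_rated(ip):
    return any(ip in net for net in ZERO_RATED)

def account(flows):
    """Sum bytes per subscriber into 'free' and 'billable' buckets."""
    totals = defaultdict(lambda: {"free": 0, "billable": 0})
    for sub, src, dst, nbytes in flows:
        bucket = "free" if is_zero_rated(remote_end(src, dst)) else "billable"
        totals[sub][bucket] += nbytes
    return {sub: dict(t) for sub, t in totals.items()}

if __name__ == "__main__":
    print(account(FLOWS))
```

The last flow shows the trade-off of tunnelling: the gateway sees only the tunnel endpoint's address, so it cannot tell which site is inside, and the traffic is counted as billable.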
2

But my provider has a promotion where Facebook and Twitter traffic is free, so I can use Facebook and Twitter and not use up my 1 GB of data.

These are negotiated deals where Facebook and Twitter will provide the wireless provider with a list of IP addresses that will be used to provide data to their clients. FB and Twitter are usually required to give at least 6 weeks of notice before making new IP ranges active so that the wireless providers have enough time to code them into the accounting exceptions along with any technical firewall-like rules.

The wireless providers pay close attention to utilization numbers of the services to decide if offering them is increasing overall revenue. The service is often viewed as a loss-leader type affair where providing some part of internet access promotes subscribers to pay for full access.

How can I prevent them from knowing I use Facebook (or any other site)?

If you want to prevent traffic analysis via DNS queries and IP address ranges, you'll need to make use of a VPN.

Jeff Ferland
0

Deep Packet Inspection allows telecom companies to analyse the traffic of their subscribers. They can easily see the applications in use in real time. This also includes RTT, QoE (if available), throughput per application and many others. The main idea of having DPI in a telecom infrastructure is to increase the Quality of Experience of a subscriber. Let's say you have a TV decoder provided by your ISP and a couple of computers at home. You would not like a lagging TV experience when someone uses the Internet on the computers at the same time. By having DPI, they can guarantee a minimum bandwidth for their device so that you enjoy watching a movie. Or imagine a congested cell tower because everyone watches (or rather tries to, because it is already congested) video on their phones. DPI again can split the available bandwidth equally among the end subscribers (or in any way you want).

Anyway, this is a huge topic, but yes, with Deep Packet Inspection they can see what apps are in use, how much data is spent per app, and subscribers' phone models, or even whether you are roaming (and if so, which partner you use in another country), all in real time, no matter if the app is Skype or something else. While having DPI can give infinite possibilities of use cases to deploy (such as free app usage for a certain time), many telco companies use it to provide a better Internet service for their customers and to collect data so they can send you the right advertisements ;)

P.S. I cannot comment on another post yet, so: what CBHacking says is not entirely true, as DPI (assuming there is one behind this) does not classify the service based on the IP address in many cases (including your free app usage use case), because IP addresses and port numbers are not trustworthy and can be different after a while, and this may cause an application to be misclassified, which can eventually be a revenue leak for an ISP.

  • How will an ISP be able to perform packet inspection on HTTPS connections? The IP address (and the domain name) is about the only thing that is visible to the ISP on HTTPS connections. – Michael Sep 29 '15 at 04:24
  • Communication between server and client still happens in HTTP but adds an SSL layer on top, meaning that you cannot see the content type, such as whether there is an image and so on. However, you can still check the connection state via TCP flags and count the data usage for that specific application. Moreover, you can of course still see the BGP AS path, client and server IP, IP protocol, and VLAN. DPI also checks the SNI and the certificate to match it with a specific app/URL and keeps track of the connection via TCP, so you still know whether that app is still in use in real time. That's very high-level info... – universeHack Sep 29 '15 at 08:33