Image by Steve Rhode

Each year Canada’s leaders in telecommunications gather at the Canadian Telecommunications Summit to talk about ongoing policy issues, articulate their concerns about Canada’s status in the world of telecommunications, and share lessons and experiences with one another. This years Summit was no exception. While some commentators have accused this year’s event of just rehashing previous years’ content – it is true that each Summit does see similar topics on the conference agenda, with common positions taken each year – there are some interesting points that emerged this year.

Specifically, discussions about the valuation of telecom services regularly arose, discussions of supply and demand in the Canadian ISP space, as well as some interesting tidbits about the CRTC. For many people in the industry what I’ll be talking about isn’t exactly new; those not inside the industry’s fold, however, may find elements of this interesting. After outlining some of the discussions that took place I will point to something that was particularly striking throughout the Summit events I attended: Open Media loomed like a spectre throughout, shaping many of the discussions and talking points despite not having a single formal representative in attendance.

Value Propositions

Throughout the Summit speakers regaled the audience with just how much Canadians take advantage of the Internet; we are the most prolific users of YouTube, heavy users of Facebook, and are online for longer periods of time than many other countries’ citizens. Thus, from the telecommunications perspective, current pricing models and bandwidth allowance conditions are set so that consumers still enjoy high value from their services. Interestingly, while Canadians my be online for greater periods of time Europeans are actually consuming twice as much bandwidth as North Americans. To clarify, customer value propositions almost uniformly adhere to the following equation:

Value to customers = Benefits received by customers – cost of service/good

Given that prices for broadband are typically lower in Europe, and that members of the EU are even more prolific users of broadband (presumably also receiving at least equal benefits as Canadians) it would seem that the value to consumers provided by European carriers is actually higher than that provided to Canadians.

During the Summit, ISPs were informed by policy management vendors that the complementary products that compose a significant facet of ISPs’ revenue streams are in danger. Sandvine’s President and CEO, Dave Caputo, pointed to a report from Barclay’s capital equity research that found voice traffic was presently worth about 10,000 Euro/GB of traffic, text messages about 30,000 Euro/GB, and pure data transmissions only about 5 Euro/GB. Further, Mark Henderson (President and CEO of Ericsson Canada Inc.) asserted in his keynote that voice traffic was effectively noise on mobile networks on the basis that voice traffic accounts for almost single digital percentages of overall data transmissions. As a result, voice services are decreasingly seen as effective profit centers. Taken together, it would appear that the value proposition of offering all you can eat broadband services is diminishing from a carrier perspective whilst consumer value propositions from such models continue to increase as Internet experiences become richer and richer.

More generally, with the introduction of more and more services that are designed to use data, and that let people cut SMS and voice plans, core mobile profit centres are threatened. Of course, such centers are perhaps enhanced whenever customers exceed their data plans and receive incredibly high bills that price bandwidth capacity usesignificantly above the ‘bucket’ cost of data. While the ‘overage market’ might be seen as a potential site of revenue growth, carriers and vendors alike suggested that differentiated service offerings are a preferred means of enhancing customer value propositions. Generally, the argument was that customers want the experience of regular and predicable billing, and that the potential of overage charges are a limiting factor in driving data usage. In a differentiated service model customers might choose particular kinds of data-based services; perhaps they receive email and access to social networking sites but lack access to the web generally, or have to pay a certain amount to receive ‘so much’ web access over the course of a month. What remains unclear to me is that:

1. Users actually want a differentiated offering. Instead, they seem to want to avoid bill shock. Differentiated billing is not the solution to the problem facing consumers, though effective policy controls that stem the ability of users to massively exceed their monthly data caps would (in part) resolve the ‘pain point’ felt by consumers. Further, where overages occur prices should be fair; there is no clear reason why someone that uses an extra few gig of mobile data should have to mortgage their home to pay off a monthly cellular bill.
2. Service differentiation necessarily reduces the amount of bandwidth that users will consume. While this may be the case sometimes it seems as though the emphasis should be on data usage instead of service usage. In a ‘Facebook package’ can individuals click the links associated with people’s Walls? Watch embedded videos? Upload an infinite number of photos? If not, then are individuals receiving a ‘Facebook’ experience where that experience is dependent on the socialized nature of sharing and access to the greater web? Is someone who uploads hundreds or thousands of photos to Facebook a less prolific user of data as compared to someone who checks a few emails and browses the web a little bit every day?

This isn’t to say that I don’t understand carriers’ fear of the Over-the-Top services that are slamming their complementary products. At peaks times of the day Netflix is currently accounting for around 29-30% of all data traffic in North America, and accounts for 13.5% of Canadian traffic during peak periods. The rise of high-quality on-demand OTT content also changes the language of carriers: legitimate customers who are accessing well integrated and easy to use OTT services are driving growth, not ‘content thieves’. No longer are carriers’ portals competing with infringing content but legitimate content, and while carriers were quick to tout the ‘large’ number of online offerings they have through their portals what struck me was that in at least the case of Videotron I personally have more legitimate content on my home NAS than their company makes available to their consumer base. This is not the case when contrasting my personally stored media content against that of Netflix’s library! I recognize that part of the problem facing carriers today relates to rights clearing, but given just how vertically integrated many of the largest carriers are I cannot see consumers genuinely sympathizing with their ISPs and television providers. Instead, customers are ‘enjoying’ low data caps that punish excessive enjoyment of OTT, non-carrier provided, content: the pain point around costs of bandwidth capacity provision are driven by carrier scarcity of legitimate online content combined with high overage costs, not with ‘data hogs’ that are violating social norms by watching their movies and TV from the Internet.

Supply vs. Demand and Spectrum Framing

Throughout the Summit, attendees (and members of the various government regulatory bodies) heard that ‘supply isn’t the problem, demand is!’ In effect, Canada’s telecommunications companies were stating that they are meeting the expectations of Canadians and that the companies would continue to meet expectations in the future. Consumers themselves were seen as the problem in the supply/demand curve of Canadian telecommunications. Specifically, carriers can move large capacities of traffic but there are many Canadians that cannot access even basic computer services. Without access to computers, combined with high levels of literacy, consumers cannot understand the benefit of broadband.

Mark Goldberg, one of the two primary organizers of the Summit, began his address on the first day with this point and it was reiterated throughout the event. Interestingly, Rob Bruce (President of Rogers Communications) recognized that his company had to do a better job in making access to devices, and their daily use, a simpler experience. He also recognized that Canadians needed to be able to control their ‘digital consumption’. While on the one hand I agree with this sentiment (because of the horrendously high overage fees potentially facing mobile and wireline consumers of Canadian providers) I worry that this is really an indirect way of asserting that managed networks and differentiated access types to the Internet are ‘needed’ by today’s consumers. Further, if such a managed and differentiated product offering is required to avoid high overage fees and afford some sense of monthly financial security, then one has to wonder how effectively the ‘supply’ side of the supply/demand equation is really being handled. Managing resources to maximize return on supply is not the same thing as establishing a healthy supply/demand equilibrium that conforms to basic economic theory and free market expectations.

If supply truly is meeting demand today (a questionable position based on carriers’ stated needs to throttle traffic throughout the day and charge grossly highly overage fees for bandwidth capacity use) then we might wonder about the regularized scare tactics surrounding Long Term Evolution (LTE) deployment in Canada. Access to the 700 MHz spectrum was a regular point of contention throughout the Summit, with carriers insisting that next-generation Internet services were dependent on each carrier receiving a large amount of that spectrum block. Discussions over wireless spectrum saw some ISPs advocate for entirely open auctions that avoid set-asides for new(er) entrants and others demanding spectrum set-asides or offering their own policy models that favor new(er) carriers.

For those not invested in the spectrum debates, the 700 MHz block is presently used for analogue television and is soon to be auctioned off once all television in Canada has migrated to digital systems. This particular block of spectrum is terrific at travelling long distances and passing through structures and other physical objects. Large carriers assert that delivering high-speed broadband to rural and remote locations will prominently require LTE technologies. Further, these same carriers threaten that LTE systems will be experience delayed deployments (or not be deployed at all) if they are not given access to the 700 MHz spectrum block. A critical observer might wonder whether those companies’ shareholders will stand for the executive and board  simply refusing to keep updating systems with the times, perhaps using non-beachfront spectrum, if not upgrading will reduce shareholder returns. The same observer might also wonder at just how often the larger providers have actually carried through with such threats of non-investment.

More generally, the efforts to frame the upcoming spectrum auctions were fast and furious, with each large company getting time on stage to talk to an audience composed of other telecommunications providers, regulators, media, and a precious few academics and students. The regulatory staff that I spoke to were all aware of the framing process – some found it moderately amusing – but it’s important to note not just what was said and who said it, but what wasn’t said and who didn’t have a chance to speak. Specifically, the strong positions taken by groups such as CIPPIC and Open Media over the past few years  in public and regulatory spaces were not articulated by members of those groups, nor were they given between a half-hour or an hour of stage time. More carefully stated, a framing process entails groups identifying a problem, groups responsible for it, and policy solutions to correct it. For all parties to have an equal handle in trying to shape the agenda, all must be permitted to proceed through the framing process during moments where the elites of the policy subsystem meets. Unsurprising, given the highly corporatized nature of the Summit, members of advocacy groups and coalitions were not invited to speak and have a shake at shaping Canada’s telecommunications regulatory agenda.

This isn’t to say, of course, that advocacy voices were entirely silent: John Lawford from PIAC spoke, as did Commissioner Stoddart. Neither focused on spectrum, but instead of specific harms experienced by Canadians. Their contributions operated within the conservative nature of the telecommunications subpolicy group, insofar as they slightly expand the scope of discourse without significantly throwing off or challenging ISPs’ cohesive framing (and exclusion/denigration) efforts.

Throughout the Summit there was a regular emphasis on disdain towards advocacy groups that had garnered significant attention from the media and Canadians more generally: Open Media’s recent report was referred to as “an homage to state sponsored network neutrality and broadband” by TELUS’ VP Regulatory, the organization was accused of taking advantage of social media and undermining its value as a source of information by Rogers’ President of Communications and the group is apparently obscuring network realities as far as Videotron’s President and CEO is concerned. The regulator also got involved, when the Chairman of the CRTC asserted that the consumer groups generally had to get organized and expand their knowledge.

This kind of broad framing – of extinguishing the legitimacy of a large voice without letting it speak – indicates a pair of things;

1. Open Media has been incredibly successful in getting under telecommunications providers’ skins. I’ve never been at a Summit (or other large industry event, of any kind) where an advocacy group and its coalition has attracted so much explicit and implicit vitriol;
2. Some companies are now ‘framing’ the group’s crowd-source effects as illegitimate and thus trying to illegitimate other attempts to crowd-source information.

I don’t expect, nor am I suggesting, that framing entirely obfuscates or undermines the conditions of Open Media’s attempts to work in the telecommunications regulatory space, but it does work to identify ‘qualified’ epistemic elites by whom telecommunications should be handled. The long-term consequences of depriving this advocacy group a voice at the Summit is to simultaneously reaffirm the legitimacy of actors that are present and harden combative language amongst the various members, as well as confirm that Open Media is a recognized adversary in Canada’s telecom space. This isn’t to suggest that providers have some kind of a ‘battle plan’ – there isn’t a central organizer that is using this space to intentionally coordinate language – but rather the result of a closed communications loops that constitute an ‘iron triangle’. Such triangles are composed of closed and mutually supportive groups that see governmental agencies, special interest lobbying groups, and legislative (sub)committees working together to develop policy. Members of such groups are typically specialized in very particular policy areas and present a united front towards interlopers or outsiders who

attempt to invade their turf and alter established policies that have been worked out by years of private negotiations among the “insiders” … These triangles are said to be as “strong as iron” in that these mutually supportive relationships are often so politically powerful that representatives of the more general interests of society are usually effectively prevented from “interfering” with policy-making altogether whenever their concept of the general interest runs counter to the special interests of the entrenched interest groups, bureaucrats and politicians (Source).

The CRTC in Focus

The Chairman of the CRTC was at this year’s Summit, and as usual interesting little tidbits came out in his discussion with Summit co-organizer, Mark Goldberg. von Finckenstein was regularly asked questions that followed Open Media’s general talking points, including questions of structural separation, roles of consumer groups, and effectiveness of existing CRTC regulatory policies. During the questions the Chairman was asked about the CRTC’s research capacity: in effect, is the regulator conducting in-depth research of goings on around the world, or is it predominantly relying on what is provided to it by those coming before the regulator? While I had expected that the CRTC was stacked with some research analysts who conduct research, von Finckenstein instead said that while the CRTC has a good handle on ‘the basics’ it isn’t actually engaged in detailed research of any particular regulatory approach to telecommunications. His rationale was that if the Commission was involved in intense research then it would come to particular proceedings with biases that might limit their position as impartial regulators. While I can appreciate the sentiment here, it seems somewhat off-base: as a scholar I expect that when I submit a piece for peer-review that it will be treated fairly and as neutrally as possible. This said, expect that reviewers will have conducted research in similar topic areas and that they will have private opinions concerning the argument-types presenting. I fail to understand why the CRTC cannot conduct basic research to evaluate the claims made by carriers and consumer groups alike, balancing any claims against existing policy research and analyses that are both conducted in house and by other regulators/academics.

Somewhat distressingly, the Chairman asserted a point that those who have spent time watching the CRTC already knew: the CRTC is of the opinion that consumer groups should be driving complaints before the CRTC instead of consumers themselves. von Finckenstein maintains that the highly technical nature of filing complaints means that the process is ill-suited to average consumers and that, as a result, consumers need to organize and develop a broader knowledge base concerning telecommunications so that they can then file complaints as appropriate. This having been said, he also asserted that consumers don’t generally have problems communicating with the CRTC. While unstated, I suspect that this particular comment was meant to capture the individuals consumers who are filing ITMP complaints with the CRTC, though doubt that he appreciates the level of consumer resentment towards the CRTC’s apparently toothless enforcement of their own regulatory decision around traffic management policies in Canada. I also find it of concern that the Chairman focuses on consumer groups as chiefly responsible for the formal complaints: for the full range of consumer issues to be brought before the CRTC there must be enhanced funding for these very groups. Canada is not the US, it doesn’t have the support of private foundations that enable civil society to work in the favor of citizens and consumers. Ideally, if the Chairman were serious about his suggestion, he would also demand that additional funds be provided to consumer groups prior to filing a claim so that research and testing could be performed ahead of time. As the ITMP proceeding demonstrated, the costs associated with significant hearings are so high that few can afford to do the work and simply hope to get paid at the conclusion of a particular regulatory procedure.

Unsurprisingly, the Commissioner also asserted that ITMP audits were not something that CRTC was interested in conducting because any such practice would operate under the assumption that there might be something wrong in the first place. As a complaints-driven body it would be inappropriate to make such an assumption. This is unfortunate because it can be so challenging for individuals to actually trace the source of network-based problems. Further, it is in companies’ best interests to keep a shroud drawn tightly around themselves and their infrastructure operations to obfuscate their own misdeeds. Indeed, this very point has been made repeatedly by scholars in the telecommunications sphere but without a research wing it would appear that the CRTC is ignorant of the basic facts of corporate strategies that are designed to confuse consumers. Further, without such a research wing the Commission is apparently unaware that those conducting research on the outskirts of the network infrastructure will almost certainly have a very difficult, if not impossible, time trying to identify problems that reside within ISPs’ infrastructure.

The Haunting of Open Media

Open Media hung over most of the Summit as a spectre that could-not-be-named. Various CEOs, Presidents, and Vice-Presidents raised concerns over the role of advocacy groups. Rogers’ President of Communications worried that ‘special interests’ were undermining the value of social media as a source of fact-finding and outreach, Videotron’s President and CEO asserted that customers were happy with Usage Based Billing and that Open Media was just trying to obscure network realities and the Chairman of the CRTC maintained that a series of Open Media’s key issues (audits of ITMP systems, functional separation) were not issues that the regulator was willing to take up. TELUS’s Mike Hennessy stated (without defending the claim) that Open Media’s recent report, “Casting an Open Net: A Leading-Edge Approach to Canada’s Digital Future,” was homage to state-sponsored network neutrality and broadband. Further, it was suggested that Open Media should have been the consumer group that was present at the annual ‘Regulatory Blockbuster’ panel instead of PIAC, based on each consumer groups’ relative prominence in the broadband space this past year. It is admittedly somewhat anecdotal, but a vast number of the conversations that I participated in over the two days I attended the Summit saw Open Media either directly or indirectly come up.

What does this mean for Open Media as an organization? To begin, it indicates that the organization is implicitly recognized as an actor in the Canadian telecommunications policy subsystem, as demonstrated both by their involvement in discussing policy issues and bargaining in pursuit of their interests, as well as by the agenda denial tactics that are being undertaken by incumbent subsystem actors. The group’s effectiveness is arguably tied to their ability to harness epistemic elites that are not typically associated with regulatory proceedings and while simultaneously forging alliances with established actors. Further, Open Media has a demonstrated an ability to capture public attention and focus government awareness on issues in a manner that simultaneously aligns and opens policy windows. As a result of their focusing efforts, the group have effected changes to the regulatory agendas.

The capturing of public attention is key to their status as members of this particular policy sub-community: while they present policy alternatives they have also leveraged the potential votes of their backers and thus seen political parties seek Open Media’s favor. As a result of their capacity to capture and harness public attention, Open Media is challenging existing policy monopolies by becoming a dark horse that frames problems differently than Canada’s dominant carriers and that demands solutions often diverging from carriers’. Despite this divergent framing and solution set, the organization has often attempted to link their own issue set with the government’s economic principles and objectives, defending their position by appealing to key regulatory directives and frameworks. This insulates some of their work from overt assault. In effect, Open Media is working to alter “policy images through a number of tactics related to altering the venue of policy debate” and is consequently undermining “the complacency or stability of an existing policy subsystem” (Howlett and Ramesh 2003: 139).

The organization’s actual impact in the formation of policy itself – decision, implementation, and auditing policy stages that follow agenda shaping – is less clear. Along with other sub-system actors, such as Jean-François Mezei, Open Media has successfully rebuffed at least one major policy initiative that was decided by the CRTC around UBB. The development of alternate policy principles and guidelines may assist in promoting their issue-set but the rate of seeing their suggestions introduced into regulatory policy will be delayed based on the complexity of the policy subsystem they are operating in. Further complicating their efforts are the constraints placed upon the regulators who are expected to make, implement, and regulate telecommunications policy. Consequently, incrementalist changes are most likely. Incrementalism does not necessarily mean that Open Media’s own policy initiatives and principles are transformed into policy, but that existing policy actors’ traditional principles, aims, and policy preferences may not be codified as rapidly as in the past. Further, traditional actors may need to modify their narrative and either incorporate some of Open Media’s language to hedge out the advocacy group or reorient their discourse to more effectively isolate and exclude Open Media as a legitimate policy actor. Regardless, for the moment at least Open Media has successfully intruded on a (relatively) monopolized policy subsystem and is affecting change, though it will be an uphill battle to establish themselves as a long-term member in Canada’s telecommunications policy network.

Text Sources:

M. Howlett and M. Ramesh. (2003). Studying Public Policy: Policy Cycles and Policy Subsystems (Second Edition). Toronto: Oxford University Press.

Other posts you might be interested in:

1. Canadian Telecom Summit and DPI
2. Privacy Advocates and Deep Packet Inspection: Vendors, ISPs, and Third-Parties
3. EU: Judicial Review Central to Telecom Disconnects

Image by David Clow

Rogers Communications modified their packet inspection systems last year, and ever since customers have experienced degraded download speeds. It’s not that random users happen to be complaining about an (effectively) non-problem: Rogers’ own outreach staff has confirmed that the modifications took place and that these changes have negatively impacted peer to peer (P2P) and non-P2P applications alike. Since then, a Rogers Communications senior-vice president, Ken Englehart, has suggested that any problems customers have run into are resultant of P2P applications themselves; no mention is made of whether or how Rogers’ throttling systems have affected non-P2P traffic.

In this brief post, I want to quickly refresh readers on the changes that Rogers Communications made to their systems last year, and also note some of the problems that have subsequently arisen. Following this, I take up what Mr. Englehart recently stated in the media about Rogers’ throttling mechanisms. I conclude by noting that Rogers is likely in compliance with the CRTC’s transparency requirements (or at least soon will be), but that such requirements are ill suited to inform the typical consumer. 

Rogers’ Renewed Throttling Scheme

Last December I wrote about how Rogers’ throttling systems were causing significant problems for customers. Specifically, it seemed as though a badly tested update to the Rogers network mediation infrastructure had caused P2P download speeds to sharply fall, and non-P2P applications were also impacted. These problems were confirmed by Keith McArthur, Rogers’ senior director of social media and digital communications, when he wrote that:

As some of you are aware, Rogers recently made some upgrades to our network management systems that had the unintended effect of impacting non-p2p file sharing traffic under a specific combination of conditions. Our network engineering team is working on the best way to address this issue as quickly as possible. However, I’m not able to provide any updates at this time about when this will be fixed. Our network management policy remains unchanged. You can find details of our policy here (»www.rogers.com/web/content/netwo···nagement). We are working hard to ensure that there are no gaps between our policy and the technology that enables that policy.

While it was disturbing that it took months for an official Rogers representative to confirm the problem – and that even upon confirming the issue, no timeframe for resolving it was provided – at least the company publicly recognized the problem and stated that it would be fixed. Further, it seemed that the fix (whatever it entailed) would return the mediation of customers’ data traffic to a pre-September 2010 status. Unfortunately, rather than working to resolve the problem (and maintain the network management policy) Rogers has changed their policy. This change was needed to comply with a CRTC directive – ISPs must be transparent to their customers about Internet Traffic Management Practices (ITMPs) – but since the change has taken place I’ve not seen any suggestion that things will ‘return to the old normal.’

Public Statements and Policy Updates

The most recent CRTC investigation into ISP traffic management policies began after Justin McKillican filed a complaint alleging that Rogers had “introduced changes to its Internet traffic management practices (ITMP) which impacted downstream peer to peer (P2P) traffic without providing the 30 day notice required by Telecom Regulatory Policy 2009-657.” The CRTC’s response (.pdf) to Mr. McKillican and Rogers’ Ken Thompson (Director and Counsel Copyright and Broadband Law, Rogers Communications Incorporated) directed the company to revise its ITMP disclosures on Rogers web pages on the basis that, at the time of investigating Mr. McKillican’s complaint, the disclosure on Rogers’ website was non-compliant with the transparency requirements set down in 2009-657.

In an interview with Carrt.ca about Rogers’ throttling policies (Subscription required), Mr. Englehart stated that Rogers does not traffic shape downstream traffic. Further, he asserted that Rogers had already provided an explicit disclosure of their practices on their web site. The disclosure that had been available to the public for over a year was previously in conformance “with what the CRTC wanted so it’s strange that they’re now saying it needs more work given we did it in consultation with them.” In the interview, he asserted that only P2P was affected by the throttling mechanisms, though his statement stands at odds with Rogers’ actual traffic management policies that have recently been amended. Perhaps Mr. Englehart was unaware that the policy had been amended on the basis that newly deployed technical measures, but this seems unlikely given that the CRTC letter explicitly noted that there were changes to Rogers’ throttling systems.

The changes to Rogers’ traffic management policy are significant. An entirely new section – “Are there other applications that could be impacted by Rogers traffic management measures?” – has been introduced, following almost word-for-word what Bell Canada has published in the same section of their own traffic management policy. Bell (and, now, Rogers) recognizes that sometimes their DPI systems negatively impact non-P2P applications, and puts the onus on the consumer to get things working again. Specifically, users are instructed to setup applications so that they only use IANA-specified ports[1] (with Rogers providing a non-hyperlined URL to the official IANA list on their traffic management page). Specifically, Bell and Rogers customers are told to:

1. Close the affected application along with all P2P applications;
2. Ensure that non-P2P applications have their ports properly assigned;
3. Wait to ten minutes, and then restart the non-P2P application.

Knowing many Bell and Rogers customers, and just how tech-savvy they are, I cannot imagine that many end-users can actually modify port numbers for various programs. As such, the solutions these companies are providing assume that the people who either care enough to find a solution, or can solve it in the first place, tend to be reasonably technically inclined. At the same time, I fully recognize that the provided solutions will most likely comply with CRTC requirements. This suggests that ISPs are invested in making ITMP policies transparent as far as regulators are concerned, but are not so interested in making the entirety of those policies transparent to typical consumers as well.

Consumer vs Technical/Regulatory Transparency

For a system to be considered transparent to consumers it must be described so that non-experts can decode what is being described. Rogers is almost certainly not being transparent to consumers given the brevity of their ITMP policy and because customers must consult a massive text-based document (with little context), modify some applications’ port numbers, and only then have applications properly access the Internet. While such a list lets me set up port numbers on applications to avoid throttling, this is not the case with far less technically savvy individuals. What does the ‘regular consumer’ do when their particular application isn’t listed in the ports (as will happen, often) and they’re experiencing slowdown on non-P2P application traffic?

In essence, while ISPs have publicized how their traffic management policies impact traffic, in the cases of Bell and Rogers only technically savvy individuals can follow the suggested troubleshooting steps. So, while both companies are (arguably) within the confines of regulatory transparency that is required by the CRTC,[2] the transparency that these bodies require doesn’t necessarily mean that end-users without technical savvy will understand how to resolve problems. Similar to how long or complicated privacy policies are only understood by those trained to read and/or write them, I suspect that only those who already have a degree of technical awareness will understand what ISPs are doing to customer data traffic.

For a policy to be ‘consumer transparent’ it has to be non-technical, while specific enough to inform end-users what is going on. Much of Bell’s own ITMP policy is good, insofar as it is understandable and accessible to those who happen across the policy, but the troubleshooting approach that is provided is poor at best. The brevity of Rogers’ own policy, combined with the poor design decisions that reduce readability, means that Rogers has provided a policy that is less transparent to the consumer, while simultaneously meeting much of the CRTC’s own regulatory transparency requirements. Deep packet inspection and Quality of Service infrastructure regularly mediates Canadians’ digital communications. Given the importance of our digital systems I think that ISPs should remain compliant with technical and regulatory transparency requirements, but also ensure that their policies are also transparent and understandable to end-users.

Footnotes

[1] The Internet Assigned Numbers Authority (IANA) is responsible for allocating and maintaining a variety of numerical codes related to technical standards and protocols that undergird the Internet. To learn more about them, read their About page.

[2] Admittedly, in the case of Rogers the CRTC has taken issue with how ‘transparent’ their approach is. Given that Rogers’ policies are written similarly to Bell, I suspect this has more to do with the ease of finding and reading Rogers’ policies instead of what is written. See the below of how to navigate to a few Canadian ISPs’ traffic management pages:

Rogers

1. Go to the Rogers homepage
2. Select ‘Internet’ >> ‘Packages and Pricing’
3. Scroll to the bottom of the page and click on their Internet Traffic Management Practices and Legal Disclosure link
4. In the popup box, click the grey link in the third paragraph labeled ‘click here’.

Bell

1. Go to Bell’s homepage
2. Select ‘Internet’
3. Scroll down to the bottom of the page and click their Network Management link

Shaw

1. Go to their homepage
2. Select ‘Internet’
3. Select the link to their traffic management policies

Cogeco

1. Go to their homepage
2. Select ‘Internet’
3. Select ‘Internet Usage’
4. Select ‘Learn more about Internet traffic management
5. Select one of the six options to learn about, read it, and then either use your browser’s back button or the back button on the page and scroll back down to where you were on the page.

In the case of both Bell and Shaw, there is an easily found, easily accessed, and easily read traffic management policy. In the cases of Rogers and Cogeco it is more challenging to believe that a casual consumer would happen upon the traffic management policies. The text of Rogers’ ITMP policy is incredibly small – I need to move very close to the screen to read the grey 11 font text – and Cogeco’s is buried – multiple links have to be clicked to read the whole policy even after finding it. Neither of these two policies would pass a sniff test for being ‘consumer transparent’, even if they are seen as compliant with legal and regulatory transparency requirements.

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Beyond Fear and Deep Packet Inspection
3. Choosing Winners with Deep Packet Inspection

Photo credit: Faramarz Hashemi

Deep packet inspection (DPI) is a form of network surveillance and control that will remain in Canadian networks for the foreseeable future. It operates by examining data packets, determining their likely application-of-origin, and then delaying, prioritizing, or otherwise mediating the content and delivery of the packets. Ostensibly, ISPs have inserted it into their network architectures to manage congestion, mitigate unprofitable capital investment, and enhance billing regimes. These same companies routinely run tests of DPI systems to better nuance the algorithmic identification and mediation of data packets. These tests are used to evaluate algorithmic enhancements of system productivity and efficiency at microlevels prior to rolling new policies out to the entire network.

Such tests are not publicly broadcast, nor are customers notified when ISPs update their DPI devices’ long-term policies. While notification must be provided to various bodies when material changes are made to the network, non-material changes can typically be deployed quietly. Few notice when a deployment of significant scale happens…unless it goes wrong. Based on user-reports in the DSLreports forums it appears that one of Rogers’ recent policy updates was poorly tested and then massively deployed. The ill effects of this deployment are still unresolved, over sixty days later.

In this post, I first detail issues facing Rogers customers, drawing heavily from forum threads at DSLreports. I then suggest that this incident demonstrates multiple failings around DPI governance: a failure to properly evaluate analysis and throttling policies; a failure to significantly acknowledge problems arising from DPI misconfiguration; a failure to proactively alleviate inconveniences of accidental throttling. Large ISPs’ abilities to modify data transit and discrimination conditions is problematic because it increases the risks faced by innovators and developers who cannot predict future data discrimination policies. Such increased risks threaten the overall generative nature of the ends of the Internet. To alleviate some of these risks a trusted third-party should be established. This party would monitor how ISPs themselves govern data traffic and alert citizens and regulators if ISPs discriminate against ‘non-problematic’ traffic types or violate their own terms of service. I ultimately suggest that an independent, though associated, branch of the CRTC that is responsible for watching over ISPs could improve trust between Canadians and the CRTC and between customers and their ISPs.

What’s Going On?

Rogers has publicly stated that they are predominantly concerned with managing upstream traffic, claiming that without throttling it they risk “becoming the world’s buffet.” As a result, the company uses DPI appliances to delay uploading data to the Internet; downloads are unaffected. Their technology, “looks at the header information embedded in the payload and session establishment procedures” to identify peer-to-peer based upload traffic. If such traffic is identified it is put into a portion or allocation of the network dedicated to upstream peer-to-peer traffic. Further, Rogers’ network management policy states that “For Rogers Hi Speed Internet (delivered over cable) and Portable Internet from Rogers customers, the maximum upload speed for P2P file sharing traffic is 80 kbps at all times. There are no limits on download speed for any application or protocol.”

Unfortunately, it appears as though a badly tested update to Rogers’ DPI equipment has had unintended consequences. Customers that previously enjoyed very fast downloads using P2P clients – often several Mb/s – have seen their download speeds sharply curtailed to the point where some users are reporting maximum speeds of under 100kb/s. Moreover, it isn’t just just P2P applications that are being affected; Keith McArthur, Rogers’ senior director of social media and digital communications, has publicly confirmed that non-P2P applications are being affected by this misconfiguration. Specifically;

As some of you are aware, Rogers recently made some upgrades to our network management systems that had the unintended effect of impacting non-p2p file sharing traffic under a specific combination of conditions. Our network engineering team is working on the best way to address this issue as quickly as possible. However, I’m not able to provide any updates at this time about when this will be fixed. Our network management policy remains unchanged. You can find details of our policy here (»www.rogers.com/web/content/netwo···nagement). We are working hard to ensure that there are no gaps between our policy and the technology that enables that policy.

Keith’s public statement came about a month after people began reporting this problem (September 20, 2010) and after his comment the problem remains unresolved over a month later (now December 3, 2010). There has been a massive delay in recognizing a problem, and an even more massive delay in resolving it.

Problems in Governance

Since September, one forum user has reportedly submitted a complaint to the CRTC. The result is that Rogers has to either reverse its present policies and stop throttling downloads or change their terms of service to reflect their current practice of throttling downstream traffic. While Rogers is to be commended for leaving a comment in a public forum and acknowledging the problem, they have not been particularly proactive in notifying their end-users about the problems with the company’s DPI appliances. As noted in the threads on DSLreports, low level technical staff ascribe degraded service of P2P and non-P2P applications alike to customers’ use of P2P applications. While there may be a correlate relationship, the root cause (improperly configured network infrastructure) is not being identified over the phone.

Such ascriptions indicate that customer service has not been properly notified of DPI-related network degradation problems. Though the senior director of social media and digital communications is aware of these problems, no notice is posted on their social-media inspired RedBoard website or to be found on their traditional corporate website.

To begin, this failure of network configuration suggests that Rogers’ testing system needs to be refined. I expect that Rogers’ professional networking staff tested the network updates – either in an isolated test network that replicates real-world conditions or in a small portion of their production network. Doing anything else would constitute an incredibly arrogant and inappropriate deployment regime, and I cannot believe that Rogers’ networking staff would behave in such an unprofessional manner. What is more likely is that the micro-level tests were either too narrow or the derived findings were misunderstood/ambiguous. Such a failure in the testing regime demands a reevaluation of how engineers make upgrades to the Rogers networks and is especially important given that the error has resulted in a material degradation of service – a change that requires Rogers to notify various actors prior to the modification.

The lack of widespread attention to the problem – at customer service, at their informal website or at their formal corporate website – indicates an additional issue concerning staff and (by extension) customer education. Customers are unlikely to know the source of their network-related problem because Rogers has only acknowledged the misconfiguration in limited channels. A customer shouldn’t have to (and is unlikely to) dig into the depths of a specialized web forum to learn about material changes that have affected their network service for a prolonged period of time, regardless of whether the changes are intentional or not.

Finally, the misconfiguration of Rogers’ equipment shows a failure to proactively notify customers of problems. I’ve contacted a host of Rogers customers over the past day, asking similar questions: Are you experiencing particular degradations of service? (All responses: yes.) Have you been contacted about the problem by Rogers? (All responses: no.) While I appreciate that it would be challenging to call every single customer, a mass email to all Rogers customers would not be a financially expensive operation, nor would a posting on their corporate website. That the company has remained relatively quiet about known issues on its network for over 60 days, knowing that network changes have had material impacts on the quality of service and that are in violation of their network management policy, speaks poorly of the company’s willingness to openly address the problem.

The Impacts of Control

There are consequences associated with running a partially controllable network, a network that is “generally open to new applications, but can be used to block them selectively” (van Schewick 2010: 288). Shifting network architectures away from the end-to-end model and towards applianced models of network connectivity “increases the relative costs of innovation and decreases the relative benefits for independent innovations” (van Schewick 2010: 289). Such changes threaten the development of novel applications that could improve the utility derived from Internet access, as well as potentially imposing constraints on technology and (metaphorically) killing the goose that lays the golden egg (Greenstein 2001: 390).

DPI has been deployed to provide ISPs with insight into, and control over, their customers’ data transmissions. Such insight is needed because applications at the ends of the network are less and less trustworthy; port obfuscation, payload encryption, randomized initial packet exchanges and more are designed to hide what applications customers are using. ISPs assert that they need to better understand the packets in their entirety to properly identify applications and transit their associated packets. In essence, ISP routers cannot trust applications to ‘honestly’ disclose their packets and so ISPs aim to ‘restore’ this trust by inspecting most/all packets that go through their routers. Thus, restoring trust has led ISPs to increase middle-network intelligence and required customers to trust network providers more than when providers operated as ‘simple’ transit networks.

The problem with adding intelligence into the middle of the network is that middle-network failures have broader impacts than failures at the ends. Per Blumenthal and Clark (2001):

Network designers make a strong distinction between two sorts of elements – those that are “in” the network and those that are “attached to,” or “on,” the network. A failure of a device that is “in” the network can crash the network, not just certain applications; its impact is more universal. The end-to-end argument at this level thus states that services “in” the network are undesirable because they constrain application behaviour and add complexity and risk to the core (201).

Blumethal and Clark’s approach to the end-to-end principle restricts the ‘narrow’ version of the end-to-end argument that van Schewick has identified. The narrow version of end-to-end asserts that “A function should only be implemented in a lower layer, if it can be completely and correctly implemented at that layer. Sometimes an incomplete implementation of the function at the lower layer may be useful as a performance enhancement” (2010: 58). Such narrow approaches to the end-to-end principle were meant to try and help implement applications, whereas many present understandings of this principle are used to justify hostile intentions, seeing ISP engineers prevent things from happening on the network and blocking certain applications (Blumethal and Clark 2001: 106-7). The effect overall is to reduce the generativity of network itself, reducing its “capacity to produce unanticipated change through unfiltered contributions from broad and varied audiences” (Zittrain 2008: 70).

Finally, the appropriateness of network control varies depending on the reader’s understanding of the term ‘network management’. The issue with ‘reasonable network management’ language is that it tends not to describe an engineering principle but a policy decision. Such policy decisions are made by weighing legitimate technical and business goals with what society will bear in regards to principles such as user privacy. Thus, reasonable network management is unlikely to correlate with Paul Ohm’s definition, where the term exclusively refers to:

…the activities, methods, procedures, and tools that pertain to the operation, administration, maintenance, and provisioning of networked systems (51).

In aggregate, the introduction of control has a series of impacts. Realigning where intelligence is located in the network changes the risks and cost/benefit structure for innovators at the ends of the network. That ISPs such as Rogers can have misconfigurations lasting over 60 days that detrimentally affect P2P and non-P2P applications alike is problematic. Individuals are unlikely to know who is to blame and such misconfigurations may increase unpredictability of application discrimination to the point where innovators and developers abandon or limit Internet-interfaced application creation. If application-like services from the ISP continue to work (e.g. Rogers On Demand Online) people may be led away from non-proprietary streaming and content delivery services in favour of the ISP’s monetized systems. Moreover, when the ISP’s own services are not impacted by network misconfigurations there is less of an incentive for their engineers to quickly resolve the problem.

Finally, the quiet (if accidental) increase in network control also has the effect of potentially undermining the trustworthiness of the network itself. If DPI was (in part) installed because of untrustworthiness at the ends, now consumers and developers alike have less reason than before to trust the middle and core of the networks. Trust and transparency, it seems, are lacking throughout the network.

Third-Party Oversight

The capacity for large ISPs to modify data transit conditions in a seemingly randomized manner is made possible by the packet monitoring and control systems now grafted into ISPs’ networks. Given the impacts that control can have on the future of telecommunications a trusted third-party is needed. This party should monitor how ISPs govern data traffic, alerting citizens and regulators alike if ISPs are found discriminating against ‘non-problematic’ traffic types or violating their own terms of service. Such a party does not necessarily need to dogmatically require all ISP actions fit within the end-to-end principle. Let me illustrate what this might mean.

While Jonathan Zittrain worries about the installation of intelligence into the network he also argues that we must abandon strict adherence to end-to-end neutrality. Zittrain asserts that we would be well served to replace the end-to-end principle with a generativity principle, “a rule that asks that any modifications to the Internet’s design or to the behaviour of ISPs be made when they will do least harm to generative possibilities” (2008: 165). For such a system to be adopted, however, there must be some third-party that is technically competent and that can audit what ISPs are doing to their networks.

The hope is that by introducing a third-party between customers and ISPs some of the mutual antagonism between these two parties might be alleviated, whilst also reducing some of the privacy concerns associated with DPI more generally. Specifically, the third-party would lack a profit-based motivation to access personal information and could, as part of its mandate, oversee the limitation of ISPs’ access to personal information where the information isn’t relevant for business purposes.

While key-signing authorities could theoretically operate as one of the neutral third-parties, there remains a question of trusting the third-party itself. VeriSign, as an example, presently works alongside American copyright groups and changes DNS entries for some .com addresses and could do the same for .net addresses. As a result, VeriSign couldn’t be considered a trusted third-party because of this partisan behaviour. Thus, any party exercising oversight of ISPs ought to be composed of a set of neutral third-parties so that if/when a member reveals itself as no longer trustworthy the entire oversight committee/board/organization doesn’t collapse.

Such an oversight body (in Canada) could be associated with, but independent of, the CRTC. The body ought to be resourced regardless of whether its investigations embarrass ISPs or its regulatory parent. Its acting commissioner should be appointed for a significant period of time. Further, the commissioner should retain independent authority over who to hire, within requirements set by the CRTC. Anticompetitive actions or those in breech of acceptable use policies, network policy agreements, service level agreements or privacy policies should be fully disclosed to the public by this independent body. ISPs could not claim confidentiality to hide their actions or network configurations when their actions or network configurations violate their public statements, agreements, or CRTC decisions. The threat of this transparency into ISP network operations could and should cause ISPs to be more cautious and measured in their actions, reducing the likelihood of network misconfigurations or at least limiting the duration of misconfigurations. Additionally, this body might generate trust with the public by separating its policies from the more formal regulatory hearings at the CRTC.

Is such an oversight body a pipe dream? Perhaps, but not an entirely unreasonable one. The CRTC is increasingly under pressure by members of the public to be more transparent or dissolve, and telecommunications companies in general are distrusted by Canadians. Adopting an independent oversight board – one solely responsible for audits and oversight of ISP networks, and ensuring compliance with existing CRTC policies – could realign the trust Canadians put in carriers and practically demonstrate the value and legitimacy of the CRTC to the Canadian people.

Book Sources:

Blumenthal, Marjory S. and Clark, David D. (2001). “Rethinking the Design of the Internet: The End-to-End Arguments vs. the Brave New World” in B. M. Compaine and S. Greenstein (eds.). Communications Policy in Transition: The Internet and Beyond. Cambridge, Mass.: The MIT Press.

Greenstein, Shane. (2001). “Copyright in the Age of Distributed Applications” in B. M. Compaine and S. Greenstein (eds.). Communications Policy in Transition: The Internet and Beyond. Cambridge, Mass.: The MIT Press.

van Schewick, Barbara. (2010). Internet Architecture and Innovation. Cambridge, Mass.: The MIT Press.

Zittrain, Jonathan. (2008). The Future of the Internet and How to Stop It. New Haven: Yale University Press.

Other posts you might be interested in:

1. Deep Packet Inspection and Consumer Transparency
2. Background to North American Politics of Deep Packet Inspection
3. Draft: What’s Driving Deep Packet Inspection in Canada?

I’m intending this to be the first of a few posts on network neutrality.[1] In this post, I exclusively work through the principles suggested by Verizon-Google. In this first, and probationary, analysis I will draw on existing American regulatory language and lessons that might be drawn from the Canadian experience surrounding network management. My overall feel of the document published by Verizon-Google is that, in many ways, it’s very conservative insofar as it adheres to dominant North American regulatory approaches. My key suggestion is that instead of rejecting the principles laid out in their entirety we should carefully consider each in turn. During my examination, I hope to identify what principles and/or their elements could be usefully taken up into a government-backed regulatory framework that recognizes the technical, social, and economic potentials of America’s broadband networks.

Background

Before jumping into my discussion of the proposed Verizon-Google principles, I want to provide some background to the network neutrality discussion underway in the US. This background will, ideally, introduce newcomers to the discussion of net neutrality with a basic understanding of political lay of the land that preceded the Verizon-Google policy framework. I want to make clear that I’m not providing a fully comprehensive contextualization, but a basic outline to assist you in placing the policy framework in relation to ongoing processes.

Since a federal appeals court ruled against the FCC in their case against Comcast’s usage of deep packet inspection equipment, the American telecommunications regulator has been struggling. After its defeat in court, the FCC quickly announced its ‘third way’. This is an effort to realign how broadband carriers are regulated in the US. The carriers are presently classified as ‘information services’ instead of ‘telecommunications services’, which limits the FCC’s ability to adjudicate how ISPs actually manage their services. To draw ‘information services’ more significantly into the FCC’s regulatory fold, Chairman Julius Genachowski has proposed that the transmission of broadband Internet access is a telecommunications service, though the actual content that is transmitted is outside of the FCC’s purview. The third way has been incredibly poorly received by major telecommunications carriers and had, in part, been responsible for closed-door meetings between the FCC and net neutrality stakeholders. These meetings were meant to establish a regulatory framework that met network neutrality principles while moderating FCC regulation.

Many of the folks involved in network neutrality are the same people deeply invested in the copyfights of the past decade; Lessig, the EFF, CDT, and similar groups have witnessed the negative consequences of industry-driven back room dealings for copyright extension. [2] While some public interest groups attended the closed-door network neutrality meetings, their involvement was, reputedly, fairly minor.[3] Hopefully as time goes on, more light will be shed on the actual suggestions and compromises proposed in these meetings between public advocates, their corporate counterparts, and the FCC staff in attendance.

While the FCC-driven meetings were ongoing, Verizon and Google had their own private negotiations on what a national broadband policy might look like. This policy was published August 9, 2010 after a weekend of rumors; Edward Wyatt at the New York Times broke a story (“Google and Verizon Near Deal on Web Pay Tiers“) suggesting that Google would pay for ‘special carriage’ on Verizon’s network, and in return Google’s services would faster than those of their competitor. This fee-for-carriage suggestion was denounced by Google, but may have led to a premature release of the Verizon-Google policy document we have today.

As a policy position paper, the document by Verizon-Google has been incredibly effective in energizing discussion around network practices and reinvigorating the discussion in the public eye. The actual framework that was released is helpful, insofar as there are some decent elements, but clearly it needs revision.

For the rest of this post, I will be performing brief and tentative analyses of each principle of the Verizon-Google document. This will often see me refer to prior FCC policies, Canadian regulatory decisions, and academic works around network management and power relations. It’s not intended to be fully comprehensive, but an early effort to collect my thoughts. If you don’t have the time, or desire, to read through these analyses in detail feel free to jump to the end where I’ve tried to briefly summarize my positions. You’ll lose some of the context of the argument, but should leave with a working understanding of my present positions on each principle. I’ll state up front that I’m neither entirely opposed, nor entirely in favour of what Verizon-Google have provided; I’m most interested in picking up their ‘homework assignment’ (as described by Vint Cerf) and playing with the results rather than trying to independently assert a set of principles around network neutrality.

Principle One: Consumer Protections

A broadband Internet access service provider would be prohibited from preventing users of its broadband Internet access service from: sending and receiving lawful content of their choice; running lawful applications and using lawful services of their choice; and connecting their choice of legal devices that do not harm the network or service, facilitate theft of service, or harm other users of the service. There have been serious concerns about the focus on ‘lawful’ in this principle, as there should be. Does this mean that service providers would be justified in throttling, blocking, or otherwise degrading delivery of ‘unlawful content’? How would the differentiation between lawful and non-lawful content types be identified? What constitutes a lawful application and service; is this a reference to some kind of sanctioned and non-sanctioned set of application protocols?

There are considerable concerns around the integration of ‘unlawful’ throughout this principle. Specifically, there are worries that this could lead to systematic blocking of ‘bad’ content and applications. Rather than (exclusively) directing vehement anger towards the corporate giants that have included this in their framework, however, perhaps we should consider the source of this principle. In FCC 05-151, approved in 2005, the FCC outlined the four ‘Internet freedoms’. In principle one, the Commission adopts the principle;

To encourage broadband deployment and preserve and promote the open and interconnected nature of the public Internet, consumers are entitled to access the lawful Internet content of their choice.

This first principle, as written by the FCC, recognizes that consumers are only entitled to access lawful content. The addition in the Verizon-Google proposal is to extend ‘content’ to applications and services as well. Per Carterfone, consumers can attach devices, and make use of the network, so long as the attachments and uses do not damage the network itself. The language “any lawful device” in the Carterfone decision permits the attachment of answering machines, fax machines, and modems to the network at the ends. Applying the principle of charity, I presume that including the language ‘services and applications’ in the Verizon-Google document is intended to clarify the rules laid down in Carterfone. A serious concern, however, is that neither the FCC nor the Verizon-Google policy framework extend the lessons of Carterfone to wireless networks; principle six of the Verizon-Google framework is an attempt to forebear regulation of wireless networks and the FCC has historically been unwilling to extend Carterfone to wireless Voice over Internet Protocol (VoIP) services. Thus, the policy framework issued August 9, 2010 can be seen as integrating the FCC’s already existing position into the corporate-created document.

What can we take away from this principle then? I would suggest that the principle is conservative, insofar as it closely adheres to earlier regulations set forth by the FCC. While we can continue to be worried about ‘lawful content’ in an era where network surveillance practices might be deployed to discriminate between lawful and unlawful content, and ‘harmless’ versus ‘harmful’ application types, the principle established by Verizon-Google isn’t itself pushing the bar very far. Concerns around this principle speak to already existing worries and concerns around network management, concerns derived from existing FCC policies. While there is good reason to be involved in a discussion about ‘lawful content’ and ‘lawful applications’, we need to remind ourselves that this isn’t a novel form of language being assumed by Verizon-Google.

Principle Two: Non-Discrimination Requirement

In providing broadband Internet access service, a provider would be prohibited from engaging in undue discrimination against any lawful Internet content, application, or service in a manner that causes meaningful harm to competition or to users. Prioritization of Internet traffic would be presumed inconsistent with the non-discrimination standard, but the presumption could be rebutted.

Attention must be paid to the phrase ‘meaningful harm to competition or to users’. Adding small amounts of delay to content delivery times can seriously impact the likelihood that users will use a service and/or continue to receive content from the ‘slow’ source. Not only can this potentially cause visitors to never return to your product/site – perhaps instead going to fast products and services provided by the ISP that are guaranteed to be fast – but in the case of websites can impact your visibility via lower Google Pagerank ratings. Slow speeds can have real economic impacts.

The Canadian network neutrality/traffic management hearings included language bordering what is included in the Verizon-Google principle. Specifically, when writing about delaying or slowing down Internet traffic, the CRTC notes (n.126-127) that;

… use of an ITMP [Internet Traffic Management Practice] resulting in the noticeable degradation of time-sensitive Internet traffic will require prior Commission approval under section 36 of the Act.

With respect to non-time-sensitive traffic, the Commission considers that the use of ITMPs that delay such traffic does not require approval under section 36 of the Act. However, the Commission is of the view that non-time-sensitive traffic may be slowed down to such an extent that it amounts to blocking the content and therefore controlling the content and influencing the meaning and purpose. In such a case, section 36 of the Act would be engaged and prior Commission approval would be required.

If we assume that even rudimentary policy learning or interpretation might occur, then the Verizon-Google principle could be read as articulating something resembling what the CRTC has already established. Small-content creators don’t exactly love the CRTC decision, nor even large content creators like the CBC, but adopting something like the Canadian approach would, again, be relatively conservative in the context of North American telecommunications regulation.

Critical commentators are, however, rightfully concerned over the last sentence of the principle. Under what possible conditions could it by non-discriminatory for certain Internet traffic to be prioritized! Wouldn’t such an action add too much ‘intelligence’ to the network, undermining end-to-end arguments?

Perhaps, but not necessarily. At the past two Canadian Telecommunication Summits, pro- and anti-DPI advocates have suggested that a compromise position might be that traffic prioritization is permissible in a network architecture where the user has control over how their own traffic is prioritized. This is a relatively benign approach to traffic management, one that is (arguably) empowering where accompanied by clear user education and accessible user-interfaces. Prioritization is less desired when the telecommunications carrier makes a unilateral decision, without accepting input from the user-base that is substantively drawn into the service providers’ decision-making framework. It is this unilateral decision capacity that has commentators (rightfully) worried; carriers aren’t terribly well known for their active engagement with their customer bases.

While an ideal might be to strip out this last sentence, I almost wonder if having it there is helpful. Carriers have spoken of their prioritization/deprioritization of particular traffic-types; ‘bulk’ traffic is given a lower priority than traffic that is jitter-sensitive. As I understand it, the concern is that particular applications (i.e. Verizon’s own VoIP solution) will be prioritized, rather than a concern that particular application-types (i.e. VoIP in general, which would include both Verizon’s solution, Skype, and other VoIP providers). Perhaps we could ‘simply’ rewrite the sentence in a way to differentiate between application prioritization (bad and not allowed) and application-type prioritization (not necessarily bad, and potentially permissible). Such a distinction would permit prioritization, and were the service provider required to appear before the FCC before implementing the prioritization some ex ante oversight could be performed. Further, such prioritization schemes could be required to come up for independent review periodically. Such reviews would be aimed at preventing new application-types entering the market from being set at a competitive disadvantage on the basis that other application-types receive benefits from packet prioritization.

Principle Three: Transparency

Providers of broadband Internet access service would be required to disclose accurate and relevant information in plain language about the characteristics and capabilities of their offerings, their broadband network management, and other practices necessary for consumers and other users to make informed choices.

The transparency principle, again, is relatively conservative. It parallels the requirements of the Office of the Privacy Commissioner of Canada (OPC) concerning the use of deep packet inspection, where ISPs are required to note how the technology is used in their respective networks, the FCC’s own principle of transparency, and the position on transparency assumed by the CRTC.

In a response to a complaint brought by CIPPIC, the OPC required Bell Canada to include information on how the ISP uses DPI on their webpage. Bell now has a link on their privacy policy page to their network management practices, fulfilling the OPC’s transparency-related requirements.

In the case of the FCC, their proposed ‘sixth principle’ reads as follows;

…providers of broadband Internet access must be transparent about their network management practices.

Finally, the CRTC has a more detailed account of transparency as it relates to traffic management practices, stating that ISPs must disclose five elements of technical management systems to consumers. Specifically, ISPs must disclose:

1. why ITMPs are being introduced;
2. who is affected by the ITMP;
3. when the Internet management will occur;
4. what type of Internet management (e.g. application, class of application, protocol) is subject to management; and
5. how the ITMP will affect a user’s Internet experience, including the specific impact on speeds.

Ideally, were the Verizon-Google principle fleshed out by the FCC, the regulator would adopt a set of guidelines similar to those set down by the CRTC. Further, the regulator would adopt the requirements of the OPC, though ideally the FCC would be slightly clearer on what is meant for information to be ‘clear’ to an end-user; I remain unconvinced the burying information in a privacy policy, which then links to additional technical details in the depths of Bell’s website, constitutes ‘clear’ disclosure to most of Bell’s consumers.

This said, while the principle as outlined by Verizon-Google leaves room for improvement, it also extends on the sixth principle established by the FCC. As such, I (again) suggest that this element of the corporate framework is conservative because it hews closely to existing or proposed transparency principles amongst North American regulators.

Principle Four: Network Management

Broadband Internet access service providers are permitted to engage in reasonable network management. Reasonable network management includes any technically sound practice: to reduce or mitigate the effects of congestion on its network; to ensure network security or integrity; to address traffic that is unwanted by or harmful to users, the provider’s network, or the Internet; to ensure service quality to a subscriber; to provide services or capabilities consistent with a consumer’s choices; that is consistent with the technical requirements, standards, or best practices adopted by an independent, widely recognized Internet community governance initiative or standard-setting organization; to prioritize general classes or types of Internet traffic, based on latency; or otherwise to manage the daily operation of its network.

Network management is an interesting issue, and while the principle is ‘conservative’ we should question how it is structured on two grounds. First, with respect to the use of an independent (non-FCC) body to determine best practices and standards, and second in the sense that ‘reasonable network management’ procedures are policy-driven, and less technically oriented. Both of these suggestions are contentious and so I spend a bit of time here in speaking to both points.

Under the Canadian decision, ISPs can manage traffic (i.e engage in network management practices) to ensure network security or protect network integrity. Economic management techniques – those where consumers are billed for excessive usage – are preferred, but technical measures can be deployed in limited fashions as required. The policy principle provided by Verizon-Google captures the issues of security and congestion addressed by the CRTC. Charitably, we can read ‘unwanted traffic’ as referring to email spam, virus laden packets, and other harmful data transmissions coming to, and trying to exit, the ISP network. Such actions are already commonplace amongst many (most? all?) Western ISPs and  are helpful because they protect ‘the ends’ from harm while preserving the network’s overall capacities.

The reliance on a standards-setting organization can be read as good – bodies such as the IETF are reputable – or bad – if these bodies are taken to mean American-only ISP/content provider ‘standards’ groups. Concerns have been trumpeted that the latter groups are the referent in this policy principle, but I still haven’t seen actual evidence of that this is, indeed, the referent. A related concern is that, per this principle, were an ISP in compliance with a standards body they would be free from direct FCC regulation. This is true, to a point: at the moment, the FCC’s control over the direct technical capacities of most networks is limited, insofar given that Internet governance bodies are already international groups that (often) escape any particular nation’s all-encompassing sovereign power. Mueller (along with his various colleagues) has written a considerable amount on Internet governance;[4] he has argued that, contra Goldsmith and Wu, nation-states cannot entirely assert their sovereign power in the control of national networks in light of the expanded number of partners in governing global digital networks. Nation-states, and their various institutional organs, can exert considerable influence but not absolute sovereignty over the technical infrastructure of the Internet and expect full integration with the rest of the ‘net.

The concerns about prioritizing particular kinds of content could be problematic, but is equally likely to be helpful. If an ISP actively works to reduce jitter resulting from economically unmanageable congestion then, so long as such prioritization schemas are made public and conform with international best-practices, they can be understood as appropriate, or at least acceptable. Note that this shouldn’t mean that technical measures should permanently be used to manage congestion; shifts to DOCSIS 3.0 and fiber are preferable long-term solutions to managing congestion towards the last mile (where congestion is often most prominent and problematic) but limited technical resolutions may be required as capital expenditures are mobilized to improve the physical network.

From this, I suggest that what Verizon-Google is proposing in this principle is somewhat conservative, and would be entirely conservative if the principle recognized the FCC’s involvement in regulating network management practices. I’ll address a possible division of FCC/international bodies’ responsibilities in a minute, but will ‘tease’ you by stating that granting international bodies ultimate responsibility over the technical elements of network management practices doesn’t necessarily herald the end of the Internet. This statement is made in light of the fact that non-governmental technical bodies already govern various facets of the Internet’s existing infrastructure through the standards setting process.

Before discussing a possible FCC/international bodies division of labor, however, I need to distinguish between the terminology of ‘reasonable network management’ and ‘network management’. I agree with an element of Paul Ohm’s paper that interrogates ISP practices in the US. Ohm identifies reasonable network management as having gained prominence in America following a 2004 speech by Chairman Powell, and the FCC has since adopted reasonable network management as a policy position. While ‘network management’ is a technical issue – Ohm recognizes it as referring “to the activities, methods, procedures, and tools that pertain to the operation, administration, maintenance, and provisioning of networked systems” (1462) – ‘reasonable’ network management is a broader, policy-informed, management apparatus. Specifically, Ohm argues that “it describes not an engineering principle, but a policy conclusion made by weighing the legitimate technological and business goals of network management with what society deems reasonable in light of many principles, including privacy” (1461).

If we accept the division of ‘network management’ and ‘reasonable network management’ as outlined by Ohm, then there is a concern that standards bodies would, in fact, be incapable of establishing ‘reasonable’ network management standards. They could establish network management standards, but without an insight into the realities of particular ISPs and content providers’ relationships, and the economic models underlying these parties, the international groups would be unable to pointedly provide granular international standards.

In light of this potential difficulty I suggest that the policy and economic factors of ‘reasonable network management’ could be kept entirely within the purview of the FCC, while the technical facets of ‘network management’ could be put under FCC purview on a probationary basis. On this basis, where novel management approaches are used those techniques would be regulated by the FCC until an appropriate international technical body came to a conclusion on whether the novel approach adhered to international best practices. The FCC could engage in a consultation, or related, process to integrate those standards into national policy, which would (effectively) see the FCC engage in policy learning/harmonization in technical issues with the global Internet governance community.

This suggestion creates a ‘two-track’ approach to regulation; one that lets America assert its norms and values in management practices, and another that limits over-exuberant novel management techniques while still enabling a flexible technical networking culture. In sum, the two-track approach would see the US retain national/regional sovereignty over non-technical issues – privacy, economics, free speech and so forth – and permit existing international governance bodies to develop the best practices for a functioning Internet community.

Principle Five: Additional Online Services

A provider that offers a broadband Internet access service complying with the above principles could offer any other additional or differentiated services. Such other services would have to be distinguishable in scope and purpose from broadband Internet access service, but could make use of or access Internet content, applications or services and could include traffic prioritization. The FCC would publish an annual report on the effect of these additional services, and immediately report if it finds at any time that these services threaten the meaningful availability of broadband Internet access services or have been devised or promoted in a manner designed to evade these consumer protections.

The additional services proviso has resulted in considerable worries; would this create a two-track Internet, a ‘public’ and a ‘private’ Internet? Would there be price differentials between the services made available over these two Internets?

I’ve already identified a problem with the prior network management principle; let’s assume that the dual track approach is acceptable and so ISPs are prevented from gaming the system to prioritize and deprioritize traffic in a relatively ad hoc manner. I approach the principle of additional online services in two parts: first, from the point of offering ‘other services’, and second, concerning the FCC’s (lack of) regulatory power enshrined in this principle.

Novel bandwidth provision for specialized services happens right now; if you have IPTV coming into your home then your service provider either has, or soon will, segregate a portion of the bandwidth coming into your home to prioritize your IPTV traffic. Rogers and Shaw, Canadian ISPs, have publicly noted that they differentiate bandwidth in their networks so that certain portions are available to different traffic-types. Bandwidth is already provisioned to guarantee certain services at the expense of others.

The wording, ‘clearly differentiated services’, noted in this principle may see some of that aggregate bandwidth provisioned to provide instant-on services, such as a dedicated secure line to your bank[5] or links to an ISP-hosted home monitoring/security system. Such ‘discrete’ uses of the network are not necessarily bad and, in fact, you can imagine that various consumers would welcome the ability to set priorities on various services or receive ‘specialty’ services that are not available over the top. This said, a very real concern surrounding bandwidth segregation and provisioning can be read through Winseck’s work on “netscapes of power”,[6] where a service provider uses their institutional power to impact content/service availability for economic gains. Such differentiation subtly pushes consumers to the service providers’ own offerings in lieu of ‘slower’ third-party, often over the top, offerings.

The FCC should step in whenever there is a netscape of power manifests. This said, a netscape is not necessarily established through the provision of ISP-specific services; such services can be complementary with non-ISP, over the top, services. In the language of Jonathan Zittrain,[7] the ISP-exclusive feature might be the equivalent of an ‘appliance-use’ of the network that competes with ‘generatively-derived’ web systems. Zittrain worries that appliance-like systems (e.g limited-use hardware/software interactions) threaten the ‘generativity’ of the Internet itself. Generativity is defined as a “system’s capacity to produce unanticipated change through unfiltered contributions from broad and varied audiences” (70) but, so long as the ‘public Internet’ is made unconditionally available, I suggest that the generative Internet can peacefully cohabitate with the appliance-Internet.

Let me introduce an example of an instance where appliance-Internet and generative-Internet are arguably not cohabitating. This lack of successful cohabitation results in what appears as a netscape or power, and indicates the value of establishing clear rules for rebalancing the appliance- and generative-Internet. Many Canadians are excited that Netflix, a streaming video service, is finally coming to Canada. Unfortunately, almost immediately after the service was announced one of Canada’s largest ISPs significantly reduced the monthly data caps available to its users. This will reduce the amount of content that Canadians using that ISP can receive from Netflix, ‘encouraging’ those consumers to use the ISP’s own content systems that do not count towards a monthly data cap. This is an example of a netscape of power because an ISP is creating a soft wall around its provisions and encouraging the use of in-house content provision at the expense of Netflix. Arguably, this is a case where an appliance – cable TV offerings – is at odds with the generative Internet. The appliance/generative balance is potentially skewed in this case.

Given the worrying appearance of the imbalance between appliance/generative bandwidth provisions, a regulator should investigate this scenario, possibly on anti-competition grounds. Recognizing that these (anti)competitive activities happen in a converged marketplace, the FCC could avoid the present Canadian situation by developing a heuristic for determining whether the ‘appliance-Internet’ was being used to limit the possibilities of ‘generative-Internet’. Such a heuristic would permit carriers to provide their ‘clearly differentiated services’ while setting clear conditions on how those services operate in relation to generative Internet offerings. Wherever and whenever a netscape was identified the ISP might be forced to adjust their appliance/generative balance. My attention, here, is that a balance is possible. That ISPs want to offer unique services is not necessarily bad in themselves, but such services must be carefully watched and regulated.

Of course, this assumes that the FCC would have a role in adjudicating the appliance-Internet, and the principle outlined by Verizon-Google attempts to forebear that kind of interference. A report is not the same as regulation; the FCC needs to retain regulatory power to prevent a creation of semi-walled gardens, where consumers can venture out from beyond an ISP’s walls but at significant economic or temporal cost. Thus, while appliance and generative networks can potentially function alongside one another without significant difficulties, regulatory oversight must be retained to ensure that the relationship is acceptable.

Principle Six: Wireless Broadband

Because of the unique technical and operational characteristics of wireless networks, and the competitive and still-developing nature of wireless broadband services, only the transparency principle would apply to wireless broadband at this time. The U.S. Government Accountability Office would report to Congress annually on the continued development and robustness of wireless broadband Internet access services.

Anyone who is surprised to see this principle is either new to network policy discussions or has remained willfully ignorant of the ever-present discussions around regulating wireless. ISPs want to keep regulatory authorities at bay from their markets as long as possible, and this principle is just another articulation of this desire. With this in mind, it’s important to note that regulators have generally been hesitant to get involved in regulating wireless broadband in North America. It was roughly nine months after Canada’s traffic management hearings that wireless was drawn into the wireline management framework. The initial forbearance of regulation on wireless caused considerable concern in Canada – Canadians, like their American counterparts, recognize that wireless is the future of broadband markets – but such forbearance was (relatively) quickly reversed. Any principles established by the FCC that include forbearance on wireless could see the same rapid reversal.

Thus, I would suggest that the Verizon-Google principle is conservative. This isn’t to say that such conservatism is necessarily a good thing – nor it is necessarily indicative that I agree with ISP concerns about spectrum scarcity[8] – but that the conservatism is understandable. Ideally, should a principle resembling the Verizon-Google proposal for the wireless market make its way into a regulatory framework it would include a proviso that the issue of wireless regulation would be taken up again within clearly stated period of time. This might let the FCC conduct its own investigations into how it wants to approach the wireless environment, effectively buying it some breathing room without permanently committing (or being committed to) to wireless forbearance.

Principle Seven: Case-by-Case Enforcement

The FCC would enforce the consumer protection and nondiscrimination requirements through case-by-case adjudication, but would have no rulemaking authority with respect to those provisions. Parties would be encouraged to use non- governmental dispute resolution processes established by independent, widely-recognized Internet community governance initiatives, and the FCC would be directed to give appropriate deference to decisions or advisory opinions of such groups. The FCC could grant injunctive relief for violations of the consumer protection and non-discrimination provisions. The FCC could impose a forfeiture of up to $2,000,000 for knowing violations of the consumer-protection or non-discrimination provisions. The proposed framework would not affect rights or obligations under existing Federal or State laws that generally apply to businesses, and would not create any new private right of action.

Principle seven has been heavily criticized, and rightly so. This said, for all of the problems inherent in maintaining that the FCC must limit their regulation of ISPs, some of the suggestions in this principle could adhere to my earlier division between what the FCC might be responsible for and what international standards bodies might be involved in.

The FCC requires rulemaking authority, a capacity to determine what ‘meaningful harm’ is defined as, and the regulator should have its full set regulatory tools to respond to violations of consumer protection laws. I would note that this is also an area where the FTC’s Bureau of Consumer Protection might get involved, as implicitly recognized in the principle’s last sentence. That the FCC should effectively abandon its roles, and rulemaking in particular, makes much of this principle a non-starter.

Having made this claim, however, the position that the FCC would be directed to “give appropriate deference to decisions or advisory opinions of such [independent, widely-recognized Internet community governance] groups” isn’t necessarily bad. If we adopt the division of responsibilities between the FCC and international bodies that I previously articulated in Principle Four (Network Management), a suitable division of labor might be met. To remind you, this division saw the FCC regulating norms and values governing ISPs’ ‘reasonable’ network management, accompanied by limited regulation in non-standardized technical management processes. Technical deference was given to international groups like the IETF after they established technical standards; such ‘formalized’ standards would then be harmonized with FCC policies concerning appropriate technical management of networks within the US. Under this schema an appropriate balance between international groups and the FCC could be struck.

It is important that any independent governance group is international, given that this prevents America’s service providers from assuming the technical policy reins themselves. Further, by separating the ‘reasonable’ from standardized network management practices we might avoid situations where ‘reasonable network practices’ (i.e. policy and business considerations merged with technical realities of the day) are ingrained into the independent policy standards that emerge. Thus, the position that the FCC gives deference to an “independent, widely-recognized Internet community governance” group could be massaged. Whether such massaging is desired, however, is a question and issue extending beyond my efforts here.

Principle Eight: Regulatory Authority

The FCC would have exclusive authority to oversee broadband Internet access service, but would not have any authority over Internet software applications, content or services. Regulatory authorities would not be permitted to regulate broadband Internet access service.

The FCC’s own third way is an effort to extend the definition of ‘access’ to include the transmission of broadband Internet access as a telecommunications service. Under the third way, this means that where an ISP did the equivalent of slowing down a telephone call (let’s not get started on how ugly metaphors will probably get under a third way approach…) then the FCC could step in whenever such delays meaningfully impact the delivery of the telecommunications service. This, in effect, would apply common carrier provisions to ISP services and enable the FCC to stop ISPs from engaging in either unjust or unreasonable practices towards services and applications. Under the third way, however, the FCC would still be prevented from regulating subscription rates or applying various other Title II regulatory tools.

With this in mind, we can see how Principle Eight is designed to stop the third way in its tracks. As I read it, by stemming what ‘access’ refers to the Verizon-Google framework attempts to circumvent the FCC’s reclassification of broadband providers from ‘pure’ information services to information services with limited common carrier requirements. The principle is incredibly important to Verizon (probably less so for Google) if it is to terminate the third way. Given the FCC’s defeat to Comcast, the third way is essential if the regulator is to gain power over how providers manage their networks. I can see nothing in this principle that should be maintained, save that the FCC should continue to have exclusive authority to oversee broadband Internet access services.

Principle Nine: Broadband Access for Americans

Broadband Internet access would be eligible for Federal universal service fund support to spur deployment in unserved areas and to support programs to encourage broadband adoption by low-income populations. In addition, the FCC would be required to complete intercarrier compensation reform within 12 months. Broadband Internet access service and traffic or services using Internet protocol would be considered exclusively interstate in nature. In general, broadband Internet access service providers would ensure that the service is accessible to and usable by individuals with disabilities.

Adopting a principled approach to using the USF for broadband deployment strikes me as entirely reasonable, and is something that the FCC has been mulling for some time. This said, while carriers often argue that ‘intercarrier compensation reform’ will lead to overall lower broadband and phone rates for end-customers, this isn’t always the case. A concern is that reform will serve to (further) advantage large broadband carriers and (further) disadvantage smaller carriers that often struggle with intercarriage rates. While it might be argued that smaller carriers just have to swallow those rates as the cost of doing business, this translates into disadvantaging (often rural) consumers that may not have access to larger carriers’ networks. Further, the combination of opening up the USF, combined with potentially higher carriage raters, could be leveraged by larger carriers to compete with some rural carriers by rolling out their own networks using USF funds and cutting prices, while simultaneously requiring those same carriers pay out more money for carriage. Should this happen (and I stress that this is a hypothetical) I worry that rural customers would be put in an even worse situation than they often are now.

Conclusions

So, at the end of all of this, what do I think? As stated earlier, many of the principles seem relatively non-problematic and/or conservative in the context of North American telecommunications regulation. Others are deeply concerning. Below are brief summaries of the earlier arguments; they lose some of the nuance, but I think effectively capture my overall position on each principle.

Principle one, addressing consumer protections, doesn’t strike me as ‘dangerous’ as suggested by some when it’s juxtaposed against existing FCC policies around lawful content and applications.

Principle two, speaking to non-discrimination, doesn’t strike me a terribly problematic either. So long as regulatory authority is exercised over the decision to prioritize certain traffic, and that traffic is prioritized based on application- or traffic-type as opposed to particular applications (i.e. prioritize VoIP, not Verizon’s VoIP service) then even the potential to prioritize particular classes of traffic isn’t necessarily harmful.

Principle three, addressing the need for transparency, is entirely acceptable. Ideally the principle would hew to decisions in Canada, where there are rules for what information ISPs must provided and how it is provided, or further improve upon the Canadian requirements. Preferably, information on traffic management would be more prominent than on some Canadian ISPs’ websites, but simply requiring that the information is available is a good step in the right direction.

Principle Four, on the topic of network management, is potentially problematic insofar as it limits FCC oversight. I have suggested that there be a division in what is and isn’t overseen by the FCC, a division reflective of some realities of Internet governance. In short, a two-track system would be established. The FCC would retain regulatory authority over non-technical issues such as privacy, economics, free speech, and so forth, and regulate novel instantiations of network management. It would ultimately harmonize technical management practices with standards established by international governance bodies such as the IETF.

Principle Five, concerning additional online services, has justifiably elicited a considerable degree of concern. I suggest that appliance-Internet services do not inherently endanger the generative-Internet, but that regulatory authority is required to ensure that carriers do not create contemporary netscapes of power. The FCC, as such, requires more than report-writing powers and thus Verizon-Google’s proposed ‘check’ to balance carrier power is insufficient as written by the corporate giants.

Principle Six maintains that the FCC should forebear regulation of the wireless environment. I note that similar language emerged in the Canadian network management proceedings, and that the CRTC shortly thereafter included wireless services in the management framework. As a result, the principle here doesn’t strike me as ‘scary’, insofar as principles can be mediated in the future, but I admit that I hold the following opinion: wireless regulation is critical given that the future of broadband is wireless, and the FCC will have to get involved at some point. Canada has decided that the time for regulation is now, and including a proviso to revisit any forbearance on wireless regulation in the US is necessary should a decision be made to not immediately regulate wireless.

Principle Seven, case-by-case enforcement, needs to be significantly reworked. The FCC needs to retain rulemaking authority. This said, a ‘compromise’ might involve the measure noted under principle four, where there is a distinction between the ‘reasonable’ elements of network management and the technical elements of network management. The former would be exclusively under the jurisdiction of the FCC, and the latter would be largely drawn from international bodies’ proposed best practices and standards.

Principle Eight is designed to stop the third-way; as I read it the principle is an attempt to gut common carriage provisions for information services. Such a provision would be a massive setback for the FCC; this principle needs to be rejected out of hand.

Principle Nine is interesting; using the USF for broadband deployment in under serviced areas is relatively uncontroversial, but when combined with a renegotiation of intercarriage rates (which will likely increase rates for smaller ISPs) there is a risk that larger ISPs will draw on the USF to compete in regions exclusively serviced by smaller ISPs while raising carriage rates. When competition is combined with higher carriage rates the smaller ISPs may be endangered, which could hurt rural consumers. The principle doesn’t necessarily have to be rejected out of hand, but serious thought should go into the combined effects of USF for broadband and (likely) higher intercarriage rates.

As a final note, I want to iterate that while this is an area that I study, I learn more about it every day. What I’ve written are early, probationary thoughts. While I certainly hold the positions articulated in this post, those positions are subject to change with new information. If you disagree with me and/or think that I’ve misunderstood or misread things, please feel free to let me know; I’m actively interested in expanding my knowledge in this sphere of telecommunications policy. Given that this is an area of research I’ll be developing on for the next several months, all input is appreciated.

Footnotes

[1] I should note that I’m incredibly uncomfortable with the term ‘network neutrality’ for various theoretical reasons. I hope to spell out these theory-based dislike to the term in the future. For the purposes of limiting the expansiveness of this post, I’ve avoided delving into these dislikes here, but such avoidance should not be taken as either agreeing with the premises of the term itself nor with an acceptance of any particular theory or framework of network neutrality.

[2] For a spectacular reveal of how copyright law is traditionally drafted in the US, see “The Art of Making Copyright Laws” and “Copyright and Compromise” in Litman’s Digital Copyright.

[3] For a full list of those consulted, the the ‘Stakeholder Meetings‘ post over at the Official Blog of the National Broadband Plan.

[4] For more, see Cowhey and Mueller. (2009). “Delegation, Networks, and Internet Governance” in Networked Politics: Agency, Power, and Governance (ed. Kahler). See also, Mueller. (2002). Ruling the Root and Bendrath and Mueller. (2010). “The End of the Net as We Know It? Deep Packet Inspection and Internet Governance” via SSRN.

[5] The notion of direct, secure, banking services was stated during an interview between Peter Nowak and Vint Cert.

[6] Winseck. (2003). “Netscapes of power: convergence, network design, walled gardens, and other strategies of control in the information age” in Surveillance as Social Sorting: Privacy, Risk and Digital Discrimination (ed Lyon).

[7] For the full argument, see Zittrain. (2008). The End of the Internet – And How to Stop It.

[8] I admit to being taken by Cooper’s (2010) position paper entitled “The Myth of Spectrum Scarcity: Why Shuffling Existing Spectrum Among Users Will Not Solve America’s Wireless Broadband Challenge“.

Other posts you might be interested in:

1. Analysis: ipoque, DPI, and Network Neutrality
2. Rogers, Network Failures, and Third-Party Oversight
3. Background to North American Politics of Deep Packet Inspection

In this post I’m going to spell out what the changes actually mean – what duties and responsibilities, in specific, the CRTC is responsible for – and what traffic management on mobile networks would entail. This will see me significantly reference portions of the Canadian Telecommunications Act; if you do work in telecommunications in Canada you’ll be familiar with a lot of what’s below (and might find my earlier post on deep packet inspection and mobile discrimination more interesting), but for the rest this will expose you to some of the actual text of the Act.

In amending the forbearance framework the CRTC is entering the regulatory domain on several topics pertaining to wireless data communications. Specifically, wireless providers are now subject to section 24 and subsections 27(2), 27(3), and 27(4) of the Act. Section 24 states that the “offering and provision of telecommunications service by a Canadian carrier are subject to any conditions imposed by the Commission or included in tariff approved by the Commission.” In effect, the CRTC can now intervene in the conditions of service that carriers make available to other carriers and the public. Under 27(2) carriers can no longer unjustly discriminate against or give unreasonable preference towards any person. This limitation includes the telecommunications carrier itself and thus means that neither fees nor management of the network can be excessively leveraged to the benefit of the carrier and detriment of other parties.

Under 27(3) the CRTC can determine as a question of fact whether carriers have complied with sections 25 (broadly dealing with tariffs), 27 (which concerns the monitoring and enforcement of elements of the Act) or 29 (where the CRTC must approve working agreements between carriers). Further, a question of fact may be used to determine whether a carrier is in compliance with a decision concerning sections 24 (on the conditions of service), 25, 29, 34 (addressing issues of forbearance) or 40 (concerning the connection of facilities between carriers or other facilities).

Broadly, what all of this means is that the CRTC has stepped aside from their position that potential regulation could negatively injure the state of competition in Canada’s wireless market. This isn’t to say that they are regulating, but that they have stepped away from their traditional stance of forbearance around wireless. The shift isn’t terribly surprising given the rise of new entrants to the mobile space in Canada such as Mobilicity and Wind Mobile, as well as the multitude of high speed data networks in the country.

Also important is that the CRTC has decided to apply the Internet Traffic Management Proceedings (ITMP) framework, emergent from the ITMP Decision, to the wireless environment. In short form, this means that the rules Canadian carriers have to follow when they throttle or modify data packets on wireline connections (i.e. the cables running into your home/business) now apply to the wireless space. The shift isn’t surprising, save that it happened relatively shortly after last year’s decision to forbear a decision on the wireless space but had been previously announced as an element of the broader Proceedings to review access to basic telecommunications services and other matters. For practical purposes few will realize any difference in the provision of their wireless data services this week than they did last. It does, however, lay the conditions under which throttling and packet modification appliances can be used. These appliances include those with deep packet inspection functionality.

The ITMP framework identifies what a carrier must do whenever there is a complaint levied to the CRTC concerning the use of a traffic management technique or technology. Specifically the carrier must:

• Describe the ITMP being employed, as well as the need for it and its purpose and effect, and identify whether or not the ITMP results in discrimination or preference.
• In the case of an ITMP that results in any degree of discrimination or preference:
  • demonstrate that the ITMP is designed to address the need and achieve the purpose and effect in question, and nothing else;
  • establish that the ITMP results in discrimination or preference as little as reasonably possible;
  • demonstrate that any harm to a secondary ISP, end-user, or any other person is as little as reasonably possible; and
  • explain why, in the case of a technical ITMP, network investment or economic approaches alone would not reasonably address the need and effectively achieve the same purpose as the ITMP.

Of course, this requires the a complaint be levied: such an action is challenging given that where a customer is dealing with properly installed traffic management gear the equipment is effectively invisible. Determining a problem thus requires a very technically savvy customer or group and/or bad configuration by the carrier(s). As such, the Framework remains useful but mired in some potential implementation problems. More likely any complaint will result from a modification to terms of service between an Incumbent Local Exchange Carrier (ILEC) and Competitive Local Exchange Carrier (CLEC).

What will be fascinating to watch, as a researcher, is whether with Decision Canadian carriers begin deploying traffic management equipment capable of scanning the payloads of mobile data packets. Moreover, if/when the technologies are deployed will we see a trojan-horse like approach in mobile that we did in wireline – will is first be used for subscriber management, then for throttling, then for sending messages over through the browser? If/when they do deploy the technology, will they immediately and publicly update their traffic management policies to reflect the analysis of wireless traffic or will it take another complaint to the Office of the Privacy Commissioner of Canada to ‘encourage’ such modifications? Hopefully after a round in front of the CRTC and OPC carriers will willingly put packet inspection information where the public can easily find it (i.e. not buried in terms of service and changed without notification in the dead of night) but only time will tell. Overall, the decision to implement the traffic management framework is certainly a positive step forward and confirms my earlier hopes that a policy of non-discrimination in the Canadian wireless market would be adopted. The next step will be to watch and see whether deep packet inspection-based equipment is deployed in wireless environments in a transparent fashion or not.

Other posts you might be interested in:

1. Comment: Canadian ISPs and Internet Traffic Management
2. Deep Packet Inspection and Mobile Discrimination
3. Distinguishing Between Mobile Congestions

As part of an early bit of thinking on this, I want to direct our attention to Canada, the United States, and the United Kingdom to start framing how these jurisdictions are approaching the use of DPI. In the process, I will make the claim that Canada’s recent CRTC ruling on the use of the technology appears to be more and more progressive in light of recent decisions in the US and the likelihood of the UK’s Digital Economy Bill (DEB) becoming law. Up front I should note that while I think that Canada can be read as ‘progressive’ on the network neutrality front, this shouldn’t suggest that either the CRTC or parliament have done enough: further clarity into the practices of ISPs, additional insight into the technologies they use, and an ongoing discussion of traffic management systems are needed in Canada. Canadian communications increasingly pass through IP networks and as a result our communications infrastructure should be seen as important as defence, education, and health care, each of which are tied to their own critical infrastructures but connected to one another and enabled through digital communications systems. Digital infrastructures draw together the fibres connecting the Canadian people, Canadian business, and Canadian security, and we need to elevate the discussions about this infrastructure to make it a prominent part of the national agenda.

The Canadian Situation

In Canada, there has been a substantial amount of attention directed towards the use of DPI equipment since 2007 when CAIP filed a complaint about Bell’s use of the technology to affect how CAIP customers’ data traffic was being transmitted through Bell’s infrastructure. The result of Bell v. CAIP, and the 2008/9 CRTC investigation into how DPI is used by ISPs more widely, was positive in some lights and devastating in others. Positively, out of the 2008/9 investigation the CRTC asserted:

• the blocking of content is prohibited unless approved by the CRTC;
• when noticeable degradation of service for time sensitive services occurs, then a traffic management system amounts to controlling the content or influencing its meaning. As such, any actions that create such a degradation require approval by the CRTC;
• the CRTC affirmed that it works in a complementary fashion with the Privacy Commissioner of Canada and that telecommunications providers are held to a higher standard than that contained in PIPEDA alone. Critically, not only are primary ISPs prohibited from using data gathered from traffic management for anything other than management actions, but “the Commission directs all primary ISPs, as a condition of providing wholesale services to secondary ISPs, to include, in their service contracts or other arrangements with secondary ISPs, the requirement that the latter not use for other purposes personal information collected for the purposes of traffic management and not disclose such information.”
• economic measures are preferred to technical traffic management processes;
• the delaying of non-time sensitive services (e.g. email, peer-to-peer, FTP, etc) does not require CRTC approval.

Of course, this didn’t forbid ISPs from using DPI – something that was unlikely to happen – but did put strong conditions on what was and was not permissible use of DPI. What remained permissible was that delaying non-time sensitive services (e.g. email, peer-to-peer, FTP, etc) does not require CRTC approval, and wholesale ISPs both remain affected by DPI and can expect to receive a mere 30 to 60 day notification before primary ISPs make material changes that would affect wholesale ISPs. The privacy element of the ruling was reinforced in the Privacy Commissioner of Canada’s ruling on deep packet inspection, which required Bell to note on their website that personal information (i.e. subscriber ID and IP address) was briefly collected (and then quickly discarded) in the ongoing use of DPI. Emergent from the CRTC and OPC’s decisions, we can comfortably say that Canada has a strong set of regulatory bones when it comes to DPI and network neutrality; what’s left is fleshing the bones out, which will hopefully happen over the coming months and years.

The United States of Inspection

As we turn our gaze south of the 49th parallel, we see that DPI has been used in various ‘exploratory’ ways. Arguably, it was the use of DPI for behavioural advertising – by the company NebuAd and various ISP partners – and incredibly disruptive treatment of peer-to-peer filesharing applications that brought the technology into the media more widely. In the former case, NebuAd partnered with ISPs such as Charter to insert a DPI device in the ISPs’ network environments. Once in the network, it was possible for NebuAd to modify data transfers by creating a new packet and forging the IP address and port information to make the packet appear to come from the original source. Thus, if you were being served a packet from Google or Yahoo!, it would still appear to your computer as though it was delivered from a Google or Yahoo! server. The NebuAd system used TCP’s ACK and SEQ system to stop users’ computers from refusing to accept the forged packet.

Contained within this new packet was a bit of javascript that directed users’ computers to collect a cookie from a NebuAd server; this cookie was then used to track users and to subsequently serve ads that were relevant to the user based on their browsing history. Attempts to delete the cookie led to it simply being re-delivered the next time a user browsed somewhere on the ‘net. This behaviour led researcher Robert Topolski to assert that “NebuAd’s code injected into another’s page source is a cross-site exploit (XSS) and the subsequent behavior of loading cookies it normally would not load is a browser hijack. NebuAd accomplishes its XSS by using what is effectively a classic man-in-the-middle attack.”

In light of the damning evidence that ‘consent’ was never genuinely achieved (in at least one ISP’s case, there was a change to their already massive privacy policy to “inform” customers of the new behaviour) NebuAd was very publicly disciplined in front of the House Telecommunications Subcommittee. Congressman Markey asserted that “Simply providing a method for users to opt-out of the program is not the same has asking users to affirmatively agree to participate in the program.” While NebuAd has lost it’s CEO, is now subject to a class action lawsuit, and itself is dead in the water (though has arguably been reincarnated in the UK as Insight Ready), no legislation have been passed to address behavioural advertising using DPI. A Senate Commerce Committee session in September 2008 led to three of the US’s largest ISPs – AT&T, Verizon, and Time Warner – committing to an “affirmative consent” model for behavioural advertising should the ISPs ever adopt such an advertising system, but no Senate action even attempted to legislate a consent-based model. The Federal Trade Commission (FTC) went ‘so far’ as to advocate for voluntary self-regulation of the industry. This regulation encompassed the following principles;

1. Transparency and customer control, which maintains that on every website where data is collected for behavioural advertising that customers are informed of this in concise and clear language with the option of choosing whether their information will collected for these purposes.
2. Reasonable security, and limited retention, of consumer data. In essence, this requires companies to secure data in a manner consistent with FTC data security enforcement and only retain data as long as required for legitimate business purposes.
3. Affirmative express consent for material change to existing privacy promises. Critical is that this principle is meant to apply even when the material change is a result of a corporate merger when such a merger modifies the ways in which companies collect, use, and share information.
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioural advertising. This principle does not actually identify what constitutes sensitive information; the FTC sought input into what classes of information should be considered sensitive and whether the collection of such information should be prohibited by regulation instead of by customer choice.

In the case of using DPI for network management purposes, Comcast was found using TCP RST packets to intentionally disrupt peer-to-peer filesharing programs that were accounting for substantial amounts of data traffic along their networks. The stated issue with the programs was that they generated high levels of congestion; in effect, this meant that a large number of customers’ packets were regularly being dropped as Comcast routers struggled to keep pace with the high levels of peer-to-peer traffic. While at one point the company maintained that it only used RST packets during periods of high congestion, it ultimately admitted that their RST-based system was triggered regardless of overall network congestion and at all times of they day.

As a result of Comcast’s use of DPI to target particular applications and application-types the FCC issued an order requiring the ISP to stop their particular mode of network management using their ancillary authority, or authority that implicitly is derived from past judicial rulings, policy contours, congressional mandate, and telecommunications act. Specifically, the FCC required Comcast to;

1. Reveal the “precise contours” of its network management practices, including the types of equipment used, when they came into use, how they were configured, and where they have been deployed.
2. Come up with a compliance plan complete with benchmarks that explains how Comcast will move “from discriminatory to nondiscriminatory network management practices by the end of the year.”
3. Publicly disclose the details of its new practices, “including the thresholds that will trigger any limits on customers’ access to bandwidth.”

The FCC decision was met with two responses from Comcast. First, the company adopted a protocol agnostic solution to dealing with high-bandwidth usage. This saw them move from using deep packet inspection – which examines the payload of data packets – to shallow packet inspection that is (relatively) limited to examining header information. Under the revised approach, where it is evidenced that consumers are engaged in high-bandwidth activities for 15 minutes or longer they have their packets reclassified to “best effort” from the default “priority best effort”.

Second, the company took the FCC to court, arguing that the FCC had exceeded their authority in determining how the corporation can manage their networks. The courts recently returned with a decision, and it was in Comcast’s favor: the FCC’s order that Comcast stop issuing RST packets using DPI equipment is now invalidated on the basis that the FCC decision exceeded their authority. This sends a message that American telecommunications carriers can use equipment, as they perceive needed, to manage their networks and such usage includes mobilizing DPI to invade and disrupt customers’ packet stream. It remains to be seen how this will affect the differentiation between facilities-based VoIP services that Comcast provides and the (apparent) degradation of non-facilities based VoIP services (e.g. Skype) when network congestion occurs: does the FCC have the right to require equal treatment of these types of service? This will be an interesting matter to see unfold in light of the Court’s decision today. It will similarly be interesting to see if, after the decision, ISPs actually use RST packets to disrupt particular traffic flows or instead avoid this approach given the negative press this technique attracted.

So, where does this all leave the US in comparison to Canada? It means that non-regulated processes are exclusively meant to limit the use of behavioural advertising – but, as demonstrated by Chris Soghoian’s work such self-regulation is practically non-regulation in the advertising business - and that the traffic management questions linger in the air. ISPs in the US managed to get a bit more freedom from the FCC with the decision favouring Comcast, and the FTC has been unwilling to strongly regulate ISPs’ uses of DPI. Thus, the American reality stands in stark contrast to Canada: Canadians have a skeleton of regulated guidelines that ISPs are required to adhere to, whereas the US remains a relatively unregulated market for DPI.

A Note on the UK

I’m not a European telecommunication scholar, and so don’t want to make broad statements about Europe, but am slightly more aware of the UK situation. As such, I’ll limit discussions of Europe to the UK.

Behavioural advertising and content management are key issues facing the UK citizenry. In the former’s case, Phorm has been the UK’s NebuAd and partnered with various prominent ISPs to provide an advertising service. The company’s use of DPI was perhaps even more egregious than in NebuAd’s case, insofar as Phorm’s use involves a series of 307 redirects that result in a cookie being placed on a customer’s computer for tracking and advertising purposes (a great technical analysis of Phorm’s system has been performed by Richard Clayton). Most significantly, Phorm forges the cookie so that it appears to come from the originating website, rather than the Phorm system; under this system you receive a cookie that appears to legitimately come from cnn.com when browsing to that website even though it comes from Phorm. Activists came together and have continuously put pressure on Phorm – often arguing that it’s actions are in violation of of the Regulation of Investigatory Powers Act – and the EU Commission is presently bearing down on the UK for its failure to address the privacy-related concerns accompanying this instantiation of behavioural advertising. (Perhaps in response, we now see Phorm scurrying to Brasil – will Brasilian activists take a stand against the company as UK citizens have?)

The content management issue has come up most recently in the form of the Digital Economy Bill (DEB), where there is a real possibility that ISPs will be required to act as a third-party in disputes between rights holders and those who are accused of infringing on holders’ copyrights. ISPs will be required to work against their own customers, insofar as repeat copyright infringers will be subject to some form of traffic throttling. Whether this involves the use of deep packet inspection, or other technological measures, isn’t entirely clear from the bill but many ISPs in the UK are violently opposed to redeveloping their network architecture to shield the copyright industries’ business models. The DEB, as presently written, makes it unclear what ISPs will actually be required to do, but rights holders seem to favor the inspection or analysis of data traffic, an approach to managing data that might lead to content discrimination or an extension of the already functioning discrimination against particular applications and application-types. From my own research perspective, it will be interesting to see if there is an expansion of the uses of CView on the Virgin network should the DEB be realized as law, and whether the EU would step in if enforcing the DEB results in egregious violations of privacy.

It must be recognized that UK ISPs, like their Canadian counterparts, are actively engaged in throttling particular applications and application-types during peak usage times to mitigate network congestion. Orange UK, as an example, throttles what they term ‘dirty’ protocols – those which “consume as much of the available bandwidth that is available”, with the rejoinder that if the ISP gives such protocols and their associated applications an inch they will try to “take a mile”. Orange, of course, is not exceptional: both BT and Virgin also have traffic management policies, as do most other UK ISPs that I’ve studied.

So, where does this leave the UK in contrast to the Canadian regulatory position on deep packet inspection, and content management more broadly? It remains questionable whether the EU will permit behavioural advertising that is based around DPI equipment, but the UK government itself has not come out against the technology in any meaningful way. In Canada, any use of DPI for behavioural advertising runs up against both the CRTC and OPC. UK ISPs are permitted to use traffic management systems, many of which, I suspect (though haven’t done the research yet to demonstrate), utilize systems that are similar to those in North America. Regardless, UK ISPs, like their Canadian counterparts, are involved in choosing the winning applications and application-types for content delivery though are potentially faced with the possibility of having to soon filter particular content. Canadian ISPs have repeatedly stated that they have no desire to filter content for technical, privacy, and business reasons, and it doesn’t look like a Canadian equivalent of the DEB is coming down the pipeline for a while. Unlike efforts such as Comcast’s, where traffic management is protocol agnostic, we see some Canadian and UK ISPs targeting particular methods of content delivery as clean or ‘dirty.’ Ultimately, Canadian and UK ISPs are similar in their respective approaches to traffic management but differ in respect to both behavioural advertising and (possibly) content filtering.

Network Neutrality in a Western Context?

We began with a note on network neutrality, and it seems appropriate to close on one as well. I firmly believe that network operators need to be able to manage their network in a manner that is transparent to the public, effective, and efficient. This may indeed require the implementation and use of technologies such as deep packet inspection. I would hasten to note that not all DPI is created equally; some excel at analyzing content by extracting and matching content signatures, but others are predominantly marketed and used as security appliances, and yet others for subscriber billing. Instead of resisting DPI as a broad technology, we need to focus on opposing some applications of the technology while praising others. While I’m not making an argument that DPI is a ‘neutral’ technology – it’s a surveillance technology with elements of control embedded into it – I do want to suggest that not all surveillance, not all applications of control, are inherently bad. Parents carry baby monitors with them – monitors that have surveillance as a key value embedded into their design – and this is a benign, if not positive, application of surveillance. We need to be mindful and on the watch for damaging surveillance and hindering acts of control while recognizing that some surveillance, some control, is good and required for a functioning contemporary Internet.

In light of my willingness to accept the value of DPI in network environments, I see a stanch opposition to ‘network intelligence’ as considerably far of the mark. Networks are intelligent, and there is nothing wrong with intelligence so long as it is used in a manner that is clearly beneficial for customers, with legislation and regulations precluding the application of network intelligence for negative purposes. Gaining customer acceptance may require transparency on the part of vendors and ISP’s alike; vendors to explain what their technology does and offer ‘virtual tests’ of the technology as is done with some consumer routers, and ISPs to explain why and how they have deployed the equipment. As awareness of how the network is intelligent spreads it is possible to engage is a more substantive discussion about the nature of contemporary networks, the challenges perceived by customers, civil advocates, and network operators. As it stands we are regularly subjected to near-dogmatic language from either camp – network neutrality is a meaningless slogan vs. smart networks are the death of the Internet – that is arguably misleading and polemic.

Given the different regulatory environments, we cannot expect supporters of network neutrality to adopt similar language in their advocacy – RIPA is clearly something that doesn’t enter North American debates, whereas different wiretapping laws and consumer protections are drawn on in American cases, and Canada regularly sees the language of privacy and consumer rights presented by its advocates – but this shouldn’t prevent researchers and other interested parties from identifying common advocacy principles to see what does and does not work. Further, any such comparative project ought to try and identify differences that arise when there is greater transparency (either required by regulation or performed on a voluntary basis) surrounding the development, deployment, and usage of the technologies. This would (and, in Canada, did) enable advocates to more clearly articulate their messages while also alleviating some of the concerns that emerge when our communications systems are mediated by an unknown technical power, in unknown manners, for less than clear corporate means.

Citizens of Canada, the US, and UK need to understand how their communications are regulated and have a clear and valued voice in shaping the structure of their communications systems; citizens along with government and business, as opposed to business and deep packet inspection alone, must be responsible for choosing the ‘winning’ applications that facilitate digital communications across the Internet.

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Draft: What’s Driving Deep Packet Inspection in Canada?
3. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities

The result of the wireless competition in Canada is this: Canadians actually enjoy pretty fast wireless networks. We can certainly complain about the high costs of such networks, about the conditions under which wireless spectrum was purchased and is used, and so forth, but the fact is that pretty impressive wireless networks exist…for Canadians with cash. As any network operator knows, however, speed is only part of the equation; it’s just as important to have sufficient data provisioning so your user base can genuinely take advantage of the network. It’s partially on the grounds of data provisioning that we’re seeing vendors develop and offer deep packet inspection (DPI) appliances for the mobile environment.

I think that provisioning is the trojan horse, however, and that DPI is really being presented by vendors as a solution to a pair of ‘authentic’ issues: first, the need to improve customer billing, and second, to efficiently participate in the advertising and marketing ecosystem. I would suggest that ‘congestion management’, right now, is more of a spectre-like issue than an authentic concern (and get into defending that claim, in just a moment). Before diving into this issue, however, I want to be up front with you: much of what I’m going to be referencing in this post is from last year (2009) because I’ve had a pile of stuff I’ve meant to write about but haven’t had the time until recently.[1] I don’t think that this invalidates what I’m writing, but think that you deserve to know ‘when’ quite a few of the links will lead to.

Let’s begin with the issue of mobile ‘data hogs’. Last December, AT&T started making noises that iPhone users were ‘data hogs’ and some kind of extended monetization strategy was required. An economic solution was preferred on the basis that (a) it would generate revenue for AT&T; (b) economics are typically seen as a stellar way of dissuading popular use of expensive new and emerging technologies. In AT&T’s specific case, of course, there were questions about the degree of actual mobile 3G investment but, more significantly, the question of whether ‘data hogs’ were actually the problem.

You see, contemporary smart phones, such as the iPhone, iterations of Android, and Palm Pre, have been designed to maximize their battery life. Unfortunately, this life creates enormous problems for cellular towers. From Ars Technica, we find that:

… the iPhone uses more power saving features than previous smartphone designs. Most devices that use data do so in short bursts—a couple e-mails here, a tweet there, downloading a voicemail message, etc. Normally, devices that access the data network use an idling state that maintains the open data channel between the device and the network. However, to squeeze even more battery life from the iPhone, Apple configured the radio to simply drop the data connection as soon as any requested data is received. When the iPhone needs more data, it has to set up a new data connection.

The result is more efficient use of the battery, but it can cause problems with the signaling channels used to set up connections between a device and a cell node. Cell nodes use signaling channels to set up the data connection, as well as signaling phone calls, SMS messages, voicemails, and more. When enough iPhones are in a particular area, these signaling channels can become overloaded—there simply aren’t enough to handle all the data requests along with all the calls and messages.

In essence, the issue of congestion at cellular towards may not be a result of ‘data hogs’ but a consequence of how smart phones are being engineered; the backhaul networks are in fine shape, but the particular towers are being overwhelmed. (We might have a discussion/debate on the condition of middle-mile backhaul, but I’m less familiar with those stats so I’m leaving them out.) In the US, let’s not forget that areas with high penetration of smart phones like the Eastern and Western seaboard cities are also home to (a) expensive real-estate; (b) people who oppose the development of large cellular towers in their neighbourhoods (often out of fear of depreciating that expensive real-estate). The first condition means that there is an economic challenge to building towers, and the latter focuses on civil resistance to development that could better balance the ‘smart phone load’. In what I’ve read about deep packet inspection in the mobile market, DPI doesn’t alleviate this kind of problem – it doesn’t ‘correct’ of battery-saving engineering – but where the appliances can be installed under the guise of data hogs they could subsequently be used for (vendor stated) purposes of billing and service differentiation/provision.

At last year’s Canadian Telecom Summit, various vendors and sessions discussed the need to have better customer transparency to ‘improve the customer-service provider relationship’. In essence, they were really describing a desire to develop ‘insight’ into what customers do on mobile and wireline networks to better monetize those relationships, and in almost all cases the same vendors and speakers acknowledged the need to deal with the ‘creepy feeling’ that comes with using DPI and related surveillance architecture for pico-marketing purposes. Few had clear solutions to this, what is arguably the most significant PR issue that limits ISPs’ expansive uses of DPI for profit generation in the wireline and wireless environments.

It’s significant that the only really pressing statement about needing to efficiently manage bandwidth and spectrum came from RIM’s Mike Lazaridis. He was very concerned with actual mobile data usage, and at no point was traffic shaping or monitoring a ‘solution’: improved data compression techniques were the focus of his talk. Here, we had a smartphone vendor focusing on data efficiency itself instead of advocating for traffic shaping and analysis innovation. This strikes me as being very ‘forward thinking’, insofar as it tries to address the underlying issue of data growth instead of trying to find (what I see as) a bandage solution to limit and subsequently monetize this growth. Don’t stop people from using wireless, but learn how to transmit and receive it in a very efficient manner to deliver a solution that customers actually want!

However, it’s important that we not lose sight of the fact that DPI isn’t exclusively intended for traffic management but also to extend vision into the data stream – a data stream, I might add, that unless encrypted is almost entirely public facing. The drive to this transparency is confirmed by Allot Communications’ Cam Cullen, who last year noted that,

[t]he stats and visibility that DPI provides at the access and applications layer lets mobile operators build better service plans for congestion control and feed that data into mobile billing systems to support things like roaming and advice of charge.

To begin: data transparency can facilitate improved service offerings and let network providers more intelligently expand and develop their networks. You can learn what parties you might want to approach about setting up content delivery networks, what the trends in data usage are, and so forth. All of this can be invaluable in making the hard decisions of what to invest in, where, and why.

It is the potentialities of price, service, and customer discrimination that worry both PIAC and doctoral student Fenwick McKelvey. Having spoken with representatives of PIAC, the worry is that any such discrimination will generate inefficient economic situations for customers – they’ll pay higher costs, for less – and McKelvey similarly questions the fairness of any such differentiations. As I’ve understood McKelvey’s position, DPI facilitates an artificial differentiation based on economics rather than efficiency: you charge more for streaming video because it’s profitable, not because the economics of charging for streaming video improve the network situation.

I would suggest that it is a combination of DPI’s bad press, and the kinds of stories that would be generated if telecommunications providers stated they were using DPI for billing reasons, that billing isn’t a public-facing explanation ISPs present for introducing DPI into the mobile environment. I would, however, assert that billing and advertising are key motivating factors: the former allegation based on vendor statements and the latter based on less-public vendor statements and ISP discussions I’ve been privy to.

Even after all of this, there is a question of ‘so what?’

Where DPI and other traffic management solutions are publicly deployed to attend to a particular area of the telecommunications companies’ business (e.g. bandwidth management, customer billing, tiering service) it strikes me as dishonest to subtly extend them into other areas of the business without first, very publicly, alerting both customers and appropriate regulatory bodies. In the case of advertising, Canadian ISPs are expected to report to the OPC and CRTC if they ever decide to use DPI for advertising or discrete user-history analysis, but the same ISPs arguably have to meet a low bar to meet the OPC’s disclosure requirements concerning their actual uses of DPI.

Far more significantly, whereas the CRTC has maintained a hands-off approach to regulating wireless – and thus implicitly permitted discrimination in the wireless environment – that might be changing. In the forthcoming hearings in October and November entitled “Proceeding to review access to basic telecommunications services and other matters” we might see the beginning of an anti-discrimination regulatory framework that would address the economics of cellular service. The CRTC has been dropping ‘wireless’ into more regulatory hearing documents recently, which may suggest a transition away from their general forbearance approach and, if so, I expect that the work performed by PIAC and others will be leveraged to try and establish a policy of non-discrimination in the Canadian mobile market. Any such regulation will likely have a very real impact on the permissibility and conditions of deploying DPI appliances in mobile networks, as well as publicly lay bare whether any Canadian ISPs are interested in, or already moving to implement, mobile traffic management facilitated by DPI appliances. If last year was the year of wireline network management/neutrality in Canada, we might get lucky and see this one as the transition year that leads to a public discussion about Canadian telecommunications companies’ wireless network management/neutrality practices, with discrimination as the focal topic.

*********

[1] For the past eight or nine months I’ve been preparing for and writing doctoral candidacy exams. The last exam was recently concluded, leaving me with the new title of ‘Doctoral Candidate’ and time to get back to what I love: network analysis, surveillance, and digital privacy!

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Choosing Winners with Deep Packet Inspection
3. Deep Packet Inspection and the Discourses of Censorship and Regulation

While I pay attention to copyright developments in Canada and abroad, and have strong stances on how academics and the Canadian government should licence their publications, I’m not a lawyer. I do, however, know that government documents in Canada are governed by Crown Copyright – unlike in the US, the Canadian government maintains copyright over its publications – and thus I wanted to check with the CRTC if there were any problems hosting documents from their site, including those presumably under a Crown copyright such as the CRTC’s decision.

Today I spoke with someone at the CRTC and received word that I could rehost the documents, without any problems. They were ‘in the public domain’ and so I could do with them what I wanted. I was pleased to hear this, as I wasn’t sure if the Reproduction of Federal Law Order would apply to the filings of private companies – it should apply to the CRTC’s decision itself, but as the order is written it’s ambiguous (to me) where and how private filings ‘fit’. In any case, I’ll take the CRTC’s word and be pleased that their public notice filings, including the filings by private corporations, are ‘public domain’ works and not governed by crown copyright. In case someone is wondering why I even bothered checking with the CRTC, given that my intended uses of the works arguably fall under under the research and review criteria of Canada’s fair dealing provisions, I expected that my use was legitimate but wanted to check with some lawyers that I was actually in the clear. I didn’t want to have a project go live, only to receive lawyer-grams from the CRTC or private companies! The CRTC has lawyers, and I thought it’d be a decent idea to draw on their expertise. Had I gotten a baffling response (e.g. no, for copyright reasons you cannot host anywhere else!) I’d have gotten a second opinion.

So, that’s fine and good: I can use the documents. It was the rest of the conversation that was particularly interesting, and more than a little disturbing.

I learned that the CRTC occasionally removes documents included in public filings and, far more significantly, sometimes changes the actual documents themselves without notifying anyone, not ever parties who were involved in the public notice. Such changes are made to correct misstatements of fact, to redact content already on the record or make available incorrectly redacted content, and so forth. This has far-reaching implications: closed public notices can have documented modified, where such modifications could potentially have affected public awareness of the notice as it was ongoing. In the case of some ‘corrections’, this could be incredibly important: what if in PN 2008-19 (and this is entirely hypothetical and meant as an example: I have ABSOLUTELY NO REASON TO BELIEVE THIS IS THE CASE) it turned out that one of TELUS’ redacted sentence was made available to the public, and it stated that TELUS was in early consideration stages of using Deep Packet Inspection in their networks? Such a ‘correction’ would have substantial effects on the arguments put forward by various civil advocates, and would render someone who was not involved with the public notice as it was ongoing very confused about the apparently contradictory filing between (in this example) TELUS and public advocacy groups. Thus, not only do these secretive changes risk contaminating later research, but it could also undermine public confidence in the public notice process itself.

The other very interesting copyright-related item that I learned was that, while hosting the documents isn’t a problem, were I to scrape and do a check-sum between what I have hosted and what the CRTC hosts that would be considered a copyright infringement. The gentleman I spoke with professed not understanding how that would be a copyright issue, and was just passing on the message from the lawyers, but it’s incredibly bizarre. In effect, it states (to me) that I can host but cannot check to guarantee that what I’m hosting is ‘the most accurate/recent version’ unless I want to eyeball the documents and look for ‘corrections’ that may or may not be announced anywhere in the document or public notice website itself. From a government transparency point of view, this is deeply concerning: members of the public, if aware of the potential for relatively secretive changes to public filings, cannot automate any system to watch for such changes without running afoul of lawyers. The resources thus required to ‘check up’ on the CRTC would be enormous for the poorly funded civil advocacy groups and members of the public (neither eyeballs or time are in abundant supply!). Moreover (and again, I am not a lawyer!) in my reading a check-sum or something like it is required to actually comply with Canadian copyright law. The law,

authorizes anyone, unless otherwise specified, to copy federal legislation, statutes, regulations, court decisions and tribunal decisions without the usual restrictions that govern Crown copyright materials, provided that one is careful to ensure the accuracy of the materials reproduced and that the reproduction is not represented as an official version. (emphasis added)

Given that I’ll be hosting documents, to ‘carefully ensure the accuracy of the materials reproduced’ aren’t I required to set up some automated system, given that the CRTC can potentially just change or remove documents without any public notification or transparency? Does this mean that compliance requires me to manually check on a daily/weekly/monthly basis that all the files on the CRTC’s webpage are exactly as they were when I first copied them?

Admittedly, these changes to documents in public notices are supposed to happen ‘fairly rarely’ and there isn’t any reason to expect that the filings for PN 2008-19 (which is what I’m interested in for this project, right now) are going to change. It’s possible that there was miscommunication as a result of interjecting an intermediary between myself and the CRTC’s lawyers. I’m very happy that I can host the filings for PN 2008-19 and that all of the items in that filing (including the CRTC decision) are apparently ‘public domain’ and thus outside of crown copyright. Those are all great things and I appreciate that the CRTC was fairly quick in getting back to me (it took about 4 business days). I’m far less impressed with secretive changes happening to public filings, and am disturbed by the position that scraping for check-sum purposes would somehow violate copyright.

I’m not a lawyer, and I’ll be following this up with the CRTC to try and get additional transparency into what’s going on. Hopefully there was just a miscommunication; I would understand if regular scraping was a problem because it could bog down their servers, and that on that basis they could drum up DDOS charge or something, but to construe server access to guarantee I’m hosting the most up-to-date documents with a copyright violation is mind boggling, and screams of misuse of copyright to this non-lawyer.

Other posts you might be interested in:

1. Update: CRTC PN 2008-19 ISP Filing Summary Document
2. Will Copyright Kill eHealth?
3. Update: CRTC PN 2008-19 Filings

1. They can continue to throttle ‘problem’ applications in the future;
2. The CRTC decides to leave the wireless market alone right now.

I want to talk about the effects of throttling problem applications, and how people talking about DPI should focus on the negative consequences of regulation (something that is, admittedly, often done). In thinking about this, however, I want to first attend to the issues of censorship models to render transparent the difficulties in relying on censorship-based arguments to oppose uses of DPI. Following this, I’ll consider some of the effects of regulating access to content through protocol throttling. The aim is to suggest that individuals and groups who are opposed to the throttling of particular application-protocols should focus on the effects of regulation, given that it is a more productive space of analysis and argumentation, instead of focusing on DPI as an instrument for censorship.

Let’s first touch on the language of censorship itself. We typically understand this action in terms of a juridico-discursive model, or a model that relies on rules to permit or negate discourse. There are three common elements to this model-type:

1. Such a thing cannot be permitted
2. Preventing a thing from being said
3. Denying that such a thing exists

Many people writing about DPI (including myself) have often relied on points (1) and/or (2) in our worries that the technology could be used to absolutely prohibit a particular protocol-type, or that certain things will be prevented from moving across networks using fingerprint and hash-based analyses of data transfers. While no ISP has stated that P2P doesn’t exist (the present traffic management hearings in Canada have seen ISPs focus on P2P as the reason for needing DPI appliances), ISPs such as Rogers have stated that none of their customers have complained about the throttling of P2P traffic.

I think that many censorship discussions about DPI broadly correspond with the worries around ‘netscapes of power’. Winseck (2003) has suggested that such netscapes are intended to “buttress market power and to regulate behaviour through network architecture, the privatization of cyberlaw, surveillance, and the creation of walled gardens.” In a recent paper, “What’s Driving DPI?“, I suggest that we can understand contemporary netscapes through the lens of delayed access to content. Whereas walled gardens let network providers (e.g. AOL Online) perfectly capture subscriber information, and generally try to centralize network intelligence in the network rather than the ends of the network (Zittrain 2008), I would suggest that Deep Packet Inspection can be understood as a productive form of regulation that facilitates access to particular content, without totally denying access to non-preferred content-types and repositories. Unlike the walled garden of AOL Online, Canadian customers can use application-types that their ISPs deem ‘problem applications’ (such as P2P), but using these application-types means that customers will suffer delays. As I will touch on shortly, even a few milliseconds can have significant consequences for using particular content portals; while ISPs claim that a few more minutes to download content is practically nothing, I would suggest that contemporary research puts those claims in question.

Whereas in a netscape of power, such as Winsecks, censorship revolves around the banning of, or prohibiting access to, content, perhaps a contemporary understanding of censorship could relate to development of extensive knowledge concerning individual and their habits, and a willingness to exploit their behaviours. Such censorship does not need to ban content outright; delaying it is sufficient to encourage consumers to use ‘preferred’ data protocols. Moreover, with an awareness of the discrete individual, not just what they do but why they do it, it is possible to preemptively target them for broadband packages using language that appeals to their ‘inner nature’. In effect, instead of talking about ‘censorship’, we can shift to a discussion of ‘consumer and citizen regulation’.

Google recently tested the effects of content delays; they found that when search results were delayed from 100 to 400 milliseconds that users were less and less likely to run searches using Google, even if the service was restored. While the argument could be made that a Google-to-P2P analogy is an apples-to-oranges comparison, I would suggest that Google’s experiment betrays a central consumer truth: in a digital economy, where consumers are regularly taught that ‘faster is better’, the fastest content delivery system that is convenient is (or becomes) the preferred content delivery system. Where P2P access is delayed, and is generally a pain in the butt to get working, non-P2P file transfer systems will be preferred. Where ISPs are also content providers, this means that they can often deliver the same, or similar, content immediately to the individual. In the face of slow or immediate content, consumers will tend to prefer the immediate.

An advantage of thinking through the productive uses of DPI, and its effects in regulating content access, is that we can ask more interesting questions about the discourses and networks of power are in operation around DPI than are afforded through discourses focused on censorship. There are already good people looking at this – Ralf Bendrath and Fenwick McKelvey have both been looking at DPI in this light – and I think that a regulatory framework offers useful ways of understanding the norming effects of DPI. Norming speaks to the mediation of consumers’ desires, aims, and networks of power penetrating them, whereas censorship tends to focus on preventing such networks from spawning, or (worse) obfuscates the actual existence of these networks where they already exist. Further, I think that regulation lets us ask those questions like; “even in the face of CRTC regulation that stops throttling of particular application-types, what are (or have been) the actual effects of regulating data protocols?”

This all having been written, if Google’s test does carry over to the realm of ISPs’ regulation of content delivery mechanisms, then it is possible that even a CRTC decision that prevents subsequent targeting of P2P may not matter: the ‘damage’ might already be done. The real risk, then, is that if ISPs are permitted to target ‘problem’ application types in the future, they can (effectively) encourage and discourage particular protocol uptake. This threatens to situate ISPs as regulators of emerging Internet protocols.

As regulators (and not censors), ISPs can easily navigate public criticism relying on traditional understandings of ‘censorship’ because the ISPs can refer back to that three point model, written above, and say ‘our actions don’t fit that model’. ISPs as regulators are, however, vulnerable to critiques of the very modes and effects of their regulations – they are vulnerable to explicit analyses of the effects of their norming actions (e.g. throttling P2P and making Direct TV available to the same consumer). Only by engaging with, and exploiting the internal logics of, ISPs-as-Content-Providers’ discourses are these discourses likely to be disrupted and shifted towards more appealing regulatory discussions and frameworks. Note that these are shifts, however, as opposed to stopping the discourse entirely. I have serious doubts that such a cessation of discourse on DPI can ever actually take place, though who or what orients future power formations remains an open (and thus actionable) question. Ultimately, as I’m thinking about things right now, it seems that focusing on regulatory discourse is far more promising than almost exclusively attending to a discourse of censorship, given censorship’s vulnerabilities to ISP-generated critique and rebuttal.

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Deep Packet Inspection and Mobile Discrimination
3. Draft: What’s Driving Deep Packet Inspection in Canada?

Massive surveillance of digital networks took off as an issue in 2005, when the New York Times published their first article on the NSA’s warrantless wiretapping operations. The concern about such surveillance brewed for years, but (in my eyes) really exploded as the public started to learn about the capacities of DPI technologies as potential tools for mass surveillance.

DPI has been garnering headlines in a major way in 2007, which has really been the result of Nate Anderson’s piece, “Deep packet inspection meets ‘Net neutrality, CALEA.” Anderson’s article is typically recognized as the popular news article that put DPI on the scene, and the American public’s interest in this technology was reinforced by Comcast’s use of TCP RST packets, which was made possible using Sandvine equipment. These packets (which appear to have been first discussed in 1981) were used by Comcast to convince P2P clients that the other client(s) in the P2P session didn’t want to communicate with Comcast subscriber’s P2P application, which led to the termination of the data transmission. Things continued to heat up in the US, as the behavioural advertising company NebuAd began partnering with ISPs to deliver targeted ads to ISPs’ customers using DPI equipment. The Free Press hired Robert Topolski to perform a technical analysis of what NebuAd was doing, and found that NebuAd was (in effect) performing a man-in-the-middle attack to alter packets as they coursed through ISP network hubs. This report, prepared for Congressional hearings into the surveillance of Americans’ data transfers, was key to driving American ISPs away from NebuAd in the face of political and customer revolt over targeted advertising practices. NebuAd has since shut its doors. In the US there is now talk of shifting towards agnostic throttling, rather than throttling that targets particular applications. Discrimination is equally applied now, instead of honing in on specific groups.

In Canada, there haven’t been (many) accusations of ISPs using DPI for advertising purposes, but throttling has been at the center of our discussions of how Canadian ISPs use DPI to delay P2P applications’ data transfers.In 2008 Bell and the Canadian Association of Internet Providers (CAIP) got into a regulatory scuffle over Bell’s use of DPI appliances to throttle wholesale customers. Wholesale customers are ISPs (e.g. TekSavvy, Execulink) who purchase bandwidth with the intention of reselling it, whereas retail customers are (in Bell’s case) customers of Bell Sympatico. Bell had already been throttling their own retail customers’ P2P traffic, but unexpectedly began impacting wholesale data traffic flows on the basis that they had to manage the entirety of their network. Bell was required to justify their use of DPI to modulate data traffic flows, and at the end of they were told that since they were discriminating against both retail and wholesale customers that the application of DPI was fair. Konrad von Finckenstein, head of the CRTC, noted that this decision was just the ‘tip of the iceberg’ – more hearings into network neutrality were coming…

Over the course of the Bell v. CAIP proceeding, Canadians really started hearing a lot about ‘network neutrality‘. This term really has (at least) three principles (not necessarily inclusive, or mutually exclusive) behind it:

1. Net Neutrality as an end-to-end principle, where the ISP should not concern itself with the protocols or applications that are being used to transmit data.
2. Net Neutrality as Nonexclusionary Business Practices; where ISPs should not be permitted to apply surcharges to application/service providers to carry their traffic.
3. Network Neutrality as Content Nondiscrimination; where ISPs should not discriminate against messages/packets based on their content.

While I would argue that Tim Wu, Jack Goldsmith, and Lawrence Lessig are recognized as championing points (1) and (2), it is (3) that I personally find most worrying. In Canada, CIPPIC, SavetheNet.ca, P2Pnet, Michael Geist, and PAIC have all taken facets of these network neutrality principles to heart in their discussions of how Canadian ISPs throttle traffic and oppose the position that network neutrality is, in fact, laughable.

With the most recent CRTC public notice about traffic management, the language has against shifted to network neutrality, privacy, and drawn DPI appliances back into the spotlight. The CBC has put up an article that gives a nice overview of the present situation of this notice, and what each of the players are looking to get out of the proceeding. What is distinctly different between the present hearing and the CAIP v Bell hearing, is that advocates of network neutrality can try to leverage the language that ISPs used during the New Media hearing a few months ago to demonstrate that ISPs are not presenting a coherent position on DPI to the CRTC. What remains unchanged, of course, is that Sandvine continues to assert that network neutrality simply doesn’t exist, with Juniper Networks maintaining that there is a qualitative different between the Internet of the past, and the Internet of the present and future.

The hearings will be continuing for the next few days. CIPPIC is live blogging each day, and Michael Geist has been producing summaries of each day’s activities. If you want to learn about congestion, from a semi-technical point of view, head over to Security Now’s podcast on the subject; it’s a bit dated (and a bit long, at almost 90 minutes), but still informative and worth your time. Further, the Office of the Privacy Commissioner of Canada has a website devoted to DPI, and Ralf Bendrath has written a post pulling together an excellent collection of papers that have been written about the technology.

Hopefully, with this post and its links, you’ll be able to delve into the DPI discussions with a slightly broader background to what the technology is, and the controversies that have erupted thus far about it in North America. If you think I’ve missed a clearly critical article/event that’s taken place, and pertains to the North American situation, leave a note in the comments!

Other posts you might be interested in:

1. Choosing Winners with Deep Packet Inspection
2. Deep Packet Inspection and Consumer Transparency
3. Draft: What’s Driving Deep Packet Inspection in Canada?