I’m intending this to be the first of a few posts on network neutrality.[1] In this post, I exclusively work through the principles suggested by Verizon-Google. In this first, and probationary, analysis I will draw on existing American regulatory language and lessons that might be drawn from the Canadian experience surrounding network management. My overall feel of the document published by Verizon-Google is that, in many ways, it’s very conservative insofar as it adheres to dominant North American regulatory approaches. My key suggestion is that instead of rejecting the principles laid out in their entirety we should carefully consider each in turn. During my examination, I hope to identify what principles and/or their elements could be usefully taken up into a government-backed regulatory framework that recognizes the technical, social, and economic potentials of America’s broadband networks.

Background

Before jumping into my discussion of the proposed Verizon-Google principles, I want to provide some background to the network neutrality discussion underway in the US. This background will, ideally, introduce newcomers to the discussion of net neutrality with a basic understanding of political lay of the land that preceded the Verizon-Google policy framework. I want to make clear that I’m not providing a fully comprehensive contextualization, but a basic outline to assist you in placing the policy framework in relation to ongoing processes.

Since a federal appeals court ruled against the FCC in their case against Comcast’s usage of deep packet inspection equipment, the American telecommunications regulator has been struggling. After its defeat in court, the FCC quickly announced its ‘third way’. This is an effort to realign how broadband carriers are regulated in the US. The carriers are presently classified as ‘information services’ instead of ‘telecommunications services’, which limits the FCC’s ability to adjudicate how ISPs actually manage their services. To draw ‘information services’ more significantly into the FCC’s regulatory fold, Chairman Julius Genachowski has proposed that the transmission of broadband Internet access is a telecommunications service, though the actual content that is transmitted is outside of the FCC’s purview. The third way has been incredibly poorly received by major telecommunications carriers and had, in part, been responsible for closed-door meetings between the FCC and net neutrality stakeholders. These meetings were meant to establish a regulatory framework that met network neutrality principles while moderating FCC regulation.

Many of the folks involved in network neutrality are the same people deeply invested in the copyfights of the past decade; Lessig, the EFF, CDT, and similar groups have witnessed the negative consequences of industry-driven back room dealings for copyright extension. [2] While some public interest groups attended the closed-door network neutrality meetings, their involvement was, reputedly, fairly minor.[3] Hopefully as time goes on, more light will be shed on the actual suggestions and compromises proposed in these meetings between public advocates, their corporate counterparts, and the FCC staff in attendance.

While the FCC-driven meetings were ongoing, Verizon and Google had their own private negotiations on what a national broadband policy might look like. This policy was published August 9, 2010 after a weekend of rumors; Edward Wyatt at the New York Times broke a story (“Google and Verizon Near Deal on Web Pay Tiers“) suggesting that Google would pay for ’special carriage’ on Verizon’s network, and in return Google’s services would faster than those of their competitor. This fee-for-carriage suggestion was denounced by Google, but may have led to a premature release of the Verizon-Google policy document we have today.

As a policy position paper, the document by Verizon-Google has been incredibly effective in energizing discussion around network practices and reinvigorating the discussion in the public eye. The actual framework that was released is helpful, insofar as there are some decent elements, but clearly it needs revision.

For the rest of this post, I will be performing brief and tentative analyses of each principle of the Verizon-Google document. This will often see me refer to prior FCC policies, Canadian regulatory decisions, and academic works around network management and power relations. It’s not intended to be fully comprehensive, but an early effort to collect my thoughts. If you don’t have the time, or desire, to read through these analyses in detail feel free to jump to the end where I’ve tried to briefly summarize my positions. You’ll lose some of the context of the argument, but should leave with a working understanding of my present positions on each principle. I’ll state up front that I’m neither entirely opposed, nor entirely in favour of what Verizon-Google have provided; I’m most interested in picking up their ‘homework assignment’ (as described by Vint Cerf) and playing with the results rather than trying to independently assert a set of principles around network neutrality.

Principle One: Consumer Protections

A broadband Internet access service provider would be prohibited from preventing users of its broadband Internet access service from: sending and receiving lawful content of their choice; running lawful applications and using lawful services of their choice; and connecting their choice of legal devices that do not harm the network or service, facilitate theft of service, or harm other users of the service. There have been serious concerns about the focus on ‘lawful’ in this principle, as there should be. Does this mean that service providers would be justified in throttling, blocking, or otherwise degrading delivery of ‘unlawful content’? How would the differentiation between lawful and non-lawful content types be identified? What constitutes a lawful application and service; is this a reference to some kind of sanctioned and non-sanctioned set of application protocols?

There are considerable concerns around the integration of ‘unlawful’ throughout this principle. Specifically, there are worries that this could lead to systematic blocking of ‘bad’ content and applications. Rather than (exclusively) directing vehement anger towards the corporate giants that have included this in their framework, however, perhaps we should consider the source of this principle. In FCC 05-151, approved in 2005, the FCC outlined the four ‘Internet freedoms’. In principle one, the Commission adopts the principle;

To encourage broadband deployment and preserve and promote the open and interconnected nature of the public Internet, consumers are entitled to access the lawful Internet content of their choice.

This first principle, as written by the FCC, recognizes that consumers are only entitled to access lawful content. The addition in the Verizon-Google proposal is to extend ‘content’ to applications and services as well. Per Carterfone, consumers can attach devices, and make use of the network, so long as the attachments and uses do not damage the network itself. The language “any lawful device” in the Carterfone decision permits the attachment of answering machines, fax machines, and modems to the network at the ends. Applying the principle of charity, I presume that including the language ’services and applications’ in the Verizon-Google document is intended to clarify the rules laid down in Carterfone. A serious concern, however, is that neither the FCC nor the Verizon-Google policy framework extend the lessons of Carterfone to wireless networks; principle six of the Verizon-Google framework is an attempt to forebear regulation of wireless networks and the FCC has historically been unwilling to extend Carterfone to wireless Voice over Internet Protocol (VoIP) services. Thus, the policy framework issued August 9, 2010 can be seen as integrating the FCC’s already existing position into the corporate-created document.

What can we take away from this principle then? I would suggest that the principle is conservative, insofar as it closely adheres to earlier regulations set forth by the FCC. While we can continue to be worried about ‘lawful content’ in an era where network surveillance practices might be deployed to discriminate between lawful and unlawful content, and ‘harmless’ versus ‘harmful’ application types, the principle established by Verizon-Google isn’t itself pushing the bar very far. Concerns around this principle speak to already existing worries and concerns around network management, concerns derived from existing FCC policies. While there is good reason to be involved in a discussion about ‘lawful content’ and ‘lawful applications’, we need to remind ourselves that this isn’t a novel form of language being assumed by Verizon-Google.

Principle Two: Non-Discrimination Requirement

In providing broadband Internet access service, a provider would be prohibited from engaging in undue discrimination against any lawful Internet content, application, or service in a manner that causes meaningful harm to competition or to users. Prioritization of Internet traffic would be presumed inconsistent with the non-discrimination standard, but the presumption could be rebutted.

Attention must be paid to the phrase ‘meaningful harm to competition or to users’. Adding small amounts of delay to content delivery times can seriously impact the likelihood that users will use a service and/or continue to receive content from the ’slow’ source. Not only can this potentially cause visitors to never return to your product/site – perhaps instead going to fast products and services provided by the ISP that are guaranteed to be fast – but in the case of websites can impact your visibility via lower Google Pagerank ratings. Slow speeds can have real economic impacts.

The Canadian network neutrality/traffic management hearings included language bordering what is included in the Verizon-Google principle. Specifically, when writing about delaying or slowing down Internet traffic, the CRTC notes (n.126-127) that;

… use of an ITMP [Internet Traffic Management Practice] resulting in the noticeable degradation of time-sensitive Internet traffic will require prior Commission approval under section 36 of the Act.

With respect to non-time-sensitive traffic, the Commission considers that the use of ITMPs that delay such traffic does not require approval under section 36 of the Act. However, the Commission is of the view that non-time-sensitive traffic may be slowed down to such an extent that it amounts to blocking the content and therefore controlling the content and influencing the meaning and purpose. In such a case, section 36 of the Act would be engaged and prior Commission approval would be required.

If we assume that even rudimentary policy learning or interpretation might occur, then the Verizon-Google principle could be read as articulating something resembling what the CRTC has already established. Small-content creators don’t exactly love the CRTC decision, nor even large content creators like the CBC, but adopting something like the Canadian approach would, again, be relatively conservative in the context of North American telecommunications regulation.

Critical commentators are, however, rightfully concerned over the last sentence of the principle. Under what possible conditions could it by non-discriminatory for certain Internet traffic to be prioritized! Wouldn’t such an action add too much ‘intelligence’ to the network, undermining end-to-end arguments?

Perhaps, but not necessarily. At the past two Canadian Telecommunication Summits, pro- and anti-DPI advocates have suggested that a compromise position might be that traffic prioritization is permissible in a network architecture where the user has control over how their own traffic is prioritized. This is a relatively benign approach to traffic management, one that is (arguably) empowering where accompanied by clear user education and accessible user-interfaces. Prioritization is less desired when the telecommunications carrier makes a unilateral decision, without accepting input from the user-base that is substantively drawn into the service providers’ decision-making framework. It is this unilateral decision capacity that has commentators (rightfully) worried; carriers aren’t terribly well known for their active engagement with their customer bases.

While an ideal might be to strip out this last sentence, I almost wonder if having it there is helpful. Carriers have spoken of their prioritization/deprioritization of particular traffic-types; ‘bulk’ traffic is given a lower priority than traffic that is jitter-sensitive. As I understand it, the concern is that particular applications (i.e. Verizon’s own VoIP solution) will be prioritized, rather than a concern that particular application-types (i.e. VoIP in general, which would include both Verizon’s solution, Skype, and other VoIP providers). Perhaps we could ’simply’ rewrite the sentence in a way to differentiate between application prioritization (bad and not allowed) and application-type prioritization (not necessarily bad, and potentially permissible). Such a distinction would permit prioritization, and were the service provider required to appear before the FCC before implementing the prioritization some ex ante oversight could be performed. Further, such prioritization schemes could be required to come up for independent review periodically. Such reviews would be aimed at preventing new application-types entering the market from being set at a competitive disadvantage on the basis that other application-types receive benefits from packet prioritization.

Principle Three: Transparency

Providers of broadband Internet access service would be required to disclose accurate and relevant information in plain language about the characteristics and capabilities of their offerings, their broadband network management, and other practices necessary for consumers and other users to make informed choices.

The transparency principle, again, is relatively conservative. It parallels the requirements of the Office of the Privacy Commissioner of Canada (OPC) concerning the use of deep packet inspection, where ISPs are required to note how the technology is used in their respective networks, the FCC’s own principle of transparency, and the position on transparency assumed by the CRTC.

In a response to a complaint brought by CIPPIC, the OPC required Bell Canada to include information on how the ISP uses DPI on their webpage. Bell now has a link on their privacy policy page to their network management practices, fulfilling the OPC’s transparency-related requirements.

In the case of the FCC, their proposed ’sixth principle’ reads as follows;

…providers of broadband Internet access must be transparent about their network management practices.

Finally, the CRTC has a more detailed account of transparency as it relates to traffic management practices, stating that ISPs must disclose five elements of technical management systems to consumers. Specifically, ISPs must disclose:

1. why ITMPs are being introduced;
2. who is affected by the ITMP;
3. when the Internet management will occur;
4. what type of Internet management (e.g. application, class of application, protocol) is subject to management; and
5. how the ITMP will affect a user’s Internet experience, including the specific impact on speeds.

Ideally, were the Verizon-Google principle fleshed out by the FCC, the regulator would adopt a set of guidelines similar to those set down by the CRTC. Further, the regulator would adopt the requirements of the OPC, though ideally the FCC would be slightly clearer on what is meant for information to be ‘clear’ to an end-user; I remain unconvinced the burying information in a privacy policy, which then links to additional technical details in the depths of Bell’s website, constitutes ‘clear’ disclosure to most of Bell’s consumers.

This said, while the principle as outlined by Verizon-Google leaves room for improvement, it also extends on the sixth principle established by the FCC. As such, I (again) suggest that this element of the corporate framework is conservative because it hews closely to existing or proposed transparency principles amongst North American regulators.

Principle Four: Network Management

Broadband Internet access service providers are permitted to engage in reasonable network management. Reasonable network management includes any technically sound practice: to reduce or mitigate the effects of congestion on its network; to ensure network security or integrity; to address traffic that is unwanted by or harmful to users, the provider’s network, or the Internet; to ensure service quality to a subscriber; to provide services or capabilities consistent with a consumer’s choices; that is consistent with the technical requirements, standards, or best practices adopted by an independent, widely recognized Internet community governance initiative or standard-setting organization; to prioritize general classes or types of Internet traffic, based on latency; or otherwise to manage the daily operation of its network.

Network management is an interesting issue, and while the principle is ‘conservative’ we should question how it is structured on two grounds. First, with respect to the use of an independent (non-FCC) body to determine best practices and standards, and second in the sense that ‘reasonable network management’ procedures are policy-driven, and less technically oriented. Both of these suggestions are contentious and so I spend a bit of time here in speaking to both points.

Under the Canadian decision, ISPs can manage traffic (i.e engage in network management practices) to ensure network security or protect network integrity. Economic management techniques – those where consumers are billed for excessive usage – are preferred, but technical measures can be deployed in limited fashions as required. The policy principle provided by Verizon-Google captures the issues of security and congestion addressed by the CRTC. Charitably, we can read ‘unwanted traffic’ as referring to email spam, virus laden packets, and other harmful data transmissions coming to, and trying to exit, the ISP network. Such actions are already commonplace amongst many (most? all?) Western ISPs and  are helpful because they protect ‘the ends’ from harm while preserving the network’s overall capacities.

The reliance on a standards-setting organization can be read as good – bodies such as the IETF are reputable – or bad – if these bodies are taken to mean American-only ISP/content provider ’standards’ groups. Concerns have been trumpeted that the latter groups are the referent in this policy principle, but I still haven’t seen actual evidence of that this is, indeed, the referent. A related concern is that, per this principle, were an ISP in compliance with a standards body they would be free from direct FCC regulation. This is true, to a point: at the moment, the FCC’s control over the direct technical capacities of most networks is limited, insofar given that Internet governance bodies are already international groups that (often) escape any particular nation’s all-encompassing sovereign power. Mueller (along with his various colleagues) has written a considerable amount on Internet governance;[4] he has argued that, contra Goldsmith and Wu, nation-states cannot entirely assert their sovereign power in the control of national networks in light of the expanded number of partners in governing global digital networks. Nation-states, and their various institutional organs, can exert considerable influence but not absolute sovereignty over the technical infrastructure of the Internet and expect full integration with the rest of the ‘net.

The concerns about prioritizing particular kinds of content could be problematic, but is equally likely to be helpful. If an ISP actively works to reduce jitter resulting from economically unmanageable congestion then, so long as such prioritization schemas are made public and conform with international best-practices, they can be understood as appropriate, or at least acceptable. Note that this shouldn’t mean that technical measures should permanently be used to manage congestion; shifts to DOCSIS 3.0 and fiber are preferable long-term solutions to managing congestion towards the last mile (where congestion is often most prominent and problematic) but limited technical resolutions may be required as capital expenditures are mobilized to improve the physical network.

From this, I suggest that what Verizon-Google is proposing in this principle is somewhat conservative, and would be entirely conservative if the principle recognized the FCC’s involvement in regulating network management practices. I’ll address a possible division of FCC/international bodies’ responsibilities in a minute, but will ‘tease’ you by stating that granting international bodies ultimate responsibility over the technical elements of network management practices doesn’t necessarily herald the end of the Internet. This statement is made in light of the fact that non-governmental technical bodies already govern various facets of the Internet’s existing infrastructure through the standards setting process.

Before discussing a possible FCC/international bodies division of labor, however, I need to distinguish between the terminology of ‘reasonable network management’ and ‘network management’. I agree with an element of Paul Ohm’s paper that interrogates ISP practices in the US. Ohm identifies reasonable network management as having gained prominence in America following a 2004 speech by Chairman Powell, and the FCC has since adopted reasonable network management as a policy position. While ‘network management’ is a technical issue – Ohm recognizes it as referring “to the activities, methods, procedures, and tools that pertain to the operation, administration, maintenance, and provisioning of networked systems” (1462) – ‘reasonable’ network management is a broader, policy-informed, management apparatus. Specifically, Ohm argues that “it describes not an engineering principle, but a policy conclusion made by weighing the legitimate technological and business goals of network management with what society deems reasonable in light of many principles, including privacy” (1461).

If we accept the division of ‘network management’ and ‘reasonable network management’ as outlined by Ohm, then there is a concern that standards bodies would, in fact, be incapable of establishing ‘reasonable’ network management standards. They could establish network management standards, but without an insight into the realities of particular ISPs and content providers’ relationships, and the economic models underlying these parties, the international groups would be unable to pointedly provide granular international standards.

In light of this potential difficulty I suggest that the policy and economic factors of ‘reasonable network management’ could be kept entirely within the purview of the FCC, while the technical facets of ‘network management’ could be put under FCC purview on a probationary basis. On this basis, where novel management approaches are used those techniques would be regulated by the FCC until an appropriate international technical body came to a conclusion on whether the novel approach adhered to international best practices. The FCC could engage in a consultation, or related, process to integrate those standards into national policy, which would (effectively) see the FCC engage in policy learning/harmonization in technical issues with the global Internet governance community.

This suggestion creates a ‘two-track’ approach to regulation; one that lets America assert its norms and values in management practices, and another that limits over-exuberant novel management techniques while still enabling a flexible technical networking culture. In sum, the two-track approach would see the US retain national/regional sovereignty over non-technical issues – privacy, economics, free speech and so forth – and permit existing international governance bodies to develop the best practices for a functioning Internet community.

Principle Five: Additional Online Services

A provider that offers a broadband Internet access service complying with the above principles could offer any other additional or differentiated services. Such other services would have to be distinguishable in scope and purpose from broadband Internet access service, but could make use of or access Internet content, applications or services and could include traffic prioritization. The FCC would publish an annual report on the effect of these additional services, and immediately report if it finds at any time that these services threaten the meaningful availability of broadband Internet access services or have been devised or promoted in a manner designed to evade these consumer protections.

The additional services proviso has resulted in considerable worries; would this create a two-track Internet, a ‘public’ and a ‘private’ Internet? Would there be price differentials between the services made available over these two Internets?

I’ve already identified a problem with the prior network management principle; let’s assume that the dual track approach is acceptable and so ISPs are prevented from gaming the system to prioritize and deprioritize traffic in a relatively ad hoc manner. I approach the principle of additional online services in two parts: first, from the point of offering ‘other services’, and second, concerning the FCC’s (lack of) regulatory power enshrined in this principle.

Novel bandwidth provision for specialized services happens right now; if you have IPTV coming into your home then your service provider either has, or soon will, segregate a portion of the bandwidth coming into your home to prioritize your IPTV traffic. Rogers and Shaw, Canadian ISPs, have publicly noted that they differentiate bandwidth in their networks so that certain portions are available to different traffic-types. Bandwidth is already provisioned to guarantee certain services at the expense of others.

The wording, ‘clearly differentiated services’, noted in this principle may see some of that aggregate bandwidth provisioned to provide instant-on services, such as a dedicated secure line to your bank[5] or links to an ISP-hosted home monitoring/security system. Such ‘discrete’ uses of the network are not necessarily bad and, in fact, you can imagine that various consumers would welcome the ability to set priorities on various services or receive ‘specialty’ services that are not available over the top. This said, a very real concern surrounding bandwidth segregation and provisioning can be read through Winseck’s work on “netscapes of power”,[6] where a service provider uses their institutional power to impact content/service availability for economic gains. Such differentiation subtly pushes consumers to the service providers’ own offerings in lieu of ’slower’ third-party, often over the top, offerings.

The FCC should step in whenever there is a netscape of power manifests. This said, a netscape is not necessarily established through the provision of ISP-specific services; such services can be complementary with non-ISP, over the top, services. In the language of Jonathan Zittrain,[7] the ISP-exclusive feature might be the equivalent of an ‘appliance-use’ of the network that competes with ‘generatively-derived’ web systems. Zittrain worries that appliance-like systems (e.g limited-use hardware/software interactions) threaten the ‘generativity’ of the Internet itself. Generativity is defined as a “system’s capacity to produce unanticipated change through unfiltered contributions from broad and varied audiences” (70) but, so long as the ‘public Internet’ is made unconditionally available, I suggest that the generative Internet can peacefully cohabitate with the appliance-Internet.

Let me introduce an example of an instance where appliance-Internet and generative-Internet are arguably not cohabitating. This lack of successful cohabitation results in what appears as a netscape or power, and indicates the value of establishing clear rules for rebalancing the appliance- and generative-Internet. Many Canadians are excited that Netflix, a streaming video service, is finally coming to Canada. Unfortunately, almost immediately after the service was announced one of Canada’s largest ISPs significantly reduced the monthly data caps available to its users. This will reduce the amount of content that Canadians using that ISP can receive from Netflix, ‘encouraging’ those consumers to use the ISP’s own content systems that do not count towards a monthly data cap. This is an example of a netscape of power because an ISP is creating a soft wall around its provisions and encouraging the use of in-house content provision at the expense of Netflix. Arguably, this is a case where an appliance – cable TV offerings – is at odds with the generative Internet. The appliance/generative balance is potentially skewed in this case.

Given the worrying appearance of the imbalance between appliance/generative bandwidth provisions, a regulator should investigate this scenario, possibly on anti-competition grounds. Recognizing that these (anti)competitive activities happen in a converged marketplace, the FCC could avoid the present Canadian situation by developing a heuristic for determining whether the ‘appliance-Internet’ was being used to limit the possibilities of ‘generative-Internet’. Such a heuristic would permit carriers to provide their ‘clearly differentiated services’ while setting clear conditions on how those services operate in relation to generative Internet offerings. Wherever and whenever a netscape was identified the ISP might be forced to adjust their appliance/generative balance. My attention, here, is that a balance is possible. That ISPs want to offer unique services is not necessarily bad in themselves, but such services must be carefully watched and regulated.

Of course, this assumes that the FCC would have a role in adjudicating the appliance-Internet, and the principle outlined by Verizon-Google attempts to forebear that kind of interference. A report is not the same as regulation; the FCC needs to retain regulatory power to prevent a creation of semi-walled gardens, where consumers can venture out from beyond an ISP’s walls but at significant economic or temporal cost. Thus, while appliance and generative networks can potentially function alongside one another without significant difficulties, regulatory oversight must be retained to ensure that the relationship is acceptable.

Principle Six: Wireless Broadband

Because of the unique technical and operational characteristics of wireless networks, and the competitive and still-developing nature of wireless broadband services, only the transparency principle would apply to wireless broadband at this time. The U.S. Government Accountability Office would report to Congress annually on the continued development and robustness of wireless broadband Internet access services.

Anyone who is surprised to see this principle is either new to network policy discussions or has remained willfully ignorant of the ever-present discussions around regulating wireless. ISPs want to keep regulatory authorities at bay from their markets as long as possible, and this principle is just another articulation of this desire. With this in mind, it’s important to note that regulators have generally been hesitant to get involved in regulating wireless broadband in North America. It was roughly nine months after Canada’s traffic management hearings that wireless was drawn into the wireline management framework. The initial forbearance of regulation on wireless caused considerable concern in Canada – Canadians, like their American counterparts, recognize that wireless is the future of broadband markets – but such forbearance was (relatively) quickly reversed. Any principles established by the FCC that include forbearance on wireless could see the same rapid reversal.

Thus, I would suggest that the Verizon-Google principle is conservative. This isn’t to say that such conservatism is necessarily a good thing – nor it is necessarily indicative that I agree with ISP concerns about spectrum scarcity[8] – but that the conservatism is understandable. Ideally, should a principle resembling the Verizon-Google proposal for the wireless market make its way into a regulatory framework it would include a proviso that the issue of wireless regulation would be taken up again within clearly stated period of time. This might let the FCC conduct its own investigations into how it wants to approach the wireless environment, effectively buying it some breathing room without permanently committing (or being committed to) to wireless forbearance.

Principle Seven: Case-by-Case Enforcement

The FCC would enforce the consumer protection and nondiscrimination requirements through case-by-case adjudication, but would have no rulemaking authority with respect to those provisions. Parties would be encouraged to use non- governmental dispute resolution processes established by independent, widely-recognized Internet community governance initiatives, and the FCC would be directed to give appropriate deference to decisions or advisory opinions of such groups. The FCC could grant injunctive relief for violations of the consumer protection and non-discrimination provisions. The FCC could impose a forfeiture of up to $2,000,000 for knowing violations of the consumer-protection or non-discrimination provisions. The proposed framework would not affect rights or obligations under existing Federal or State laws that generally apply to businesses, and would not create any new private right of action.

Principle seven has been heavily criticized, and rightly so. This said, for all of the problems inherent in maintaining that the FCC must limit their regulation of ISPs, some of the suggestions in this principle could adhere to my earlier division between what the FCC might be responsible for and what international standards bodies might be involved in.

The FCC requires rulemaking authority, a capacity to determine what ‘meaningful harm’ is defined as, and the regulator should have its full set regulatory tools to respond to violations of consumer protection laws. I would note that this is also an area where the FTC’s Bureau of Consumer Protection might get involved, as implicitly recognized in the principle’s last sentence. That the FCC should effectively abandon its roles, and rulemaking in particular, makes much of this principle a non-starter.

Having made this claim, however, the position that the FCC would be directed to “give appropriate deference to decisions or advisory opinions of such [independent, widely-recognized Internet community governance] groups” isn’t necessarily bad. If we adopt the division of responsibilities between the FCC and international bodies that I previously articulated in Principle Four (Network Management), a suitable division of labor might be met. To remind you, this division saw the FCC regulating norms and values governing ISPs’ ‘reasonable’ network management, accompanied by limited regulation in non-standardized technical management processes. Technical deference was given to international groups like the IETF after they established technical standards; such ‘formalized’ standards would then be harmonized with FCC policies concerning appropriate technical management of networks within the US. Under this schema an appropriate balance between international groups and the FCC could be struck.

It is important that any independent governance group is international, given that this prevents America’s service providers from assuming the technical policy reins themselves. Further, by separating the ‘reasonable’ from standardized network management practices we might avoid situations where ‘reasonable network practices’ (i.e. policy and business considerations merged with technical realities of the day) are ingrained into the independent policy standards that emerge. Thus, the position that the FCC gives deference to an “independent, widely-recognized Internet community governance” group could be massaged. Whether such massaging is desired, however, is a question and issue extending beyond my efforts here.

Principle Eight: Regulatory Authority

The FCC would have exclusive authority to oversee broadband Internet access service, but would not have any authority over Internet software applications, content or services. Regulatory authorities would not be permitted to regulate broadband Internet access service.

The FCC’s own third way is an effort to extend the definition of ‘access’ to include the transmission of broadband Internet access as a telecommunications service. Under the third way, this means that where an ISP did the equivalent of slowing down a telephone call (let’s not get started on how ugly metaphors will probably get under a third way approach…) then the FCC could step in whenever such delays meaningfully impact the delivery of the telecommunications service. This, in effect, would apply common carrier provisions to ISP services and enable the FCC to stop ISPs from engaging in either unjust or unreasonable practices towards services and applications. Under the third way, however, the FCC would still be prevented from regulating subscription rates or applying various other Title II regulatory tools.

With this in mind, we can see how Principle Eight is designed to stop the third way in its tracks. As I read it, by stemming what ‘access’ refers to the Verizon-Google framework attempts to circumvent the FCC’s reclassification of broadband providers from ‘pure’ information services to information services with limited common carrier requirements. The principle is incredibly important to Verizon (probably less so for Google) if it is to terminate the third way. Given the FCC’s defeat to Comcast, the third way is essential if the regulator is to gain power over how providers manage their networks. I can see nothing in this principle that should be maintained, save that the FCC should continue to have exclusive authority to oversee broadband Internet access services.

Principle Nine: Broadband Access for Americans

Broadband Internet access would be eligible for Federal universal service fund support to spur deployment in unserved areas and to support programs to encourage broadband adoption by low-income populations. In addition, the FCC would be required to complete intercarrier compensation reform within 12 months. Broadband Internet access service and traffic or services using Internet protocol would be considered exclusively interstate in nature. In general, broadband Internet access service providers would ensure that the service is accessible to and usable by individuals with disabilities.

Adopting a principled approach to using the USF for broadband deployment strikes me as entirely reasonable, and is something that the FCC has been mulling for some time. This said, while carriers often argue that ‘intercarrier compensation reform’ will lead to overall lower broadband and phone rates for end-customers, this isn’t always the case. A concern is that reform will serve to (further) advantage large broadband carriers and (further) disadvantage smaller carriers that often struggle with intercarriage rates. While it might be argued that smaller carriers just have to swallow those rates as the cost of doing business, this translates into disadvantaging (often rural) consumers that may not have access to larger carriers’ networks. Further, the combination of opening up the USF, combined with potentially higher carriage raters, could be leveraged by larger carriers to compete with some rural carriers by rolling out their own networks using USF funds and cutting prices, while simultaneously requiring those same carriers pay out more money for carriage. Should this happen (and I stress that this is a hypothetical) I worry that rural customers would be put in an even worse situation than they often are now.

Conclusions

So, at the end of all of this, what do I think? As stated earlier, many of the principles seem relatively non-problematic and/or conservative in the context of North American telecommunications regulation. Others are deeply concerning. Below are brief summaries of the earlier arguments; they lose some of the nuance, but I think effectively capture my overall position on each principle.

Principle one, addressing consumer protections, doesn’t strike me as ‘dangerous’ as suggested by some when it’s juxtaposed against existing FCC policies around lawful content and applications.

Principle two, speaking to non-discrimination, doesn’t strike me a terribly problematic either. So long as regulatory authority is exercised over the decision to prioritize certain traffic, and that traffic is prioritized based on application- or traffic-type as opposed to particular applications (i.e. prioritize VoIP, not Verizon’s VoIP service) then even the potential to prioritize particular classes of traffic isn’t necessarily harmful.

Principle three, addressing the need for transparency, is entirely acceptable. Ideally the principle would hew to decisions in Canada, where there are rules for what information ISPs must provided and how it is provided, or further improve upon the Canadian requirements. Preferably, information on traffic management would be more prominent than on some Canadian ISPs’ websites, but simply requiring that the information is available is a good step in the right direction.

Principle Four, on the topic of network management, is potentially problematic insofar as it limits FCC oversight. I have suggested that there be a division in what is and isn’t overseen by the FCC, a division reflective of some realities of Internet governance. In short, a two-track system would be established. The FCC would retain regulatory authority over non-technical issues such as privacy, economics, free speech, and so forth, and regulate novel instantiations of network management. It would ultimately harmonize technical management practices with standards established by international governance bodies such as the IETF.

Principle Five, concerning additional online services, has justifiably elicited a considerable degree of concern. I suggest that appliance-Internet services do not inherently endanger the generative-Internet, but that regulatory authority is required to ensure that carriers do not create contemporary netscapes of power. The FCC, as such, requires more than report-writing powers and thus Verizon-Google’s proposed ‘check’ to balance carrier power is insufficient as written by the corporate giants.

Principle Six maintains that the FCC should forebear regulation of the wireless environment. I note that similar language emerged in the Canadian network management proceedings, and that the CRTC shortly thereafter included wireless services in the management framework. As a result, the principle here doesn’t strike me as ’scary’, insofar as principles can be mediated in the future, but I admit that I hold the following opinion: wireless regulation is critical given that the future of broadband is wireless, and the FCC will have to get involved at some point. Canada has decided that the time for regulation is now, and including a proviso to revisit any forbearance on wireless regulation in the US is necessary should a decision be made to not immediately regulate wireless.

Principle Seven, case-by-case enforcement, needs to be significantly reworked. The FCC needs to retain rulemaking authority. This said, a ‘compromise’ might involve the measure noted under principle four, where there is a distinction between the ‘reasonable’ elements of network management and the technical elements of network management. The former would be exclusively under the jurisdiction of the FCC, and the latter would be largely drawn from international bodies’ proposed best practices and standards.

Principle Eight is designed to stop the third-way; as I read it the principle is an attempt to gut common carriage provisions for information services. Such a provision would be a massive setback for the FCC; this principle needs to be rejected out of hand.

Principle Nine is interesting; using the USF for broadband deployment in under serviced areas is relatively uncontroversial, but when combined with a renegotiation of intercarriage rates (which will likely increase rates for smaller ISPs) there is a risk that larger ISPs will draw on the USF to compete in regions exclusively serviced by smaller ISPs while raising carriage rates. When competition is combined with higher carriage rates the smaller ISPs may be endangered, which could hurt rural consumers. The principle doesn’t necessarily have to be rejected out of hand, but serious thought should go into the combined effects of USF for broadband and (likely) higher intercarriage rates.

As a final note, I want to iterate that while this is an area that I study, I learn more about it every day. What I’ve written are early, probationary thoughts. While I certainly hold the positions articulated in this post, those positions are subject to change with new information. If you disagree with me and/or think that I’ve misunderstood or misread things, please feel free to let me know; I’m actively interested in expanding my knowledge in this sphere of telecommunications policy. Given that this is an area of research I’ll be developing on for the next several months, all input is appreciated.

Footnotes

[1] I should note that I’m incredibly uncomfortable with the term ‘network neutrality’ for various theoretical reasons. I hope to spell out these theory-based dislike to the term in the future. For the purposes of limiting the expansiveness of this post, I’ve avoided delving into these dislikes here, but such avoidance should not be taken as either agreeing with the premises of the term itself nor with an acceptance of any particular theory or framework of network neutrality.

[2] For a spectacular reveal of how copyright law is traditionally drafted in the US, see “The Art of Making Copyright Laws” and “Copyright and Compromise” in Litman’s Digital Copyright.

[3] For a full list of those consulted, the the ‘Stakeholder Meetings‘ post over at the Official Blog of the National Broadband Plan.

[4] For more, see Cowhey and Mueller. (2009). “Delegation, Networks, and Internet Governance” in Networked Politics: Agency, Power, and Governance (ed. Kahler). See also, Mueller. (2002). Ruling the Root and Bendrath and Mueller. (2010). “The End of the Net as We Know It? Deep Packet Inspection and Internet Governance” via SSRN.

[5] The notion of direct, secure, banking services was stated during an interview between Peter Nowak and Vint Cert.

[6] Winseck. (2003). “Netscapes of power: convergence, network design, walled gardens, and other strategies of control in the information age” in Surveillance as Social Sorting: Privacy, Risk and Digital Discrimination (ed Lyon).

[7] For the full argument, see Zittrain. (2008). The End of the Internet – And How to Stop It.

[8] I admit to being taken by Cooper’s (2010) position paper entitled “The Myth of Spectrum Scarcity: Why Shuffling Existing Spectrum Among Users Will Not Solve America’s Wireless Broadband Challenge“.

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Analysis: ipoque, DPI, and Network Neutrality
3. Choosing Winners with Deep Packet Inspection

In this post I’m going to spell out what the changes actually mean – what duties and responsibilities, in specific, the CRTC is responsible for – and what traffic management on mobile networks would entail. This will see me significantly reference portions of the Canadian Telecommunications Act; if you do work in telecommunications in Canada you’ll be familiar with a lot of what’s below (and might find my earlier post on deep packet inspection and mobile discrimination more interesting), but for the rest this will expose you to some of the actual text of the Act.

In amending the forbearance framework the CRTC is entering the regulatory domain on several topics pertaining to wireless data communications. Specifically, wireless providers are now subject to section 24 and subsections 27(2), 27(3), and 27(4) of the Act. Section 24 states that the “offering and provision of telecommunications service by a Canadian carrier are subject to any conditions imposed by the Commission or included in tariff approved by the Commission.” In effect, the CRTC can now intervene in the conditions of service that carriers make available to other carriers and the public. Under 27(2) carriers can no longer unjustly discriminate against or give unreasonable preference towards any person. This limitation includes the telecommunications carrier itself and thus means that neither fees nor management of the network can be excessively leveraged to the benefit of the carrier and detriment of other parties.

Under 27(3) the CRTC can determine as a question of fact whether carriers have complied with sections 25 (broadly dealing with tariffs), 27 (which concerns the monitoring and enforcement of elements of the Act) or 29 (where the CRTC must approve working agreements between carriers). Further, a question of fact may be used to determine whether a carrier is in compliance with a decision concerning sections 24 (on the conditions of service), 25, 29, 34 (addressing issues of forbearance) or 40 (concerning the connection of facilities between carriers or other facilities).

Broadly, what all of this means is that the CRTC has stepped aside from their position that potential regulation could negatively injure the state of competition in Canada’s wireless market. This isn’t to say that they are regulating, but that they have stepped away from their traditional stance of forbearance around wireless. The shift isn’t terribly surprising given the rise of new entrants to the mobile space in Canada such as Mobilicity and Wind Mobile, as well as the multitude of high speed data networks in the country.

Also important is that the CRTC has decided to apply the Internet Traffic Management Proceedings (ITMP) framework, emergent from the ITMP Decision, to the wireless environment. In short form, this means that the rules Canadian carriers have to follow when they throttle or modify data packets on wireline connections (i.e. the cables running into your home/business) now apply to the wireless space. The shift isn’t surprising, save that it happened relatively shortly after last year’s decision to forbear a decision on the wireless space but had been previously announced as an element of the broader Proceedings to review access to basic telecommunications services and other matters. For practical purposes few will realize any difference in the provision of their wireless data services this week than they did last. It does, however, lay the conditions under which throttling and packet modification appliances can be used. These appliances include those with deep packet inspection functionality.

The ITMP framework identifies what a carrier must do whenever there is a complaint levied to the CRTC concerning the use of a traffic management technique or technology. Specifically the carrier must:

• Describe the ITMP being employed, as well as the need for it and its purpose and effect, and identify whether or not the ITMP results in discrimination or preference.
• In the case of an ITMP that results in any degree of discrimination or preference:
  • demonstrate that the ITMP is designed to address the need and achieve the purpose and effect in question, and nothing else;
  • establish that the ITMP results in discrimination or preference as little as reasonably possible;
  • demonstrate that any harm to a secondary ISP, end-user, or any other person is as little as reasonably possible; and
  • explain why, in the case of a technical ITMP, network investment or economic approaches alone would not reasonably address the need and effectively achieve the same purpose as the ITMP.

Of course, this requires the a complaint be levied: such an action is challenging given that where a customer is dealing with properly installed traffic management gear the equipment is effectively invisible. Determining a problem thus requires a very technically savvy customer or group and/or bad configuration by the carrier(s). As such, the Framework remains useful but mired in some potential implementation problems. More likely any complaint will result from a modification to terms of service between an Incumbent Local Exchange Carrier (ILEC) and Competitive Local Exchange Carrier (CLEC).

What will be fascinating to watch, as a researcher, is whether with Decision Canadian carriers begin deploying traffic management equipment capable of scanning the payloads of mobile data packets. Moreover, if/when the technologies are deployed will we see a trojan-horse like approach in mobile that we did in wireline – will is first be used for subscriber management, then for throttling, then for sending messages over through the browser? If/when they do deploy the technology, will they immediately and publicly update their traffic management policies to reflect the analysis of wireless traffic or will it take another complaint to the Office of the Privacy Commissioner of Canada to ‘encourage’ such modifications? Hopefully after a round in front of the CRTC and OPC carriers will willingly put packet inspection information where the public can easily find it (i.e. not buried in terms of service and changed without notification in the dead of night) but only time will tell. Overall, the decision to implement the traffic management framework is certainly a positive step forward and confirms my earlier hopes that a policy of non-discrimination in the Canadian wireless market would be adopted. The next step will be to watch and see whether deep packet inspection-based equipment is deployed in wireless environments in a transparent fashion or not.

Other posts you might be interested in:

1. Comment: Canadian ISPs and Internet Traffic Management
2. Deep Packet Inspection and Mobile Discrimination
3. Some Data on the Skype iPhone Application

At the Canadian Telecom Summit this year, mobile operators such as TELUS, Wind Mobile, and Rogers Communications were all quick to pounce on the problems facing AT&T in the US. AT&T regularly suffers voice and data outages for its highest-revenue customers: those who own and use smart phones that are built on the Android, WebOS (i.e. Palm Pre and Pixi), and iOS. Each of these Canadian mobile companies used AT&T’s weaknesses to hammer home that unlimited bandwidth cannot be offered along mobile networks, and suggested that AT&T’s shift from unlimited to limited data plans are indicative of the backhaul and/or spectrum problems caused by smart devices. While I do not want to entirely contest the claim that there are challenges managing exponential increases in mobile data growth, I do want to suggest that technical analysis rather than rhetorical ‘obviousness’ should be applied to understand the similarities and differences between Canadian telcos/cablecos and AT&T.

Ars Technica recently provided a delightfully transparent, technically savvy, piece concerning the problems O2 in the UK encountered with the iPhone, and extrapolates that insight to the problems before AT&T. Central to the problems on both networks is how the iPhone (and related smart devices) actually conserves power. Specifically:

Most devices that use data do so in short bursts—a couple e-mails here, a tweet there, downloading a voicemail message, etc. Normally, devices that access the data network use an idling state that maintains the open data channel between the device and the network. However, to squeeze even more battery life from the iPhone, Apple configured the radio to simply drop the data connection as soon as any requested data is received. When the iPhone needs more data, it has to set up a new data connection.

While this has the benefit of saving on battery power it can have the effect of overloading the signalling channels that the devices use to communicate with cellular towers. While network equipment can dynamically shift spectrum to signalling channels as needed to mitigate the problem, the network nodes may not be able to set up data sessions or get valid network addresses from overloaded DHCP servers. Ars’ source at O2 states that “data capacity is rarely the problem—nodes themselves can usually handle much more data than is flowing through them. However, the networks need to be configured to handle a growing number of devices connecting and disconnecting at a much higher rate than they’ve been accustomed to.”

To be a bit more technical, we can turn to what a person working in the telecom industry stated in the comments associated with the Ars article:

The iPhone breaks 3GPP compatibility in the way it operates (going from Cell-DCH/Cell-FACH directly to IDLE cutting the connection to the network). Keepalives in the applications then cause the phone to open a new connection to the network after only a few seconds. In a normally operating phone, it would just continue using the existing connection since the connection is not cut in between. So the main blame to be placed lies in the iPhone. It doesn’t follow spec. Imagine you making phone calls and hanging up every time, your talk-buddy stops talking. Then dialing again to respond. That’s effectively what’s going on. Other phones (except the new kids on the block following Apple’s lead) don’t hang up in between. The talk is that signalling increases are in the thousandfold range (that’s hearsay though).

These are both technical responses and considerations of the problems facing the AT&T and other global networks: in neither the Ars article where they reached out to technical folk, nor in the case of the telecom worker speaking out to Ars, nor in a similar piece by NSN do we see a statement like: mobile operators need spectrum because otherwise they will end up with the AT&T situation. Spectrum, while helpful in somewhat alleviating the problems associated with the non-spec way that Apple and other smart device OS developers have set up power savings, is not an actual solution. What is required is a combination of updated towers/network equipment and terminals (i.e. phones) that actually comply with international specifications.

What can we take away from this point? First, we need to hear from the technical experts actually responsible from configuring the network equipment and analyzing failures of service. In listening to these individuals some light might be shed on the marketing platforms and rhetoric which is used to obfuscate the actual situations that mobile operators find themselves in. Second, we learn that backhaul bandwidth isn’t really a problem; bandwidth is, in fact, reasonably plentiful regardless of the substantial hike in mobile data traffic.

Unfortunately, without some light being shed into the debate on bandwidth caps and spectrum, we will sleepwalk into a world where the regulatory-normative conditions for participating in the mobile environment will favour limited, and specific, forms of content consumption. Creation will be strictly limited because of tiny upload caps and incredibly punitive overage charges that are drastically out of line with the realities of data transport costs.

In the case of AT&T, again, there is a variable cost of data that indicates 1GB of mobile data either “costs” $75/month (based on the DataPlus plan, where 200MB of data costs $15) or $12.50 – $10/GB (based on the DataPro plan, where the initial 2GB of data works out to $12.50/GB, and each additional GB of data incurs a $10 surcharge). Augmented reality, the integration of high-definition video in smart phones, application stores, streaming video and music, and other high-data services that include both downloading and uploading data are soon to be prohibited by a socially accepted rhetoric of ‘bandwidth hogs’, a rhetoric obfuscating technical realities and threatening to stifle real innovation in the mobile environment. Moreover, with the insistence that wireless can only be a side-channel to a ‘full’ broadband experience (read: wired broadband) telecommunications operators are able to ‘double dip’ and prevent people from cutting the cord and going entirely wireless. Worryingly, the adoption of the rhetoric that is immersed in the pseudo-truths of CEOs and marketers appears to have captured regulators who are not protesting the absurd costs of data traffic that is being imposed on relatively ignorant customers.

One might be inclined to say that mobile operators should be able to charge whatever the market will bear, but this ignores regulators’ unwillingness to let the market bear incredibly high prices for food or fuel (housing is another matter entirely…). While wireless isn’t yet at the same level of importance as food or fuel, the movement towards the Internet of Things, where devices will be dependent of wireless transmissions to provide basic services while consuming (seemingly) precious amounts of bandwidth, threatens to bankrupt a homestead. Broadband is rapidly becoming a utility in Canada and the United States, insofar as essential services are provided over the Internet and there is a rapid march towards getting customers and citizens to adopt a wireless existence. Requiring citizens move towards online forms of engagement, marketing services based on their wireless connectivity, and then turning around and not protecting the customer from price gouging is simply wrong, and the government should examine the actual competitiveness in mobile ecosystems as well as regulate the permissible rate of return on mobile data provision.

As the economics of mobiles are presently oriented the adoption of wireless by either Canada’s or the United States’ citizenry is a poison apple: wireless might be a delightful experience for the first 30 days or so but the 31st day (bill day!) threatens to cripple smart phone users with punitive and seemingly non-uniform data pricing (e.g. 1GB on AT&T costing either $75 or $12.50). Imagine receiving a bill for 40GB of mobile data use…that came in at $405! A wireline connection provided by most Canadian ISPs will grant at least 20GB/month more than that at a cost of $35-45. While slightly higher costs may be incurred for wireless over wireline broadband, the present scale of difference is disproportionate to the actual costs (and challenges) that are actually faced in either of these domains, and especially so in the wireless space.

Unless an accessible and technical outline of why mobile data has to cost an order of magnitude more money to deliver a 33% smaller amount of data than wireline broadband transmission, customers and regulators alike should demand a forced correction of present ISP pricing practices and begin holding mobile vendors to the fire, just as we do oil and gas companies whenever absurd charges for gasoline and oil are witnessed in the marketplace. Failure to be proactive in this space, failure to protect the consumer and provide an ecosystem for application developers to create the next killer mobile app, and failure to hold ISPs accountable for their social responsibilities to provide fast and cost-accessible mobile broadband, threatens to transform North America into an innovation ghetto, where innovation might emerge but is too expensive to actually be implemented and enjoyed on the continent from which it is born.

Other posts you might be interested in:

1. Deep Packet Inspection and Mobile Discrimination
2. Traffic Management on Mobile Gets Regulated
3. Bell Mobility and Solo Mobile make mobile Internet access safer

As part of an early bit of thinking on this, I want to direct our attention to Canada, the United States, and the United Kingdom to start framing how these jurisdictions are approaching the use of DPI. In the process, I will make the claim that Canada’s recent CRTC ruling on the use of the technology appears to be more and more progressive in light of recent decisions in the US and the likelihood of the UK’s Digital Economy Bill (DEB) becoming law. Up front I should note that while I think that Canada can be read as ‘progressive’ on the network neutrality front, this shouldn’t suggest that either the CRTC or parliament have done enough: further clarity into the practices of ISPs, additional insight into the technologies they use, and an ongoing discussion of traffic management systems are needed in Canada. Canadian communications increasingly pass through IP networks and as a result our communications infrastructure should be seen as important as defence, education, and health care, each of which are tied to their own critical infrastructures but connected to one another and enabled through digital communications systems. Digital infrastructures draw together the fibres connecting the Canadian people, Canadian business, and Canadian security, and we need to elevate the discussions about this infrastructure to make it a prominent part of the national agenda.

The Canadian Situation

In Canada, there has been a substantial amount of attention directed towards the use of DPI equipment since 2007 when CAIP filed a complaint about Bell’s use of the technology to affect how CAIP customers’ data traffic was being transmitted through Bell’s infrastructure. The result of Bell v. CAIP, and the 2008/9 CRTC investigation into how DPI is used by ISPs more widely, was positive in some lights and devastating in others. Positively, out of the 2008/9 investigation the CRTC asserted:

• the blocking of content is prohibited unless approved by the CRTC;
• when noticeable degradation of service for time sensitive services occurs, then a traffic management system amounts to controlling the content or influencing its meaning. As such, any actions that create such a degradation require approval by the CRTC;
• the CRTC affirmed that it works in a complementary fashion with the Privacy Commissioner of Canada and that telecommunications providers are held to a higher standard than that contained in PIPEDA alone. Critically, not only are primary ISPs prohibited from using data gathered from traffic management for anything other than management actions, but “the Commission directs all primary ISPs, as a condition of providing wholesale services to secondary ISPs, to include, in their service contracts or other arrangements with secondary ISPs, the requirement that the latter not use for other purposes personal information collected for the purposes of traffic management and not disclose such information.”
• economic measures are preferred to technical traffic management processes;
• the delaying of non-time sensitive services (e.g. email, peer-to-peer, FTP, etc) does not require CRTC approval.

Of course, this didn’t forbid ISPs from using DPI – something that was unlikely to happen – but did put strong conditions on what was and was not permissible use of DPI. What remained permissible was that delaying non-time sensitive services (e.g. email, peer-to-peer, FTP, etc) does not require CRTC approval, and wholesale ISPs both remain affected by DPI and can expect to receive a mere 30 to 60 day notification before primary ISPs make material changes that would affect wholesale ISPs. The privacy element of the ruling was reinforced in the Privacy Commissioner of Canada’s ruling on deep packet inspection, which required Bell to note on their website that personal information (i.e. subscriber ID and IP address) was briefly collected (and then quickly discarded) in the ongoing use of DPI. Emergent from the CRTC and OPC’s decisions, we can comfortably say that Canada has a strong set of regulatory bones when it comes to DPI and network neutrality; what’s left is fleshing the bones out, which will hopefully happen over the coming months and years.

The United States of Inspection

As we turn our gaze south of the 49th parallel, we see that DPI has been used in various ‘exploratory’ ways. Arguably, it was the use of DPI for behavioural advertising – by the company NebuAd and various ISP partners – and incredibly disruptive treatment of peer-to-peer filesharing applications that brought the technology into the media more widely. In the former case, NebuAd partnered with ISPs such as Charter to insert a DPI device in the ISPs’ network environments. Once in the network, it was possible for NebuAd to modify data transfers by creating a new packet and forging the IP address and port information to make the packet appear to come from the original source. Thus, if you were being served a packet from Google or Yahoo!, it would still appear to your computer as though it was delivered from a Google or Yahoo! server. The NebuAd system used TCP’s ACK and SEQ system to stop users’ computers from refusing to accept the forged packet.

Contained within this new packet was a bit of javascript that directed users’ computers to collect a cookie from a NebuAd server; this cookie was then used to track users and to subsequently serve ads that were relevant to the user based on their browsing history. Attempts to delete the cookie led to it simply being re-delivered the next time a user browsed somewhere on the ‘net. This behaviour led researcher Robert Topolski to assert that “NebuAd’s code injected into another’s page source is a cross-site exploit (XSS) and the subsequent behavior of loading cookies it normally would not load is a browser hijack. NebuAd accomplishes its XSS by using what is effectively a classic man-in-the-middle attack.”

In light of the damning evidence that ‘consent’ was never genuinely achieved (in at least one ISP’s case, there was a change to their already massive privacy policy to “inform” customers of the new behaviour) NebuAd was very publicly disciplined in front of the House Telecommunications Subcommittee. Congressman Markey asserted that “Simply providing a method for users to opt-out of the program is not the same has asking users to affirmatively agree to participate in the program.” While NebuAd has lost it’s CEO, is now subject to a class action lawsuit, and itself is dead in the water (though has arguably been reincarnated in the UK as Insight Ready), no legislation have been passed to address behavioural advertising using DPI. A Senate Commerce Committee session in September 2008 led to three of the US’s largest ISPs – AT&T, Verizon, and Time Warner – committing to an “affirmative consent” model for behavioural advertising should the ISPs ever adopt such an advertising system, but no Senate action even attempted to legislate a consent-based model. The Federal Trade Commission (FTC) went ’so far’ as to advocate for voluntary self-regulation of the industry. This regulation encompassed the following principles;

1. Transparency and customer control, which maintains that on every website where data is collected for behavioural advertising that customers are informed of this in concise and clear language with the option of choosing whether their information will collected for these purposes.
2. Reasonable security, and limited retention, of consumer data. In essence, this requires companies to secure data in a manner consistent with FTC data security enforcement and only retain data as long as required for legitimate business purposes.
3. Affirmative express consent for material change to existing privacy promises. Critical is that this principle is meant to apply even when the material change is a result of a corporate merger when such a merger modifies the ways in which companies collect, use, and share information.
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioural advertising. This principle does not actually identify what constitutes sensitive information; the FTC sought input into what classes of information should be considered sensitive and whether the collection of such information should be prohibited by regulation instead of by customer choice.

In the case of using DPI for network management purposes, Comcast was found using TCP RST packets to intentionally disrupt peer-to-peer filesharing programs that were accounting for substantial amounts of data traffic along their networks. The stated issue with the programs was that they generated high levels of congestion; in effect, this meant that a large number of customers’ packets were regularly being dropped as Comcast routers struggled to keep pace with the high levels of peer-to-peer traffic. While at one point the company maintained that it only used RST packets during periods of high congestion, it ultimately admitted that their RST-based system was triggered regardless of overall network congestion and at all times of they day.

As a result of Comcast’s use of DPI to target particular applications and application-types the FCC issued an order requiring the ISP to stop their particular mode of network management using their ancillary authority, or authority that implicitly is derived from past judicial rulings, policy contours, congressional mandate, and telecommunications act. Specifically, the FCC required Comcast to;

1. Reveal the “precise contours” of its network management practices, including the types of equipment used, when they came into use, how they were configured, and where they have been deployed.
2. Come up with a compliance plan complete with benchmarks that explains how Comcast will move “from discriminatory to nondiscriminatory network management practices by the end of the year.”
3. Publicly disclose the details of its new practices, “including the thresholds that will trigger any limits on customers’ access to bandwidth.”

The FCC decision was met with two responses from Comcast. First, the company adopted a protocol agnostic solution to dealing with high-bandwidth usage. This saw them move from using deep packet inspection – which examines the payload of data packets – to shallow packet inspection that is (relatively) limited to examining header information. Under the revised approach, where it is evidenced that consumers are engaged in high-bandwidth activities for 15 minutes or longer they have their packets reclassified to “best effort” from the default “priority best effort”.

Second, the company took the FCC to court, arguing that the FCC had exceeded their authority in determining how the corporation can manage their networks. The courts recently returned with a decision, and it was in Comcast’s favor: the FCC’s order that Comcast stop issuing RST packets using DPI equipment is now invalidated on the basis that the FCC decision exceeded their authority. This sends a message that American telecommunications carriers can use equipment, as they perceive needed, to manage their networks and such usage includes mobilizing DPI to invade and disrupt customers’ packet stream. It remains to be seen how this will affect the differentiation between facilities-based VoIP services that Comcast provides and the (apparent) degradation of non-facilities based VoIP services (e.g. Skype) when network congestion occurs: does the FCC have the right to require equal treatment of these types of service? This will be an interesting matter to see unfold in light of the Court’s decision today. It will similarly be interesting to see if, after the decision, ISPs actually use RST packets to disrupt particular traffic flows or instead avoid this approach given the negative press this technique attracted.

So, where does this all leave the US in comparison to Canada? It means that non-regulated processes are exclusively meant to limit the use of behavioural advertising – but, as demonstrated by Chris Soghoian’s work such self-regulation is practically non-regulation in the advertising business - and that the traffic management questions linger in the air. ISPs in the US managed to get a bit more freedom from the FCC with the decision favouring Comcast, and the FTC has been unwilling to strongly regulate ISPs’ uses of DPI. Thus, the American reality stands in stark contrast to Canada: Canadians have a skeleton of regulated guidelines that ISPs are required to adhere to, whereas the US remains a relatively unregulated market for DPI.

A Note on the UK

I’m not a European telecommunication scholar, and so don’t want to make broad statements about Europe, but am slightly more aware of the UK situation. As such, I’ll limit discussions of Europe to the UK.

Behavioural advertising and content management are key issues facing the UK citizenry. In the former’s case, Phorm has been the UK’s NebuAd and partnered with various prominent ISPs to provide an advertising service. The company’s use of DPI was perhaps even more egregious than in NebuAd’s case, insofar as Phorm’s use involves a series of 307 redirects that result in a cookie being placed on a customer’s computer for tracking and advertising purposes (a great technical analysis of Phorm’s system has been performed by Richard Clayton). Most significantly, Phorm forges the cookie so that it appears to come from the originating website, rather than the Phorm system; under this system you receive a cookie that appears to legitimately come from cnn.com when browsing to that website even though it comes from Phorm. Activists came together and have continuously put pressure on Phorm – often arguing that it’s actions are in violation of of the Regulation of Investigatory Powers Act – and the EU Commission is presently bearing down on the UK for its failure to address the privacy-related concerns accompanying this instantiation of behavioural advertising. (Perhaps in response, we now see Phorm scurrying to Brasil – will Brasilian activists take a stand against the company as UK citizens have?)

The content management issue has come up most recently in the form of the Digital Economy Bill (DEB), where there is a real possibility that ISPs will be required to act as a third-party in disputes between rights holders and those who are accused of infringing on holders’ copyrights. ISPs will be required to work against their own customers, insofar as repeat copyright infringers will be subject to some form of traffic throttling. Whether this involves the use of deep packet inspection, or other technological measures, isn’t entirely clear from the bill but many ISPs in the UK are violently opposed to redeveloping their network architecture to shield the copyright industries’ business models. The DEB, as presently written, makes it unclear what ISPs will actually be required to do, but rights holders seem to favor the inspection or analysis of data traffic, an approach to managing data that might lead to content discrimination or an extension of the already functioning discrimination against particular applications and application-types. From my own research perspective, it will be interesting to see if there is an expansion of the uses of CView on the Virgin network should the DEB be realized as law, and whether the EU would step in if enforcing the DEB results in egregious violations of privacy.

It must be recognized that UK ISPs, like their Canadian counterparts, are actively engaged in throttling particular applications and application-types during peak usage times to mitigate network congestion. Orange UK, as an example, throttles what they term ‘dirty’ protocols – those which “consume as much of the available bandwidth that is available”, with the rejoinder that if the ISP gives such protocols and their associated applications an inch they will try to “take a mile”. Orange, of course, is not exceptional: both BT and Virgin also have traffic management policies, as do most other UK ISPs that I’ve studied.

So, where does this leave the UK in contrast to the Canadian regulatory position on deep packet inspection, and content management more broadly? It remains questionable whether the EU will permit behavioural advertising that is based around DPI equipment, but the UK government itself has not come out against the technology in any meaningful way. In Canada, any use of DPI for behavioural advertising runs up against both the CRTC and OPC. UK ISPs are permitted to use traffic management systems, many of which, I suspect (though haven’t done the research yet to demonstrate), utilize systems that are similar to those in North America. Regardless, UK ISPs, like their Canadian counterparts, are involved in choosing the winning applications and application-types for content delivery though are potentially faced with the possibility of having to soon filter particular content. Canadian ISPs have repeatedly stated that they have no desire to filter content for technical, privacy, and business reasons, and it doesn’t look like a Canadian equivalent of the DEB is coming down the pipeline for a while. Unlike efforts such as Comcast’s, where traffic management is protocol agnostic, we see some Canadian and UK ISPs targeting particular methods of content delivery as clean or ‘dirty.’ Ultimately, Canadian and UK ISPs are similar in their respective approaches to traffic management but differ in respect to both behavioural advertising and (possibly) content filtering.

Network Neutrality in a Western Context?

We began with a note on network neutrality, and it seems appropriate to close on one as well. I firmly believe that network operators need to be able to manage their network in a manner that is transparent to the public, effective, and efficient. This may indeed require the implementation and use of technologies such as deep packet inspection. I would hasten to note that not all DPI is created equally; some excel at analyzing content by extracting and matching content signatures, but others are predominantly marketed and used as security appliances, and yet others for subscriber billing. Instead of resisting DPI as a broad technology, we need to focus on opposing some applications of the technology while praising others. While I’m not making an argument that DPI is a ‘neutral’ technology – it’s a surveillance technology with elements of control embedded into it – I do want to suggest that not all surveillance, not all applications of control, are inherently bad. Parents carry baby monitors with them – monitors that have surveillance as a key value embedded into their design – and this is a benign, if not positive, application of surveillance. We need to be mindful and on the watch for damaging surveillance and hindering acts of control while recognizing that some surveillance, some control, is good and required for a functioning contemporary Internet.

In light of my willingness to accept the value of DPI in network environments, I see a stanch opposition to ‘network intelligence’ as considerably far of the mark. Networks are intelligent, and there is nothing wrong with intelligence so long as it is used in a manner that is clearly beneficial for customers, with legislation and regulations precluding the application of network intelligence for negative purposes. Gaining customer acceptance may require transparency on the part of vendors and ISP’s alike; vendors to explain what their technology does and offer ‘virtual tests’ of the technology as is done with some consumer routers, and ISPs to explain why and how they have deployed the equipment. As awareness of how the network is intelligent spreads it is possible to engage is a more substantive discussion about the nature of contemporary networks, the challenges perceived by customers, civil advocates, and network operators. As it stands we are regularly subjected to near-dogmatic language from either camp – network neutrality is a meaningless slogan vs. smart networks are the death of the Internet – that is arguably misleading and polemic.

Given the different regulatory environments, we cannot expect supporters of network neutrality to adopt similar language in their advocacy – RIPA is clearly something that doesn’t enter North American debates, whereas different wiretapping laws and consumer protections are drawn on in American cases, and Canada regularly sees the language of privacy and consumer rights presented by its advocates – but this shouldn’t prevent researchers and other interested parties from identifying common advocacy principles to see what does and does not work. Further, any such comparative project ought to try and identify differences that arise when there is greater transparency (either required by regulation or performed on a voluntary basis) surrounding the development, deployment, and usage of the technologies. This would (and, in Canada, did) enable advocates to more clearly articulate their messages while also alleviating some of the concerns that emerge when our communications systems are mediated by an unknown technical power, in unknown manners, for less than clear corporate means.

Citizens of Canada, the US, and UK need to understand how their communications are regulated and have a clear and valued voice in shaping the structure of their communications systems; citizens along with government and business, as opposed to business and deep packet inspection alone, must be responsible for choosing the ‘winning’ applications that facilitate digital communications across the Internet.

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Draft: What’s Driving Deep Packet Inspection in Canada?
3. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities

This is a draft of the paper that I’ll be presenting at the Counter: Piracy and Counterfeit conference in Manchester in a few days. It’s still rough around some edges, but feels like a substantial piece. Comments, as always, are welcome.

Abstract: Privacy operates as an umbrella-like concept that shelters liberal citizens’ capacity to enjoy the autonomy, secrecy, and liberty, values that are key to citizens enjoying their psychic and civil dignity. As digitisation sweeps through the post-industrial information economy, these same citizens are increasingly sharing and disseminating copywritten files using peer-to-peer file sharing networks. In the face of economic challenges posed by these networks, some members of the recording industries have sought agreements with Internet Service Providers (ISPs) to govern the sharing of copywritten data. In Britain, file-sharing governance has recently manifested in the form of Virgin Media inserting deep packet inspection (DPI) appliances into their network to monitor for levels of infringing files. In this presentation, I argue that ISPs and vendors must demonstrate technical and social transparency over their use of DPI to assuage worries that communications providers are endangering citizens’ psychic and civil dignities. Drawing on recent Canadian regulatory processes concerning Canadian applications of DPI, I suggest that transparency between civil advocacy groups and ISPs and vendors can garner trust required to limit harms to citizens’ psychic dignity. Further, I maintain that using DPI appliances to detect copyright infringement and apply three-strikes proposals unduly threatens citizens’ civil dignities; alternate governance strategies must be adopted to preserve citizens’ civil dignity.

Download paper

Other posts you might be interested in:

1. Draft: What’s Driving Deep Packet Inspection in Canada?
2. Deep Packet Inspection and the Confluence of Privacy Regimes
3. Office of the Privacy Commissioner of Canada Reveals their Deep Packet Inspection Website

The result of the wireless competition in Canada is this: Canadians actually enjoy pretty fast wireless networks. We can certainly complain about the high costs of such networks, about the conditions under which wireless spectrum was purchased and is used, and so forth, but the fact is that pretty impressive wireless networks exist…for Canadians with cash. As any network operator knows, however, speed is only part of the equation; it’s just as important to have sufficient data provisioning so your user base can genuinely take advantage of the network. It’s partially on the grounds of data provisioning that we’re seeing vendors develop and offer deep packet inspection (DPI) appliances for the mobile environment.

I think that provisioning is the trojan horse, however, and that DPI is really being presented by vendors as a solution to a pair of ‘authentic’ issues: first, the need to improve customer billing, and second, to efficiently participate in the advertising and marketing ecosystem. I would suggest that ‘congestion management’, right now, is more of a spectre-like issue than an authentic concern (and get into defending that claim, in just a moment). Before diving into this issue, however, I want to be up front with you: much of what I’m going to be referencing in this post is from last year (2009) because I’ve had a pile of stuff I’ve meant to write about but haven’t had the time until recently.[1] I don’t think that this invalidates what I’m writing, but think that you deserve to know ‘when’ quite a few of the links will lead to.

Let’s begin with the issue of mobile ‘data hogs’. Last December, AT&T started making noises that iPhone users were ‘data hogs’ and some kind of extended monetization strategy was required. An economic solution was preferred on the basis that (a) it would generate revenue for AT&T; (b) economics are typically seen as a stellar way of dissuading popular use of expensive new and emerging technologies. In AT&T’s specific case, of course, there were questions about the degree of actual mobile 3G investment but, more significantly, the question of whether ‘data hogs’ were actually the problem.

You see, contemporary smart phones, such as the iPhone, iterations of Android, and Palm Pre, have been designed to maximize their battery life. Unfortunately, this life creates enormous problems for cellular towers. From Ars Technica, we find that:

… the iPhone uses more power saving features than previous smartphone designs. Most devices that use data do so in short bursts—a couple e-mails here, a tweet there, downloading a voicemail message, etc. Normally, devices that access the data network use an idling state that maintains the open data channel between the device and the network. However, to squeeze even more battery life from the iPhone, Apple configured the radio to simply drop the data connection as soon as any requested data is received. When the iPhone needs more data, it has to set up a new data connection.

The result is more efficient use of the battery, but it can cause problems with the signaling channels used to set up connections between a device and a cell node. Cell nodes use signaling channels to set up the data connection, as well as signaling phone calls, SMS messages, voicemails, and more. When enough iPhones are in a particular area, these signaling channels can become overloaded—there simply aren’t enough to handle all the data requests along with all the calls and messages.

In essence, the issue of congestion at cellular towards may not be a result of ‘data hogs’ but a consequence of how smart phones are being engineered; the backhaul networks are in fine shape, but the particular towers are being overwhelmed. (We might have a discussion/debate on the condition of middle-mile backhaul, but I’m less familiar with those stats so I’m leaving them out.) In the US, let’s not forget that areas with high penetration of smart phones like the Eastern and Western seaboard cities are also home to (a) expensive real-estate; (b) people who oppose the development of large cellular towers in their neighbourhoods (often out of fear of depreciating that expensive real-estate). The first condition means that there is an economic challenge to building towers, and the latter focuses on civil resistance to development that could better balance the ’smart phone load’. In what I’ve read about deep packet inspection in the mobile market, DPI doesn’t alleviate this kind of problem – it doesn’t ‘correct’ of battery-saving engineering – but where the appliances can be installed under the guise of data hogs they could subsequently be used for (vendor stated) purposes of billing and service differentiation/provision.

At last year’s Canadian Telecom Summit, various vendors and sessions discussed the need to have better customer transparency to ‘improve the customer-service provider relationship’. In essence, they were really describing a desire to develop ‘insight’ into what customers do on mobile and wireline networks to better monetize those relationships, and in almost all cases the same vendors and speakers acknowledged the need to deal with the ‘creepy feeling’ that comes with using DPI and related surveillance architecture for pico-marketing purposes. Few had clear solutions to this, what is arguably the most significant PR issue that limits ISPs’ expansive uses of DPI for profit generation in the wireline and wireless environments.

It’s significant that the only really pressing statement about needing to efficiently manage bandwidth and spectrum came from RIM’s Mike Lazaridis. He was very concerned with actual mobile data usage, and at no point was traffic shaping or monitoring a ’solution’: improved data compression techniques were the focus of his talk. Here, we had a smartphone vendor focusing on data efficiency itself instead of advocating for traffic shaping and analysis innovation. This strikes me as being very ‘forward thinking’, insofar as it tries to address the underlying issue of data growth instead of trying to find (what I see as) a bandage solution to limit and subsequently monetize this growth. Don’t stop people from using wireless, but learn how to transmit and receive it in a very efficient manner to deliver a solution that customers actually want!

However, it’s important that we not lose sight of the fact that DPI isn’t exclusively intended for traffic management but also to extend vision into the data stream – a data stream, I might add, that unless encrypted is almost entirely public facing. The drive to this transparency is confirmed by Allot Communications’ Cam Cullen, who last year noted that,

[t]he stats and visibility that DPI provides at the access and applications layer lets mobile operators build better service plans for congestion control and feed that data into mobile billing systems to support things like roaming and advice of charge.

To begin: data transparency can facilitate improved service offerings and let network providers more intelligently expand and develop their networks. You can learn what parties you might want to approach about setting up content delivery networks, what the trends in data usage are, and so forth. All of this can be invaluable in making the hard decisions of what to invest in, where, and why.

It is the potentialities of price, service, and customer discrimination that worry both PIAC and doctoral student Fenwick McKelvey. Having spoken with representatives of PIAC, the worry is that any such discrimination will generate inefficient economic situations for customers – they’ll pay higher costs, for less – and McKelvey similarly questions the fairness of any such differentiations. As I’ve understood McKelvey’s position, DPI facilitates an artificial differentiation based on economics rather than efficiency: you charge more for streaming video because it’s profitable, not because the economics of charging for streaming video improve the network situation.

I would suggest that it is a combination of DPI’s bad press, and the kinds of stories that would be generated if telecommunications providers stated they were using DPI for billing reasons, that billing isn’t a public-facing explanation ISPs present for introducing DPI into the mobile environment. I would, however, assert that billing and advertising are key motivating factors: the former allegation based on vendor statements and the latter based on less-public vendor statements and ISP discussions I’ve been privy to.

Even after all of this, there is a question of ’so what?’

Where DPI and other traffic management solutions are publicly deployed to attend to a particular area of the telecommunications companies’ business (e.g. bandwidth management, customer billing, tiering service) it strikes me as dishonest to subtly extend them into other areas of the business without first, very publicly, alerting both customers and appropriate regulatory bodies. In the case of advertising, Canadian ISPs are expected to report to the OPC and CRTC if they ever decide to use DPI for advertising or discrete user-history analysis, but the same ISPs arguably have to meet a low bar to meet the OPC’s disclosure requirements concerning their actual uses of DPI.

Far more significantly, whereas the CRTC has maintained a hands-off approach to regulating wireless – and thus implicitly permitted discrimination in the wireless environment – that might be changing. In the forthcoming hearings in October and November entitled “Proceeding to review access to basic telecommunications services and other matters” we might see the beginning of an anti-discrimination regulatory framework that would address the economics of cellular service. The CRTC has been dropping ‘wireless’ into more regulatory hearing documents recently, which may suggest a transition away from their general forbearance approach and, if so, I expect that the work performed by PIAC and others will be leveraged to try and establish a policy of non-discrimination in the Canadian mobile market. Any such regulation will likely have a very real impact on the permissibility and conditions of deploying DPI appliances in mobile networks, as well as publicly lay bare whether any Canadian ISPs are interested in, or already moving to implement, mobile traffic management facilitated by DPI appliances. If last year was the year of wireline network management/neutrality in Canada, we might get lucky and see this one as the transition year that leads to a public discussion about Canadian telecommunications companies’ wireless network management/neutrality practices, with discrimination as the focal topic.

*********

[1] For the past eight or nine months I’ve been preparing for and writing doctoral candidacy exams. The last exam was recently concluded, leaving me with the new title of ‘Doctoral Candidate’ and time to get back to what I love: network analysis, surveillance, and digital privacy!

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Choosing Winners with Deep Packet Inspection
3. Draft: What’s Driving Deep Packet Inspection in Canada?

The concept of IICs is not new: in 2001 (!) the Institute of Public Policy Research suggested that children should take ‘proficiency tests’ at age 11 to let them ‘ride freer’ on the ‘net. Prior to passing this ‘test’ children would have restrictions on their browsing abilities, based (presumably) on some sort of identification system. The IIC, obviously, didn’t take off – children aren’t required to ‘license up’ – but the recession of the IIC into the background of the Western cyberenvironment hasn’t meant that either research and design or infrastructure deployment for these cards has gone away. Who might we identify as a national leader of the IIC movement, and why are such surveillance mechanisms likely incapable of meeting stated national policy objectives but nevertheless inevitable?

I would suggest that, in the Western hemisphere, Spain has been incredibly ‘forward thinking’ about Internet authentication. The Spanish identity card was initially deployed by Franco to starve out rebels – during the guerrilla war rations were only provided to identity card holders – and gradually expanded into all reaches of Spanish society. Buying gas? Show the card. Subscribing to a magazine? Offer up your card. Unlike in the UK, US, or Australia, Spanish citizens accept the identity card as just another part of daily life, which has made Spain a delightful testing ground for the various companies involved in updating the card for the 21st century. Significantly, this receptiveness to the identity card meant that the transition to an electronic card was remarkably simple: the electronic national identity card (the DNIe) was introduced as a mere policy update to the existing card. There was no parliamentary debate or civil resistance over the shift to digital surveillance.*

The DNIe is designed with Internet authentication in mind. It interfaces with hardware dongles** to authenticate the holder with Spain’s national identity architecture. Using this authenticated system, authorities can monitor where Spaniards travel online, and the authentication facilitates ’secure and convient’ engagement with Spanish e-government services. In 2005, Vice President Maria Teresa Fernandez de la Vega noted that the DNIe was a “tool for guaranteeing the security, confidentiality, and integrity of citizens using the Internet”, in 2006 the government maintained that the DNIe was “key to solving the security-privacy binomial”, and by 2008 it was recognized that a key objective of the DNIe was to “bring the digital world into the old processes of identification and signature” (Source, p. 50). Spain is a leader in the discussions of interoperable identity card standards in Europe, has already exported its technology and standards to areas of Italy, and is aggressively marketing the card technology in Latin America. A substantial military-industrial complex backs the DNIe, and the complex is leveraging their political, symbolic, and monetary capital to push for a European-wide identity card, where each sovereign nation would possess an interoperable card, and each citizen required to carry their card to operate online.

The aim of identity cards – to provide security, identification, and signatures – is doomed to fail, but this prognosis is unlikely to prevent their ultimate spread throughout many ‘modern’ democracies. Bruce Schneier notes that for such identification mechanisms to succeed “we’d need agencies — real-world organizations — to provide Internet identity credentials based on other identification systems: passports, national identity cards, driver’s licenses, whatever”. Obviously, Spain has this infrastructure, though in establishing it identity theft becomes that much more profitable.***

Without some sort of a biometric check at the level of the card itself there isn’t anything that stops one citizen from using another citizen’s card….save for conventional societal norms and law. Lawrence Lessig recognizes that regulation of digital environments are dependent on architecture, markets, law, and norms. In including a biometric ‘check’ on the cards that is mandated by law, it is possible to regulate the card along the lines of architecture, markets, and law. Where Spain, in particular, has a social-normative expectation that cards are required for personal identification, the normative conditions for effective (rather than perfect) regulation are set.

‘Effective’ regulation, of course, doesn’t necessarily resolve either the ’security-privacy’ binomial or signature and identification demands of an identity card. A friend or colleague could log you in, should you forget your card at home, and few biometrics are nearly as effective as suggested by vendors or their media shills. Facial recognition is demonstrably terrible when put to empirical tests, cheap digital-fingerprint systems are easily foiled, and even many iris recognition systems are subverted with photographs of eyes. In essence: biometrics are vulnerable to considerable failure and the number of false positive and negatives render their value questionable as identifiers or signatures (Anderson, p457-82). Accompanying the surrender of authentication processes to government bodies (as in Spain) are considerable worries that the information suffer function and security creep (privacy protection tend  to get clawed back with each new ‘crisis’). The security-privacy binomial is not, and likely cannot, be met using the equivalent of the DNIe, nor can the signature and identification requirements. Even should some of these issues be minimally dealt with, it only increases effective regulation. Teens, criminals, and hackers will all subvert any identity authentication system – never underestimate the motivation to engage in underage drinking, commit larceny, or just tinker.

Now, you might be asking at this point: who is trying to push this policy again? It’s probably a politician, someone who sees identity systems as a great way of gaining political capital with the security-ignorant public, right? Wrong. It’s Marcus Ranum, the CSO of Tenable Network Security, who is well known for his contributions to the security field. At the same time, Microsoft is (again) backing the idea that some sort of authentication mechanism be built onto the ‘net to avoid a ‘cyberwar’ or ‘cybercatastrophe’, this time at the UN level. In Ranum’s case, he argues that anonymity has a temporal value in a few cases – Deepthroat needed anonymity at the time to prevent backlash, but after his death anonymity held no value – and in Microsoft’s opinion a license should be required to ensure that a computer and/or user is ‘fit to surf’.

Obviously, attempts to terminate anonymity and expand online surveillance are not new, nor are the efforts to technologically resist such terminations. If we dispose of the notion that governments are actually aiming to secure citizen’s lives, and instead better ‘embrace’ them for bureaucratic purposes, then the adoption of some sort of IIC makes good sense: it contributes to security theatre (therefore gaining, or at least not losing, votes), could theoretically centralize citizen information (imagine tying the IIC to census data on the backend of the system), and its potentials are only restricted by privacy advocates, ombudsmen, and law. The first tend to be poorly funded, the second often lacking teeth, and the last maleable. If we accept the proposition that modernity’s institutions are accompanied by identity and surveillance systems to more strategically ‘embrace’ citizens and non-citizens as they move through institutional webs (as suggested by Lyon, Torpey, Giddens, amongst many others) then there is considerable paradigmatic force behind instituting an online identity system.****

For the state to ‘embrace’ those passing through its digital conduits perfect compliance may be desired, but isn’t necessary: law, architecture, norms, and markets can propel mass adoption of any such card or system. Spain is incredibly optimistic that it can teach identity card policy and techniques to Europe, and one would expect various members of international copyright cartels to jump at the opportunity for enhanced surveillance that advances along a non-deep packet inspection (DPI) route (on the basis that DPI has, somewhat surprisingly, garnered incredibly high degrees of public resistance). Informally, I’ve been told that cartel members regularly meet with government leaders in Europe to advance the idea of identity cards to fight copyright infringement.

Given the possibility of law to mandate basic architecture, market, and legal conditions for regulating the digital, it is on the social-norms front that governments genuinely have to win the ‘hearts and minds’ of citizens. A key question is whether crises of digital security, and the electronic economy more widely, will be sufficient to soften up Western populations and make them receptive to yet more intrusive, yet modernizing, surveillance systems that embrace national citizenries.

Will an electronic equivalent of Chernobyl lead to a twisted, long-term, combination of the American iPatriot Act and Spanish identity card expertise? Is it only a matter of when, rather than if, IICs or their equivalent are commonplace in the West? I expect that ongoing paradigmatic forces of modernity almost (though not quite) necessitate the eventual attempts (and, ideally, failures) to banish anonymity and introduce IICs or their equivalents. Where do you, my readers, stand?

—————

* Information about Spain is derived from Pablo Ouziel’s unpublished (but digitally accessible) Master’s thesis, The Spanish Identity Card: Historical Legacies and Contemporary Surveillance.

** It should be noted that, as of 2009, there were substantial incompatibility problems between the dongles and computers. The infrastructure is being laid: it isn’t yet in operation.

*** That the central databases for the card are located in a police bunker, amongst a police force that has never truly ‘democratized’ following the transition to democracy raises its own concerns.

**** For more on this notion of nations ‘embracing’ their citizens, turn to Torpey’s The Invention of the Passport: Surveillance, Citizenship, and the State.

Other posts you might be interested in:

1. Identification, Identity Systems, and the REAL ID Act
2. Update: Mobiles and Your Identity
3. Technology – Questions of Digitizing Identity

While I pay attention to copyright developments in Canada and abroad, and have strong stances on how academics and the Canadian government should licence their publications, I’m not a lawyer. I do, however, know that government documents in Canada are governed by Crown Copyright – unlike in the US, the Canadian government maintains copyright over its publications – and thus I wanted to check with the CRTC if there were any problems hosting documents from their site, including those presumably under a Crown copyright such as the CRTC’s decision.

Today I spoke with someone at the CRTC and received word that I could rehost the documents, without any problems. They were ‘in the public domain’ and so I could do with them what I wanted. I was pleased to hear this, as I wasn’t sure if the Reproduction of Federal Law Order would apply to the filings of private companies – it should apply to the CRTC’s decision itself, but as the order is written it’s ambiguous (to me) where and how private filings ‘fit’. In any case, I’ll take the CRTC’s word and be pleased that their public notice filings, including the filings by private corporations, are ‘public domain’ works and not governed by crown copyright. In case someone is wondering why I even bothered checking with the CRTC, given that my intended uses of the works arguably fall under under the research and review criteria of Canada’s fair dealing provisions, I expected that my use was legitimate but wanted to check with some lawyers that I was actually in the clear. I didn’t want to have a project go live, only to receive lawyer-grams from the CRTC or private companies! The CRTC has lawyers, and I thought it’d be a decent idea to draw on their expertise. Had I gotten a baffling response (e.g. no, for copyright reasons you cannot host anywhere else!) I’d have gotten a second opinion.

So, that’s fine and good: I can use the documents. It was the rest of the conversation that was particularly interesting, and more than a little disturbing.

I learned that the CRTC occasionally removes documents included in public filings and, far more significantly, sometimes changes the actual documents themselves without notifying anyone, not ever parties who were involved in the public notice. Such changes are made to correct misstatements of fact, to redact content already on the record or make available incorrectly redacted content, and so forth. This has far-reaching implications: closed public notices can have documented modified, where such modifications could potentially have affected public awareness of the notice as it was ongoing. In the case of some ‘corrections’, this could be incredibly important: what if in PN 2008-19 (and this is entirely hypothetical and meant as an example: I have ABSOLUTELY NO REASON TO BELIEVE THIS IS THE CASE) it turned out that one of TELUS’ redacted sentence was made available to the public, and it stated that TELUS was in early consideration stages of using Deep Packet Inspection in their networks? Such a ‘correction’ would have substantial effects on the arguments put forward by various civil advocates, and would render someone who was not involved with the public notice as it was ongoing very confused about the apparently contradictory filing between (in this example) TELUS and public advocacy groups. Thus, not only do these secretive changes risk contaminating later research, but it could also undermine public confidence in the public notice process itself.

The other very interesting copyright-related item that I learned was that, while hosting the documents isn’t a problem, were I to scrape and do a check-sum between what I have hosted and what the CRTC hosts that would be considered a copyright infringement. The gentleman I spoke with professed not understanding how that would be a copyright issue, and was just passing on the message from the lawyers, but it’s incredibly bizarre. In effect, it states (to me) that I can host but cannot check to guarantee that what I’m hosting is ‘the most accurate/recent version’ unless I want to eyeball the documents and look for ‘corrections’ that may or may not be announced anywhere in the document or public notice website itself. From a government transparency point of view, this is deeply concerning: members of the public, if aware of the potential for relatively secretive changes to public filings, cannot automate any system to watch for such changes without running afoul of lawyers. The resources thus required to ‘check up’ on the CRTC would be enormous for the poorly funded civil advocacy groups and members of the public (neither eyeballs or time are in abundant supply!). Moreover (and again, I am not a lawyer!) in my reading a check-sum or something like it is required to actually comply with Canadian copyright law. The law,

authorizes anyone, unless otherwise specified, to copy federal legislation, statutes, regulations, court decisions and tribunal decisions without the usual restrictions that govern Crown copyright materials, provided that one is careful to ensure the accuracy of the materials reproduced and that the reproduction is not represented as an official version. (emphasis added)

Given that I’ll be hosting documents, to ‘carefully ensure the accuracy of the materials reproduced’ aren’t I required to set up some automated system, given that the CRTC can potentially just change or remove documents without any public notification or transparency? Does this mean that compliance requires me to manually check on a daily/weekly/monthly basis that all the files on the CRTC’s webpage are exactly as they were when I first copied them?

Admittedly, these changes to documents in public notices are supposed to happen ‘fairly rarely’ and there isn’t any reason to expect that the filings for PN 2008-19 (which is what I’m interested in for this project, right now) are going to change. It’s possible that there was miscommunication as a result of interjecting an intermediary between myself and the CRTC’s lawyers. I’m very happy that I can host the filings for PN 2008-19 and that all of the items in that filing (including the CRTC decision) are apparently ‘public domain’ and thus outside of crown copyright. Those are all great things and I appreciate that the CRTC was fairly quick in getting back to me (it took about 4 business days). I’m far less impressed with secretive changes happening to public filings, and am disturbed by the position that scraping for check-sum purposes would somehow violate copyright.

I’m not a lawyer, and I’ll be following this up with the CRTC to try and get additional transparency into what’s going on. Hopefully there was just a miscommunication; I would understand if regular scraping was a problem because it could bog down their servers, and that on that basis they could drum up DDOS charge or something, but to construe server access to guarantee I’m hosting the most up-to-date documents with a copyright violation is mind boggling, and screams of misuse of copyright to this non-lawyer.

Other posts you might be interested in:

1. Update: CRTC PN 2008-19 Filings
2. Update: CRTC PN 2008-19 ISP Filing Summary Document
3. Summary: CRTC PN 2008-19; Requests for Public Disclosure Filings

What we see less of in the eHealth debate are the prevalent dangers accompanying threats to cut citizens off of the ‘net as a consequence of copyright infringement. It’s this issue that I want to briefly dwell on today, in part to start ramping up some thoughts on the wide-ranging effects of three-strikes laws that are starting to be adopted and/or seriously discussed in various jurisdictions around the world.

To give an overview, three-strikes laws in the copyright context are generally presented as a way of curtailing copyright infringement. Often acting under the assumption that a downloaded copy of a file is the equivalent of a lost sale, major content and rights holders insist that they are losing billions of dollars per year to Peer to Peer (P2P) filesharing. While I will note that this is a relatively insane equivalency (it is largely like arguing that every person who opens a book in a bookstore, reads it for about 10 minutes, and then puts it down constitutes a ‘lost sale’ – for more on this read Doctorow’s Ebooks: Neither E, Nor Books), there are lots of great articles you can read that deal with this issue and so I’m not going to dip my feet into that argument here. You might ask how it is possible to identify copyright infringing work, and one of the ways of doing so is through specific implementations of Deep Packet Inspection (DPI) appliances by Internet Service Providers (ISPs). Virgin Media is trialling a system that will generate a copyright infringement index (though won’t identify particular individuals who are infringing on copyright) and DPI vendors such as iPoque have already produced equipment that is designed to identify infringing file transfers in realtime.

Three-strikes laws have a common, general, format: after an individual is found, or believed to have been found, infringing on copyright three times they are forcibly disconnected from the Internet by their ISP either at the behest of the government or content holders. The particular legal structure that facilitates these ejections from the Internet differs – sometimes there is a presumption of innocence and requirement that infringing use is proven, whereas in other systems accusations alone suffice – but the common end is the same: during an era when broadband is seen as a key to performing job searches, gathering academic research, developing knowledge about our illnesses, and discovering new cultural artifacts, copyright holders want to insist that their intellectual property rights should be foregrounded and other social goods put to the back of the line.

This bring us to the question posed by this post’s title: “Will copyright kill eHealth?” What happens when, after investing billions of dollars in ‘revolutionizing’ the current health system so that individuals are ‘empowered’ to access their health records, governments and their citizens realize that they are in a digital wasteland, where accessing health records is dependent on good copyright-related behaviour? When I’m tasked with absolutely securing my wireless network so that a war driver can’t access my network and download some pop track, does this mean that I should sign up for expensive third-party services to guarantee access to my ‘newer and better’ health records and other government services? To alleviate these anxieties, perhaps I’ll be able to pay a small monthly fee to my ISP and they will, on my behalf, block anyone on my network from accessing potentially copyright infringing work from non-sanctioned repositories so that I can participate in the new digital economy.

I’m not suggesting that health authorities are necessarily experts in areas of copyright, network management, network surveillance, or data transactions. Typically, they’re not, and citizens don’t expect their M.D. to understand the ins and outs of file transfer protocols, file signature analysis, or data packet analysis. While I’ve suggested (recently, no less) that it is important to consider the particular impacts of certain ‘high-functional’ technologies, such as deep packet inspection, we do still need to step back occasionally and think of some of the possible impacts that high-functioning technologies and the surrounding basin of law might have on the delivery of core, newly digitized, government services. I don’t want to live in a world where my ISP has a real market incentive to ’sell’ me the equivalent of copyright-infringement ‘insurance’ on a monthly basis so that I can view the digital records that governments and corporations retain about me. I actually don’t think that ISPs want to live in this world either; in such a world they would be placed in a position of liability upon failing to prevent me from accessing infringing material! It’s because of the wide-ranging possibilities of network intelligence and the laws around it that research into network intelligence and security is so interesting – with the Western transition to the digital, and the ability to watch and impact digital flows, the role of the ISP will only become more and more significant to citizens’ daily lives.

Who can we turn to in the event that some kind of a three-strikes law becomes manifest in a Canadian context? It’s entirely possible that the inspection of data flows for copyright infringing material might be ‘privacy protective’ – privacy might be built into the infrastructure by design per the governing ethos of the Information and Privacy Commissioner of Ontario – and this suggests that the language of privacy may be insufficient to really limit the challenges of any three-strikes law. I have similar worries about the ability for consumer protection laws to effectively limit the negative consequences of a three-strikes law (though Canada does have one of the world’s forefront copyfighter’s on the people’s side), and if we require judges to hold real cases before individuals have their digital lifelines terminated then court costs over what are (likely) just people ‘browsing content’ will be exorbitant. The transition to electronically delivered content has (supposedly) been devastating for how the major content owners have been able to turn profits, but we need to go further than just say they need to develop better models instead of suing people. We need to ask this: should government be developing laws the prop up questionable current-day business models at the potential expense of wasting billions in public infrastructure upgrades, or should government be taking a longer view of things and start siding with both citizens and their own allocation of infrastructure dollars? I worry that if government doesn’t more prominently side with themselves and their citizens, we’ll see eHealth and other eGovernment ventures die under the knife of copyright reform and protection, and that would be a tragic shame and absolute waste of citizens’ tax dollars.

Other posts you might be interested in:

1. Three-Strike Copyright
2. Virgin Media to Monitor Copyright Infringement
3. Update to Virgin Media and Copyright DPI

1. They can continue to throttle ‘problem’ applications in the future;
2. The CRTC decides to leave the wireless market alone right now.

I want to talk about the effects of throttling problem applications, and how people talking about DPI should focus on the negative consequences of regulation (something that is, admittedly, often done). In thinking about this, however, I want to first attend to the issues of censorship models to render transparent the difficulties in relying on censorship-based arguments to oppose uses of DPI. Following this, I’ll consider some of the effects of regulating access to content through protocol throttling. The aim is to suggest that individuals and groups who are opposed to the throttling of particular application-protocols should focus on the effects of regulation, given that it is a more productive space of analysis and argumentation, instead of focusing on DPI as an instrument for censorship.

Let’s first touch on the language of censorship itself. We typically understand this action in terms of a juridico-discursive model, or a model that relies on rules to permit or negate discourse. There are three common elements to this model-type:

1. Such a thing cannot be permitted
2. Preventing a thing from being said
3. Denying that such a thing exists

Many people writing about DPI (including myself) have often relied on points (1) and/or (2) in our worries that the technology could be used to absolutely prohibit a particular protocol-type, or that certain things will be prevented from moving across networks using fingerprint and hash-based analyses of data transfers. While no ISP has stated that P2P doesn’t exist (the present traffic management hearings in Canada have seen ISPs focus on P2P as the reason for needing DPI appliances), ISPs such as Rogers have stated that none of their customers have complained about the throttling of P2P traffic.

I think that many censorship discussions about DPI broadly correspond with the worries around ‘netscapes of power’. Winseck (2003) has suggested that such netscapes are intended to “buttress market power and to regulate behaviour through network architecture, the privatization of cyberlaw, surveillance, and the creation of walled gardens.” In a recent paper, “What’s Driving DPI?“, I suggest that we can understand contemporary netscapes through the lens of delayed access to content. Whereas walled gardens let network providers (e.g. AOL Online) perfectly capture subscriber information, and generally try to centralize network intelligence in the network rather than the ends of the network (Zittrain 2008), I would suggest that Deep Packet Inspection can be understood as a productive form of regulation that facilitates access to particular content, without totally denying access to non-preferred content-types and repositories. Unlike the walled garden of AOL Online, Canadian customers can use application-types that their ISPs deem ‘problem applications’ (such as P2P), but using these application-types means that customers will suffer delays. As I will touch on shortly, even a few milliseconds can have significant consequences for using particular content portals; while ISPs claim that a few more minutes to download content is practically nothing, I would suggest that contemporary research puts those claims in question.

Whereas in a netscape of power, such as Winsecks, censorship revolves around the banning of, or prohibiting access to, content, perhaps a contemporary understanding of censorship could relate to development of extensive knowledge concerning individual and their habits, and a willingness to exploit their behaviours. Such censorship does not need to ban content outright; delaying it is sufficient to encourage consumers to use ‘preferred’ data protocols. Moreover, with an awareness of the discrete individual, not just what they do but why they do it, it is possible to preemptively target them for broadband packages using language that appeals to their ‘inner nature’. In effect, instead of talking about ‘censorship’, we can shift to a discussion of ‘consumer and citizen regulation’.

Google recently tested the effects of content delays; they found that when search results were delayed from 100 to 400 milliseconds that users were less and less likely to run searches using Google, even if the service was restored. While the argument could be made that a Google-to-P2P analogy is an apples-to-oranges comparison, I would suggest that Google’s experiment betrays a central consumer truth: in a digital economy, where consumers are regularly taught that ‘faster is better’, the fastest content delivery system that is convenient is (or becomes) the preferred content delivery system. Where P2P access is delayed, and is generally a pain in the butt to get working, non-P2P file transfer systems will be preferred. Where ISPs are also content providers, this means that they can often deliver the same, or similar, content immediately to the individual. In the face of slow or immediate content, consumers will tend to prefer the immediate.

An advantage of thinking through the productive uses of DPI, and its effects in regulating content access, is that we can ask more interesting questions about the discourses and networks of power are in operation around DPI than are afforded through discourses focused on censorship. There are already good people looking at this – Ralf Bendrath and Fenwick McKelvey have both been looking at DPI in this light – and I think that a regulatory framework offers useful ways of understanding the norming effects of DPI. Norming speaks to the mediation of consumers’ desires, aims, and networks of power penetrating them, whereas censorship tends to focus on preventing such networks from spawning, or (worse) obfuscates the actual existence of these networks where they already exist. Further, I think that regulation lets us ask those questions like; “even in the face of CRTC regulation that stops throttling of particular application-types, what are (or have been) the actual effects of regulating data protocols?”

This all having been written, if Google’s test does carry over to the realm of ISPs’ regulation of content delivery mechanisms, then it is possible that even a CRTC decision that prevents subsequent targeting of P2P may not matter: the ‘damage’ might already be done. The real risk, then, is that if ISPs are permitted to target ‘problem’ application types in the future, they can (effectively) encourage and discourage particular protocol uptake. This threatens to situate ISPs as regulators of emerging Internet protocols.

As regulators (and not censors), ISPs can easily navigate public criticism relying on traditional understandings of ‘censorship’ because the ISPs can refer back to that three point model, written above, and say ‘our actions don’t fit that model’. ISPs as regulators are, however, vulnerable to critiques of the very modes and effects of their regulations – they are vulnerable to explicit analyses of the effects of their norming actions (e.g. throttling P2P and making Direct TV available to the same consumer). Only by engaging with, and exploiting the internal logics of, ISPs-as-Content-Providers’ discourses are these discourses likely to be disrupted and shifted towards more appealing regulatory discussions and frameworks. Note that these are shifts, however, as opposed to stopping the discourse entirely. I have serious doubts that such a cessation of discourse on DPI can ever actually take place, though who or what orients future power formations remains an open (and thus actionable) question. Ultimately, as I’m thinking about things right now, it seems that focusing on regulatory discourse is far more promising than almost exclusively attending to a discourse of censorship, given censorship’s vulnerabilities to ISP-generated critique and rebuttal.

Other posts you might be interested in:

1. Deep Packet Inspection: What Innovation Will ISPs Encourage?
2. Background to North American Politics of Deep Packet Inspection
3. Choosing Winners with Deep Packet Inspection